I'm trying to Share Files on a SharePoint Document Library that I have as a part of an Office 365 Developer Program instance.
My AD has a variety of users, some "native" users created in the AD manually and the rest are "guests" from different domains that my team and I work for.
I'm executing the following API request on the graph via code using NestJs (as per snippet). I've all the required Delegated Permissions in the Application Registration to do everything too.
REST View:
POST /drives/{drive-id}/items/{item-id}/invite
{
"requireSignIn": true,
"sendInvitation": false,
"roles": [
"sp.full control"
],
"recipients": [
{
"email": "xxx.xxx#xxx.com"
}
]
}
Code View:
//build list of all to add: PL, PLB, Main, Current User and whatever is added in DTO
const participantsToAdd = [project.projectLead]
.concat(project.projectLeadBackup)
.concat(project.participants.filter(p => newRoles.includes(p.participantRole.name)).map(p => p.user))
.map(u => ({
oid: u.microsoftId,
mail: u.mail,
}));
const permission = {
recipients: participantsToAdd.map(p => ({ email: p.mail })),
requireSignIn: true,
sendInvitation: false,
roles: ['sp.full control'],
};
// add the right permissions to the file
const result = await client.api(`/drives/${this.libraryId}/items/${fileId}/invite`).post(permission);
The above code is building up a list of "User" objects which contain an "oid" which I use later, and a "mail" object. I give these users "sp.full control" role on a file. Some are granted direct access and others are given links (grantedToIndentities) with write permissions.
This only seems to be happening when Guests on the active directory make the request; though it's only occurring for some guests. Two guest users in particular that I grant access to are fine, they get "Direct Access". Others go into the "link sharing" category. I don't see any differences in the users in AD anywhere.
I've tried looking through all admin sites (SharePoint, M365) and tweaked External Sharing permissions but the problem still persists.
When I invoke the action from a "native" user on AD to the Graph using the same request, it all works fine. All users (native and guests) are added with "direct access".
Can anyone share any thoughts? Hope I've given enough info.
Snippet from Graph response:
Image
Related
We are getting the following error whilst trying to send activity notifications to users in a chat for our custom application:
Application with AAD App Id '{APPID}' is not authorized to generate custom text notifications about '/beta/users/{USERID}/teamwork/Microsoft.Teams.GraphSvc.sendActivityNotification' to the recipient. Ensure that the expected Teams app is installed in the target scope (user, team, or chat).
We have spent a long time perusing the documentation and examining the various options & parameters which we could adjust, but are hitting the same error.
Any assistance would be appreciated at this point.
The url is: "https://graph.microsoft.com/v1.0/teams/19:{CHANNELID}/sendActivityNotification"
Payload looks like this:
{
topic: {
source: 'text',
value: '#mention',
webUrl: 'https://teams.microsoft.com/l/entity/{ENTITYID}/_djb2_msteams_prefix_1474050903?context={"subEntityId":null,"channelId":"19:{CHANNELID}"&groupId={GROUPID}&tenantId={TENANTID}'
},
activityType: 'userMention',
previewText: { content: '#mention' },
recipient: {
'#odata.type': 'microsoft.graph.aadUserNotificationRecipient',
userId: '{USERID}'
},
templateParameters: [
{ name: 'firstName', value: 'John' },
{ name: 'lastName', value: 'Smith' }
]
}
As the title says, the error returned is an authorization error:
Application with AAD App Id '{APPID}' is not authorized to generate custom text notifications about '/beta/users/{USERID}/teamwork/Microsoft.Teams.GraphSvc.sendActivityNotification' to the recipient. Ensure that the expected Teams app is installed in the target scope (user, team, or chat).
The manifest includes the following:
"webApplicationInfo":{
"id":"{APPID}",
"resource": "https://notapplicable",
"applicationPermissions": [
"TeamsActivity.Send.Group",
"Microsoft.Teams.GraphSvc.sendActivityNotification"
]
},
"permissions": [
"identity", "messageTeamMembers"
],
"configurableTabs": [
{
...
"scopes": [ "team", "groupchat"],
"context": ["channelTab", "privateChatTab"]
}
]
Our app has the following permissions in the Teams Admin Center:
Create new notifications in the teamwork activity feeds of the users in this team.
Microsoft.Teams.GraphSvc.sendActivityNotification
Our Azure AD app API permissions has the following:
API / Permissions name
Type
Description
Admin consent required
Status
ChannelMember.Read.All
Application
Read the members of all channels
Yes
Granted for Default Directory
ChannelMessage.Send
Delegated
Send channel messages
No
ChannelSettings.Read.All
Application
Read the names, descriptions, and settings of all channels
Yes
Granted for Default Directory
ChatMember.Read.All
Application
Read the members of all chats
Yes
Granted for Default Directory
Organization.Read.All
Application
Read organization information
Yes
Granted for Default Directory
OrgContact.Read.All
Application
Read organizational contacts
Yes
Granted for Default Directory
Team.ReadBasic.All
Application
Get a list of all teams
Yes
Granted for Default Directory
TeamMember.Read.All
Application
Read the members of all teams
Yes
Granted for Default Directory
TeamsActivity.Send
Delegated
Send a teamwork activity as the user
No
TeamsActivity.Send
Application
Send a teamwork activity to any user
Yes
Granted for Default Directory
User.Read
Delegated
Sign in and read user profile
No
Granted for Default Directory
User.Read.All
Application
Read all users' full profiles
Yes
Granted for Default Directory
.
Adding answer from comment section for more visibility.
groupId in the Microsoft Teams context corresponds to the teamId in Graph API.
If you are sending notifications, you will need to use the endpoint /team/{groupId}/sendActivityNotification
I am using a vanilla configuration of the firebase Auth SDK. It is currently asking for all of these scopes.
I do not need profile picture or name, and would love to remove them. Is it possible?
Simple answer is No name, and picture permissions are granted to your application when you request the profile scope as part of signin.
explanation
Assuming you are following the example found here. If you check the lines called addScopes.
provider.addScope('profile');
provider.addScope('email');
This is where you define what permissions your applicating needs. The email and profile scopes are part of Google sign in (Open Id Connect) The profile scope give you access to some basic profile information about the user. Part of basic profile information is their picture.
These two claims are actually returned by the user info endpoint. This is the response from the userinfo endpoint when I authorized only with the profile scope.
{
"family_name": "Lawton",
"name": "Linda Lawton",
"picture": "https://lh3.googleusercontent.com/a-/AOh14GhroCYJp2P9xeYeYk1npchBPK-zbtTxzNQo0WAHI20=s96-c",
"locale": "en",
"given_name": "Linda",
"id": "1172004755376"
}
This is all default, so its not something you can change.
full example
// Using a redirect.
firebase.auth().getRedirectResult().then(function(result) {
if (result.credential) {
// This gives you the OAuth Access Token for that provider.
var token = result.credential.accessToken;
}
var user = result.user;
});
// Start a sign in process for an unauthenticated user.
var provider = new firebase.auth.OAuthProvider('google.com');
provider.addScope('profile');
provider.addScope('email');
firebase.auth().signInWithRedirect(provider);
I am building a Teams chat-bot that looks at the history of messages in the current chat/channel whilst in conversation with the user.
My bot has been granted all the RSC (Resource-Specific Content) Permissions it needs (see image below)
Here is the relevant parts of the manifest:
{
"$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.11/MicrosoftTeams.schema.json",
"version": "1.0.0",
"manifestVersion": "1.11",
"id": "bd33f8b1-b593-433c-926e-44a27c1bd94a",
...
"permissions": [
"identity",
"messageTeamMembers"
],
...
"bots": [
{
"botId": "e6d93739-a8ab-412d-a4f6-b6f514a3451a",
"scopes": [
"team",
"personal",
"groupchat"
],
"isNotificationOnly": false,
"supportsFiles": true
}
],
"validDomains": [],
"webApplicationInfo": {
"id": "e6d93739-a8ab-412d-a4f6-b6f514a3451a",
"resource": "https://RscBasedStoreApp",
"applicationPermissions": [
"TeamSettings.Read.Group",
"ChannelMessage.Read.Group",
"TeamSettings.Edit.Group",
"ChannelSettings.ReadWrite.Group",
"Channel.Create.Group",
"Channel.Delete.Group",
"TeamsApp.Read.Group",
"TeamsTab.Read.Group",
"TeamsTab.Create.Group",
"TeamsTab.ReadWrite.Group",
"TeamsTab.Delete.Group",
"Member.Read.Group",
"Owner.Read.Group",
"ChatSettings.Read.Chat",
"ChatSettings.ReadWrite.Chat",
"ChatMessage.Read.Chat",
"ChatMember.Read.Chat",
"Chat.Manage.Chat",
"TeamsTab.Read.Chat",
"TeamsTab.Create.Chat",
"TeamsTab.Delete.Chat",
"TeamsTab.ReadWrite.Chat",
"TeamsAppInstallation.Read.Chat",
"OnlineMeeting.ReadBasic.Chat",
"Calls.AccessMedia.Chat",
"Calls.JoinGroupCalls.Chat",
"TeamsActivity.Send.Chat"
]
}
}
Note: the bot has permission to read messages in chats and channels. Specifically, my problem affects chats and not channels (which I can get messages from fine).
In order to do this, I get a JWT token for the bot account, accessing the Graph API like so:
GraphServiceClient<?> gsc = GraphServiceClient.builder()
.authenticationProvider(u -> mac.getToken())
.buildClient();
Next, I am using the Graph API to pull back these messages. For messages in channels I can do:
gsc.teams("some group id")
.channels("team id")
.messages()
.buildRequest(Collections.emptyList()).get()));
This works fine.
For chats, I am doing something like:
gsc.chats("29:13qY8hmfkJinH9-v7rYKjCNFHYFJXKbjqR-NyzyKzL694npelHJoq5HrVtqJLRYo79OYeHGQq-bhtJM5N-yKXyQ")
.messages()
.buildRequest().get()));
However, this time I get an error from the Graph API:
[Some information was truncated for brevity, enable debug logging for
more details] com.microsoft.graph.http.GraphServiceException: Error
code: Forbidden Error message: Invoked API requires Protected API
access in application-only context when not using Resource Specific
Consent. Visit
https://learn.microsoft.com/en-us/graph/teams-protected-apis for more
details.
GET
https://graph.microsoft.com/v1.0/chats/29:13qY8hmfkJinH9-v7rYKjCNFHYFJXKbjqR-NyzyKzL694npelHJoq5HrVtqJLRYo79OYeHGQq-bhtJM5N-yKXyQ/messages
SdkVersion : graph-java/v5.6.0
I am at a loss to explain why querying channels works fine but querying chats fails.
Any help gratefully appreciated!
This is a protected API and in order to use it you will first need to make a formal request to Microsoft Graph, asking for permissions to use the API without any user interaction
Here is the list of protected APIs. You need to fill this form to get the required permissions.
To request access to these protected APIs, complete the following
request form. We review access requests every Wednesday and deploy
approvals every Friday, except during major holiday weeks in the U.S.
Submissions during those weeks will be processed the following
non-holiday week.
The other option would be to use delegated flow.
Desired Behaviour
Create a group via Microsoft Graph, using the JavaScript SDK and MSAL in a single tenant application with delegated API permissions.
Actual Behaviour
{
"statusCode": 403,
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"requestId": "6e865d96-ef8b-408e-a905-5393b4adcfdc",
"date": "2020-05-16T20:20:15.000Z",
"body": "{\"code\":\"Authorization_RequestDenied\",\"message\":\"Insufficient privileges to complete the operation.\",\"innerError\":{\"request-id\":\"6e865d96-ef8b-408e-a905-5393b4adcfdc\",\"date\":\"2020-05-17T06:20:15\"}}"
}
What I've Tried
To create the code, I used the following API reference instructions:
Create group
Group properties
Sign-in/sign-out and all other API requests are working.
Subscription
Microsoft 365 Business Standard Trial
API Permissions
Directory.AccessAsUser.All +++
Directory.ReadWrite.All ***
Group.ReadWrite.All
GroupMember.ReadWrite.All ***
openid
profile
Sites.Read.All
Tasks.ReadWrite
User.Read
*** I added these after reading this answer, but still get the same error.
+++ I added this after suggestion in answer below.
I have clicked the 'Grant admin consent' button in Azure app registrations area.
index.html
<!-- msal -->
<!-- from: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core -->
<script type="text/javascript" src="https://alcdn.msauth.net/lib/1.3.0/js/msal.js" integrity="****" crossorigin="anonymous"></script>
<!-- javascript sdk -->
<!-- from: https://github.com/microsoftgraph/msgraph-sdk-javascript -->
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/#microsoft/microsoft-graph-client/lib/graph-js-sdk.js"></script>
config.js
// msal options
const msalConfig = {
auth: {
clientId: "client-id-here",
redirectUri: "http://localhost:8080",
authority: "https://login.microsoftonline.com/tenant-id-here"
},
cache: {
cacheLocation: "sessionStorage",
storeAuthStateInCookie: false,
forceRefresh: false
}
};
// define application permissions
const scopes = ['directory.accessasuser.all', 'directory.readwrite.all', 'group.readwrite.all', 'groupmember.readwrite.all', 'openid', 'profile', 'sites.read.all', 'user.read', 'tasks.readwrite' ];
auth.js
const msalApplication = new Msal.UserAgentApplication(msalConfig);
const loginRequest = {
scopes: scopes
}
async function sign_in() {
try {
await msalApplication.loginPopup(loginRequest);
if (msalApplication.getAccount()) {
console.log("sign in success");
}
} catch (error) {
console.log("sign in error");
console.log(error);
}
}
function sign_out() {
msalApplication.logout();
}
graph.js
var path = "/groups";
var group = {
description: "Here is a description.",
displayName: "test_test_test",
groupTypes: [
"Unified",
"DynamicMembership"
],
mailEnabled: true,
mailNickname: "test_test_test",
securityEnabled: false, // initially i had this as true, doesn't seem to make a difference either way
visibility: "Hiddenmembership",
"owners#odata.bind": [
"https://graph.microsoft.com/v1.0/users/my-user-id-here"
],
"members#odata.bind": [
"https://graph.microsoft.com/v1.0/users/my-user-id-here"
]
};
var response = await client.api(path)
.post(group);
Related reading:
Compare groups
Learn about Microsoft 365 Groups
Overview of Microsoft 365 Groups for administrators
Working with groups in Microsoft Graph
Create, edit, or delete a security group in the Microsoft 365 admin center
Creating teams and managing members using Microsoft Graph
Overview of Office 365 groups in Microsoft Graph
Other ideas about what could be causing error...
Visibility is supported only for unified groups; it is not supported for security groups.
Source
Maybe the combination of securityEnabled: true and visibility:Hiddenmembership are not compatible?
I tried changing it to securityEnabled: false and got the same message.
Is there something wrong with the token?
I copied the Authorisation: Bearer value from Chrome dev tools console and pasted at https://jwt.io and there were two additional scopes provided in the token - but all other scopes are present:
from your graph call, I saw you try to create the dynamic group and assign a member to this group, the dynamic group did not support to add members, that's the reason why you delete "dynamicMemberShip" under group type can fix this issue, below is the example to create dynamic groups via graph API call:
{
"description": "test1",
"displayName": "test1",
"groupTypes": [
"Unified",
"DynamicMembership"
],
"mailEnabled": true,
"membershipRule": "user.displayname -contains A",
"membershipRuleProcessingState":"On",
"mailNickname": "library",
"securityEnabled": false,
}
I can see that you have not given Group.Create permission in your permission set.
Give this permission to create a group.
For Application permission type, these all permissions are required:
Group.Create
Group.ReadWrite.All
Directory.ReadWrite.All
And for Delegated user permission type:
Group.ReadWrite.All
Directory.ReadWrite.All
Directory.AccessAsUser.All
I was able to create a Group by changing the following in graph.js:
groupTypes: ["Unified","DynamicMembership"]
to
groupTypes: ["Unified"]`
I have no idea why DynamicMembership causes an error.
It is a valid property value of Group > groupTypes listed at the link below with no caveats:
https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties
For reference, the code above creates:
Group
SharePoint 'Team Site'
Outlook email group
It does not automatically create a corresponding:
Team
Plan
You can see the new group listed in the following locations:
https://admin.microsoft.com/AdminPortal/Home#/groups
https://outlook.office365.com/people
https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups
And you can see the group 'Team Site' listed at:
https://your_account-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/siteManagement
I'm trying to use the Sample Graph API app to change a user's password but I'm getting:
Error Calling the Graph API Response:
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
Graph API Request:
PATCH /mytenant.onmicrosoft.com/users/some-guid?api-version=1.6 HTTP/1.1
client-request-id: ffd564d3-d716-480f-a66c-07b02b0e32ab
date-time-utc: 2017.08.10 03:04 PM
JSON File
{
"passwordProfile": {
"password": "Somepassword1$",
"forceChangePasswordNextLogin": false
}
}
I've tested updating the user's displayName and that works fine.
{
"displayName": "Joe Consumer"
}
AD Application Permissions
I've configured my app permissions as described here.
Check out this article. Seems like it has the same symptoms.
Solution 1:
If you are receiving this error when you call the API that includes only read permissions, you have to set permissions in Azure Management Portal.
Go to Azure Management Portal and click Active Directory.
Select your custom AD directory.
Click Applications and select your Application.
Click CONFIGURE and scroll down to the section 'Permissions to other applications'.
Provide required Application Permissions and Delegated Permissions for Windows Azure Active Directory.
Finally save the changes.
Solution 2:
If you are receiving this error when you call the API that includes delete or reset password operations, that is because those operations require the Admin role of Company Administrator. As of now, you can only add this role via the Azure AD Powershell module.
Find the service principal using Get-MsolServicePrincipal –AppPrincipalId
Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize
Use Add-MsolRoleMember to add it to Company Administrator role
$clientIdApp = 'your-app-id'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $clientIdApp
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
To connect to your B2C tenant via PowerShell you will need a local admin account. This blog post should help with that, see "The Solution" section.
Try below settings, works for me.
Used the below JSON
{
"accountEnabled": true,
"signInNames": [
{
"type": "emailAddress",
"value": "kart.kala1#test.com"
}
],
"creationType": "LocalAccount",
"displayName": "Joe Consumer",
"mailNickname": "joec",
"passwordProfile": {
"password": "P#$$word!",
"forceChangePasswordNextLogin": false
},
"passwordPolicies": "DisablePasswordExpiration",
"givenName": "Joe",
}
Also make sure you assign the application the user account, administrator role which will allow it to delete users link here