I am making an application for Microsoft Teams.
Must get the teams in Microsoft Teams that the user is a direct member of.
If I use the same email under which I registered the application in Active Directory, then getting the list on request to /me/joinedTeams is not difficult.
However, if I am using someone else's Teams account, I get an UnknownError when requesting /me/joinedTeams.
I noticed that after consent and authorization in the Microsoft Graph, the user has a token shorter than mine.
However, it works with other endpoints (/me and /drive/root).
Permissions are exposed in accordance with the documentation.
Permissions:
Directory.Read.All
Directory.ReadWrite.All
email
Files.Read
Files.Read.All
Files.Read.Selected
Group.Read.All
Group.ReadWrite.All
offline_access
openid
profile
Team.ReadBasic.All
TeamsAppInstallation.ReadWriteSelfForChat.All
TeamsAppInstallation.ReadWriteSelfForTeam.All
TeamsAppInstallation.ReadWriteSelfForUser.All
TeamSettings.Read.All
TeamSettings.ReadWrite.All
User.Read
User.Read.All
User.ReadWrite.All
enter image description here
Here you are getting the error because the /me/joinedTeams doesn't support personal accounts. See this document.
It works for /me and /drive/root because it supports personal accounts. See this document and this document.
Related
We have recently started getting a 401 response with "Requested API is not supported in Admin On-Behalf-Of mode" when calling certain Microsoft endpoints. Specifically,
GET https://graph.microsoft.com/beta/chats/{channelId}/messages/{messageId}
GET https://graph.microsoft.com/v1.0/users/{userId}/joinedTeams
GET https://graph.microsoft.com/v1.0/me/joinedTeams
However this one works
GET https://graph.microsoft.com/v1.0/me
Some information about the setup:
We are using a token with delegated scopes
The token has the required permissions:
AppCatalog.ReadWrite.All
ChannelMessage.Send Chat.Create Chat.Read Chat.ReadWrite
ChatMember.ReadWrite Files.Read.All Files.ReadWrite Sites.Read.All
Sites.ReadWrite.All Team.ReadBasic.All User.Read User.Read.All
User.ReadBasic.All User.ReadWrite.All profile openid email
This has previously worked with the same token
This is happening on the v1.0 and beta endpoints
We tried removing admin consent from each scopes but still faced the
same issue
I cannot find any information in the MS documentation regarding Admin On-Behalf-Of mode and wondered if anyone could shed any light on what we could be doing wrong?
Further Update.
We have now been able to reproduce this on a tenant and has to do with external guest users. These users are able to authenticate into the tenant but you cannot use the token obtained to call some of the Graph API endpoints - Anyone know why this is?
We have tried changing all the settings in External Identities in AAD but still getting the same response on the Graph API endpoints
My question is, does Microsoft Graph work without User.Read scope ? I am not able to request the email profile openid permissions directly.
It throws AccessDenied error. So is User.Read pre requisite for email profile or openid ?
User.Read is just the delegated permission for getting the user profile using MS Graph Get User. If your app does not need to read the user profile you don't need this permission but in most cases you do because you app is acting on behalf of the user.
Does Microsoft Graph work without User.Read scope ?
No, but in most cases, you need the scope to read user profile and call /me endpoints.
You should check the api document to see if calling that api required User.Read permission.
For instance: I wanna call this api to list emails, and we can see that this api provides 2 kinds of permissions, one is for delegate, another is for application(this means client credential flow is supported). All the api permissions are listed here and we need to go to azure ad portal to add the api permission to your azure ad application which used to generate access token.
After generating the access token, you can user jwt decode tool to check if your access token contains correct scopes(for delegate permission) or roles(for application permission). Using a correct token to call the api will not lead to AccessDenied error. By the way, newly added permission may be deferrable to take effect.
I have a Microsoft Graph & MSA/AAD v2 daemon which is exclusively for Server Side API access. In the Azure Portal I have granted admin consent for my Microsoft account (MSA) for User.Read.All and Files.Read.All.
I can successfully get a token, and I have tried both /me/drive/root and /users/{user_guid}/drive/root with the same return result:
GraphError {
statusCode: 400,
code: 'BadRequest',
message: 'Tenant does not have a SPO license.',
requestId: 'guid',
date: 2020-06-08T09:53:12.000Z,
body: '{"code":"BadRequest","message":"Tenant does not have a SPO license.","innerError":{"request-id":"guid","date":"2020-06-08T02:53:12"}}'
}
Note: I'm aware SPO refers to SharePoint Online & OneDrive for Business, however this is for a Microsoft account user, and I am intending to access their OneDrive Consumer (i.e. http://onedrive.live.com).
Is the Graph incapable of accessing OneDrive for Consumers? Or is it only possible with Delegated permissions? I did not see any reference in both the Graph and OneDrive dev docs.
After talking with the Microsoft Identity team, it is not currently a supported scenario to access a Microsoft account user's personal OneDrive (or other Microsoft Graph) content using the client_credentials grant type.
You can obtain admin consent for an MSA user, however those scenarios are limited to the MSA user operating as a guest user in your AAD tenant, or requires them to otherwise have an M365 license and associated SharePoint Online instance.
If you are looking to access an MSA user's content from a service, persisting the refresh token in the service and obtaining consent for offline_access currently appears to be the recommended method.
We have to generate an online meeting request from our Dynamics CRM System. We tried using the Microsoft graphs API, and were able to generate the token. However while submitting the request, we get a 403 Forbidden Error. We have registered our application in Azure and also given the required API permissions.
I have attached the screenshots of our testing. I am testing this on my personal Azure test account.
Screenshots
The user has to consent the permission:
Consent experience
Azure AD will sign the user in and ensure their consent for the permissions your app requests.
At this point, the user will be asked to enter their credentials to authenticate with Microsoft. The Microsoft identity platform v2.0 endpoint will also ensure that the user has consented to the permissions indicated in the scope query parameter. If the user has not consented to any of those permissions and if an administrator has not previously consented on behalf of all users in the organization, they will be asked to consent to the required permissions.
I am new to Azure and Microsoft Graph API.
I am trying to access: https://graph.microsoft.com/v1.0/me/messages
and I am getting a `404 Not Found.
I took the access token and decrypted in JWT and I can see the access token contains my name and credentials and the scopes defined are :
Directory.AccessAsUser.All Directory.Read.All email Files.ReadWrite Group.Read.All Mail.Send offline_access openid profil.Read
Can someone please suggest why I am getting a bad request?
In order to list (read) the mail messages (as described here) you need the Mail.Read or Mail.ReadWrite (if you also want to write messages) permission (scope).
With respect to mailing functionality you only have requested (or granted?) Mail.Send permission which only allows you send message (as described here).
The email claim is OpenID Connect specific claim and provides the logged-in user's email as claim. It has nothing to do with Exchange Online and sending/receiving e-mails.