I am following this documentation : https://learn.microsoft.com/fr-fr/graph/api/b2cauthenticationmethodspolicy-get?view=graph-rest-beta&tabs=http
but even when I give my service principal the policy.read.all graph api permission, I still get 403 permission denied errors as response to my request. I have the same issue with the PATCH request and the Policy.ReadWrite.AuthenticationMethod.
Note : the bearer is correct, I can use it to make other requests.
I also found a log of the request in the azure ad saying :
Access denied. The token is app only but does not have any valid permissions.
According to your error message, you may not be a logged-in user, you need a logged-in user to call the api. Please follow my process:
First you need to grant the Policy.Read.All permission to the application, and then make the admin consent to the permission.
Next, you need to use the auth code flow to obtain the access token, which requires you to log in to the user to obtain the authorization code, and then use the authorization code to redeem the access token.
3.Call ms graph api:
In addition, calling the api also requires the user to have an administrator role:
You must have one of the following user roles for access: External ID
User Flow Administrator, External ID User Flow Attribute
Administrator, External Identity Provider Administrator, Application
Administrator, Security Administrator, Security Reader, Global Reader,
Global Administrator.
Related
This is my app's api permissions
api permissions
This is my postman settings
postman settings
I can get token successfully using an AD admin account
I can get all users successfully
user list
I can create calendar event successfully using this AD admin' user id
enter image description here
I can not create calendar event using another user id
enter image description here
First, this is the document api for introducing the api permission, you can see Permission type with Delegated and Application.
The second, this is the section for introducing the request example, you can see that there are 2 types /me and /users/{id | userPrincipalName}.
The difference between the 2 kinds of api permission is that, using Delegated permission means we need to make users sign in first to generate the access token and call the api, while Application permission not. So when we use Delegated api permission, we can use api request like /me because the token contained the user information so graph api knows who is me and me is authorized to access this api. So we can also use users/user_principle_name_of_the_signed_in_user here. But it doesn't mean we can use another user principle name here, because other users aren't authorized in the access token.
How can we put any user of your tenant into the request and call the api successfully? We need to use Application permission here. When you add api permission, you may notice it and please add application api permission. Then we need to use client credential flow to generate access token with application permission. Then you may try yor failed request with the new token.
Application permission means you are calling the graph api on behalf the application, so it doesn't require users to sign in, but using delegated permission is much more safe since it will generate access token with limited scope(the api permission you defined in the token generating request), but client credential flow uses /.defalut as the scope, this means all the application api permission in the azure ad application will be added to the generated token, you can't control which application permission is allowed and which is not allowed in one token.
My question is, does Microsoft Graph work without User.Read scope ? I am not able to request the email profile openid permissions directly.
It throws AccessDenied error. So is User.Read pre requisite for email profile or openid ?
User.Read is just the delegated permission for getting the user profile using MS Graph Get User. If your app does not need to read the user profile you don't need this permission but in most cases you do because you app is acting on behalf of the user.
Does Microsoft Graph work without User.Read scope ?
No, but in most cases, you need the scope to read user profile and call /me endpoints.
You should check the api document to see if calling that api required User.Read permission.
For instance: I wanna call this api to list emails, and we can see that this api provides 2 kinds of permissions, one is for delegate, another is for application(this means client credential flow is supported). All the api permissions are listed here and we need to go to azure ad portal to add the api permission to your azure ad application which used to generate access token.
After generating the access token, you can user jwt decode tool to check if your access token contains correct scopes(for delegate permission) or roles(for application permission). Using a correct token to call the api will not lead to AccessDenied error. By the way, newly added permission may be deferrable to take effect.
I have had success using OAuth 2.0 with EWS when using admin permission. Now I am trying to set it up so that an individual user can log in and grant access for himself. So I start a browser with this URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=f3f92d23-29dd-4465-828e-35300884ef61&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&response_type=code&scope=offline_access%20Calendars.ReadWrite.All%20Contacts.ReadWrite.All%20Mail.ReadWrite.All%20Tasks.ReadWrite%20User.ReadBasic.All
The browser allows me to log in to my test account, but then this error is returned:
error=invalid client
description=AADSTS650053 The application 'my app name' asked for scope 'Calendars.ReadWrite.All' that
doesn't exist on the resource '00000003-0000-0000-c000-000000000000'
In Azure, when looking at the API permissions for my application, I have 11 Exchange permissions, including both Application and Delegated permissions for Calendars.ReadWrite.All, in addition to all of the others that I requested.
What's going on here?
Because EWS is a legacy API it doesn't implement the more restrictive permission model that the Graph and Outlook REST API uses. The only permission that will work for Delegate access is EWS.AccessAsUser.All (Scope https://outlook.office.com/EWS.AccessAsUser.All). This gives full access to every folder in a Mailbox (and any mailboxes the user has been granted access to).It looks like you application registration already includes that permission so
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=f3f92d23-29dd-4465-828e-35300884ef61&redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient&response_type=code&scope=offline_access%20https%3A%2F%2Foutlook.office.com%2FEWS.AccessAsUser.All
should work
I'm trying to hit https://graph.microsoft.com/v1.0/users/{userId}/mailboxSettings endpoint with an auth token and in return receiving a 403 Error Access Denied response.
I have granted both application level and delegated permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. I can verify that these permissions are enabled on the installed application via examination of my decoded auth token with the jwt.ms. Here is the exert from the decoded token:
"scp": "Directory.AccessAsUser.All Files.ReadWrite.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send MailboxSettings.Read MailboxSettings.ReadWrite Sites.ReadWrite.All"
I have also verified that the user I am requesting mailboxSettings for has been granted access via Admin Consent.
I am able to return mailboxSettings if I hit the endpoint for either the admin userId or the https://graph.microsoft.com/v1.0/users/me/mailboxSettings endpoint. Any help would be much appreciated.
Quickly I tested with Microsoft Graph Explorer and it works for me. So i would request you to test the above API call with Graph Explorer and see if you can repro the issue or not.
I believe the problem is that your token was generated using Delegated scopes. The Delegated flavor of MailboxSettings.Read and MailboxSettings.ReadWrite may only access the currently authenticated user’s mailbox.
In order to access other users, you need to use Application scopes. You can read more about how these scopes work (and how to select them) in this blog post: Application vs Delegated Scopes.
As others have stated, delegated token only works for reading the mailboxSettings of the currently authenticated user. I had enabled mailboxSettings as an Application scope, yet I was getting the same error. The culprit of the issue was that I was using the Auth code grant for the token.
After switching to Client Credentials grant, I am successfully retrieving an Auth token that contains the mailboxSettings Application level scope, and am able to get 200 responses on endpoints for all users.
I am trying to get an access token to upload large files as described in the docs.
I am using client credentials grant flow to get access token per the documentation. I got an access token using that flow.
I tried to use that access token with this URI:
/v1.0/users/{userId}/drive/items/{itemId}/createUploadSession
but it gives me an error that "AccessDenied Either scp or roles claim need to be present in the token"
I have granted admin permission for the app. I have tried this flow in both postman and in coding but both give the same error.
Well as Marc pointed out Sites.ReadWrite.All was the only permission i needed, it was just that permission had not been accepted by admin.so the roles were not visible in my access token.Now i am able to call graph api using that access token.