Microsoft Graph API support for applicationRefs information - microsoft-graph-api

The Azure portal still uses the Azure AD Graph API in some places. One thing it uses it for is to list API permissions. For this, the portal uses the REST API target GET https://graph.windows.net/myorganization/applicationRefs/c5393580-f805-4401-95e8-94b7a6ef2fc2?api-version=2.0 (example shown for the Office 365 Management API). I've searched and cannot seem to find a way to list similar permission sets using the Microsoft Graph API. Is there a way to access this using the Microsoft Graph API?

Ok, I was going to upvote one of the previous answers, but my profile is too new. :( You can do this by reading the MS Graph service principal in your tenant as described above. This PowerShell code gives an example (it's used in a command called Find-GraphPermission in the autographps and autographps-sdk modules).
Basic approach is:
Get app-only permissions from the appRoles property of the servicePrincipal
Get delegated permissions from the publishedPermissionScopes property
Each element of appRoles has an id that can be read or written from a given appRoleAssignment object on an app's servicePrincipal in your tenant. Note that each appRole element has a value property that is the common friendly name of the app-only permission (e.g. BitlockerKey.ReadBasic.All).
A similar id and value pair exists for each element of publishedPermissionScopes, which gives you the delegated permissions. You can use those ids with oauth2PermissionGrant objects under the segment /oauth2PermissionGrants to enumerate consent grants for a given servicePrincipal (and thus app) in your tenant, or to grant or remove consent.
Note that the ids for both appRoles and publishedPermissionScopes are the same in all tenants, so you can actually perform this same mapping of friendly names to ids for any tenant, and use a static snapshot. This can be useful as your application may not be able to read the Microsoft Graph servicePrincipal object. If you store a static version, you'll have the mapping regardless and you'll only miss any new permissions that get added to Microsoft Graph for new APIs.
This file contains a snapshot of the MS Graph servicePrincipal as a fairly readable JSON-like PowerShell hash table: https://github.com/adamedx/autographps-sdk/blob/main/src/common/DefaultScopeData.ps1

For this requirement, you can use this Microsoft Graph API: https://graph.microsoft.com/v1.0/applications/<object id of the application>
It will return a result like the screenshot below (please pay attention to the field requiredResourceAccess):
The content under requiredResourceAccess is the API permissions of this application. The type Scope means the permission is the Delegated type and the type Role means the permission is the Application type.
Then follow the steps below to find out which permission each id under the resourceAccess field refers to.
Copy the resourceAppId (in my screenshot it is 00000003-0000-0000-c000-000000000000) and request the Graph API: https://graph.microsoft.com/v1.0/serviceprincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
Copy one of the ids under the resourceAccess field in the response of the first Graph API call. For example, copy the first id a154bxxxxxxxxxxx59 in my first screenshot. Then search for this id in the response of the second Graph API call; we can find that this id refers to the User.Read.All permission.
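The two answers above describe the same mapping: read the app registration's requiredResourceAccess, look up the resource's servicePrincipal in your tenant by its global appId, and translate each id via the servicePrincipal's appRoles (application permissions, type Role) and oauth2PermissionScopes (delegated permissions, type Scope; the property is called publishedPermissionScopes on /beta). The script below is an added example and not code from either answer; it runs offline against constructed sample JSON, builds the two request URLs, and does the resolution with two checks a reviewer wants: ids the servicePrincipal does not publish are flagged rather than dropped, and the declared type is compared with the kind the servicePrincipal actually publishes for that id. The sample GUIDs are the published Microsoft Graph ids for User.Read and User.Read.All; confirm them against the servicePrincipal in your own tenant.

```python
"""Resolve requiredResourceAccess ids to permission names via the resource's
servicePrincipal (Microsoft Graph v1.0). Constructed sample data, no network calls."""
from typing import Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph; same appId in every tenant


def application_url(object_id: str) -> str:
    """First request: the app registration, which carries requiredResourceAccess."""
    return f"{GRAPH}/applications/{object_id}"


def service_principal_lookup_url(resource_app_id: str) -> str:
    """Second request: the resource's servicePrincipal in *this* tenant, found by its global appId."""
    return f"{GRAPH}/servicePrincipals?$filter=appId eq '{resource_app_id}'"


def permission_map(sp: dict) -> Dict[str, Tuple[str, str]]:
    """id -> (type, friendly value).

    appRoles are application (app-only) permissions, type 'Role';
    oauth2PermissionScopes (publishedPermissionScopes on /beta) are delegated, type 'Scope'.
    Ids are compared case-insensitively because GUID casing varies between responses.
    """
    scopes = sp.get("oauth2PermissionScopes") or sp.get("publishedPermissionScopes") or []
    table = {r["id"].lower(): ("Role", r["value"]) for r in sp.get("appRoles", [])}
    table.update({s["id"].lower(): ("Scope", s["value"]) for s in scopes})
    return table


def resolve_required_access(app: dict, sps_by_app_id: Dict[str, dict]) -> List[dict]:
    """Expand every resourceAccess entry into a readable row.

    Unknown ids are kept and flagged rather than dropped, and the declared type is
    checked against the kind the servicePrincipal publishes for that id.
    """
    rows = []
    for rra in app.get("requiredResourceAccess", []):
        sp = sps_by_app_id.get(rra["resourceAppId"])
        table = permission_map(sp) if sp else {}
        for access in rra.get("resourceAccess", []):
            kind, value = table.get(access["id"].lower(), (None, None))
            rows.append({
                "resource": sp["displayName"] if sp else rra["resourceAppId"],
                "id": access["id"],
                "type": access["type"],  # 'Scope' = delegated, 'Role' = application
                "value": value or "<unknown id>",
                "typeMatches": kind is None or kind == access["type"],
            })
    return rows


def application_permissions(rows: List[dict]) -> List[dict]:
    """App-only ('Role') permissions need no signed-in user, so review these first."""
    return [r for r in rows if r["type"] == "Role"]


# Constructed sample data. The two GUIDs are Microsoft Graph's published ids for the
# User.Read delegated scope and the User.Read.All app role; confirm against your tenant's SP.
USER_READ_SCOPE = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
USER_READ_ALL_ROLE = "df021288-bdef-4463-88db-98f22de89214"

SAMPLE_GRAPH_SP = {
    "appId": MS_GRAPH_APP_ID,
    "displayName": "Microsoft Graph",
    "appRoles": [{"id": USER_READ_ALL_ROLE, "value": "User.Read.All"}],
    "oauth2PermissionScopes": [{"id": USER_READ_SCOPE, "value": "User.Read"}],
}

SAMPLE_APP = {
    "displayName": "sample-automation-app",
    "requiredResourceAccess": [{
        "resourceAppId": MS_GRAPH_APP_ID,
        "resourceAccess": [
            {"id": USER_READ_SCOPE, "type": "Scope"},
            {"id": USER_READ_ALL_ROLE, "type": "Role"},
            {"id": "00000000-0000-0000-0000-0000deadbeef", "type": "Scope"},  # not published by the SP
            {"id": USER_READ_SCOPE, "type": "Role"},  # wrong type for a delegated scope id
        ],
    }],
}

if __name__ == "__main__":
    for row in resolve_required_access(SAMPLE_APP, {MS_GRAPH_APP_ID: SAMPLE_GRAPH_SP}):
        print(row)
```

Because the ids are identical in every tenant, the table returned by permission_map can be snapshotted and shipped with a tool that is not allowed to read the Microsoft Graph servicePrincipal itself; the "<unknown id>" rows then tell you when the snapshot is stale.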

Related

Graph API - Sharepoint document library permissions not returned

I discovered today that permissions are not returned anymore using this query using a regular user (it is working with a Global admin account):
https://graph.microsoft.com/v1.0/sites/<siteId>/lists/<listId>/drive/items/<folderId>?&expand=Permissions
The list of permission returned is empty.
Same result using
https://graph.microsoft.com/v1.0/sites/<siteId>/lists/<listId>/drive/items/<folderId>/Permissions
Based on documentation, For a non-owner caller, only the sharing permissions that apply to the caller are returned.
If I'm going directly in SharePoint with the user, I see the right permissions.
According to the remarks:
The permissions relationship of DriveItem cannot be expanded as part of a call to get DriveItem or a collection of DriveItems. You must access the permissions property directly.
Could you try to call this endpoint?
GET /v1.0/sites/<siteId>/lists/<listId>/drive/items/<folderId>/permissions
Resources:
Permissions
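The answer's point is that permissions on a driveItem have to be read through the /permissions relationship itself, not through $expand, and that a non-owner caller only sees the permissions that apply to them, so an empty list can be a visibility limit rather than an error. The code below is an added example, not part of the question or answer; it builds the direct URL, summarizes a constructed permissions response in the shape of the Graph permission resource (grantedToV2, grantedToIdentitiesV2, link, inheritedFrom), and flags the grants a reviewer cares about: anonymous links and any sharing link that grants write.

```python
"""Read a driveItem's sharing permissions via the direct /permissions relationship and
flag risky grants. Constructed sample response, no network calls."""
from typing import List

GRAPH = "https://graph.microsoft.com/v1.0"


def permissions_url(site_id: str, list_id: str, item_id: str) -> str:
    """The permissions relationship must be requested directly; $expand=permissions on
    the driveItem is not supported and comes back empty."""
    return f"{GRAPH}/sites/{site_id}/lists/{list_id}/drive/items/{item_id}/permissions"


def _grantee(perm: dict) -> str:
    """Best-effort display of who holds the permission (direct grant or link recipients)."""
    granted = perm.get("grantedToV2") or perm.get("grantedTo") or {}
    for key in ("user", "siteUser", "group", "siteGroup", "application"):
        ident = granted.get(key)
        if ident:
            return ident.get("email") or ident.get("displayName") or ident.get("id", "?")
    names = []
    for g in perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []:
        for key in ("user", "siteUser", "group", "siteGroup"):
            ident = g.get(key)
            if ident:
                names.append(ident.get("email") or ident.get("displayName") or ident.get("id", "?"))
    return ", ".join(names) or "<anyone with the link>"


def summarize(response: dict) -> List[dict]:
    """One row per permission: roles, grantee, and how it was granted.

    An empty 'value' is not necessarily an error: for a non-owner caller Graph returns
    only the permissions that apply to the caller, so compare with an owner's view.
    """
    rows = []
    for p in response.get("value", []):
        link = p.get("link") or {}
        if link:
            via = f"link:{link.get('scope', '?')}"
        elif p.get("inheritedFrom"):
            via = "inherited"
        else:
            via = "direct"
        rows.append({"id": p["id"], "roles": p.get("roles", []), "grantee": _grantee(p), "via": via})
    return rows


def risky(rows: List[dict]) -> List[dict]:
    """Anonymous links of any kind, and any sharing link that grants write."""
    return [
        r for r in rows
        if r["via"] == "link:anonymous" or (r["via"].startswith("link:") and "write" in r["roles"])
    ]


# Constructed sample response (shape of the permission resource; values are invented).
SAMPLE_RESPONSE = {
    "value": [
        {"id": "p1", "roles": ["owner"], "inheritedFrom": {"id": "parent-folder"},
         "grantedToV2": {"group": {"displayName": "Site Owners"}}},
        {"id": "p2", "roles": ["write"],
         "grantedToV2": {"user": {"email": "alice@contoso.example", "displayName": "Alice"}}},
        {"id": "p3", "roles": ["read"], "link": {"type": "view", "scope": "anonymous"}},
        {"id": "p4", "roles": ["write"], "link": {"type": "edit", "scope": "organization"}},
    ]
}

if __name__ == "__main__":
    for row in risky(summarize(SAMPLE_RESPONSE)):
        print(row)
```

Run the same summary once with an owner's token and once with the regular user's token: the difference between the two lists is exactly the set of grants the non-owner is not allowed to see, which is the behaviour the question ran into.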

How can I access a mailbox with restricted permissions through EWS without interactive login?

We need to read out distribution lists from a contact folder of a dedicated exchange/outlook mailbox (O365). The process must run as a service with no user interaction.
Unfortunately the Graph API does not support distribution lists (not even the Graph beta version does). Because of this we have to use another API - I tried using EWS.
I succeeded by granting the full_access_as_app permission to our service. However, this allows reading and modifying ANY data in ANY mailbox, which is a security risk. Granting this permission only to read out some distribution lists from one mailbox is not acceptable.
So I tried to use the ROPC flow that should allow authenticating a user and then accessing the mailbox with the permissions of this user. I followed the information here: How to get OAuth2 access token for EWS managed API in service/daemon application
(Btw I found this post linked in the discussion here: https://github.com/microsoftgraph/microsoft-graph-docs/issues/5659 which has some more information about the topic.)
I exactly followed the steps mentioned above but unfortunately this is not working: I always get a “401 Unauthorized” exception when doing the EWS calls (OAuth calls succeed) and no additional information.
According to https://developer.microsoft.com/en-us/graph/blogs/upcoming-changes-to-exchange-web-services-ews-api-for-office-365/ this is no longer working. So how can I read out distribution lists from a specific mailbox without giving full access and without an interactive login?
EDIT
Here as requested the full code:
string[] ewsScopes = { "https://outlook-tdf-2.office.com/EWS.AccessAsUser.All" };
IPublicClientApplication clientApplication = PublicClientApplicationBuilder.Create(appId).WithAuthority(AzureCloudInstance.AzurePublic, tenantId).Build();
NetworkCredential credentials = new NetworkCredential(appUsername, appPassword);
AuthenticationResult authResult = await clientApplication.AcquireTokenByUsernamePassword(ewsScopes, credentials.UserName, credentials.SecurePassword).ExecuteAsync().ConfigureAwait(false);
ExchangeService exchangeService = new ExchangeService
{
Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx"),
Credentials = new OAuthCredentials(authResult.AccessToken),
};
ItemView view = new ItemView(int.MaxValue)
{
PropertySet = new PropertySet(ItemSchema.Id),
};
SearchFilter.IsEqualTo filter = new SearchFilter.IsEqualTo(ItemSchema.ItemClass, "IPM.Contact");
FindItemsResults<Item> ewsResult = await exchangeService.FindItems(WellKnownFolderName.Contacts, filter, view).ConfigureAwait(false);
I have also tried with other scopes such as "https://outlook.office.com/EWS.AccessAsUser.All" or "https://outlook.office365.com/EWS.AccessAsUser.All" but without success. I feel the problem might be related to the scope? I can see that the Exchange legacy API that was listed in the Azure UI when adding permissions is now gone...?
The scope in your code is wrong (I'm not sure where you got that from); it should be
string[] ewsScopes = { "https://outlook.office.com/EWS.AccessAsUser.All" };
Using your code with the scope you had gives a 401 error, and if you look at the response headers of the EWS response it actually tells you that the scope is the issue, e.g.
2000003;reason="The audience claim value is invalid for current resource. Audience claim is 'https://outlook-tdf-2.office.com/', request url is 'https://outlook.office365.com/EWS/Exchange.asmx' and resource type is 'Exchange'.";error_category="invalid_resource"
Using your code with the correct scope works fine
But then why is the option to add the Exchange Legacy permission (step 6 in the MS docu mentioned above) gone from the Azure UI?
It hasn't been removed from the Azure UI; they have just moved all the Exchange legacy permissions (including the ones used in the Exchange Admin cmdlets, which isn't really a legacy API) under the Graph permissions. Why they did it this way and didn't communicate it well (I only just saw it today as well) I'm not sure.
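The diagnostic quoted in the answer above says what went wrong: the access token's aud claim was "https://outlook-tdf-2.office.com/" while the request went to outlook.office365.com, and Exchange rejects a token minted for a different resource. The script below is an added example and not code from the question or the answers; it inspects a token's aud claim offline (decoding the payload without verifying the signature, which is fine for looking at a token you just obtained for yourself and never acceptable for an authorization decision) and parses that semicolon-separated diagnostic value. The set of audiences it accepts (both outlook.office.com and outlook.office365.com, which the answers report as working, plus the Exchange Online appId) is an assumption to verify in your tenant. The tokens are constructed with a placeholder signature so the example runs without MSAL or a network.

```python
"""Diagnose the EWS 401 from the answer above: decode the token's aud claim (no signature
verification) and parse the diagnostic header value EWS returns. Constructed tokens, offline."""
import base64
import json
import re
from typing import Dict, Iterable, Tuple

# Audiences Exchange Online accepts for EWS (assumption, verify in your tenant):
# both public hostnames and the Exchange Online appId.
EWS_ACCEPTED_AUDIENCES = {
    "https://outlook.office.com",
    "https://outlook.office365.com",
    "00000002-0000-0ff1-ce00-000000000000",
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Fine for inspecting a token you
    just obtained for yourself; never base an authorization decision on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def _normalize(aud: str) -> str:
    return aud.strip().rstrip("/").lower()


def audience_matches(token: str, accepted: Iterable[str] = EWS_ACCEPTED_AUDIENCES) -> Tuple[bool, str]:
    """EWS rejects a token whose aud is not the Exchange resource, which is exactly what the
    scope 'https://outlook-tdf-2.office.com/EWS.AccessAsUser.All' produced."""
    aud = jwt_claims(token).get("aud", "")
    auds = aud if isinstance(aud, list) else [aud]
    wanted = {_normalize(x) for x in accepted}
    ok = any(_normalize(a) in wanted for a in auds)
    return ok, ", ".join(auds)


_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_ews_auth_error(header_value: str) -> Dict[str, str]:
    """Parse the diagnostic value quoted in the answer: <code>;reason="...";error_category="..." """
    code, _, rest = header_value.partition(";")
    out = {"code": code.strip()}
    out.update(_KV.findall(rest))
    return out


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token for offline testing; the signature segment is a placeholder."""
    def seg(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.placeholder-signature"


# Constructed tokens: the first reproduces the aud from the quoted diagnostic.
BAD_TOKEN = make_unsigned_token({"aud": "https://outlook-tdf-2.office.com/", "scp": "EWS.AccessAsUser.All"})
GOOD_TOKEN = make_unsigned_token({"aud": "https://outlook.office365.com", "scp": "EWS.AccessAsUser.All"})
SAMPLE_DIAGNOSTIC = (
    '2000003;reason="The audience claim value is invalid for current resource. '
    "Audience claim is 'https://outlook-tdf-2.office.com/', request url is "
    "'https://outlook.office365.com/EWS/Exchange.asmx' and resource type is 'Exchange'.\";"
    'error_category="invalid_resource"'
)

if __name__ == "__main__":
    for name, tok in (("bad", BAD_TOKEN), ("good", GOOD_TOKEN)):
        print(name, audience_matches(tok))
    print(parse_ews_auth_error(SAMPLE_DIAGNOSTIC))
```

Checking aud before the first EWS call turns a bare 401 into an actionable message; the scp claim decoded alongside it shows whether the delegated EWS.AccessAsUser.All scope was actually granted, which is the least-privilege alternative to full_access_as_app that the question is after.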
Yesterday, Nov 19th, Microsoft updated the documentation: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
Following the new documentation it works (again). The main difference is to use the shortened scope "EWS.AccessAsUser.All" and not any of the full scopes found in many examples and posts such as “https://outlook.office.com/EWS.AccessAsUser.All”, “https://outlook.office365.com/EWS.AccessAsUser.All” etc.
Thank you MS for wasting my time.
Distribution groups are only exposed in Exchange PowerShell today, and are not currently supported via the Microsoft Graph API.
Please vote on this feature request on UserVoice:

Use Microsoft Graph API to Obtain User Primary Email Address using Email Alias

I'm using the Microsoft Graph API within a PowerShell script to automate the creation of Microsoft Teams teams. I am obtaining email addresses from a database of a proprietary non-Microsoft application that does not contain the Microsoft User Id. The Microsoft User ID is needed in order to add members to the Teams.
I am using the Microsoft Graph URI:
graph.microsoft.com/v1.0/users/
to obtain the User Id.
Unfortunately, that database sometimes contains an email alias rather than the user's primary email address. When the script attempts to obtain the person's User Id using an alias, the Graph API call returns an error.
For example, when the primary email address is "jsmith@abc.com" but the database contains his alias "joe@abc.com", I was expecting to be able to call that API with a filter such as:
graph.microsoft.com/v1.0/users?$filter=alias eq 'joe@abc.com'
but I can find no such filter option.
I would appreciate any tips on how to solve this problem.
The user object has a property called otherMails. This is a multi-value property.
The filter syntax is different for multi-value properties.
To filter users by alias, you'll need to use:
https://graph.microsoft.com/v1.0/users?$filter=otherMails/any(c:c eq 'joe@abc.com')
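The answer's filter puts a value taken from an external database straight into an OData expression, so the example below (added here, not part of the question or answer) builds the same otherMails/any(...) filter with the value quoted as an OData string literal, URL-encodes the query, and only returns a user id when exactly one user came back and that user really lists the alias. The point of the quoting is that an address containing a single quote, whether by accident or on purpose, would otherwise change which users the filter matches, and the point of the uniqueness check is that a team-membership script must not add the wrong person on an ambiguous match. The responses are constructed; the request itself is not sent.

```python
"""Build a safe Graph $filter for the multi-valued otherMails property and resolve an
alias to exactly one user id. Constructed responses, no network calls."""
from typing import Optional
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def odata_string(value: str) -> str:
    """Quote a value as an OData string literal: single quotes are doubled. Without this,
    an address like  x') or (mail eq 'y  would change which users the filter matches."""
    return "'" + value.replace("'", "''") + "'"


def alias_filter(email: str) -> str:
    """any() lambda form, required for multi-valued properties such as otherMails."""
    return f"otherMails/any(c:c eq {odata_string(email)})"


def users_by_alias_url(email: str, select=("id", "userPrincipalName", "mail", "otherMails")) -> str:
    """Percent-encode the whole query so '$', spaces, quotes and '@' survive the URL."""
    params = {"$filter": alias_filter(email), "$select": ",".join(select)}
    return f"{GRAPH}/users?" + urlencode(params, quote_via=quote)


def pick_user_id(response: dict, email: str) -> Optional[str]:
    """Return the id only when exactly one user matched and that user actually carries the
    alias; anything else is None so the caller fails closed instead of guessing."""
    users = response.get("value", [])
    if len(users) != 1:
        return None
    user = users[0]
    aliases = [m.lower() for m in user.get("otherMails", [])]
    return user["id"] if email.lower() in aliases else None


# Constructed sample responses.
ONE_MATCH = {"value": [{
    "id": "11111111-aaaa-4bbb-8ccc-000000000001",
    "userPrincipalName": "jsmith@abc.com",
    "mail": "jsmith@abc.com",
    "otherMails": ["joe@abc.com"],
}]}
NO_MATCH = {"value": []}
TWO_MATCHES = {"value": [{"id": "a", "otherMails": ["joe@abc.com"]},
                         {"id": "b", "otherMails": ["joe@abc.com"]}]}

if __name__ == "__main__":
    print(users_by_alias_url("joe@abc.com"))
    print(pick_user_id(ONE_MATCH, "joe@abc.com"))
```

If the external database can also hold addresses that Exchange treats as proxy addresses rather than otherMails entries, a second lookup will be needed; that is outside what the answer covers, so the example sticks to otherMails.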

Connecting to Graph API for education application permissions

I am trying to create a flow process to automate creating CSV files which contains the student, teacher assignment, submissions, and submission outcomes. I have registered an app in Azure AD and I can connect to this fine via PowerShell with delegate permissions and see all of the data I need.
However, when I try to connect with application permissions EduAdministration.Read.All, EduAssignments.Read.All and EduRoster.Read.All, I can only see basic Class and Student information. So calling https://graph.microsoft.com/v1.0/education/classes works but calling https://graph.microsoft.com/v1.0/education/classes/CLASSID/assignments does not (I get a "Resource not found for the segment 'assignments'").
As I have an admin account which is a member of the CLASSID team, I can see all of this information if running from graph explorer with delegated permissions.
So, is there something else I need to do to get the application .Read.All permissions working or are there a tutorial of how to connect to graphs with Flow using delegated permissions?
There are a couple of things going on here:
"Resource not found for the segment 'assignments'" Error
You're receiving this error because you're attempting to call the Assignments endpoint in v1.0. Assignments is still in Beta, so you need to use /beta, not /v1.0.
Once you get past the segment error, you will still have a permissions issue. The Assignments endpoint only supports Delegated scopes. The inverse is true for Classes which only return limited information using Delegated scopes. In order to call both endpoints, you'll want to have two separate tokens (one delegated, one application):
For /education/classes/{id}, use the Application scope EduRoster.Read.All.
For /education/classes/{id}/assignments/, use the Delegated scope EduAssignments.Read.

How to use $expand API parameter with $select on list users API of Microsoft graph?

We are using Microsoft Graph APIs ( https://graph.microsoft.com/v1.0/ ) to get all users from Azure Active Directory ( AAD ).
We get the basic user parameters as the response.
We don't get manager, groups & roles of the user in the list users API paged response. We need to call separate API for an individual user with his AAD id & get this additional information. We come across this $expand parameter in API documentation which states the following (emphasis mine):
Note: Not all relationships and resources support the $expand query parameter. For example, you can expand the directReports, manager, and memberOf relationships on a user, but you cannot expand its events, messages, or photo relationships. Not all resources or relationships support using $select on expanded items.
This note clearly suggests we shall get manager & memberOf properties for the user. But when we tried this with /users API it throws bad requests.
Again we searched more in an article titled Known issues with Microsoft Graph it has the information about $expand as follows,
$expand:
No support for nextLink
No support for more than 1 level of expand
No support with extra parameters ($filter, $select)
What is the exact use of $expand? How do we get additional information like manager, roles & groups of the user in List users API so that we don't have to call separate APIs per user?
The APIs below are under the /beta version of Microsoft Graph and are subject to change. Use of these APIs in production applications is not supported.
$expand-Normally, you can query either the properties of a resource or one of its relationships in a single request, but not both. You can use the $expand query string parameter to include the expanded resource or collection referenced by a single relationship (navigation property) in your results.
memberOf gives the groups, directory roles and administrative units that the user is a member of.
https://graph.microsoft.com/beta/users?$expand=memberof
To get manager details, use the query below:
https://graph.microsoft.com/beta/users?$expand=manager
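The question quotes the known issue that $expand has "no support for nextLink", which in practice means the expanded memberOf collection cannot be paged: a user with more memberships than fit in one expanded collection comes back with a truncated list and no indication beyond its length. The code below is an added example, not part of the question or answer; it walks a /users?$expand=memberOf result (top-level @odata.nextLink paging still works and is followed), splits each user's memberOf into groups, directory roles and administrative units by @odata.type, and, when the expanded list reached the cap, re-reads that user's memberships through a supplied function that stands in for paging /users/{id}/memberOf. The cap of 20 objects is an assumption to confirm against the current documentation, and the pages are constructed so the example runs offline.

```python
"""Collect each user's groups and directory roles from /users?$expand=memberOf, following
top-level paging and falling back when the expanded collection may be truncated.
Constructed pages, no network calls."""
from typing import Callable, Dict, Iterator, List

GRAPH = "https://graph.microsoft.com"
# Assumption: an expanded collection returns at most this many objects and carries no
# nextLink of its own (the "No support for nextLink" item above). Verify against current docs.
EXPAND_CAP = 20

ODATA_TYPES = {
    "#microsoft.graph.group": "groups",
    "#microsoft.graph.directoryRole": "directoryRoles",
    "#microsoft.graph.administrativeUnit": "administrativeUnits",
}


def users_expand_url(relationship: str, version: str = "beta") -> str:
    return f"{GRAPH}/{version}/users?$expand={relationship}"


def iter_pages(first_page: dict, get_json: Callable[[str], dict]) -> Iterator[dict]:
    """Top-level @odata.nextLink paging still works; only the expanded collection lacks it."""
    page = first_page
    while True:
        yield page
        next_link = page.get("@odata.nextLink")
        if not next_link:
            return
        page = get_json(next_link)


def classify(member_of: List[dict]) -> Dict[str, List[str]]:
    """Bucket memberOf objects by @odata.type; anything unexpected goes to 'other'."""
    buckets: Dict[str, List[str]] = {name: [] for name in ODATA_TYPES.values()}
    buckets["other"] = []
    for obj in member_of:
        buckets[ODATA_TYPES.get(obj.get("@odata.type"), "other")].append(obj["id"])
    return buckets


def memberships(first_page: dict, get_json: Callable[[str], dict],
                fetch_all_member_of: Callable[[str], List[dict]]) -> Dict[str, dict]:
    """user id -> classified memberships. When the expanded memberOf hit the cap the list
    may be incomplete, so re-read it via /users/{id}/memberOf, which pages normally."""
    result: Dict[str, dict] = {}
    for page in iter_pages(first_page, get_json):
        for user in page.get("value", []):
            members = user.get("memberOf", [])
            truncated = len(members) >= EXPAND_CAP
            if truncated:
                members = fetch_all_member_of(user["id"])
            entry = classify(members)
            entry["fellBack"] = truncated
            result[user["id"]] = entry
    return result


def _group(i: int) -> dict:
    return {"@odata.type": "#microsoft.graph.group", "id": f"g{i}"}


# Constructed sample pages: u1 has a short list; u2, on page two, hit the cap.
PAGE_2 = {"value": [{"id": "u2", "memberOf": [_group(i) for i in range(EXPAND_CAP)]}]}
PAGE_1 = {
    "@odata.nextLink": "https://graph.microsoft.com/beta/users?$expand=memberOf&$skiptoken=constructed",
    "value": [{"id": "u1", "memberOf": [_group(1), {"@odata.type": "#microsoft.graph.directoryRole", "id": "r1"}]}],
}
PAGES = {PAGE_1["@odata.nextLink"]: PAGE_2}


def fake_get_json(url: str) -> dict:
    """Stands in for an authenticated GET; serves the constructed pages by URL."""
    return PAGES[url]


def fake_fetch_all_member_of(user_id: str) -> List[dict]:
    """Stands in for paging /users/{id}/memberOf; in the sample, u2 really has 25 groups."""
    return [_group(i) for i in range(25)]


if __name__ == "__main__":
    print(memberships(PAGE_1, fake_get_json, fake_fetch_all_member_of))
```

The directoryRoles bucket is the one to watch in an access review: a truncated expanded list can hide a privileged role assignment behind twenty ordinary group memberships, which is why the fallback re-reads the whole relationship instead of trusting the expanded slice.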