Earlier i asked this question, where #Dev helped me. Now when i tried doing to Delegated permissions, its again throwing HTTP error 403. Application permission works for me. Only looks like issue with delegated permission. Strange? Any inputs will be of help.
#Alice, I see that you're using delegated permission scenario. If yes, then you need to allow apps to read service usage reports on behalf of a user. I would suggest you to work with your tenant administrator. They should have assigned the user the appropriate Azure AD limited administrator role - its needed, apart from the permissions that you specify in your code.
I tried the above in past and helped; so give a try. If you still face issues let me know. For more info you can refer the related document.
Related
I tried to receive all events for an Microsoft 365 User. It's a business license and a add an App with all User/Mail/Calendar Permissions (also consent granted) to Api permissions.
When running this command or some similar like in the documentation I got 403
Client error: `GET https://graph.microsoft.com/v1.0/users/xxxxxxxxxxxxxxxxxxxx/events` resulted in a `403 Forbidden` re
sponse:
{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}
What did I do wrong? I also tried the Graph Explorer (with logged in user).
Are the permissions you are assigning delegated or application permissions?
If you are using application permissions for your App Registration then you need to give access on the user's calendar to the app (probably by using a new service principal on exchange online).
If you are using delegated permissions then you should check the access token you are getting for validation in jwt.ms
Bear in mind that Graph explorer with logged in user needs different permissions than your App Registration. ( it's a different app registration altogether )
Seems like I had the same issue https://learn.microsoft.com/en-us/answers/questions/1165285/microsoft-graph-get-outlook-calendar-events-403?page=1&orderby=Helpful&comment=answer-1168253#newest-answer-comment
The fix was to remove all the other permissions and just give it
I am having issues accessing Education Assignment using Microsoft Grap returning "Access Denied", even though we have all the required permissions.
I noticed that under Application Permissions, it requires one of these permissions:
enter image description here
But under API Permission > Application Permission, we actually have EduAssignments.ReadBasic.All, EduAssignments.ReadWriteBasic.All, EduAssignments.Read.All, and EduAssignments.ReadWrite.All:
I am not sure whether this is an issue here.
I'm afraid these particular Application scopes are still in limited public preview. The documentation unfortunately fails to properly explain how these work.
I've asked for the documentation to be updated to explain this limitation as well as the process for gaining access to the preview.
Using the Graph API we are already successfully retrieving calendar views for a user's calendar (on behalf of the user). Now users would also like to be able to retrieve room calendars. So I tried the following:
https://graph.microsoft.com/beta/users/room1#ourdomain.com/calendarView
https://graph.microsoft.com/v1.0/users/room1#ourdomain.com/calendarView
https://graph.microsoft.com/beta/users/room1#ourdomain.com/events
https://graph.microsoft.com/v1.0/users/room1#ourdomain.com/events
Unfortunately all of them return a ErrorServiceUnavailable error.
App permissions and OAuth2 scopes are set to: openid email profile offline_access https://graph.microsoft.com/Calendars.Read https://graph.microsoft.com/Calendars.Read.Shared https://graph.microsoft.com/User.Read https://graph.microsoft.com/User.ReadBasic.All https://graph.microsoft.com/User.Read.All, so that should not be an issue.
Am I doing something wrong or is this simply not supported?
https://graph.microsoft.com/v1.0/users/room1#ourdomain.com/calendarView is the approach I've used successfully. I had an issue with permissions and gave my app every permission in Azure, and it worked for me. I can't help with which specific permissions it is, but for testing this is how I resolved an issue I had.
Am I doing something wrong or is this simply not supported?
For your current question: Obviously you did wrong or the Service - side temporary exception. The api is supported.
You should provide the code you have used, and based on the code, we can check what is wrong on your side.
I am writing a .Net Core 2.0 MVC-like app where users log in and then do such operations on an AAD B2C tenant such as add new user, edit user, delete user etc.
Listing and adding users was pretty easy to do, but now when I try to remove certain users, I get a 403 Forbidden error. I'm assuming it's because I missed permissions somewhere, but I don't really know where.
I have enabled literally ALL possible App permissions in my AAD B2C Tenant b2c-extensions-app and most of the ones that sound right (30 app+30 delegated) in apps.dev.microsoft.com. I added the account I log in to test to owner list, too. Any clues on why I keep getting those errors would be much appreciated. What are the things I could have missed?
// I found out that to delete users, Directory.AccessAsUser.All is required. I already have it in delegated permissions but I keep getting the same error.
// Yes, I did add myself as owner to b2c-extensions-app and I also added literally every possible permission to it. Windows Azure Active Directory has 7+9, Microsoft Graph has 37+78.
// Okay it seems that the same error occurs when I try to edit a user's password (or any contents, really), too.
Did you setup your permissions through Azure portal or PowerShell?
Delete permissions for a B2C application must be created using PowerShell.
You can find instructions on this page of Microsoft Docs, under the section 'Configure delete permissions for your application'.
Let me know if it helped!
I am trying to run the sample Google Apps Script Service Account OAuth example taken from here:
https://github.com/googlesamples/apps-script-oauth2/blob/master/samples/GoogleServiceAccount.gs and keep getting a server timed-out error. I copied the exact code and just substituted in the private key, client email, and a user email. The example code looks to be current as there was an update to it on July 30th.
I have authorized https://www.googleapis.com/drive/v2/files through the admin console as well as https://accounts.google.com/o/oauth2/token and have listed these as scopes in the admin settings (and domain-wide delegation is enabled). I am using an admin account to run the script.
I keep getting the ubiquitious "Server Timed Out" error and nothing shows up in the Execution Logs.
What might be the problem? Any help would be appreciated. Thanks in advance.
Thanks, Gerardo, for pointing me in the right direction. It turned out that our organization manages permissions for the Google Developer's Console by Organizations (in the Google Admin console). Somehow a few accounts, including mine, were kicked out of the Organization that had permissions to access the Developer's Console. After adding myself back in, the sample worked without problems.