Microsoft graph /me/mailFolders not working while permissions are given - microsoft-graph-api

I have a office 365 account and Iwant to access my emails
I followed Microsoft graph documentation
https://learn.microsoft.com/en-us/graph/api/user-list-mailfolders?view=graph-rest-1.0&tabs=http
I have selected the permissions asked as you see below :
Permissions Image
I have requested the token and the following request does not work :
GET https://graph.microsoft.com/v1.0/me/mailFolders
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
But when I use the next one , it works :
GET https://graph.microsoft.com/v1.0/users('xxx.yyy#zzz.onmicrosoft.com')/mailFolders('Inbox')/messages
I need to use the first endpoint which everybody is using on the internet , I can't get why I doesn't work for me

In Graph, the /me/ endpoint is an alias for the currently signed in user (based on the token). An application without a user present will not be able to query /me/, and should instead specify the user id of the user of interest (/users/user id).
If you call this endpint /me/mailFolders which means listing the mailFolders of the currently signed in user. So you need to add delegated permissions and use the flow except client credential flow to get access token.
If you still would like to use application permissions, you need to call this endpoint /users/{id | userPrincipalName}/mailFolders.
About the error(Resource does not exist or one of its queried reference-property objects are not present.), see the code sample of this issue.

Related

Microsoft Graph - get Outlook Calender events - 403 Forbidden

I tried to receive all events for an Microsoft 365 User. It's a business license and a add an App with all User/Mail/Calendar Permissions (also consent granted) to Api permissions.
When running this command or some similar like in the documentation I got 403
Client error: `GET https://graph.microsoft.com/v1.0/users/xxxxxxxxxxxxxxxxxxxx/events` resulted in a `403 Forbidden` re
sponse:
{"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}
What did I do wrong? I also tried the Graph Explorer (with logged in user).
Are the permissions you are assigning delegated or application permissions?
If you are using application permissions for your App Registration then you need to give access on the user's calendar to the app (probably by using a new service principal on exchange online).
If you are using delegated permissions then you should check the access token you are getting for validation in jwt.ms
Bear in mind that Graph explorer with logged in user needs different permissions than your App Registration. ( it's a different app registration altogether )
Seems like I had the same issue https://learn.microsoft.com/en-us/answers/questions/1165285/microsoft-graph-get-outlook-calendar-events-403?page=1&orderby=Helpful&comment=answer-1168253#newest-answer-comment
The fix was to remove all the other permissions and just give it

ResourceNotFound Microsoft Graph Api with correct token

I want to use microsoft graph API in my application without user. For I got access token by tenant id (a8ef7dd1-217d-430f-9ba0-4dd465b9098d) using this url
https://login.microsoftonline.com/a8ef7dd1-217d-430f-9ba0-4dd465b9098d/oauth2/v2.0/token
I see correct result after this request.
Afte that I try to get user using this url
https://graph.microsoft.com/v1.0/users
It also works fine for me.
Example response: {"#odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","value":[{"businessPhones":[],"displayName":"IOTA CLM","givenName":"IOTA","jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":"CLM","userPrincipalName":"clm-iota_outlook.com#EXT##clmiotaoutlook.onmicrosoft.com","id":"50ecbaed-9cee-411f-abb6-5e53e2a1051a"}]}
But if I try to get mailFolders using next get request
https://graph.microsoft.com/v1.0/users/50ecbaed-9cee-411f-abb6-5e53e2a1051a/mailFolders
I see 404 error :
"code": "ResourceNotFound",
"message": "Resource could not be discovered."
What I missed?
Are you sure that that user has a mailbox?
Make sure you have the correct permissions? To access mail, you require Mail.Read application permissions that have been admin consented. https://learn.microsoft.com/en-us/graph/api/user-list-messages?view=graph-rest-1.0
You can admin consent where you've registered the application in the portal in the "Permissions" tab of the application. https://aad.portal.azure.com
I've had the same error.
You probably didn't assign a license while adding users at https://admin.microsoft.com
If you go to the Microsoft site, you will find that you need to license Exchange Online to use the Exchange Online feature.
https://learn.microsoft.com/en-us/exchange/exchange-online
Check it out!

Unable to "List channel messages" on Azure AD Graph API Beta

When I try to list channel messages I get:
[...] "code": "UnknownError", "message": "Failed to execute backend request." [...]
This error is for all teams I don't belong to.
I have this error when trying to call the API from Microsoft Flow (with HTTP GET) but also with Graph Explorer: the account I used has FULL permission but still asks to check my permission:
Failure - Status Code 403, 656ms Looks like you may not have the permissions for this call. Please modify your permissions
And the registered application has the delegated permission needed to call this endpoint regarding the documentation:
GET /teams/{id}/channels/{id}/messages
https://learn.microsoft.com/en-us/graph/api/channel-list-messages?view=graph-rest-beta
Is it a bug because of the "beta" or something I've missed?
After searching and testing I can confirm that I was miss understanding how the delegated permission works.
The user need to have the permission to read the chat message meaning that the user need to be at least a member of the team who is concerned by the call.
I confirmed it by testing on a teams/groups where the account is not member of (result = Satus code 403) and everything is working with success after adding the account in the teams/groups
Does this mean that at the moment to be able to List channel messages from all teams in organisation we need to have a unique account member of each teams (=account used in the microsoft-graph call) ?
if anyone faced same situation this video helps to understand more easly the concept : https://www.youtube.com/watch?v=UPkHvy3eRCM

Can't access Microsoft Graph users calendars 403

I have seen other posts that are very similar, but I don't find a real answer. Some say "it is coming", those are old.
I am authenticating with the Admin credentials to our O365 and trying to pull calendar information. The Scope has Calendars.ReadWrite (which falls under App-Only and Delegate as far as scopes), but it always returns a 403. ErrorAccessDenied, "Access is denied. Check credentials and try again"
The Graph doc for calendar views shows it can send in users/{id} in the request, and the id's came back when I listed all the users. Of course if I use mine, it works.
If there really is an App-Only scope vs a Delegate scope for this same scope name, how do you specify that?
Is there something I have to specify in O365 for my admin user so it has rights? I can delete or create any user with that account in O365, so it appears it should have what it needs.
Thanks
So, App-Only has a slightly different flow.
First, instead of authenticating the user at "https://login.microsoftonline.com/common/oauth2/v2.0/authorize", you authenticate them at "https://login.microsoftonline.com/common/adminconsent".
Second, you pass in the same parameters minus "scope". Scope is determined by your Application Permissions defined in you application that you registered at apps.dev.microsoft.com.
Third, when you receive your callback you will not have a "code" to use to go and retrieve your Access and Refresh tokens. Instead, you will receive a "tenant" property and an "admin_consent" property. "admin_consent" will tell you whether you have the rights or not.
Fourth, when requesting your access token, you will not supply the "scope" or "code" parameters, but you will provide a "resource" parameter, with the value "https://graph.microsoft.com".
Lastly, the URL you contact to get the token will change from "https://login.microsoftonline.com/common/oauth2/v2.0/token" to "https://login.microsoftonline.com/{tenant}/oauth2/token", where {tenant} will be the value returned.
Please note that in the URL that "v2.0" is missing. That isn't a typo. If you do not remove that from the path you will get errors about an invalid or missing "scope" parameter.
Once it successfully returns your Access and Refresh token, the flow seems to follow normal delegated access.
Here are a couple of links that Microsoft gave me, with their guidance to help figure this out.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-the-admin-consent-endpoint
https://developer.microsoft.com/en-us/graph/docs/authorization/app_only
(Big Thanks to Jeff at Microsoft)
Latest doc is here: https://learn.microsoft.com/en-us/graph/auth-v2-service
I followed it and I was able to read/write other's calendar with permission Calendars.ReadWrite.

Using Microsoft graph to read all users calendars

I gave my application the following scopes:
SCOPES = [ "Calendars.Read", "User.Read.All" ]
I got an access token. With this token I am able to get the users and I get two users back which is correct.
When I then ask for the calendar of myself (admin):
https://graph.microsoft.com/v1.0/users/stijn#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
This also works perfectly. However when I do this for the other user:
https://graph.microsoft.com/v1.0/users/frank#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
I get this error message:
Access is denied. Check credentials and try again.
According to the documentation: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
Calendars.Read: Read calendars in all mailboxes: Allows the app to read events of all calendars without a signed-in user.
The scope I got back together with the access token was this: "calendars.read user.read.all" so it got accepted.
What am I missing here?
We are working to support the scenario you are requesting (Accessing other users' calendars) but the feature hasn't shipped yet. Stay tuned ...
UPDATE: Please take a look at using client credential flow. The blog post https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/ explains how to do this for Outlook API endpoint. But you should be able to follow the instructions for Microsoft Graph as well.
The app will require an admin to consent, and then can access calendar of any user in the organization, as long as their mailbox is in Office 365.

Resources