Since yesterday, the file upload api keeps returning 403 randomly. But it depends on the sharepoint. Many of our clients dont seem to encounter the issue, but our own sharepoint, and a new client's sharepoint have this problem.
Basically every upload request either succeeds or returns 403 Access denied error. And more often than not, it returns 403:
Here is an example of a request (client's sharepoint):
error: "{
↵ "error": {
↵ "code": "accessDenied",
↵ "message": "Access denied",
↵ "innerError": {
↵ "date": "2020-10-14T08:51:20",
↵ "request-id": "cacf89c3-5dbc-4390-98a1-5d7cb9e2668d",
↵ "client-request-id": "cacf89c3-5dbc-4390-98a1-5d7cb9e2668d"
↵ }
↵ }
↵}"
Another example (our sharepoint):
error: "{
↵ "error": {
↵ "code": "accessDenied",
↵ "message": "Access denied",
↵ "innerError": {
↵ "date": "2020-10-14T09:01:38",
↵ "request-id": "3c23f74d-579b-41e8-aafc-a6e3b3a6d885",
↵ "client-request-id": "3c23f74d-579b-41e8-aafc-a6e3b3a6d885"
↵ }
↵ }
↵}"
Nothing has been changed on our sharepoint, it used to always work, no code change, no configuration change on sharepoint.
Edit, code being used for upload:
private function uploadSmallFile(string $localFilePath, string $remoteFilePath, $conflictBehavior)
{
$route = "/sites/root/drive/items/root:$remoteFilePath:/content";
$route = $route . '?#microsoft.graph.conflictBehavior=' . $conflictBehavior;
$item = $this->client->createRequest('PUT', $route, true)
->setReturnType(Model\DriveItem::class)
->attachBody(file_get_contents($localFilePath))
->execute();
return $item;
}
Further details:
Accessing sharepoint on the browser works fine.
Using Insomnia (like Postman but for all uses), here is what happens with a path (Content-Type and Content-Length specified):
Successful upload (201), 403 Access denied (although it happens twice in about 50 uploads in Insomnia)
{
"error": {
"code": "accessDenied",
"message": "Access denied",
"innerError": {
"date": "2020-10-15T07:34:19",
"request-id": "cf7f0f59-046c-4115-ab67-3f471f340dca",
"client-request-id": "cf7f0f59-046c-4115-ab67-3f471f340dca"
}
}
}
With itemId:
Only Successful upload
This is strange, because I'm pretty sure it's not code related, since this happens on a codebase thats as old as june 2020 and didn't change since then.
Edit: Problem seems to be solved, no code was changed on my side. API Related problem.
Edit 2: Problem is back as of today 20-10-2020 (at least since 8am CEST)
Related
I have an enterprise application registered in Azure AD Tenant. It contains certain appRoles which have been assigned to Azure AD Users. Now, I would like to fetch all the users having some specific appRoles.
I have tried this:
GET /servicePrincipals/{id}/appRoleAssignedTo
taken from here:https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignedto?view=graph-rest-beta&tabs=http#optional-query-parameters
It seems like I am able to fetch all the appRoleAssignments successfully using this API, but whenever I put a filter such as: appRoleId eq {app-role-id} I am geting error like:
{
"error": {
"code": "Request_BadRequest",
"message": "Invalid filter clause appRoleId: System.Guid",
"innerError": {
"date": "2021-10-25T16:33:41",
"request-id": "{request-id}",
"client-request-id": "{client-request-id}"
}
}
}
And whenever I put single quotes, like appRoleId eq '{app-role-id}', I get this error:
{
"error": {
"code": "BadRequest",
"message": "Invalid filter clause",
"innerError": {
"date": "2021-10-25T16:34:30",
"request-id": "{request-id}",
"client-request-id": "{client-request-id}"
}
}
}
I tried with both v1 and beta endpoint. So how do I filter on appRoleId?
It seems that Microsoft Graph does not support the $filter on appRoleId yet. They already have an open issue:
https://github.com/microsoftgraph/msgraph-sdk-dotnet/issues/990
There is also a feature request here which we can upvote: https://techcommunity.microsoft.com/t5/microsoft-365-developer-platform/application-api-add-support-for-filtering-approleassignment-by/idi-p/2433822
Also in the Doc, $filter is only provided on principalDisplayName and resourceId
[1]: https://i.stack.imgur.com/ZVD8Y.png
When accessing data using https://graph.microsoft.com/beta/teams/{id}, it is failing with 400 bad request without any error details. {id} is the value received from the response of https://graph.microsoft.com/beta/groups.
Following response is returned.
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"date": "2021-10-15T15:01:43",
"request-id": "1d82fe40-5186-46fc-9fb7-c16341eb1ffb",
"client-request-id": "29c9e68d-bfd8-6f53-65c4-c49a82581a76"
}
}
}
We tried using MS graph SDK as well as graph explorer. All the consent are given for the end point.
What could be the reason for the error?
I have an active GraphAPI subscription to /communications/callRecords which is successfully returning the callid for calls. When attempting to get the call details using the following request:
https://graph.microsoft.com/beta/communications/callRecords/45578cfe-8329-48b7-ba6b-54a627b00bf4?$expand=sessions($expand=segments)
I receive the following error:
{
"error": {
"code": "BadRequest",
"message": "Unsupported segment type. ODataQuery: /communications/callRecords/45578cfe-8329-48b7-ba6b-54a627b00bf4",
"innerError": {
"date": "2020-11-24T12:34:11",
"request-id": "277b4fa1-11a5-4922-94d7-83fec3a57572",
"client-request-id": "277b4fa1-11a5-4922-94d7-83fec3a57572"
}
}
}
I get the same error if I change the GraphAPI call to /v1.0/. I am sure this worked previously but can't seem to work out what may have changed.
When trying to change permissions to a ODfB folder (granted by a sharing link) from write to read, a bad request error is getting thrown:
{
"error": {
"code": "badArgument",
"message": "One of the provided arguments is not acceptable.",
"innerError": {
"date": "2020-09-15T21:30:01",
"request-id": "a43eb6a1-3c3b-49c4-bda1-5b4fd791da08",
"client-request-id": "d8f9a715-9dac-9db7-1ac5-8d16d49630f2"
}
}
}
Request :
PATCH https://graph.microsoft.com/v1.0/me/drive/items/01HKVKMAZ1QBH7KJAWF5AIOO4D3P7AETV2/permissions/0cc09318-b541-4aa4-ba3d-aeca64c7d932
Content-type: application/json
{
"roles": [
"read"
]
}
I made sure that item id is correct, as well as permission id, autorization token in header is also fine.
Am I missing something, or does updating folder permissions granted by sharing links not work at all in Graph API?
I need to read the list of synchtonizationProfile entities. I get accessToken using grant_type=code and requested permissions for EduAdministration.Read and EduAdministration.ReadWrite (as specified in the documentation).
But when I try the request, I get the following error:
{
"error": {
"code": "AuthenticationError",
"message": "Error authenticating with resource.",
"innerError": {
"request-id": "1a47270e-f902-48af-81cc-5ed8e279b050",
"date": "2017-12-21T12:20:27"
}
}
}
The problem only with the /synchronizationProfiles endpoint.
What is the problem? And how to solve it?