groupPolicyConfigurations/{groupPolicyConfigurationId}/updateDefinitionValues can't update configuration with API - microsoft-graph-api

I am trying to update my Microsoft Intune Configuration using Microsoft Graph API.
For this I am using Postman. I have set up an app registration to assign the needed permissions and retrieve an access token. This is working in so far that I can read most of my configurations.
Now I am trying to change a configuration using POST /deviceManagement/groupPolicyConfigurations/{groupPolicyConfigurationId}/updateDefinitionValues. (Docs)
Now the problem is when I form the request according to the docs:
{
  "added": [],
  "updated": [
    {
      "@odata.type": "#microsoft.graph.groupPolicyDefinitionValue",
      "createdDateTime": "2017-01-01T00:02:43.5775965-08:00",
      "enabled": true,
      "configurationType": "policy",
      "id": "<id>",
      "lastModifiedDateTime": "2017-01-01T00:00:35.1329464-08:00"
    }
  ],
  "deletedIds": []
}
I get:
error code: BadRequest
"date": "2020-11-04T19:04:33",
"request-id": "c66c508b-0f73-4e7f-966a-97bf460818be",
I also tried to inspect the requests sent by the Azure Portal when changing it in the UI, and the Graph API request sent by the UI is quite a bit different from the one in the docs:
{
  "added": [],
  "updated": [
    {
      "id": "<id>",
      "enabled": true,
      "presentationValues": [],
      "definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('<id>')"
    }
  ],
  "deletedIds": []
}
and this one returns an HTTP 403 Forbidden. I get:
error code: BadRequest
"date": "2020-11-04T19:04:27",
"request-id": "c70d67bc-b4d4-40cc-b2c9-7d60896f972a",
Unfortunately the response does not contain any information on what exactly the issue is, and I don't know if there are any logs where I could find a more detailed error description.
Does anybody have experience with this and know where I could get the correct payload for the request?

Related

Create Team, 400 Bad Request, Required functionality is not supported

I'm trying to create a Microsoft Teams team in Migration mode via the Graph API. However I get a 400 response that I can't figure out. The query is shared in the link below.
Shared Query
For those that don't want to view it that way, here is my request:
POST https://graph.microsoft.com/beta/teams
Authorization: Bearer ...
Content-Type: application/json
{
  "@microsoft.graph.teamCreationMode": "migration",
  "template@odata.bind": "https://graph.microsoft.com/beta/teamsTemplates(\u0027standard\u0027)",
  "displayName": "SlackMigrationTest",
  "description": "testing slack migrations",
  "createdDateTime": "2021-01-14T00:00:00.000Z"
}
I created this based on the microsoft doc here.
The response I get is:
The remote server returned an error: (400) Bad Request.
{
  "error": {
    "code": "BadRequest",
    "message": "Required functionality is not supported.",
    "innerError": {
      "date": "2021-01-20T15:51:21",
      "request-id": "dc4189cf-db4a-4a60-a271-f63b5d759a05",
      "client-request-id": "dc4189cf-db4a-4a60-a271-f63b5d759a05"
    }
  }
}
I'm sure it's something obvious that I'm missing, but any help would be greatly appreciated.
Here you are using the User Context token and trying to make the call. This API call only works in Application context as shown in the below screenshot.
So use Client Credential flow and set Application permissions and then make a call.
As you can see below, it worked for me with App token.
You cannot test it in graph explorer because the Graph Explorer gets user token.
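A way to check which context a token carries before calling an application-only endpoint, as an added example that is not part of the original answer: delegated (user) tokens issued by Azure AD carry their scopes in `scp`, while client-credential tokens carry application permissions in `roles`. The sample tokens are constructed and unsigned, and `Teamwork.Migrate.All` is used as the application permission to look for.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the demo below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed"


def token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.

    Troubleshooting aid only: unverified claims must never drive an
    authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_context(token: str) -> str:
    """Return 'delegated', 'application' or 'unknown' for an Azure AD token."""
    claims = token_claims(token)
    if claims.get("scp"):    # delegated scopes, space-separated string
        return "delegated"
    if claims.get("roles"):  # application permissions granted to the app
        return "application"
    return "unknown"


def has_app_permission(token: str, permission: str) -> bool:
    """True only for an app-only token that carries `permission` in `roles`."""
    return (token_context(token) == "application"
            and permission in token_claims(token).get("roles", []))


# Constructed sample tokens (not real credentials).
USER_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                  "scp": "Team.Create User.Read"})
APP_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                 "roles": ["Teamwork.Migrate.All"]})
```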

microsoft-graph api users endpoint with filter provides NextLink Token Expired

Removing my code as part of the equation, I was able to reproduce this through the Microsoft Graph API Explorer.
First, I do a GET https://graph.microsoft.com/v1.0/users?$filter=assignedLicenses%2fany(d%3ad%2fskuid+eq+ --actualySKUIDHere--)
I get results back like
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
  "@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$filter=assignedLicenses%2fany(d%3ad%2fskuid+eq+ --actualSKUIDHere-- )&$skiptoken=X%27 --actualtokenhere-- %27",
  "value": [
    {
I copy-paste the nextLink into the API Explorer,
i.e.
https://graph.microsoft.com/v1.0/users?$filter=assignedLicenses%2fany(d%3ad%2fskuid+eq+ --actualSKUIDHere-- )&$skiptoken=X%27 --actualtokenhere-- %27
and it works with good results like above, but the next skipToken is shorter and copy & pasting it will result in the following
{
  "error": {
    "code": "Directory_ExpiredPageToken",
    "message": "The specified page token value has expired and can no longer be included in your request.",
    "innerError": {
      "request-id": "4cce84ea-83c5-403a-98d2-5ad5c948fcdc",
      "date": "2020-02-03T21:04:43"
    }
  }
}
I'm assuming this is a bug but wanted to post to see if anyone else has experienced this and has a resolution.
This was a temporary service issue which has been fixed since. You should not try to parse/modify the next link in your application, simply use it as provided by the service.
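A paging loop that follows the advice above, as an added example that is not part of the original answer: the next link is passed back untouched, and the only inspection is a check that it still points at Graph over HTTPS before a bearer token is sent to it. `fetch` is a hypothetical caller-supplied function, and the filter, skip token and pages are constructed.

```python
from urllib.parse import urlsplit

GRAPH_HOST = "graph.microsoft.com"


def iter_items(first_url, fetch):
    """Yield every item of a paged Graph collection.

    `fetch(url)` is a caller-supplied function (hypothetical here) that
    sends the bearer token and returns the parsed JSON body.
    """
    url, seen = first_url, set()
    while url:
        parts = urlsplit(url)
        # The link is opaque, but the bearer token must only ever go to Graph.
        if parts.scheme != "https" or parts.hostname != GRAPH_HOST:
            raise ValueError(f"refusing to follow link to {parts.hostname!r}")
        if url in seen:
            raise RuntimeError("paging loop: service returned a repeated link")
        seen.add(url)
        page = fetch(url)
        yield from page.get("value", [])
        # Use the next link exactly as returned: no re-encoding, no edits
        # to $filter or $skiptoken.
        url = page.get("@odata.nextLink")


# Constructed two-page response set standing in for the service.
BASE = "https://graph.microsoft.com/v1.0/users?$filter=accountEnabled+eq+true"
PAGE2 = BASE + "&$skiptoken=X%27constructed-token%27"
PAGES = {
    BASE: {"value": [{"id": "u1"}, {"id": "u2"}], "@odata.nextLink": PAGE2},
    PAGE2: {"value": [{"id": "u3"}]},
}


def collect_ids(first_url, pages):
    """Walk the constructed pages and return the item ids in order."""
    return [item["id"] for item in iter_items(first_url, pages.__getitem__)]
```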

Cannot update oauth2PermissionGrants using graph.microsoft.com

Using https://graph.microsoft.com/beta/oauth2PermissionGrants I now cannot use POST to update B2C apps to grant them access to APIs due to an error: Missing property: expiryTime
We've been using the BETA endpoint to update our B2C apps to grant them access to various APIs using a PowerShell script I created; however, in the last week or so something has changed on the back end, as we now receive an error when attempting a POST: Missing property: expiryTime. The expiryTime, however, is present in the JSON.
We can POST via graph.windows.net using the same JSON, so this is something specific to the BETA endpoint. When querying the app's oauth2PermissionGrants I also cannot see the expiryTime or startTime using graph.microsoft.com for some reason.
Please see the code below and let me know if I can answer any questions.
https://developer.microsoft.com/en-us/graph/graph-explorer#
POST https://graph.microsoft.com/beta/oauth2PermissionGrants
{
  "clientId": "APP servicePrincial ObjectID",
  "consentType": "AllPrincipals",
  "expiryTime": "2030-05-12T19:34:28.9831598Z",
  "principalId": null,
  "resourceId": "02bccee7-8958-4e5e-89c7-466a5370a205",
  "scope": "user_impersonation"
}
{
  "error": {
    "code": "Request_BadRequest",
    "message": "Missing property: expiryTime",
    "innerError": {
      "request-id": "b15edafa-1415-4430-9d89-5ea3fb824f9c",
      "date": "2019-09-16T11:29:39"
    }
  }
}

Unable to access the SharePoint List using Microsoft Graph API

Working with the Microsoft Graph API, and especially the SharePoint beta API, I am constantly running into issues. I know it's beta, but still ;)
So the issue is: when I tried to access the SharePoint list using the Graph API in Graph Explorer,
the URL is: GET https://graph.microsoft.com/beta/sites/{site-id}/lists/{list-id}
For the site ID I am passing my site tenant GUID, and for the list ID the SharePoint list GUID,
and I am continuously getting this error in the response:
{
  "error": {
    "code": "invalidRequest",
    "message": "Provided id is not suitable for the current host",
    "innerError": {
      "request-id": "61efc5b1-88f8-442c-a41d-7213b587318e",
      "date": "2017-05-10T07:38:04"
    }
  }
}
If anyone has also faced this issue, please let me know how you resolved it.
The format of the IDs for sites has changed as part of a set of updates to the API this week. The new format is documented here, but it includes the SharePoint hostname, SPSite.ID, and SPWeb.ID as a triplet:
https://graph.microsoft.com/beta/sites/contoso.sharepoint.com,fc016e3c-d8ae-4ee0-a10c-de6d26788b6a,9a4ea7a5-c3c4-44ae-9f80-273bd67431b8
If you add the hostname into your IDs, your calls should start working again. You can discover the hostname by making a request to:
https://graph.microsoft.com/beta/sites/root/siteCollection/hostname
You can also search for sites now using the following search syntax:
https://graph.microsoft.com/beta/sites?search={keyword}
@Ryan Gregg has the correct answer.
The SiteId is not just one GUID but a combination of <HostName,SPSite.ID,SPWeb.ID>.
Example: <contoso.sharepoint.com,fc016e3c-d8ae-4ee0-a10c-de6d26788b6a,9a4ea7a5-c3c4-44ae-9f80-273bd67431b8>
The whole string in the above example is what you should pass for {SiteId} in your request.
If you don't have the SPSite.ID but have the URL for the site, you can make a Graph API call with the relative path to the site:
https://graph.microsoft.com/v1.0/sites/contoso.sharepoint.com:/sites/Documentation
This call will return all the properties for the site and you can grab the full SiteId from here:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites/$entity",
  "createdDateTime": "2020-04-23T12:18:48.653Z",
  "description": "Documentation",
  "id": "contoso.sharepoint.com,fc016e3c-d8ae-4ee0-a10c-de6d26788b6a,9a4ea7a5-c3c4-44ae-9f80-273bd67431b8",
  "lastModifiedDateTime": "2020-12-09T19:17:21Z",
  "name": "Documentation",
  "webUrl": "https://contoso.sharepoint.com/sites/Documentation",
  "displayName": "Documentation",
  "root": {},
  "siteCollection": {
    "hostname": "contoso.sharepoint.com"
  }
}
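A validator for the composite site ID described in the two answers above, as an added example that is not part of the original posts: it rejects a bare GUID (the input that produced "Provided id is not suitable for the current host") and checks every part before it is placed in a request path. The function names and the list GUID are made up for the example.

```python
import re
import uuid
from urllib.parse import quote

_HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def _guid(value: str, label: str) -> str:
    """Return the canonical form of a GUID or raise a labelled ValueError."""
    try:
        return str(uuid.UUID(value.strip()))
    except ValueError:
        raise ValueError(f"{label} is not a GUID: {value!r}") from None


def parse_site_id(site_id: str) -> tuple:
    """Split 'hostname,SPSite.ID,SPWeb.ID' and validate each part."""
    parts = site_id.split(",")
    if len(parts) != 3:
        raise ValueError("site id must be hostname,SPSite.ID,SPWeb.ID "
                         f"(got {len(parts)} part(s))")
    host = parts[0].strip().lower()
    if not _HOST_RE.match(host):
        raise ValueError(f"not a hostname: {parts[0]!r}")
    return host, _guid(parts[1], "SPSite.ID"), _guid(parts[2], "SPWeb.ID")


def list_url(site_id: str, list_id: str, version: str = "v1.0") -> str:
    """Build the /sites/{site-id}/lists/{list-id} URL from validated parts."""
    if version not in ("v1.0", "beta"):
        raise ValueError(f"unexpected API version: {version!r}")
    composite = ",".join(parse_site_id(site_id))
    return (f"https://graph.microsoft.com/{version}/sites/"
            f"{quote(composite, safe=',')}/lists/{_guid(list_id, 'list id')}")


# Site id taken from the answers above; the list GUID is constructed.
SITE_ID = ("contoso.sharepoint.com,fc016e3c-d8ae-4ee0-a10c-de6d26788b6a,"
           "9a4ea7a5-c3c4-44ae-9f80-273bd67431b8")
LIST_ID = "11111111-2222-3333-4444-555555555555"
```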
Try https://graph.microsoft.com/beta/sites/{siteCollectionId},{siteId}/lists
You can find these ids from https://graph.microsoft.com/beta/site/sites

Error when createUploadSession on OneDrive graph api for the special AppFolder

I am attempting to create an upload session in the special app folder for my OneDrive app using the Graph API. My app has the following permissions:
Files.ReadWrite
Files.ReadWrite.AppFolder
offline_access
The request looks like this
https://graph.microsoft.com/v1.0/users/xxxxxx96-2e02-4300-8ab0-a05d73xxxxxx/drive/special/approot:/documentname.docx:/createUploadSession
gives the following error:
{
  "error": {
    "code": "itemNotFound",
    "message": "The resource could not be found.",
    "innerError": {
      "request-id": "7447aa01-6685-4af0-998a-64abc9b14825",
      "date": "2017-04-06T10:07:46"
    }
  }
}
I can create an upload session on the normal root folder without any errors:
graph.microsoft.com/v1.0/users/xxxxxx96-2e02-4300-8ab0-a05d73xxxxxx/drive/root:/documentname.docx:/createUploadSession
result:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.uploadSession",
  "expirationDateTime": "2017-04-06T10:32:48.5252565Z",
  "nextExpectedRanges": [
    "0-"
  ],
  "uploadUrl": "......."
}
The createuploadsession method does not support special/approot. As mentioned in the documentation, these are the only paths to use:
POST /drive/root:/{path_to_item}:/createUploadSession
POST /drive/items/{parent_item_id}:/{filename}:/createUploadSession
Just wanted to clarify, since people are sometimes referring to this thread still: This syntax actually is supported. Due to the flexibility of OData syntax/support, the docs are not always 100% comprehensive about every request path that works.
I believe the actual issue is that Files.ReadWrite.AppFolder is not supported on ODB/SPO/business accounts yet (as of 2022) - it is only for personal/MSA accounts. However, there is work in progress to bring this support to SPO in the future.
The two scopes that are mentioned above are:
Files.ReadWrite - grants access to content on the caller's mysite only
Files.ReadWrite.AppFolder - has no effect on SPO/business
Files.ReadWrite.All should work in the short term, until Files.ReadWrite.AppFolder is implemented on SPO/ODB.
