Get Team's Planner using App Only permission in Azure Function - microsoft-graph-api

Is there any example of how I can achieve the following requirement:
I need to read Planner Plans from a Group in an Azure Function through the Graph API.
Application permissions are not supported, only delegated.
I tried with ConfidentialClientApplicationBuilder with OnBehalfOfProvider, but no luck. I do not know how to set UserAssertion in this case.
Also, the username and password flow is not an option, because the end user can use MFA.

Unfortunately, Microsoft Planner APIs on Microsoft Graph do not support Application permissions (App-only). This is confirmed in the docs here: https://learn.microsoft.com/en-us/graph/api/planner-post-plans?view=graph-rest-1.0&tabs=http#permissions
Please vote up the feature request for this: https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/5904632-application-permissions-to-task-api

Related

Steps to create PowerBI API token

I'm using this URL https://login.windows.net/(the Tenant ID of the App that I made in Azure AD)/oauth2/token to create a Token for PowerBI API. My Postman looks like this:
But when I use this Access token to do some operations like getting a list of reports in a Dataset I get 401 Unauthorized:
Exactly which steps I have taken so far can be seen in this Question. I also haven't created a Service Principal, is that needed here? Am I missing a step?

I tried to follow all the steps, and it's working fine for me.
Please check the API permissions provided for your registered app.
You can check the required permission under API Permissions -> Add a permission -> Power BI Service and select the required permission.
For instance, we need these permissions to access the datasets:
You can also try the same with the 'try it' feature from here:
Datasets - Get Dataset In Group - REST API (Power BI Power BI REST APIs) | Microsoft Docs

Give mailbox permissions from graph api

I am using the Graph API with app permission and with a certificate.
I know how to send emails with a sender which is different from the requestor's email.
I go to admin.exchange.com, select the user and add a mailbox delegation, then add the user in "Send as".
My question is how to add a user with the "Send As" option via Graph API only.
I would like to use this method microsoft permission: but from graph api
Thanks for your help

No, this (and all the other Exchange Admin tasks) aren't currently in the Graph API. The only option for doing this programmatically is to use the PowerShell cmdlets https://learn.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission?view=exchange-ps. The good news is that the v2 PowerShell module does now support the client_credentials flow https://techcommunity.microsoft.com/t5/exchange-team-blog/modern-auth-and-unattended-scripts-in-exchange-online-powershell/ba-p/1497387

Require re-register MFA using Microsoft Graph API

I am working on an MVC application which is using Microsoft Azure Active Directory for signing in. I am also going to enable MFA for users.
If the user changes the phone number or phone, then that user needs to be able to reset MFA from the application itself. I know we can reset MFA from the portal using Require re-register MFA.
Is there any way to accomplish this functionality using Graph API or using code?

After a long time of searching and testing, I am sure that the Update phoneAuthenticationMethod API can definitely meet your requirements.

What API do I use with the permissions my Teams app received in App Studio?

I am developing an app in Microsoft Teams using the App Studio. Towards the end of the process, in the section Domains and Permissions, you are allowed to give resource-specific consent permissions such as File.Read.Group. I was wondering where I would use these permissions (Microsoft Graph, Azure AD Graph, ...) to programmatically access an API. As a side question, does anybody know which permission allows the app to manage group members?
Thank you!

Here is a good read on that permissions settings page. Those consent permissions are not actually a part of Azure AD app registrations as of this article's writing, so that means while they are sort of Graph permissions, you would use them against the Graph API. They are for specific Teams-based resource-specific permissions.
https://blog.thoughtstuff.co.uk/2020/01/microsoft-teams-has-a-new-more-granular-and-resource-specific-permissions-model-for-apps-what-is-resource-specific-consent-rsc-and-how-do-i-use-it/
The official documentation on the matter: https://learn.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent
As per the Microsoft link, I don't see a resource-specific permission to "edit" group members.

Are There Azure AD App Perms Available for Microsoft Teams REST API

I want to start doing some development with the preview edition of the Microsoft Teams APIs.
I currently have a solution working using the Azure AD v2 Endpoint but I wanted to get a working solution using the v1 Endpoint.
I can't find any Microsoft Teams permissions available in the Azure AD portal and I didn't see anything specifically about this in the Known Issues for the Teams API.
Can anyone comment on whether there are any options for a pure v1 Endpoint solution using application registration available right now? If not, is it planned?

The v1 Endpoint uses the same permissions as the v2 Endpoint. The primary difference between the two is that v2 scopes can be dynamically requested during authentication while the v1 Endpoint requires permissions to be pre-defined within the registration.
When using the Azure Portal, all of the permissions for Teams show up under "Microsoft Graph". For Teams you'll generally need User.Read and Group.ReadWrite.All. The Azure Portal lists permissions by description (although you can see the underlying scope name in the tooltip):
Sign in and read user profile (user.read)
Read and write all groups (Group.ReadWrite.All)
Note that Group.ReadWrite.All does require Admin Consent. Before you can authenticate normal users, you will first need to have an Administrator go through the Admin Consent process.

I'm posting this as the answer, because I'm pretty certain this will trip up other developers out there. Up to this point, when getting an access token for AAD v1 apps that use Microsoft Graph, you use "https://graph.windows.net" as the Resource ID. The interwebs are replete with this example, and I have it in my own code that I use for OneNote and other services.
Now with the Graph endpoint for connecting to Teams (and probably other things), the Resource ID you need to use is "https://graph.microsoft.com". Just ran through a quick test using an AAD v1 app with the Microsoft Graph API and Read All Groups permission. I'm sure there's an explanation out there from some MSFT person that might make sense, but I have not found it after many hours of searching the web.
Hope this helps someone.
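
Several of the threads above turn on what an access token actually carries: delegated versus application permissions (Planner), a 401 caused by missing API permissions (Power BI), and the resource ID a v1 token was issued for (Teams). The following Python sketch is an added example, not code from any of the posts; it decodes a token's payload without verifying the signature (diagnosis only), and the function names, finding codes and sample tokens are constructed for illustration.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com"      # resource ID the last answer says to use
AAD_GRAPH = "https://graph.windows.net"    # resource ID the last answer says trips people up

def make_token(claims: dict) -> str:
    """Build a constructed JWT-shaped string with a fake signature (demo input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"

def decode_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token: str, resource: str, permission: str,
             delegated_only: bool = False) -> list:
    """Return reasons the token would be rejected for `permission` on `resource`."""
    claims = decode_claims(token)
    findings = []
    if str(claims.get("aud", "")).rstrip("/").lower() != resource.rstrip("/").lower():
        findings.append("wrong_audience")             # issued for a different resource
    scopes = [s.lower() for s in str(claims.get("scp", "")).split()]  # delegated
    roles = [r.lower() for r in claims.get("roles", [])]              # app-only
    if delegated_only and not scopes:
        findings.append("app_only_not_supported")     # API accepts delegated tokens only
    elif permission.lower() not in scopes + roles:
        findings.append("missing_permission")         # not granted or not consented
    return findings

# Constructed sample tokens: no real tenant, user, or signature.
WRONG_RESOURCE = make_token({"aud": AAD_GRAPH, "scp": "User.Read Group.ReadWrite.All"})
APP_ONLY = make_token({"aud": GRAPH, "roles": ["Group.ReadWrite.All"]})
NO_CONSENT = make_token({"aud": GRAPH, "scp": "User.Read"})
GOOD = make_token({"aud": GRAPH, "scp": "User.Read Group.ReadWrite.All"})

if __name__ == "__main__":
    for name, tok in [("wrong resource", WRONG_RESOURCE),
                      ("no consent", NO_CONSENT), ("good", GOOD)]:
        print(name, diagnose(tok, GRAPH, "Group.ReadWrite.All"))
    print("app-only", diagnose(APP_ONLY, GRAPH, "Group.ReadWrite.All", delegated_only=True))
```

The `scp` claim holds delegated scopes and `roles` holds application permissions, so a token with only `roles` is app-only and will not satisfy an API that accepts delegated access alone.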
