DevOps migrate prepare fails after 'user not found' graph call - tfs

I am trying to migrate on-premise TFS (DevOps Server 2019 update 1.1) to DevOps Services and using the migrate tool. I have run the validate command and cleaned up those warnings but the next command (prepare) fails mysteriously. The log file simply says:
[Error #11:18:19.488]
Exception Message: Request failed (type AadGraphTimeoutException)
Exception Stack Trace: at Microsoft.VisualStudio.Services.Identity.DataImport.AadIdentityMapper.ExecuteGraphRequest[T](Func`1 request)
at Microsoft.VisualStudio.Services.Identity.DataImport.AadIdentityMapper.GetAadTenantId()
at TfsMigrator.TfsMigratorCommandValidate.PopulateDataImportPropertiesOnContext()
at TfsMigrator.TfsMigratorCommandValidate.PopulateValidationItems(DataImportValidationContext context)
at TfsMigrator.TfsMigratorCommandValidate.RunValidations(Boolean validateFiles)
at TfsMigrator.TfsMigratorCommandPrepare.RunImpl()
at TfsMigrator.TfsMigratorCommand.Run()
A colleague pointed out this troubleshooting from the docs but a) we have about 10 users involved in TFS (~50 total active in local AD) so it is hard to believe we have so many users it would time out, and b) I ran the Get-MsolUser troubleshooting commands and successfully queried AAD via Graph.
I ran the prepare command again with Fiddler Classic connected as a proxy and discovered a failing call to the Graph API. It looked like
Request (simplified headers):
POST https://graph.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-0664e34adcbd/$batch?api-version=1.6 HTTP/1.1
Content-Type: multipart/mixed; boundary=batch_ea471df4-db73-403d-a172-a0955ddb1575
...
--batch_ea471df4-db73-403d-a172-a0955ddb1575
GET https://graph.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-0664e34adcbd/tenantDetails?api-version=1.6 HTTP/1.1
...
--batch_ea471df4-db73-403d-a172-a0955ddb1575--
Response (body):
{
    "odata.error": {
        "code": "Authentication_Unauthorized",
        "message": {
            "lang": "en",
            "value": "User was not found."
        },
        "requestId": "58c4cabc-dd67-4ce8-9735-134a7e0df60c",
        "date": "2020-09-14T20:07:49"
    }
}
So my question at this point is - Are there any permissions (DevOps, Azure, Graph) that are missing? Are there any workarounds available? I did tag this question with Microsoft Graph API but do believe the failing call uses the older Azure AD Graph API.

Related

Create Team, 400 Bad Request, Required functionality is not supported

I'm trying to create a Microsoft Teams team in Migration mode via the Graph API. However I get a 400 response that I can't figure out. The query is shared in the link below.
Shared Query
For those that don't want to view it that way, here is my request:
POST https://graph.microsoft.com/beta/teams
Authorization: Bearer ...
Content-Type: application/json
{
    "@microsoft.graph.teamCreationMode": "migration",
    "template@odata.bind": "https://graph.microsoft.com/beta/teamsTemplates(\u0027standard\u0027)",
    "displayName": "SlackMigrationTest",
    "description": "testing slack migrations",
    "createdDateTime": "2021-01-14T00:00:00.000Z"
}
I created this based on the microsoft doc here.
The response I get is:
The remote server returned an error: (400) Bad Request.
{
    "error": {
        "code": "BadRequest",
        "message": "Required functionality is not supported.",
        "innerError": {
            "date": "2021-01-20T15:51:21",
            "request-id": "dc4189cf-db4a-4a60-a271-f63b5d759a05",
            "client-request-id": "dc4189cf-db4a-4a60-a271-f63b5d759a05"
        }
    }
}
I'm sure it's something obvious that I'm missing but any help would be greatly appreciated.
Here you are using the User Context token and trying to make the call. This API call only works in Application context as shown in the below screenshot.
So use Client Credential flow and set Application permissions and then make a call.
As you can see below, it worked for me with App token.
You cannot test it in graph explorer because the Graph Explorer gets user token.
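Added example (not part of the answer above, and not Microsoft's code): a quick way to tell which kind of token a request carries is to decode its payload and look at the claims. Azure AD puts delegated permissions in scp and application permissions in roles; the sample tokens below are constructed and unsigned, and the function names are hypothetical.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Fine for inspecting your own token; never use it to authorize a request."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def token_context(token: str) -> dict:
    """Classify an Azure AD access token as delegated (user) or app-only."""
    claims = jwt_claims(token)
    scopes = claims.get("scp", "").split()  # delegated permissions, space-separated
    roles = claims.get("roles", [])         # application permissions, JSON array
    if scopes:                              # app-only tokens never carry scp
        kind = "delegated"
    elif roles:
        kind = "application"
    else:
        kind = "unknown"
    return {"kind": kind, "permissions": scopes or roles, "aud": claims.get("aud")}


def make_sample(payload: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed samples: what Graph Explorer gets vs. a client-credentials token.
USER_TOKEN = make_sample({"aud": "https://graph.microsoft.com",
                          "scp": "Files.Read User.Read"})
APP_TOKEN = make_sample({"aud": "https://graph.microsoft.com",
                         "roles": ["Group.Read.All"]})

if __name__ == "__main__":
    for name, tok in (("user", USER_TOKEN), ("app", APP_TOKEN)):
        print(name, token_context(tok))
```
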

Teams listChannel Graph API resulting in "Unauthorized error - "Failed to execute Aad backend request GetUsersByObjectIdsRequest"

The teams list channel Graph API has started to throw an Unauthorized error as below. It used to work fine until yesterday. We are using "ServicePrincipal" for authentication and it has all necessary Graph permissions. In this case - Group.Read.All
Sample endpoint we are using is as below.
https://graph.microsoft.com/v1.0/teams/dccde580-0fc5-11eb-adc1-0242ac120002/channels.
Since this morning, it is failing continuously with the below error. Moreover, this is not a beta API.
As per our analysis, it is failing for those teams which have a private channel in them. But as per documentation, private channels should be returned in the response as well. I don't understand what could be the issue.
Any ideas / hints / help in this regard are really appreciated.
{
    "error": {
        "code": "Unauthorized",
        "message": "Failed to execute Aad backend request GetUsersByObjectIdsRequest. Workload Unknown. Request Url: https://graph.windows.net/myorganization/getObjectsByObjectIds?api-version=1.61-internal, Request Method: POST, Response Status Code: Unauthorized, Response Headers: ocp-aad-diagnostics-server-name: 0yK5pQbb6mmQTig21hH07WmGI0k2nuTime8Zw4wMO7k=\r\nrequest-id: c33c655e-27f7-4f96-aabf-70e6d9d8770d\r\nclient-request-id: 5bd775a7-7dba-4ad7-bc9a-fbd91ae46fea\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nDate: Fri, 16 Oct 2020 15:23:45 GMT\r\n, Reason Phrase: Unauthorized",
        "innerError": {
            "date": "2020-10-16T15:23:45",
            "request-id": "3f3793b8-02d6-4653-a14f-3e455660e3d8",
            "client-request-id": "3f3793b8-02d6-4653-a14f-3e455660e3d8"
        }
    }
}
We are facing the same issue; the error exists in some of our test tenants, and it is thrown by Microsoft when we use the application permission to make the request.
The requests with the delegate permission token work without any issue.
Microsoft adds some permissions.
https://learn.microsoft.com/de-de/graph/api/channel-list?view=graph-rest-beta&tabs=http
Do you have the application permissions?
Do you use the beta endpoint?
Look at this: https://learn.microsoft.com/de-de/microsoftteams/platform/graph-api/rsc/resource-specific-consent
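Added example (not from any poster on this page): the odata.error body in the TFS migration question and the error body in this thread use different envelopes, and the second one embeds the URL of the backend call that actually failed. The sketch below normalizes both for logging or triage; the bodies are copied from this page (second message abridged) and the function name is hypothetical.

```python
import json
import re

# Error bodies quoted on this page; the second message is abridged.
AAD_GRAPH_BODY = """{"odata.error": {"code": "Authentication_Unauthorized",
 "message": {"lang": "en", "value": "User was not found."},
 "requestId": "58c4cabc-dd67-4ce8-9735-134a7e0df60c",
 "date": "2020-09-14T20:07:49"}}"""
MS_GRAPH_BODY = """{"error": {"code": "Unauthorized",
 "message": "Failed to execute Aad backend request GetUsersByObjectIdsRequest. Request Url: https://graph.windows.net/myorganization/getObjectsByObjectIds?api-version=1.61-internal, Request Method: POST, Response Status Code: Unauthorized",
 "innerError": {"date": "2020-10-16T15:23:45",
  "request-id": "3f3793b8-02d6-4653-a14f-3e455660e3d8"}}}"""

BACKEND_URL = re.compile(r"Request Url: ([^,\s]+)")


def normalize_graph_error(body: str) -> dict:
    """Flatten either error envelope into one record."""
    doc = json.loads(body)
    if "odata.error" in doc:  # Azure AD Graph (graph.windows.net)
        err = doc["odata.error"]
        msg = err.get("message")
        # Here the message is an object with lang/value, not a plain string.
        text = msg.get("value", "") if isinstance(msg, dict) else (msg or "")
        out = {"api": "aad-graph", "code": err.get("code"), "message": text,
               "request_id": err.get("requestId"), "date": err.get("date")}
    elif "error" in doc:  # Microsoft Graph (graph.microsoft.com)
        err = doc["error"]
        inner = err.get("innerError") or {}
        out = {"api": "ms-graph", "code": err.get("code"),
               "message": err.get("message") or "",
               "request_id": inner.get("request-id"), "date": inner.get("date")}
    else:
        raise ValueError("not a Graph error envelope")
    # A relayed failure names the backend URL in the message text; surface it
    # so the record shows which service really rejected the call.
    m = BACKEND_URL.search(out["message"])
    out["backend_url"] = m.group(1) if m else None
    return out


if __name__ == "__main__":
    for body in (AAD_GRAPH_BODY, MS_GRAPH_BODY):
        print(normalize_graph_error(body))
```
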

When using the Graph API to access a folder on a SharePoint site, we get the following “itemNotFound” error

Problem:
In only one of our three Office 365 tenants, a Graph call fails with an itemNotFound error. The other two tenants work as expected.
Case:
When using the Graph API to access a folder on a SharePoint site, we get the following "itemNotFound" error:
{
    "error": {
        "code": "itemNotFound",
        "message": "The resource could not be found.",
        "innerError": {
            "request-id": "4ea1730c-1b1d-4993-8335-4e10cc3b47c1",
            "date": "2020-04-27T09:15:37"
        }
    }
}
Query Information:
This is the final query that fails: https://graph.microsoft.com/v1.0/sites/54929188-6c44-4555-a85b-27a698b9b572/drive/root:/InvestmentTemplate
To find information to "build" the query that fails, we are using this query to find the site id: https://graph.microsoft.com/v1.0/sites/testnrep.sharepoint.com:/sites/DocumentTemplates
To recreate test data:
Create a site with the url "/sites/DocumentTemplates"
Add a folder named "InvestmentTemplate" to the Shared Document library
The full folder url: https://ZXY.sharepoint.com/sites/DocumentTemplates/Shared%20Documents/InvestmentTemplate
Re-stating comment above as answer as this appears to address your scenario.
I reproduced a similar scenario in my lab environment. The query succeeds when running as a tenant administrator. Query fails as a normal user. I removed all permissions granted to Graph Explorer and added them back one by one. Once I granted Files.Read.All (not just Files.Read) for the non-admin user I was then able to successfully query a similar endpoint.
As for the ":/" syntax, yes that is common to use a ":" when specifying a relative location within the siteUrl or path in a document library. See examples for site-id using relative URL or relative path within document library.

Microsoft Graph API - SendMail http 400 - API url from documentation not working

My application sends email using Microsoft Graph. We followed the documentation, this was working as expected for almost a year:
https://graph.microsoft.com/v1.0/users/me/microsoft.graph.sendmail
Since 3/8/2019, the same code sendmail API in PROD started failing with the HTTP 400 - Bad Request:
{
    "error": {
        "code": "TargetIdShouldNotBeMeOrWhitespace",
        "message": "Id is malformed.",
        "innerError": {
            "request-id": "0de5a4eb-dac4-4d98-a4b4-178e503a6657",
            "date": "2019-03-19T17:16:20"
        }
    }
}
As a part of the investigation, we found that the SendMail documentation has a different URL used in the examples than the API help section. We were successful when calling this URL:
https://graph.microsoft.com/v1.0/me/sendmail
Questions:
It clearly looks like some update to the Graph API happened around 3/8/2019 that stopped the earlier URL from working.
The documentation has 2 URLs that are misleading/confusing: one is in the API help section and one in the examples. As of now the API URL in the help section is no longer working. That should be fixed with the correct URL to be used.
Why was a breaking change like this introduced that caused a PROD outage for our application?
What is the official channel to get these changes?
The correct URI is https://graph.microsoft.com/v1.0/me/microsoft.graph.sendmail (not /me)
The correct API route is: https://graph.microsoft.com/v1.0/me/sendMail
You can find more practical samples here: https://developer.microsoft.com/en-us/graph/graph-explorer#

Microsoft Graph Calendar API - TargetIdShouldNotBeMeOrWhitespace error

We use Microsoft Graph APIs to create a calendar in Outlook.
Following is the HTTP request:
POST https://graph.microsoft.com/v1.0/users/me/calendars
Content-type: application/json
{
    "name": "My Calendar"
}
It was working for the last 2 years. Suddenly it is throwing an error as follows:
{
    "error": {
        "code": "TargetIdShouldNotBeMeOrWhitespace",
        "message": "Id is malformed.",
        "innerError": {
            "request-id": "78bce863-d6fb-4ea9-b0f8-e5097010cef6",
            "date": "2019-03-23T11:54:34"
        }
    }
}
When we searched the documentation (https://learn.microsoft.com/en-us/graph/api/user-post-calendars?view=graph-rest-1.0), we found the API URL has been changed.
When was a critical update like this rolled out, which caused breakage in our flows?
Is there any official channel/group notifying these changes?
Similar question for the mail APIs: Microsoft Graph API - SendMail http 400 - API url from documentation not working
The correct URI is /me, not /users/me. Behind the scenes, /me is just an alias for /users/{id}. Asking for /users/me would be the equivalent of asking for /users/users/me.
It sounds like you were making use of an unintended behavior. It stopped working when that behavior was corrected.
