I'm trying to add an Azure AD B2C user with the Microsoft Graph API to a group.
I've tried this documentation: https://learn.microsoft.com/de-de/graph/api/group-post-members?view=graph-rest-1.0&tabs=http
In Postman it looks like this:
I have a valid token. The GUID of the group and the GUID of the user are correct. And I think that I have given all the needed permissions to my client:
But (if you look at the Postman screenshot) I get the error: "Insufficient privileges to complete the operation."
Does someone know what I'm doing wrong?
Thank you in advance for your help
Best regards
Matthias
In the same directory, we can add an Azure AD B2C user with the Microsoft Graph API to an AD group.
You can see the directories to which you belong in the upper right corner of your AD and B2C portals.
I reproduced your problem with two different directories. That is, the AD and B2C directories are different.
Thank you to @JasSuri. Your hint to decode the token helped me. In this token the roles were these:
"roles":["User.ReadWrite.All","User.Invite.All","User.Read.All","User.Export.All","User.ManageIdentities.All"]
But in the app registration in the Azure portal I had set more permissions. Then I registered the app again, in my opinion with the same settings. And now I have more roles:
"roles":["User.ReadWrite.All","Group.Read.All","Directory.ReadWrite.All","Group.ReadWrite.All","User.Invite.All","Directory.Read.All","User.Read.All","GroupMember.Read.All","User.ManageIdentities.All","GroupMember.ReadWrite.All"]
And now it's working. So I don't know what I did wrong, but now with the newly registered app it works.
Thank you to all for your help!
Best regards
Matthias
Related
I have a custom developed Windows service that until recently used basic authentication to access an O365 mailbox over POP and pull the contents on a predefined schedule. Microsoft recently announced that they were dropping the support for basic authentication and I should be using OAuth 2 instead. I have followed the steps in this article and my application has the necessary permissions in the Azure portal. I'm still running into an issue.
I can successfully generate the OAuth token. When I try to use said token to authenticate I get "Authentication failure: unknown user name or bad password". No further details are available. I tried Microsoft support but they only referred me to guides I've already followed. Any help is greatly appreciated!
After three days of scratching my head I finally stumbled upon the answer. Turns out that according to Microsoft ObjectID is different from ObjectID. Because logic! Two different interfaces for the same thing with two different ObjectIDs. You need the one on the right when giving permissions to the mailbox.
We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user; there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular Outlook mailbox called my.test@org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need to
give application permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
-AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
-PolicyScopeGroupId EvenUsers@contoso.com <-- would I put here my.test@org.com or the ID of the security group?
-AccessRight RestrictAccess
-Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed? It seems strange that in the first step we can only give tenant-wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps look good to me and I would do the same as well. Just provide the necessary Graph permissions while you grant permissions to access your/others' mailboxes, as described in the documentation/steps.
I am developing an app in Microsoft Teams using the App Studio. Towards the end of the process, in the section Domains and Permissions, you are allowed to give resource-specific consent permissions such as File.Read.Group. I was wondering where I would use these permissions (Microsoft Graph, Azure AD Graph, ...) to programmatically access an API. As a side question, does anybody know which permission allows the app to manage group members?
Thank you!
Here is a good read on that permissions settings page. Those consent permissions are not actually a part of Azure AD app registrations as of this article's writing. So that means while they are sort of Graph permissions, you would use them against the Graph API. They are for specific Teams-based resource-specific permissions.
https://blog.thoughtstuff.co.uk/2020/01/microsoft-teams-has-a-new-more-granular-and-resource-specific-permissions-model-for-apps-what-is-resource-specific-consent-rsc-and-how-do-i-use-it/
The official documentation on the matter: https://learn.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent
As per the Microsoft link, I don't see a resource-specific permission to "edit" group members.
I want to start doing some development with the preview edition of the Microsoft Teams APIs.
I currently have a solution working using the Azure AD v2 Endpoint but I wanted to get a working solution using the v1 Endpoint.
I can't find any Microsoft Teams permissions available in the Azure AD portal and I didn't see anything specifically about this in the Known Issues for the Teams API.
Can anyone comment on whether there are any options for a pure v1 Endpoint solution using application registration available right now? If not, is it planned?
The v1 Endpoint uses the same permissions as the v2 Endpoint. The primary difference between the two is that v2 scopes can be dynamically requested during authentication while the v1 Endpoint requires permissions to be pre-defined within the registration.
When using the Azure Portal, all of the permissions for Teams show up under "Microsoft Graph". For the Teams you'll generally need User.Read and Group.ReadWrite.All. The Azure Portal lists permissions by description (although you can see the underlying scope name in the tooltip):
Sign in and read user profile (user.read)
Read and write all groups (Group.ReadWrite.All)
Note that Group.ReadWrite.All does require Admin Consent. Before you can authenticate normal users, you will first need to have an Administrator go through the Admin Consent process.
I'm posting this as the answer, because I'm pretty certain this will trip up other developers out there. Up to this point, when getting an access token for AAD v1 apps that use Microsoft Graph, you use "https://graph.windows.net" as the Resource ID. The interwebs are replete with this example, and I have it in my own code that I use for OneNote and other services.
Now with the Graph endpoint for connecting to Teams (and probably other things), the Resource ID you need to use is "https://graph.microsoft.com". Just ran through a quick test using an AAD v1 app with the Microsoft Graph API and Read All Groups permission. I'm sure there's an explanation out there from some MSFT person that might make sense, but I have not found it after many hours of searching the web.
Hope this helps someone.
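Two answers on this page point at the same diagnostic: inspect the token before blaming the API call. The B2C thread found that the token's "roles" claim lacked any group-write permission, and the v1 endpoint answer found that a token minted for "https://graph.windows.net" is not accepted by "https://graph.microsoft.com". The following script is an added example, not code from either poster; it decodes the payload of a JWT (without verifying the signature, which Graph does on its side), reports whether the audience matches the Graph resource and whether any application role sufficient for POST /groups/{id}/members/$ref is present, and builds the request from the group-post-members reference linked in the question. The tokens it checks are constructed inline from the two role lists quoted in the thread; the helper names and the placeholder GUIDs are assumptions made for this example.

```python
import base64
import json

GRAPH_RESOURCE = "https://graph.microsoft.com"    # audience for Microsoft Graph
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Graph's own app id, also seen as "aud"
AAD_GRAPH_RESOURCE = "https://graph.windows.net"  # legacy Azure AD Graph audience

# Application permissions, any one of which allows POST /groups/{id}/members/$ref
# according to the group-post-members reference the question links to.
ADD_MEMBER_ROLES = ("GroupMember.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    Inspection only: the signature is NOT verified here; Graph verifies it on use."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, resource: str = GRAPH_RESOURCE,
                acceptable_roles=ADD_MEMBER_ROLES) -> dict:
    """Explain, before the call is made, why Graph might reject the token:
    wrong audience, or no application role that permits adding group members.
    'tenant' is reported because a token from a different directory than the
    group's will also fail, as the accepted answer in the B2C thread notes."""
    claims = decode_claims(token)
    aud = claims.get("aud", "").rstrip("/")
    accepted_aud = {resource}
    if resource == GRAPH_RESOURCE:
        accepted_aud.add(GRAPH_APP_ID)
    granted = sorted(set(claims.get("roles", [])) & set(acceptable_roles))
    return {
        "tenant": claims.get("tid"),
        "audience": aud,
        "audience_ok": aud in accepted_aud,
        "granted_roles": granted,
        "roles_ok": bool(granted),
    }


def member_ref_request(group_id: str, user_id: str) -> tuple:
    """URL and JSON body for adding a directory object to a group, per the linked docs."""
    url = f"{GRAPH_RESOURCE}/v1.0/groups/{group_id}/members/$ref"
    body = {"@odata.id": f"{GRAPH_RESOURCE}/v1.0/directoryObjects/{user_id}"}
    return url, body


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED token with a placeholder signature, for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.placeholder-signature"


# Constructed claim sets mirroring the two role lists quoted in the B2C thread.
TOKEN_BEFORE = make_unsigned_token({
    "aud": GRAPH_RESOURCE, "tid": "<b2c-tenant-guid>",
    "roles": ["User.ReadWrite.All", "User.Invite.All", "User.Read.All",
              "User.Export.All", "User.ManageIdentities.All"],
})
TOKEN_AFTER = make_unsigned_token({
    "aud": GRAPH_RESOURCE, "tid": "<b2c-tenant-guid>",
    "roles": ["User.ReadWrite.All", "Group.Read.All", "Directory.ReadWrite.All",
              "Group.ReadWrite.All", "User.Invite.All", "Directory.Read.All",
              "User.Read.All", "GroupMember.Read.All", "User.ManageIdentities.All",
              "GroupMember.ReadWrite.All"],
})
# Constructed token minted for the legacy Azure AD Graph resource (the v1 endpoint pitfall).
TOKEN_WRONG_AUDIENCE = make_unsigned_token(
    {"aud": AAD_GRAPH_RESOURCE, "tid": "<tenant-guid>", "roles": ["Group.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("before", TOKEN_BEFORE), ("after", TOKEN_AFTER),
                      ("wrong audience", TOKEN_WRONG_AUDIENCE)):
        print(name, check_token(tok))
    print(member_ref_request("<group-guid>", "<user-guid>"))
```

Run it with a real access token pasted in place of the constructed ones and the "granted_roles" list shows at a glance whether the app registration's admin consent actually made it into the token; an empty list with the right audience reproduces the "Insufficient privileges" case from the question, and an audience of graph.windows.net reproduces the v1 resource ID mix-up.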
I'm trying to figure out how to create an AdWords developer token in the new Google interface. It was in the settings tab formerly (right here at the screenshot http://take.ms/9lBlZ) but now it's gone. I looked through almost all links and didn't find an answer. So I really appreciate your help guys! Thanks!
If you create a campaign in your MCC (manager account), the MCC becomes a normal account, and you can't find the "AdWords API Center" option.
I had to re-create another MCC
This thread is kind of old, but I just went through this so I can highlight the things that were confusing to me.
You need to create a legitimate MCC account, AND a test account. In the real one you need to apply for a developer token. You want to put this token in the properties file here api.adwords.developerToken
From your test MCC you need to create a test client. Use the clientId from the TEST client you just created in api.adwords.clientCustomerId in the properties file.
You need to get an API token for your app (and an OAuth token) through Google's developer console https://console.developers.google.com
Make sure the active google account session for your browser is for the email you registered your TEST Account to. Run the script they give to get the refresh token and put it here api.adwords.refreshToken in the properties file.
Now you're using your developer token from your real account and have been given permissions to use the test account.
Google made this way more confusing than it had to be in my opinion...hopefully this helps someone figure it out though!
There are two types of Adwords Manager accounts, normal and testing.
How to get a testing account
With the normal one, I got the developer token but I cannot run anything through the API because the account was not approved.
So I created a testing account, which allows working with the API without the need of being approved.
With the testing account I didn't see the AdWords API Center link under Account Settings.
Reading the documentation I saw the developer token of a normal account can be used with a different AdWords account.
So I'm using the info (client_id, client_secret, oauth_token) of a testing AdWords account and the developer token of a normal AdWords account.
To get the oauth_token you can use the OAuth Playground (remember to set the Playground link for redirection on your OAuth credentials).
Instructions to get an OAuth Playground with AdWords
Please complete the billing details after creating the MCC account.
Once that is completed you can see the API Center option under the Tool icon.
Filling in billing details doesn't charge you; it's just for verification purposes.
I just had the same issue.
Go here: https://ads.google.com/home/tools/manager-accounts/
Click "Create a manager account", follow the prompts and voila.