my program through a Graph API call accesses channel messages. I have a problem. For one Azure application it works but for another it doesn't.
The two applications have the same Api authorization. What can it be?
var c = Task.Run(() =>
graphClient.Teams[teams].Channels[channelId].Messages
.Request()
.GetAsync());
It's the error:
Code: UnknownError
Inner error:
AdditionalData:
date: 2020-08-28T12:15:04
request-id: 3026d5b8-8178-45f0-97a2-103d5a602b33
ClientRequestId: 3026d5b8-8178-45f0-97a2-103d5a602b33
It's Api authorization
List channel messages is included in Protected APIs in Microsoft Teams.
To request access to these protected APIs, complete the following request form.
The form requires you to enter the "App id(s) to enable application permissions for".
After that the 403 error will be fixed.
Related
I have a web application which uses App only tokens to override the end user's permission to retrieve all Site Collections in the tenant. When attempting to use the boiler plate code provided in the example with one minor change, the Graph API is returning accessDenied when attempting to issue the call https://graph.microsoft.com/v1.0/sites?search=*. If I remove WithAppOnly(), the call succeeds [if Delegated rights for Sites.Read.All is assigned]. The Azure AD registered app has admin approved Application-scoped Sites.Read.All assigned to it.
var queryOptions = new List<QueryOption>()
{
new QueryOption("search","*")
};
var sites = await graphServiceClient.Sites.Request(queryOptions)
.WithAppOnly()
.WithScopes("Sites.Read.All")
.GetAsync();
ServiceException: Code: accessDenied
Message: Access denied
Inner error:
AdditionalData:
date: 2021-03-20T21:45:27
request-id: 16933bd6-5e7f-4820-9563-fec75575c9b2
client-request-id: 16933bd6-5e7f-4820-9563-fec75575c9b2
ClientRequestId: 16933bd6-5e7f-4820-9563-fec75575c9b2
You need to add Sites.Read.All of applicaiton permission in the Azure portal.
Note: Click the , because this permission is admin consent required.
Try to test with client credentials flow.
// Get access token
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={client_id}
&scope=https://graph.microsoft.com/.default
&client_secret={client_secret}
&grant_type=client_credentials
// Call MS Graph API
GET https://graph.microsoft.com/v1.0/sites?search={query}
I'm trying to download a file located in a M365 site via the Graph API. If I reference the site via "hostname,siteID,webID", the request works via HttpClient, the Graph API SDK and Graph Explorer:
https://graph.microsoft.com:443/v1.0/sites/hostname.sharepoint.com,fe0f6782-2cc6-447a-938f-bf6a379ed791,133e22cf-9a72-4ff2-a700-c0accacdcc8d/lists/Documents/drive/items/017TIGYVRADE3TAWYAQZBI3ET6GTHX77QO/content
If I try to reference the site via the site relative URL method, the request fails if there is information beyond the "drive" part of the URL:
https://graph.microsoft.com:443/v1.0/sites/hostname.sharepoint.com:/sites/MySiteCollection:/lists/Documents/drive/items/017TIGYVRADE3TAWYAQZBI3ET6GTHX77QO/content
ServiceException: Code: BadRequest Message: Url specified is invalid.
Inner error:
AdditionalData:
request-id: d897756c-f135-4ac2-85e3-454e8a8fd627
date: 2020-05-04T14:47:07 ClientRequestId: d897756c-f135-4ac2-85e3-454e8a8fd627
The query works fine until just after expressing the "Documents" list as a Drive.
This works: https://graph.microsoft.com:443/v1.0/sites/hostname.sharepoint.com:/sites/MySiteCollection:/lists/Documents/drive
This doesn't work: https://graph.microsoft.com:443/v1.0/sites/hostname.sharepoint.com:/sites/MySiteCollection:/lists/Documents/drive/
Why doesn't the server relative URL method of accessing a site work?
I'm trying to create a private channel in a Team using the Microsoft Graph API. I'm using the beta API because the membershipType (to make the channel private) is not available in the 1.0 API. My code was working fine until yesterday, now I get a 502 Bad Gateway error, with message Failed to execute backend request. :
Server error: `POST https://graph.microsoft.com/beta/teams/{my-team-id-is-here}/channels` resulted in a `502 Bad Gateway` response:
{
"error": {
"code": "BadGateway",
"message": "Failed to execute backend request.",
"innerError": {
"request-id": "2ceece83-e3ff-455d-bc7b-b82f5454269f",
"date": "2020-04-17T12:45:12"
}
}
}
The JSON body sent with this request :
displayName = "Private Channel Test"
membershipType = "private"
description = "Test"
I have all the privileges in my AccessToken and I am Owner of this team. If I switch to the 1.0 API with the same code, the channel get created, but is public, which is correct because the membershipType is not available in this API, but here I need to create private channels, not public.
The scope of my Token :
Files.ReadWrite.All Group.ReadWrite.All GroupMember.Read.All offline_access openid People.Read.All profile Sites.Read.All Sites.ReadWrite.All User.Read User.Read.All
Did anyone ever had this problem, and a solution?
The problem is that I reached the limit of 30 private channels, even though my private channels are all «deleted», they are still available to restore for 30 days, after what they are permanently deleted. I tested with a new Team and my code is working fine.
It would be nice to have a detailed error, I wouldn't have spent time debugging what is not really a bug.
When trying to create a private channel from Microsoft Teams, I get the error «Your team has reached the maximum number of private channels.». I should have tried this before...
More information here : https://learn.microsoft.com/en-us/microsoftteams/private-channels
I was successfully creating private channels using the v1.0 API, because it's supported now.
The JSON content of the request requires at least one owner.
I recieved this error when I (accidentally) attempted to specify owners in the JSON that weren't members of the Team.
I am testing Get Chat Microsoft Graph API (which is still in Beta) and it seems to work successfully when it is called from Graph Explorer (which uses an user token), instead when I call this API from Postman with an application token, I get 401 Unauthorized with an Unknown Error as response.
https://graph.microsoft.com/beta/users/<user-id>/chats/<conversation-id>
My App Registration on Azure has these permissions:
And the decoded application token contains:
"aud": "https://graph.microsoft.com",
"roles": ["User.Read.All", "Chat.Read.All" ]
The same token it works for the Get User API
https://graph.microsoft.com/beta/users/<user-id>
Basically, it seems to have problems only the GET Chat API when called with an application token, although the documentation says it is supported. Am I missing something in the App Registration configuration?
EDIT
As I have already explained in the comments, this question doesn't help me, since:
audit is correct
permissions are present in the token and are granted by the admin in the App registration
scope is correct
Should I check something else?
Have you seen this message on the (English) documentation page?
Before calling this API with application permissions, you must request access. For details, see Protected APIs in Microsoft Teams.
It seems like Microsoft has implemented an extra layer of security for apps accessing "Teams" endpoints.
Trying to post events to user calendars for our organization. Getting a 401 error.
Azure admins created an app/user, and gave permissions
Delegated Graph Permissions: Calendars.ReadWrite
App graph permissions: Calendars.ReadWrite
I can connect to the OAuth token generation end point, and retrieve a token. Using that token, I can't send my JSON payload and create a series of calendar events, I get a 401. The JSON is known good - I can copy/paste it into the graph explorer tool and get correct results.
I've examined a generated token using jwt.ms and I'm not seeing anything related to permissions, calendars, etc.
Our Azure logins use empIDnumber#example.com and I've been told that is what our userPrincipalName is
I've tried changing the URL end point with no change-
/v1.0/users/empIDnumber#example.com/calendar/events
and
/v1.0/users/empIDnumber#examplecom.onmicrosoft.com/calendar/events
Where should I look next?
Solved.
Slight typo in the content of the JSON I was sending, was only able to find it by doing the POST using postman. Java was throwing an exception, not showing the returned string as well as the exception message, but postman showed the returned JSON with content regarding malformed date/time.
Still got 401 exceptions though, so The Fix Part II was to add an Accept-Encoding property set to application/json to my http client request options array.
Still no claims showing up in my tokens, but that is a non-issue apparently.