I am O Auth 2 authorization code flow to Authenticate to Azure and Invoke Graph APIs for Intune (by delegated app that was created in Intune for access to API).
Following permissions has been provided at the APP registered in Azure under my organization tenant.
https://graph.microsoft.com/DeviceManagementApps.Read.All https://graph.microsoft.com/DeviceManagementConfiguration.Read.All https://graph.microsoft.com/DeviceManagementManagedDevices.Read.All https://graph.microsoft.com/User.Read
API under scope:
https://graph.microsoft.com/v1.0/deviceManagement/detectedApps
https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps```
I am getting the following error both at Mobile APP level and Postman. Could you please help me to identify the issue?
{
"error": {
"code": "UnknownError",
"message": {
"ErrorCode": "Forbidden",
"Message": {
"_version ": 3,
"Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: c85eb7ab-687d-4780-bd88-94a3b52e7df7 - Url: https://fef.msub02.manage.microsoft.com/DeviceConfiguration_2008/StatelessDeviceConfigurationFEService/deviceManagement/deviceConfigurations?api-version=2020-02-21",
"CustomApiErrorPhrase": "",
"RetryAfter": null,
"ErrorSourceService": "",
"HttpHeaders": {
"WWW-Authenticate": "Bearer realm=urn:intune:service,bb7003b9-cb7f-44b2-b534-54f84f2f0d63,f0f3c450-59bf-4f0d-b1b2-0ef84ddfe3c7"
}
},
"Target": null,
"Details": null,
"InnerError": null,
"InstanceAnnotations": []
},
"innerError": {
"date": "2020-09-02T21:09:14"
"request-id": "c85eb7ab-687d-4780-bd88-94a3b52e7df7",
}
}```
You can try using the Global Administrator role or a Global reader role to read the intune data as there is a necessity of having these roles. After giving any of these roles, try the below calls with their respective permissions.
https://graph.microsoft.com/v1.0/deviceManagement/detectedApps
https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps
Related
I have setup a work account on Azure and add permissions "User.ReadBasic.All", "MailboxSettings.Read", "Calendars.ReadBasic.All" with application type
I can use client credential flow to get the access token successfully
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
the token can be parsed by https://jwt.ms with proper role
"roles": [
"User.ReadBasic.All",
"MailboxSettings.Read",
"Calendars.ReadBasic.All" ]
I can query user information successfully using the token
https://graph.microsoft.com/v1.0/users/{userid}
But it returns error 401 when query calendar or mailboxSettings
https://graph.microsoft.com/v1.0/users/{userid}/calendar/calendarView?startdatetime=2021-12-23T08%3A00%3A00.000Z&enddatetime=2022-12-23T18%3A00%3A00.000Z
https://graph.microsoft.com/v1.0/users/{userid}/mailboxSettings
Both return error below
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2023-01-05T11:06:14",
"request-id": "xxx",
"client-request-id": "xxxx"
}
} }
Is "MailboxSettings.Read" and "Calendars.ReadBasic.All" enough for the above query, or need more permissions like Calendars.Read / Calendars.ReadWrite / MailboxSettings.ReadWrite ?
Also for permission of calendar, which one is a higher permission, is the below correct?
Calendars.Read < Calendars.ReadBasic.All
Could you please try by providing user.ReadAll permission instead of User.ReadBasic.All
I want to search email using Graph API in my own developed application. By referring to these threads - Graph Api: Region is required when request with application permission , How to use Graph API Sharepoint Search from console app , Search content with application permissions , I tried to run the search which resulted in Application permission is only supported for the following entity types:site, list, listItem, drive and driveItem. (Request and response json is below).
Does it mean that using an app like a console application developed in C# will not be able to search the emails (as message is not mentioned in error response - only these are mentioned: site, list, listItem, drive and driveItem) even if it has required secret, auth token and permissions?
Request:
URL : https://graph.microsoft.com/beta/search/query
Request Payload:
{
"requests": [
{
"entityTypes": [
"person"
],
"query": {
"queryString": "contoso"
},
"Region" : "NAM",
"from": 0,
"size": 25
}
]
}
Response:
{
"error": {
"code": "System.UnauthorizedAccessException",
"message": "Application permission is only supported for the following entity types:site, list, listItem, drive and driveItem.",
"target": "",
"httpCode": 403
},
"Instrumentation": {
"TraceId": "7174e417-a2fe-02e5-1523-1fcda7a66886"
}
}
I am trying to add user using Microsoft graph API.
I have provided the consent for all the permissions required.
POST https://graph.microsoft.com/v1.0/users
Request body that is send to the post request.
{
"accountEnabled": true,
"displayName": "Adele Vance",
"mailNickname": "AdeleV",
"userPrincipalName": "AdeleV#contoso.onmicrosoft.com",
"passwordProfile": {
"forceChangePasswordNextSignIn": true,
"password": "xWwvJ]6NMw+bWH-d"
}
}
Error that is received in response
{
"error": {
"code": "",
"message": "No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:0ff49e4749deeaf2')/profile?api-version=AGSV1-internal'.",
"innerError": {
"date": "2021-02-04T10:41:56",
"request-id": "025218e1-191c-464f-adf3-f0cdc5fcebfd",
"client-request-id": "c071d220-2f14-d7fa-956e-cd45ccbdc735"
}
}
}
Is there something that I am missing?
I have also gone through the docs for adding user provided by Microsoft.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http
What you said in the comment is correct, the document has detailed instructions, it does not support Microsoft personal accounts.
You will have to check the end point are you using to authorize in order to obtain the token.
If you are using a tenant specific end point
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
Try replacing with the common endpoint
https://login.microsoftonline.com/common/oauth....
I have an application that fetches profile data using Microsoft Graph APIs. The application should be able to fetch profiles for both Work/School Azure account and consumer Azure accounts. The issue I have is that when I am retrieving data that is exposed on Work/School accounts but not a consumer accounts, I get a 404 error. In other words, my application should handle Work/School accounts and consumer accounts the same, only fetching data that is exposed by Microsoft Graph for a consumer account without returning an error when data is unexposed.
Calling this endpoint https://graph.microsoft.com/v1.0/me/ with authorization token for a consumer account, I get the following response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(etc)/$entity",
"displayName": "<fullname>",
"surname": "<lastname>",
"givenName": "<firstname>",
"id": "value",
"userPrincipalName": "value#hotmail.com",
"businessPhones": [],
"jobTitle": null,
"mail": null,
"mobilePhone": null,
"officeLocation": null,
"preferredLanguage": null
}
Calling https://graph.microsoft.com/v1.0/me/?$select=birthday with a Work/School account, I get data I can work with. Meanwhile calling https://graph.microsoft.com/v1.0/me/?$select=birthday with the same authorization token returns:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"request-id": "5dac0b98-0335-4de2-b8fa-3b9a2dfbe378",
"date": "2019-04-26T23:23:21"
}
}
}
Is there any way to retrieve the profile data for a consumer account while still attempting to retrieve the unexposed data in a Work/School account without getting a 404 returned?
Since you are requesting data that doesn't exist (birthday), you should be getting a 404 Not Found response. Per RFC 7231 Section 6.5.4 :
The 404 (Not Found) status code indicates that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
This is the new error message that I am encountering now. When trying out graph explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) to execute office 365 APIs using my company account, I am encountering an error below when using APIs for Outlook Mail and Calendar. Same error encountered for the applications that I have downloaded in Github. Applications that are trying to access the calendar APIs. I have also tried to create a developer account for office 365 and it has the same error message when accessing the APIs.
It looks like an access issue and/or admin privilege is needed.
Error response:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource could not be discovered.",
"innerError": {
"request-id": "351f57d5-3bdb-4c6f-a06c-b204f23d0eda",
"date": "2018-06-13T03:12:28"
}
}
}
But I can access User APIs. Like getting my profile details in OSM AD.
Successful response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id": "987f2dcf-a66c-4f14-a180-41e2eac0b65c",
"businessPhones": [
"+47 37 50 46 15"
],
"displayName": "Teemee F Tang",
"givenName": "Teemee F",
"jobTitle": null,
"mail": "Teemee.Tang#osm.no",
"mobilePhone": "+63 947 33 71109",
"officeLocation": null,
"preferredLanguage": null,
"surname": "Tang",
"userPrincipalName": "Teemee.Tang#osm.no"
}
I just login my account in https://outlook.office365.com. After that I can already use my company account with Microsoft Graph.