We have created a WP that we have published to Teams that would give owners the possibility to modify the external sharing setting ("AllowToAddGuests") from a tab in their Teams.
We are experiencing a problem when we try to do the set of AllowToAddGuests using an owner account.
The Teams app has:
{
"resource": "Microsoft Graph",
"scope": "Directory.ReadWrite.All"
}
As per MS Graph docs
https://learn.microsoft.com/en-us/graph/api/directorysetting-update?view=graph-rest-beta&tabs=http
should work fine with delegated.
If I execute the graph call in the graph explorer using the owner user it gives the same access error.
All permissions are granted at admin level.
If a global admin is used, then all works fine.
The error I am receiving is the following:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-07-02T15:18:56",
"request-id": "84fe9be9-a4b0-4023-93e6-68dd780ce2ea"
}
}
}
Does the owner have the possibility to change the flag AllowToAddGuests, or should I do this via an App reg?
Thanks for the answers.
Alex
I am posting this here so that if anybody looks for the same information, they have it here.
At the time of this writing, the answer we got from Microsoft is that for this call to work, the user performing the call (in our case one of the owners) needs to also be a Group Administrator. For our use case this was not doable as any user in the company can potentially be an owner of a MS Teams.
The solution we have chosen is to use application permission with Directory.ReadWrite.All to perform the call. This works as expected now.
Microsoft has also promised they will update the documentation in order to include the current information.
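The app-only path described in the answer above, as an added example that is not code from the original post or from Microsoft: the client-credentials token request goes to a tenant-specific authority (never /common) with the .default scope, and the directory setting is then updated with a PATCH to the beta settings endpoint. The tenant id, client id, secret and directorySetting id are placeholders; the body shape ({"values": [{"name": "AllowToAddGuests", "value": "false"}]}) and the 204 success status are assumptions based on the linked directorySetting-update documentation. Requests are sent through an injectable transport so the flow can be exercised offline.

```python
"""Update the AllowToAddGuests directory setting with application permissions
(client credentials), the approach the answer above settled on."""
import json
from typing import Callable, Dict, Tuple
from urllib import error, parse, request

# Placeholder values: replace with your tenant, app registration and setting id.
TENANT_ID = "<tenant-id-placeholder>"
CLIENT_ID = "<client-id-placeholder>"
CLIENT_SECRET = "<client-secret-placeholder>"
SETTING_ID = "<directorySetting-id-placeholder>"

# A transport takes (method, url, headers, body) and returns (status, body bytes).
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Real HTTP transport using only the standard library."""
    req = request.Request(url, data=body, method=method, headers=headers)
    try:
        with request.urlopen(req) as resp:
            return resp.status, resp.read()
    except error.HTTPError as exc:  # Graph returns a JSON error body on 4xx
        return exc.code, exc.read()


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Client-credentials grant against the tenant-specific authority.
    Application permissions need a tenant-specific authority, so /common is never used."""
    authority = f"https://login.microsoftonline.com/{tenant_id}"
    body = parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # uses the granted app permissions
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", f"{authority}/oauth2/v2.0/token", headers, body


def build_setting_patch(setting_id: str, token: str, allow_guests: bool):
    """PATCH body for the directorySetting; Graph expects the value as a string."""
    url = f"https://graph.microsoft.com/beta/settings/{setting_id}"
    body = json.dumps({
        "values": [{"name": "AllowToAddGuests", "value": "true" if allow_guests else "false"}]
    }).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return "PATCH", url, headers, body


def set_allow_to_add_guests(allow_guests: bool, transport: Transport = urllib_transport,
                            tenant_id: str = TENANT_ID, client_id: str = CLIENT_ID,
                            client_secret: str = CLIENT_SECRET, setting_id: str = SETTING_ID) -> dict:
    """Acquire an app-only token, then update the setting. Returns a small result dict
    so a caller can log the Graph error code (e.g. Authorization_RequestDenied) on failure."""
    status, raw = transport(*build_token_request(tenant_id, client_id, client_secret))
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}: {raw[:200]!r}")
    token = json.loads(raw)["access_token"]

    status, raw = transport(*build_setting_patch(setting_id, token, allow_guests))
    if status == 204:  # assumed success status for the PATCH
        return {"ok": True, "status": status, "code": None, "message": None}
    err = json.loads(raw or b"{}").get("error", {})
    return {"ok": False, "status": status, "code": err.get("code"), "message": err.get("message")}


if __name__ == "__main__":
    # With real placeholder values filled in, this performs the live call.
    print(set_allow_to_add_guests(False))
```

The token step uses the application's own identity, so the calling user's directory role (the Group Administrator requirement mentioned above) no longer matters; what matters is that Directory.ReadWrite.All has been admin-consented as an application permission.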
Related
We are trying to identify SharePoint sites a user has access to using Graph API. This is working just fine for internal users. However, when we try this for an external user (already guested in Azure AD), we are getting the error below:
{
"error": {
"code": "itemNotFound",
"message": "Item not found",
"innerError": {
"date": "2022-06-20T16:28:01",
"request-id": "cde68280-5538-40c3-af60-6602bd7c1214",
"client-request-id": "ef1f7a56-caf4-e1f2-b2b0-57577fa96f03"
}
}
We have tried to use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer and it's the same error there as well.
If you are using the /common endpoint, a guest user has its own shadow tenant and won't be pointing to the AAD tenant it has been invited into, thus they cannot access resources like a normal member could; plus they have limited default permissions, and that does not include groups/site access unless they have been added to the area as a direct member.
However, if you are defining the tenant id in the authority, then the above is not relevant.
You are right, I tried to do the same thing.
My workaround solution is testing with MS Graph Explorer; it worked for me, then you can code the same requests to talk to Graph API. Here are the steps:
Get your tenant Id using this site: https://www.whatismytenantid.com/
Open MS Graph Explorer like this: https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=tenantId
Sign in to MS Graph Explorer with the guest account.
You should see the name of your guest signed in with your tenant; if not, sign out and sign in again.
Unfortunately, you won't be able to list the SharePoint Sites using https://graph.microsoft.com/v1.0/sites?search=* (honestly I do not know why, maybe because the guest only has a Family account?). It worked fine with a user in the same org.
You need to know the siteId, then you can list the document libraries, folders, files, etc. using a request like this: https://graph.microsoft.com/v1.0/sites/siteId/drives
I wish I could get the siteId from MS Graph Explorer for a guest user, but it looks like it is not possible. BTW, doing the same on Google Workspace is a no-brainer using shared drives, not like Microsoft at all...
I'm trying to access reports from Graph API using the Graph Explorer. However, it throws 403 Unauthorised errors.
For example the request:
GET https://graph.microsoft.com/v1.0/reports/getSharePointSiteUsageDetail(period='D30')
throws the following error
{
"error": {
"code": "S2SUnauthorized",
"message": "Invalid permission.",
"innerError": {
"request-id": "fda8c3ec-1949-46a9-b179-e1017f7e94ab",
"date": "2020-04-02T01:01:08"
}
}
}
According to the documentation, this requires the permission 'Reports.Read.All'.
When looking at the permissions I have in the explorer it says that Reports.Read.All permission is 'consented'
This worked without issues in early December when I was first testing this, so unless something changed I don't know what is going on.
Am I misunderstanding what consented means in this context, or is this a problem with the Graph Explorer as this permission is marked as 'preview'?
Regardless of the source of the problem, does anyone know a way around this/how to fix it?
Please make sure to try to repro the above using MS Graph Explorer with your tenant!
If you're using delegated permissions to allow apps to read service usage reports on behalf of a user, the tenant administrator must have assigned the user the appropriate Azure AD limited administrator role.
Let me know if you can still repro the issue.
I'm attempting to get tasks assigned to a specific user from the Graph API, so based on the sample query in the Graph Explorer I'm using this endpoint:
https://graph.microsoft.com/v1.0/users/<user-email>/planner/tasks
Which works fine for whatever user I'm signed in as, but attempting to get tasks for a user I'm not signed in as will always return with a 403 and say I don't have the required permissions. Group.ReadWrite.All is granted by admin, and according to the graph docs, that should be fine, but no luck.
I've also just created a new demo tenant and one by one granted permissions in the Graph Explorer with admin, and still no luck! So I'm doubting the issue really is permissions. And for the record, I've tried v1.0 and beta endpoints, and I've attempted this in a SPFx Web Part, and it doesn't work in practice either.
Not sure that it will help, but this is what is being returned each time:
{
"error": {
"code": "",
"message": "You do not have the required permissions to access this item.",
"innerError": {
"request-id": "b02e3529-a4ae-4825-b4e6-7fc9b1fa228e",
"date": "2019-03-27T12:28:41"
}
}
}
Has anyone else run into this issue or know of a workaround?
Reading tasks for other people is not allowed. We are investigating app-only request support, which should enable this scenario.
We have an issue accessing the attachment(s) of an event created in an O365 Group when using the Graph. The event is created in the group calendar, the group is set to public and can be accessed by the user requesting the event. Using the Graph Explorer we can access the event by using the following:
https://graph.microsoft.com/v1.0/groups/groupid/events/eventid
However, using https://graph.microsoft.com/v1.0/groups/groupid/events/eventid/attachments results in a 403 error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "af65c3ce-6f00-4137-817b-fa1a069d820e",
"date": "2018-08-06T09:02:26"
}
}
}
The issue can be replicated in either using the Graph Explorer or any other method. Obviously we have checked the permissions and Calendar.Read has been applied, but even after checking all permissions boxes available in the Graph Explorer (or AD App Registration) a 403 still occurs regardless of the selected permissions.
Any call to the attachment endpoint results in a success for events that are in a user's calendar, and it seems to be only occurring when retrieving events for a group. There seem to be no changes in behavior whether the group is public or private, nor when using either the /beta or the /v1.0 endpoint.
The IntelliSense in the Graph Explorer does show /attachment to be an option, but it always returns a 403 when requested.
Any insights or tips on how to retrieve attachments for events created in a group would be great.
I can reproduce your scenario from my end as well.
Tried using Graph Explorer, a Console project and ASP.NET MVC (you can download the sample from this link).
I have read through the attachment_get Microsoft document, however I can't find any API for your case. I presume there is no such function atm.
I recommend you to raise a ticket from your end to the OfficeDev.
PS: I had an unusual "access is denied" error when I tried to access the group in the ASP.NET MVC sample, although I'm logged in with an admin account; it still shows that the access request is denied.
https://learn.microsoft.com/en-us/graph/api/resources/attachment?view=graph-rest-1.0
Events in group calendars do not support attachments.
Last year (an entire year after this question was asked) Microsoft finally clarified in the Graph docs that group events do not support attachments.
I'm using Microsoft Graph API v1 with Administrator credentials via my software to create Events in a Group. However the response I get is a 403 with the following:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "c4754c79-5e3a-4f63-9f88-404100513796",
"date": "2018-07-11T10:11:27"
}
}
}
on a POST request to https://graph.microsoft.com/v1.0/groups/{idGroup}/events/
I have checked all rights provided to the app via Azure AD and everything is fine (tokens, code and scope with Group.Read.All Group.ReadWrite.All). The Group is also created, the users are added to it and the owner is the admin I use for the create request.
I have also tried on the Microsoft Graph API Explorer, but I have the same error.
Yesterday morning the creation was possible, but I think some rights were corrupted. Has anybody had this problem before? How to fix it?
After a few days without any changes in the code, the problem disappeared.
I am still not sure what happened; anyway, thanks guys!