Currently all Graph API access tokens have a scope within the me context. Is there any way to move a message to a folder outside the user scope? E.g. move a message from user1's folder to user2's folder using a Graph access token.
We can do this using Outlook ECP mail flow rules.
No, this isn't possible with Microsoft Graph. Moves and copies can only happen within the same mailbox.
Related
I discovered today that permissions are not returned anymore using this query using a regular user (it is working with a Global admin account):
https://graph.microsoft.com/v1.0/sites/<siteId>/lists/<listId>/drive/items/<folderId>?&expand=Permissions
The list of permission returned is empty.
Same result using
https://graph.microsoft.com/v1.0/sites/<siteId>/lists/<listId>/drive/items/<folderId>/Permissions
Based on the documentation: for a non-owner caller, only the sharing permissions that apply to the caller are returned.
If I'm going directly in SharePoint with the user, I see the right permissions.
According to the remarks:
The permissions relationship of DriveItem cannot be expanded as part of a call to get DriveItem or a collection of DriveItems. You must access the permissions property directly.
Could you try to call this endpoint?
GET /v1.0/sites/<siteId>/lists/<listId>/drive/items/<folderId>/permissions
Resources:
Permissions
The Azure portal still uses the Azure AD Graph API in some places. One thing it uses this for is to list API permissions. For this, the portal uses the REST API target GET https://graph.windows.net/myorganization/applicationRefs/c5393580-f805-4401-95e8-94b7a6ef2fc2?api-version=2.0 (example shown for Office 365 Management API). I've searched and cannot seem to find a way to list similar permission sets using the Microsoft Graph API. Is there a way to access this using the Microsoft Graph API?
Ok, was going to upvote one of the previous answers, but my profile is too new. :( You can do this by reading the MS Graph service principal in your tenant as described above. This PowerShell code gives an example (it's used in a command called Find-GraphPermission in the autographps and autographps-sdk modules).
Basic approach is:
Get app-only permissions from the appRoles property of the servicePrincipal
Get delegated permissions from the publishedPermissionScopes property
Each element of appRoles has an id that can be read or written from a given appRoleAssignment object on an app's servicePrincipal in your tenant. Note that each appRole element has a value property that is the common friendly name of the app-only permission (e.g. BitlockerKey.ReadBasic.All).
A similar id and value pair exists for each element of publishedPermissionScopes, which gives you the delegated permissions. You can use those ids with oauth2PermissionGrant objects under the segment /oauth2PermissionGrants to enumerate consent grants for a given servicePrincipal (and thus app) in your tenant, or to grant or remove consent.
Note that the ids for both appRoles and publishedPermissionScopes are the same in all tenants, so you can actually perform this same mapping of friendly names to ids for any tenant, and use a static snapshot. This can be useful as your application may not be able to read the Microsoft Graph servicePrincipal object. If you store a static version, you'll have the mapping regardless and you'll only miss any new permissions that get added to Microsoft Graph for new APIs.
This file contains a snapshot of the MS Graph servicePrincipal as a fairly readable JSON-like PowerShell hash table: https://github.com/adamedx/autographps-sdk/blob/main/src/common/DefaultScopeData.ps1
For this requirement, you can use this microsoft graph api: https://graph.microsoft.com/v1.0/applications/<object id of the application>
It will return a result like the screenshot below (please pay attention to the field requiredResourceAccess):
The content under requiredResourceAccess is the API permissions of this application. The type scope means the permission is Delegated type and the type role means the permission is Application type.
Then please refer to the steps below to find out which permission the id under the resourceAccess field refers to.
Copy the resourceAppId, which in my screenshot is 00000003-0000-0000-c000-000000000000, and request the graph api: https://graph.microsoft.com/v1.0/serviceprincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
Copy one of the ids under the resourceAccess field in the response of the first graph api. For example, copy the first id a154bxxxxxxxxxxx59 in my first screenshot. Then search for this id in the response of the second graph api; we can find that this id refers to the User.Read.All permission.
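The id-to-name mapping both answers above walk through, as an added example that is not code from either answer or from the autographps modules: it resolves an application's requiredResourceAccess entries against the resource servicePrincipal's appRoles (application permissions) and oauth2PermissionScopes (delegated permissions). The application and servicePrincipal JSON are constructed samples and their GUIDs are placeholders, not real Microsoft Graph permission ids.

```python
import json

# Constructed sample data (ids are placeholders, NOT real Microsoft Graph ids);
# the shapes mirror GET /v1.0/applications/{id} and
# GET /v1.0/serviceprincipals?$filter=appId eq '<resourceAppId>'.
APPLICATION = json.loads("""{
  "appId": "11111111-1111-1111-1111-111111111111",
  "requiredResourceAccess": [{
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {"id": "aaaaaaaa-0000-4000-8000-000000000001", "type": "Scope"},
      {"id": "bbbbbbbb-0000-4000-8000-000000000002", "type": "Role"},
      {"id": "cccccccc-0000-4000-8000-000000000003", "type": "Scope"}
    ]}]
}""")
GRAPH_SP = json.loads("""{
  "appId": "00000003-0000-0000-c000-000000000000",
  "appRoles": [
    {"id": "bbbbbbbb-0000-4000-8000-000000000002", "value": "User.Read.All"}
  ],
  "oauth2PermissionScopes": [
    {"id": "aaaaaaaa-0000-4000-8000-000000000001", "value": "User.Read.All"},
    {"id": "dddddddd-0000-4000-8000-000000000004", "value": "User.Read"}
  ]
}""")

def build_permission_index(service_principal):
    """Map (type, id) -> friendly name. 'Role' ids live in appRoles (application
    permissions); 'Scope' ids live in oauth2PermissionScopes (delegated permissions;
    the beta endpoint names that property publishedPermissionScopes)."""
    index = {}
    for role in service_principal.get("appRoles", []):
        index[("Role", role["id"])] = role["value"]
    scopes = (service_principal.get("oauth2PermissionScopes")
              or service_principal.get("publishedPermissionScopes") or [])
    for scope in scopes:
        index[("Scope", scope["id"])] = scope["value"]
    return index

def resolve_required_access(application, service_principals):
    """Return [(resourceAppId, type, id, name)] for every requested permission;
    service_principals maps a resource appId -> its servicePrincipal object.
    Ids with no match (unknown resource or a permission added later) are flagged."""
    resolved = []
    for rra in application.get("requiredResourceAccess", []):
        index = build_permission_index(service_principals.get(rra["resourceAppId"], {}))
        for access in rra.get("resourceAccess", []):
            name = index.get((access["type"], access["id"]), "<unresolved id>")
            resolved.append((rra["resourceAppId"], access["type"], access["id"], name))
    return resolved

def application_permissions(resolved):
    """Names of app-only ('Role') permissions: the ones usable without a signed-in user."""
    return sorted(name for _, kind, _, name in resolved if kind == "Role")
```

Note that a permission with the same friendly name (User.Read.All here) has a different id as a delegated Scope and as an application Role, so the (type, id) pair is what must be matched, not the name.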
I am trying to create a flow process to automate creating CSV files which contains the student, teacher assignment, submissions, and submission outcomes. I have registered an app in Azure AD and I can connect to this fine via PowerShell with delegate permissions and see all of the data I need.
However, when I try to connect with application permissions EduAdministration.Read.All, EduAssignments.Read.All and EduRoster.Read.All, I can only see basic Class and Student information. So calling https://graph.microsoft.com/v1.0/education/classes works but calling https://graph.microsoft.com/v1.0/education/classes/CLASSID/assignments does not (I get a "Resource not found for the segment 'assignments'").
As I have an admin account which is a member of the CLASSID team, I can see all of this information if running from graph explorer with delegated permissions.
So, is there something else I need to do to get the application .Read.All permissions working, or is there a tutorial on how to connect to Graph with Flow using delegated permissions?
There are a couple of things going on here:
"Resource not found for the segment 'assignments'" Error
You're receiving this error because you're attempting to call the Assignments endpoint in v1.0. Assignments is still in Beta, so you need to use /beta, not /v1.0.
Once you get past the segment error, you will still have a permissions issue. The Assignments endpoint only supports Delegated scopes. The inverse is true for Classes which only return limited information using Delegated scopes. In order to call both endpoints, you'll want to have two separate tokens (one delegated, one application):
For /education/classes/{id}, use the Application scope EduRoster.Read.All.
For /education/classes/{id}/assignments/, use the Delegated scope EduAssignments.Read.
I am currently struggling with a security dilemma: how to securely pass the OAuth token from the parent page in Outlook O365 to a dialog window. According to Microsoft documentation there are only two ways to achieve that:
localStorage
query parameter
What I don't understand is why Microsoft has methods(*) for communication from dialog to parent page and not from parent page to dialog?
* From the documentation:
dialog.addEventHandler(Office.EventType.DialogMessageReceived, processMessage);
dialog.addEventHandler(Office.EventType.DialogEventReceived, processMessage);
So my questions are:
Is there any way to pass the OAuth token from the parent page to the dialog with the internal methods of Office JS?
Why has Microsoft developed only one-way communication between the parent page and the dialog?
Edit:
I refer to the parent page as the New Meeting window in Outlook, and by dialog I mean the iFrame (Office.context.ui.displayDialogAsync()). I have skipped the taskpane step and fire up the dialog directly when the add-in button is clicked. My intention is to send the OAuth (bearer) token from the parent page (since the user is already validated to access the O365 mailbox) to the dialog.
As Rick noted, the data can be passed from parent to dialog by localStorage or query parameter. But my question is why the Office JS API is missing the methods for communication from parent to dialog (when the opposite direction has methods for that).
There are three actors that need to be kept distinct: The dialog, the parent page (usually in a taskpane), and the Office host application (e.g., Excel, Word, etc.). The current wording of your question makes it difficult to discern which two actors you are talking about. The parent page can pass things, including tokens if that's ever required, to a dialog with query parameters or local storage. But ordinarily you would use a dialog to get an access token and pass the token in the other direction, from dialog to parent page. You do this using the messageParent API.
When you refer to the "host" in your question are you talking about the parent page (probably in a taskpane)?
EDIT:
OK. I think I understand the question now. You are asking for an API in Office.JS that can be called in the parent page and sends info to a PREVIOUSLY OPENED dialog. We've gotten requests for that and you can vote up the request here on Office Developer User Voice. However, I can't give a timeline about when such an API will be available. In the meantime, the only way I know of to communicate from parent page to an already opened dialog is to use LocalStorage. Search for "how to communicate between windows using local storage?" and you'll find info on techniques for doing this.
I know it's an old question, but maybe there are people reading this nowadays.
With regard to your question about ways of communication from parent page to dialog: you could pass information from parent page to dialog using the Office API's messageChild method as described here.
I am trying to use the Desire2Learn REST API to return semesters, but I'm getting a 403 Not Authorized error.
The request I am making is:
GET /d2l/api/lp/1.1/outypes/semester
I am making this call while authenticated to the system as a student user.
This is a test environment, so I have full control of the student user's permission, but I haven't found which permission setting controls access to the semester org unit. Is it possible for someone with lower level permissions to make this call?
What permission would this user need to be able to make this call?
Thanks!
Student-type user roles are not typically given permission to make calls like this one.
The particular permission at play here is likely Org Unit Type Editor > Can Create and Edit Org Unit Types at the root organization level (you'll notice that the same behaviour is at play around the API call to retrieve the entire catalog of known org-unit types); however, you almost certainly do not want to grant this role permission to a student role: the role permissions for this tool bind together the ability to create and edit org unit types with the ability to see their definitions.