How to differentiate between user mailboxes and shared mailboxes using Microsoft API - microsoft-graph-api

Is there a way we can differentiate between a user mailbox and a shared mailbox using Microsoft graph API or EWS API?

Related

MS Outlook Office Add-In migration from Rest API to Graph API: Does Graph work with on-premise Exchange servers?

I have an Outlook Add-in that uses the Outlook Rest API and we're migrating to the Graph API. It does things like downloads attachments, mime-type, and can add attachments, add recipients, and create a draft and send a message on behalf of the user. We support customers that have both Office 365 accounts and on-premise Exchange. Does the Graph API work for on-premise Exchange servers?
As an aside, are there known platforms that the Graph API does not work on? I've seen errors with the authentication popups in Outlook desktop as well as lack of support for the OfficeRuntime.auth.getAccessToken() in Outlook web.
Thank you.

"Tenant does not have a SPO license" for Application Permissions on a OneDrive Consumer

I have a Microsoft Graph & MSA/AAD v2 daemon which is exclusively for Server Side API access. In the Azure Portal I have granted admin consent for my Microsoft account (MSA) for User.Read.All and Files.Read.All.
I can successfully get a token, and I have tried both /me/drive/root and /users/{user_guid}/drive/root with the same return result:
GraphError {
    statusCode: 400,
    code: 'BadRequest',
    message: 'Tenant does not have a SPO license.',
    requestId: 'guid',
    date: 2020-06-08T09:53:12.000Z,
    body: '{"code":"BadRequest","message":"Tenant does not have a SPO license.","innerError":{"request-id":"guid","date":"2020-06-08T02:53:12"}}'
}
Note: I'm aware SPO refers to SharePoint Online & OneDrive for Business, however this is for a Microsoft account user, and I am intending to access their OneDrive Consumer (i.e. http://onedrive.live.com).
Is the Graph incapable of accessing OneDrive for Consumers? Or is it only possible with Delegated permissions? I did not see any reference in both the Graph and OneDrive dev docs.
After talking with the Microsoft Identity team, it is not currently a supported scenario to access a Microsoft account user's personal OneDrive (or other Microsoft Graph) content using the client_credentials grant type.
You can obtain admin consent for an MSA user, however those scenarios are limited to the MSA user operating as a guest user in your AAD tenant, or requires them to otherwise have an M365 license and associated SharePoint Online instance.
If you are looking to access an MSA user's content from a service, persisting the refresh token in the service and obtaining consent for offline_access currently appears to be the recommended method.

Is it possible to use app-only Graph API tokens with SharePoint REST API?

On a project, I'm using app-only tokens and Graph API to perform various operations on data in Office 365 (this is how the app is registered). When it comes to SharePoint, certain operations are not available through the Graph API but are available through SharePoint REST API.
My question is: is there a way to use Graph API tokens with SharePoint REST API?
The closest answer I could find is this:
To access the http:///site/_api/lists endpoint, Graph API token won't work.
Taken from here.
However, the answer is about a specific endpoint and is pretty old, so I wonder whether this is (still) true.
Update
Here's how I'm calling the various endpoints.
The token you are using to access the Graph is in fact an Azure Active Directory token. Lots of other APIs accept those in Office 365.
The procedure is more or less the same, except instead of selecting the Microsoft Graph API when requesting the scopes, you have to select the SharePoint API.
Also note that some actions (mostly the tenant-related things) do require you to present a token generated with a client id + certificate and not client id + secret.
EDIT: if you are using AAD v2 endpoints the requested scope has to be https://tenantName.sharepoint.com/.default when requesting an access token for SharePoint REST API

Azure AD App-only token to consume outlook REST API

I am developing a console app in .NET which will send mail using the Azure AD application. I followed all the steps, from generating the certificates to registering an application in Azure AD. Then I provided the application permission (Send mail as any user) using Microsoft Graph API and provided it “grant permission” as an admin consent.
In my console app code I use the below Outlook API to send mail as
resource URL — https://outlook.office.com/api/v1.0/users/{my email account}/sendmail. After providing grant permission to my app I am still facing the 401:unauthorized error.
You gave permissions to Microsoft Graph API, so you need to use it.
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_sendmail
The URL that you need to use is thus:
POST https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/sendMail
Internally the Graph API does call the API you mentioned. But your token is for the Graph. Not the Outlook API.
You also mentioned the resource URL. The Graph API resource URL is https://graph.microsoft.com.
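
Both this answer and the SharePoint answer above come down to the token's audience: a token issued for one resource is rejected by another API host. The following is an added example, not code from either answer, that reads the `aud` claim of a token for troubleshooting and derives the `/.default` scope for a given endpoint. The sample tokens are constructed and unsigned, the tenant name `contoso` is a placeholder, and the check handles only URL-form audiences plus the well-known Microsoft Graph application ID.

```python
import base64
import json
from urllib.parse import urlsplit

# Well-known application ID of Microsoft Graph; it can appear as `aud`.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def make_sample_token(aud: str) -> str:
    """Build an unsigned, constructed JWT for the demo (not a real token)."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"aud": aud}) + "."


def token_audience(token: str) -> str:
    """Read `aud` from the payload. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    aud = json.loads(base64.urlsafe_b64decode(padded)).get("aud")
    if not isinstance(aud, str):
        raise ValueError("token has no string aud claim")
    return aud


def audience_host(aud: str) -> str:
    """Map an audience value to the API host it was issued for."""
    if aud.lower() == GRAPH_APP_ID:
        return "graph.microsoft.com"
    return (urlsplit(aud).hostname or "").lower()


def token_fits_endpoint(token: str, endpoint_url: str) -> bool:
    """True when the token was issued for the host serving endpoint_url."""
    target = (urlsplit(endpoint_url).hostname or "").lower()
    return bool(target) and audience_host(token_audience(token)) == target


def default_scope(endpoint_url: str) -> str:
    """Scope to request in the v2 client-credentials flow for this host."""
    parts = urlsplit(endpoint_url)
    return f"{parts.scheme}://{parts.hostname}/.default"
```

Running `token_fits_endpoint` before a call turns an opaque 401 into a clear "wrong audience" finding; it does not validate the token and must not be used as an authorization check.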

Impersonation with Microsoft Graph

Is there a way to impersonate a user in Office 365 using the new Microsoft Graph API?
I am currently using EWS API to impersonate office 365 users to add calendar events.
The Microsoft Graph uses OAuth2.0, and so you can have your app operate as the signed-in user, if the user grants the app the ability (in your case) to read/write calendar events. (In OAuth2.0 this flow is known as the code flow). If you need your app to create events on behalf of many users, where the user is not actually signed in to your app - say your app is a daemon service of some sort - then you could use the OAuth2.0 app-only (client credential) flow.
Acquiring delegated access token to call Microsoft Graph is documented here: https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Hope this helps,
