I have created an app in Azure AD, in my company tenant.
In application permissions, I have added Calendars.Read and Calendars.ReadWrite (Read and write calendars in all mailboxes) with the application permission type, and I have granted admin consent.
In users, I have added a user with a personal Microsoft account (outlook.com) as a guest user.
When I am calling Graph for Member users, I am able to receive calendar events (and create new ones),
but when I am calling Graph for a Guest user I get the exception MailboxNotEnabledForRESTAPI.
Message: REST API is not yet supported for this mailbox.
Is there some limitation that I can create events only for a Member user, or have I misconfigured something?
You can only read mails/calendar events of users in your tenant. So, it's better to filter users using userType eq 'member'.
https://graph.microsoft.com/v1.0/users?$filter=userType eq 'member'
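The answer's approach, worked through as an added example (not code from the question or answer): build the `userType eq 'member'` filter URL, skip guests before calling per-user endpoints, and treat `MailboxNotEnabledForRESTAPI` as a per-mailbox skip rather than a failure of the whole run. The HTTP call is injected as `http_get(url) -> (status, json_body)` so the logic runs offline against the constructed `fake_get` below; the user ids, UPNs and event are constructed sample data.

```python
import json
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

def member_users_url() -> str:
    """Server-side filter: only Member users have mailboxes hosted in the tenant,
    which is what the Calendars.* application permissions can reach."""
    flt = quote("userType eq 'member'")          # -> userType%20eq%20%27member%27
    return f"{GRAPH}/users?$filter={flt}&$select=id,userPrincipalName,userType"

def mailbox_not_enabled(body: dict) -> bool:
    """True for the Graph error raised when the target account's mailbox is not
    hosted in the tenant (the outlook.com guest case from the question)."""
    return body.get("error", {}).get("code") == "MailboxNotEnabledForRESTAPI"

def calendar_events_for_members(users, http_get) -> dict:
    """Fetch /users/{id}/events for each Member user. Guests are skipped before
    any call, and MailboxNotEnabledForRESTAPI is recorded per user instead of
    aborting the run. http_get(url) -> (status, json_body) is injected."""
    results = {}
    for u in users:
        upn = u["userPrincipalName"]
        if u.get("userType") != "member":
            results[upn] = "skipped: guest user"
            continue
        status, body = http_get(f"{GRAPH}/users/{u['id']}/events?$select=subject,start,end")
        if status == 200:
            results[upn] = body.get("value", [])
        elif mailbox_not_enabled(body):
            results[upn] = "skipped: mailbox not REST-enabled"
        else:
            raise RuntimeError(f"Graph returned {status}: {json.dumps(body)}")
    return results

# Constructed sample directory and responses (not real tenant data).
SAMPLE_USERS = [
    {"id": "u-1", "userPrincipalName": "alice@contoso.example", "userType": "member"},
    {"id": "u-2", "userPrincipalName": "bob_outlook.com#EXT#@contoso.example", "userType": "guest"},
    {"id": "u-3", "userPrincipalName": "carol@contoso.example", "userType": "member"},
]

def fake_get(url):
    """Stand-in for an authenticated GET: u-1 has a cloud mailbox, u-3 does not."""
    if "/users/u-1/" in url:
        return 200, {"value": [{"subject": "Standup",
                                "start": {"dateTime": "2024-01-08T09:00:00"},
                                "end": {"dateTime": "2024-01-08T09:15:00"}}]}
    return 404, {"error": {"code": "MailboxNotEnabledForRESTAPI",
                           "message": "REST API is not yet supported for this mailbox."}}

if __name__ == "__main__":
    print(member_users_url())
    print(json.dumps(calendar_events_for_members(SAMPLE_USERS, fake_get), indent=2))
```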
Related
In my application, I need to get user data like user name and email; also, using the API, I use find meeting time and create calendar event. The users who will use the application will not be in my AD group.
Is there some scenario for making API workable for external users?
There are certain limitations for guest users in organizations: https://learn.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0#user-and-group-search-limitations-for-guest-users-in-organizations
For inviting or adding a guest user, please refer to "Add a guest user and send an invitation": https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal
I need to construct a Microsoft Graph URL so that when an admin clicks on the authorize button my application can read the users list and inbox. I was successful in reading my own users list and their inboxes, but when I tried to read the users list and inboxes of different third-party accounts after admin approval, I was getting an error. The URL which I created for authorization is given below:
https://login.microsoftonline.com/<my_tenant_id>/v2.0/adminconsent?client_id=<my_client_id>&state=<state_id>&redirect_uri=<some_url>&scope=Directory.Read.All%20Mail.ReadWrite%20User.Read.All%20offline_access
The error I am getting when a third-party admin tries to authorize it:
User account '{EmailHidden}' does not exist in tenant 'Company' and cannot access the application ''() in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I am trying to call the Graph API using C# and an app registration to get the list of team meeting participants for another user.
https://learn.microsoft.com/en-us/graph/api/onlinemeeting-get?view=graph-rest-beta&tabs=http
GET /users/{userId}/onlineMeetings/{meetingId}
I can create an online meeting using my app registration but I cannot retrieve the meeting participants. I keep getting a 403 error. I have granted my app registration OnlineMeetings.Read.All and OnlineMeetings.ReadWrite.All. What other permissions are needed to get the meeting participants on behalf of another user?
I'm trying to create a Planner Plan using the Microsoft Graph API. As documented, it requires a groupId. I also created a Group, but when I create a Planner plan using Graph Explorer it returns a 403 with the message
"You do not have the required permissions to access this item, or the item may not exist."
I'm aware that in order to create a plan, it requires the Group.ReadWrite.All permission as Delegated (work or school account). I granted these in the Azure Portal but still get the same error.
One thing is I don't know how to determine if my account is a "work or school account". My account was created by the admin of my tenant and it uses the of my organization, so I guess it is a Work account.
What do I have wrong here? Do I need another API to assign the plan to the group before creating it?
EDIT1:
Here is the request body when I create a Planner Group. I also tried toggling "securityEnabled" to true, but it still fails when creating a plan.
And here is the request body when I create the Planner Plan.
EDIT2:
I also tried to update the Planner plan by this API and it still failed. It seems the Group.ReadWrite.All permission does not apply to my account.
Your request is failing because you are not a member of the group in which you are trying to create a plan. Changing group content requires the calling user to be a member. Owners of the group currently cannot edit the Planner content in the group, unless they are also members.
Although you have requested Group.ReadWrite.All, you cannot authorize this permission until you have received "Consent" from an Administrator.
If you're using the Azure Portal to register your app (aka the v1 Endpoint), then your admin can either use the Admin Consent workflow or directly grant permission within the portal. You can read more about the Consent Framework in Integrating applications with Azure Active Directory.
So, basically I have a multi-tenant App that makes numerous calls to Graph API. The problem is with the call to assign license to a user - POST /users/{id | userPrincipalName}/assignLicense.
In the Azure App registration portal, in the permissions section, I have given all the delegated permissions under Azure AD and Graph API.
Permissions Assigned screenshot.
Then, I gave global admin consent to this app for all the users in the organization using the admin consent flow, through a link such as the one below:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=ffa835f3-417f-415c-b8f5-6f8833f93901&response_type=code&redirect_uri=http%3a%2f%2flocalhost%3a8910%2f&nonce=1234&resource=https://graph.microsoft.com&prompt=admin_consent
The admin consent was successful which means that all users from this directory have been authorized.
Now, when I log to my multi-tenant application through a global admin, the call to assignLicense endpoint is a success which means my code is working well.
However, when a non-Global Admin logs in to the application, he is able to log in too (due to the consent given above), but when a call is made to the Graph API to AssignLicense, I get a 403 Forbidden error.
I am not able to understand what I should do to get rid of this error.
This looks like an effective permissions issue. From https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
For Delegated permissions, the effective permissions of your app will be the least privileged intersection of the Delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.
For example, assume your app has been granted the User.ReadWrite.All Delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is a global administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user is not in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization because the user that it has permission to act on behalf of does not have those privileges.
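The intersection rule above, turned into a diagnostic as an added example (not code from the question or answer): decode the delegated access token the app already holds and compare the consented scopes (`scp` claim) with the directory roles the signed-in user carries (`wids` claim), so the app can report "user holds no qualifying role" instead of a bare 403 from assignLicense. The role template id and the tokens are constructed placeholders; the decoder deliberately does not validate the signature and is only for inspecting a token your own app obtained.

```python
import base64
import json

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    Suitable only for inspecting a token this app already holds; a trust decision
    about a token presented by someone else needs full signature validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def explain_effective_permission(claims: dict, required_scope: str, admin_role_ids: set) -> str:
    """Effective delegated permission = (scopes consented to the app, 'scp')
    intersected with (privileges of the signed-in user, approximated here by the
    directory role template ids in 'wids')."""
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("wids", []))
    if required_scope not in scopes:
        return f"app lacks delegated scope {required_scope}: fix consent"
    if not roles & admin_role_ids:
        return (f"app has {required_scope} but the signed-in user holds no qualifying "
                "directory role: tenant-wide calls will return 403")
    return "effective permission covers other users' objects"

def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed demo token (header + payload + dummy signature), not a real AAD token."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Placeholder role template id, constructed for this example; look up the real
# Global Administrator template id in your tenant's directoryRoleTemplates.
GLOBAL_ADMIN_ROLE_ID = "11111111-2222-3333-4444-555555555555"
SCOPES = "User.ReadWrite.All Directory.AccessAsUser.All offline_access"
ADMIN_TOKEN = make_unsigned_sample_token({"scp": SCOPES, "wids": [GLOBAL_ADMIN_ROLE_ID]})
USER_TOKEN = make_unsigned_sample_token({"scp": SCOPES, "wids": []})

def diagnose(token: str, required_scope: str = "User.ReadWrite.All") -> str:
    return explain_effective_permission(decode_jwt_claims(token), required_scope, {GLOBAL_ADMIN_ROLE_ID})

if __name__ == "__main__":
    print("global admin :", diagnose(ADMIN_TOKEN))
    print("regular user :", diagnose(USER_TOKEN))
```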