I am trying to add a member via this MS Graph API: https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http but am running into permission issues. The request returns back
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation."
I am able to call APIs like https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http with no permission problem, and I have Group.ReadWrite.All and User.ReadBasic.All permissions. Is there a special permission or role I need to be to call this API?
Yes you also need GroupMember.ReadWrite.All and Directory.ReadWrite.All Application permission.
PostMan Request URL:
https://graph.microsoft.com/v1.0/groups/93d96b98-YourGroupId_3ede399/members/$ref
PostMan Request Body:
{
"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/b33ce735_YourUserId_15337c469076"
}
Postman Test:
Added On Group:
Note: Make sure after adding permission you have accepted grant admin consent.
Please refer to Official Document
Related
My company is using Microsoft 365 Business Standard licenses. We are using email through these accounts. We also have a few shared mailboxes. We are trying to create an app that uses the microsoft graph application permissions (rather than the delegated permissions) so the application can access one of the shared mailboxes without needing to be authenticated under the current user.
This is the steps we have taken so far:
Within Microsoft Azure, we have an application in which we have granted application api permissions for Mail.Read, and we have accepted Admin consent.
We authorized as an app, not as a user, in the application using this endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize, pointing out the required parameters for sending a request. Then, MS API builds this link:
https://login.microsoftonline.com/{some_string}/oauth2/v2.0/authorize?state={some_string}&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&response_type=code&approval_prompt=auto&redirect_uri=http%3A%2F%2Flocalhost&client_id={some_string}
When we follow the link, we get to the standard authorization form on the site. After we log in, a link is created, where we take the code and create the token: http://localhost/?code={some_string}&state={some_string}&session_state={some_string}
When we try to hit this endpoint: https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages, we get this response:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"date": "2020-09-14T11:22:30",
"request-id": "{some_string}",
"client-request-id": "{some_string}"
}
}
}
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Any help or direction on what needs to be done to make this query work would be greatly appreciated. Thank you!
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Yes you would need to send the AccessToken in the Authorization header, you should also include the x-anchormailbox header which helps route the request to correct mailbox eg
GET https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==
X-AnchorMailbox: sharedmailbox#domain.com
The other thing you might want to check is to ensure you have the correct scopes in your token you can use https://jwt.io/ for that
In order to use application permissions you will need to use the client credentials auth flow (not the authorization code auth flow which uses delegated permissions). To get a token make a request against "/oauth2/v2.0/token" and specify "grant_type=client_credentials" in the request. See examples of client credentials auth flow here for more details: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
I have registered the application in Azure portal and i have generated the client_secret.
I require the client grant flow and i have given application permissions also. I have granted the admin consent also as I am the admin myself.
I am able to generate the access token with the given url:
https://login.microsoftonline.com/47be0abf-c6a1-4f04-a665-dceb081c4ff1/oauth2/v2.0/token?client_id=********&client_secret=******&grant_type=client_credentials&scope=User.ReadBasic.All%20User.Read%20User.ReadWrite%20User.Read.All%20User.ReadWrite.All%20Directory.Read.All%20Directory.ReadWrite.All%20Directory.AccessAsUser.All
However, when i use the token generated to access the following url, I get the insufficient privileges message.
https://graph.microsoft.com/v1.0/users
Authorization Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEQ29NcGpKWHJ4VHE5Vkc5dGUtN0ZYNndkRlV3aTBKbGlHcWhEWkgybFRlYWh6SUhUX0VsazFaYTFuUHRzNWo3SW5xMDBmbnNNRkpNUWRYdWdVZnpaZ0cxT19uenNPTXpwN2tpUFFIR2VHTnlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiQ3RmUUM4TGUtOE5zQzdvQzJ6UWtacGNyZk9jIiwia2lkIjoiQ3RmUUM4TGUtOE5zQzdvQzJ6UWtacGNyZk9jIn0.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80N2JlMGFiZi1jNmExLTRmMDQtYTY2NS1kY2ViMDgxYzRmZjEvIiwiaWF0IjoxNTYwMjUzMDE1LCJuYmYiOjE1NjAyNTMwMTUsImV4cCI6MTU2MDI1NjkxNSwiYWlvIjoiNDJaZ1lQajhVdnBwWGMySEU1WGZwbnZxSG43akFnQT0iLCJhcHBfZGlzcGxheW5hbWUiOiJUdXRvcmlhbCBTYW1wbGUgQXBwIiwiYXBwaWQiOiI2NzMxZGU3Ni0xNGE2LTQ5YWUtOTdiYy02ZWJhNjkxNDM5MWUiLCJhcHBpZGFjciI6IjEiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80N2JlMGFiZi1jNmExLTRmMDQtYTY2NS1kY2ViMDgxYzRmZjEvIiwib2lkIjoiNjg0ZjkzMjUtNjUyNS00Yjk5LTgwNzktOTEyOGZjZWNlNGViIiwic3ViIjoiNjg0ZjkzMjUtNjUyNS00Yjk5LTgwNzktOTEyOGZjZWNlNGViIiwidGlkIjoiNDdiZTBhYmYtYzZhMS00ZjA0LWE2NjUtZGNlYjA4MWM0ZmYxIiwidXRpIjoiSkZjUE9SSHRGVTJMMWludEpkY2RBQSIsInZlciI6IjEuMCIsInhtc190Y2R0IjoxMzQ0Njc5MzA0fQ.fXEs7eClm5SYXychcKXbTfcc5gtvyyMa5fDWuGu2vqQ4Zc6V0jJSHSeksRiOzYE8SOJXRTmI9vJtbs2XIMFr0CRHeTgoCDReV8JWJ8yhOKiDnc-_2AHtSoBnqt6ibF0eX4AzkyioJd24-uYTSkheC_zDpd6GS3T5T077BU_1M7kpngXDfEICi38VkddcpdBUG8FgHUSPq0S9fCosIB4_JPwspq3QC6jJyoRrj1Yj2oR8FwBA1dpgWq_e0QoGnWXgT6EhBKedjY0hwHGY-F73ndvRlAKKW63JYucdOtRyC2zFDc4DPwhN1nyPlh86_Y0Zru8UTb0QgWRFKbGZwQcEOg
I have tried changing the permission and added and removed the permissions.
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "aa38f822-7325-44ad-9127-3cb4779578bf",
"date": "2019-06-11T11:42:16"
}
}
}
Updated : Included the permission screenshot configuration
JWT Debugger output for tokens:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/f77804fb-8607-4e96-9fae-231360cc82b7/",
"iat": 1560273380,
"nbf": 1560273380,
"exp": 1560277280,
"aio": "42ZgYKjulnV3u/vJZNN0gz3ld2ZpAwA=",
"app_displayname": "clmapp",
"appid": "82ad79f2-27c7-4304-92f6-e3ffdb637e72",
"appidacr": "1",
"idp": "https://sts.windows.net/f77804fb-8607-4e96-9fae-231360cc82b7/",
"tid": "f77804fb-8607-4e96-9fae-231360cc82b7",
"uti": "BpTbRLEb5ECSO3qjslIgAA",
"ver": "1.0",
"xms_tcdt": 1376441181
}
You could try following way:
Permission:
Make sure you have following permission:
Grant permission On Azure Portal:
Step:1
Select Application Permission On API permissions menu
Step:2
Select User.ReadWrite.All under Application Permission part But User.Read.All also alright.
Token Request Format:
URL:https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/token
For V2.0 URL:https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token
HTTP Verb: POST
grant_type:client_credentials
client_id:b603c7be-a866-4-e6921e61f925
client_secret:Vxf1SluKbguf3wE5oGl/2XDSeZ8wL/Yp8ns4sc=
resource:https://graph.microsoft.com
For V2.0 scope Will be : scope:https://graph.microsoft.com/.default
See the screen shot below:
Decode Token & Confirm permission:
You can use https://jwt.io/ to decode your token to make sure you have required permission: See the below screen shot:
Request For User List:
With your Token Request on this endpoint https://graph.microsoft.com/v1.0/users. See the screen shot below. I have successfully get all the user list.
When using the OAuth 2.0 Client Credentials Grant flow, your scope value should use the built-in .default scope for the resource your are trying to access. This is mentioned in the reference article: Microsoft identity platform and the OAuth 2.0 client credentials flow
In your case, the resource you are trying to access is Microsoft Graph, so your scope value in the token request should be https://graph.microsoft.com/.default:
https://login.microsoftonline.com/{tenant-id-or-domain}/oauth2/v2.0/token
&grant_type=client_credentials
&client_id={client-id}
&client_secret={client-secret}
&scope=https%3a%2f%2fgraph.microsoft.com%2f.default
Note that for this to succeed, the app's required permissions must be configured (Azure portal > Azure Active Directory > App registrations > API permissions) and granted:
I'm trying to get a user's calendars list using Microsoft Graph via Postman. I am using Client Credentials flow and I have Admin Consent for these permissions:
Calendars.Read
Calendars.ReadWrite
Directory.Read.All
Directory.ReadWrite.All
Mail.Read
Mail.ReadWrite
User.Read.All
User.ReadWrite.All
When calling:
https://graph.microsoft.com/v1.0/users/{my_user_id_here}/calendars
I'm getting this response:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "b0214447-98f6-42e7-9424-d3ee4862a25b",
"date": "2018-09-11T09:05:05"
}
}
}
Also, the HTTP status code is 401. I would say that I have all the required permissions. What am I missing?
The 401 means Unauthorized. Where have you set the permission? The permission need to config with the app we use(
GraphScopes: in the Web.Config file of MVC project/appsettings.json file in the NETCore project
)
Or just for Postman test, you need to register the app in the Azure Active Directory Application Registration(not in http://apps.dev.microsoft.com/)
And blog from Azure Active Directory Developer Support Team: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/using-postman-to-call-the-microsoft-graph-api-using-client-credentials/
I have also added an azure directory application and the result is the same. I added all the possible permissions in AD app.
I'm trying to POST or PATCH an education class using Microsoft Graph but always get and error.
Request
https://graph.microsoft.com/V1.0/education/classes
{
"description": "Health Level 1",
"classCode": "Health 501",
"displayName": "Health 1",
"externalId": "11019",
"externalName": "Health Level 1",
"externalSource": "sis",
"mailNickname": "fineartschool.net"
}
Response
{
"code": "AccessDenied",
"message": "Required scp claim values are not provided.",
"innerError": {
"request-id": "e1183015-d942-491a-9949-4aa73bbef893",
"date": "2018-06-21T08:44:35"
}
}
My App has the needed permissions for creating an education class. (for testing, my app has all the application and delegated permissions possible). Posting users, groups etc is no problem.
More specific the needed permission:
After assigning the permission in the AD portal I did the following:
Get admin consent for the app https://login.microsoftonline.com/myTenant/adminconsent?client_id=myClientID&redirect_uri=MyRedirectURI
Get the authorization code https://login.microsoftonline.com/myTenant/oauth2/authorize?client_id=myClientID&response_type=code&redirect_uri=MyRedirectURI&response_mode=query&resource=https://graph.microsoft.com/
Get the access token
All with success.
After getting the Access Token I have the following scopes:
.....
EduRoster.Read
EduRoster.ReadBasic
EduRoster.ReadWrite
...
The Graph documentation says you need the permission Application EduRoster.ReadWrite.All
Also tested a POST and PATCH in Graph Explorer but get the same response.
This API requires "Application" rather than "Delegated" scopes. As you mentioned, it specifically requires the EduRoster.ReadWrite.All scope.
Which scopes get applied to a token depends entirely on which OAuth Grant you used to obtain the token:
Authorization Code Grant = Delegated
Implicit Grants = Delegated
Client Credentials Grant = Application
The reason you're not getting this scope in your Access Token is that you're using the Authorization Code grant (response_type=code) which will always result in Delegated scopes getting assigned.
In order to make this call, you'll need to obtain a token using the Client Credentials grant.
You might also find this article helpful (full disclosure, I am the author): Application vs Delegated Scopes.
We are trying to fetch a list of rooms in the organization via user_findrooms on the beta API.
I am using the php-connect-sample and was directed here after creating an issue there.
Our application is registered, and has the required permissions. The user is logged in and redirected correctly. I can successfully get the /me endpoint
When I try to get the /me/findRooms endpoint like this:
$graph = new Graph();
$graph->setApiVersion('beta');
$graph->setAccessToken($_SESSION['access_token']);
$rooms = $graph->createRequest("get", "/me/findRooms")
->setReturnType(Model\EmailAddress::class)
->execute();
Then I get the following error:
Client error: GET https://graph.microsoft.com/beta/me/findRooms
resulted in a 403 Forbidden response: { "error": { "code":
"ErrorAccessDenied", "message": "Access is denied. Check credentials
and try again.", (truncated...)
So it seems to be a permissions error.
We have the following Graph permissions for our app:
Delegated Permissions: User.ReadBasic.All and User.Read.All
Application Permissions: Calendars.ReadWrite and User.Read.All
Which additional permissions are required to access /me/findRooms?
In your auth flow, you will need to specify User.Read.All instead of User.Read in your scopes since this API requires reading all users in your directory to find conference room availabilities. Here is more information about how to request such scopes during the /authorize and /token requests.