serviceNotAvailable when accessing drives with app permissions - microsoft-graph-api

This "drives" me crazy... I have an AAD app with the following application permissions with Admin Consent:
Directory.Read.All
Files.ReadWrite.All
Group.Create
Group.ReadWrite.All
GroupMember.ReadWrite.All
Member.Read.Hidden
Organization.ReadWrite.All
People.Read.All
Sites.FullControl.All
Sites.ReadWrite.All
User.Read
Request:
https://graph.microsoft.com/v1.0/groups/{id}/drive/root
Response:
{
  "error": {
    "code": "serviceNotAvailable",
    "message": "The service is not available. Try the request again after a delay. There may be a Retry-After header.",
    "innerError": {
      "request-id": "5ad04144-d8af-48ef-b9d3-43dafedb5911",
      "date": "2020-02-15T13:28:08"
    }
  }
}
Decoded Token:
There's no Retry header and I've tried for several hours now.
If I send the query using a token generated with Authorization Code grant and the scope Group.ReadWrite.All User.Read profile openid email, it works like a charm.

Related

Return 401 Unauthorized when use Graph API to read calendar and mailbox setting

I have set up a work account on Azure and added the permissions "User.ReadBasic.All", "MailboxSettings.Read", "Calendars.ReadBasic.All" with application type.
I can use the client credential flow to get the access token successfully:
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
The token can be parsed by https://jwt.ms with the proper roles:
"roles": [
  "User.ReadBasic.All",
  "MailboxSettings.Read",
  "Calendars.ReadBasic.All"
]
I can query user information successfully using the token
https://graph.microsoft.com/v1.0/users/{userid}
But it returns error 401 when querying the calendar or mailboxSettings:
https://graph.microsoft.com/v1.0/users/{userid}/calendar/calendarView?startdatetime=2021-12-23T08%3A00%3A00.000Z&enddatetime=2022-12-23T18%3A00%3A00.000Z
https://graph.microsoft.com/v1.0/users/{userid}/mailboxSettings
Both return the error below:
{
  "error": {
    "code": "UnknownError",
    "message": "",
    "innerError": {
      "date": "2023-01-05T11:06:14",
      "request-id": "xxx",
      "client-request-id": "xxxx"
    }
  }
}
Are "MailboxSettings.Read" and "Calendars.ReadBasic.All" enough for the above queries, or do I need more permissions like Calendars.Read / Calendars.ReadWrite / MailboxSettings.ReadWrite?
Also, for the calendar permissions, which one is the higher permission? Is the below correct?
Calendars.Read < Calendars.ReadBasic.All

Could you please try by providing the user.ReadAll permission instead of User.ReadBasic.All?

Microsoft Graph API Error - The specified object was not found in the store., Default folder AllItems not found

I am trying to read emails of a user in a tenant. The admin has granted consent for the following permissions:
offline_access AccessReview.Read.All AccessReview.ReadWrite.All Channel.ReadBasic.All ChannelMessage.Read.All ChannelSettings.Read.All Chat.Read ChatMessage.Read DelegatedPermissionGrant.ReadWrite.All Directory.Read.All Directory.ReadWrite.All Mail.Read Mail.Read.Shared Mail.ReadBasic Mail.ReadWrite MailboxSettings.Read openid profile TeamMember.Read.All TeamSettings.Read.All User.Read User.Read.All User.ReadBasic.All email
However, both in graph explorer and in PHP code, when I query the endpoint https://graph.microsoft.com/v1.0/users/<user_email>/messages, I get the error:
"error": {
  "code": "ErrorItemNotFound",
  "message": "The specified object was not found in the store., Default folder AllItems not found.",
  "innerError": {
    "date": "2022-11-29T09:16:49",
    "request-id": "2449c64a-9aa8-479d-8de4-923a2a306583",
    "client-request-id": "5eb26a2e-54da-bba2-0adf-4fa7bca43df2"
  }
}
What could I be doing wrong?

Microsoft graph - adding an event to default calendar gives back "Resource could not be discovered." error

I would like to build an app which adds events to the calendars of an organization's users.
I have an Azure account which is also an Office 365 account.
I get an access token with the help of this article: https://learn.microsoft.com/en-us/graph/auth-v2-service
These are the params and endpoint which I use to get the token:
https://login.microsoftonline.com/{my_tenant_id}/oauth2/v2.0/token
grant_type - client_credentials
client_secret - {the generated client secret}
client_id - {the app client id}
scope - https://graph.microsoft.com/.default
And I tried it out on this endpoint: https://graph.microsoft.com/v1.0/users/{my_user_object_id} It seems the token is working correctly.
But when I try to add an event with this endpoint: https://graph.microsoft.com/v1.0/users/{my_user_object_id}/events, I get this error:
"error": {
  "code": "ResourceNotFound",
  "message": "Resource could not be discovered.",
  "innerError": {
    "date": "2022-07-14T12:50:53",
    "request-id": "382c2807-2aa6-4b54-b686-55051f809e3b",
    "client-request-id": "382c2807-2aa6-4b54-b686-55051f809e3b"
  }
}
I gave these permissions and granted them:
Calendars.Read Application
Calendars.ReadWrite Application
User.Read Delegated
User.Read.All Application
Any idea what I should do?

POST /users/{id | userPrincipalName}/events is not a valid endpoint for adding an event to a user's calendar.
You have to use POST /users/{id | userPrincipalName}/calendar/events for the default calendar.
Or for a specific calendar: /users/{id | userPrincipalName}/calendars/{id}/events.
See here.

MS Teams: can not fetch channel messages with Graph API using an application token

I have created a test application which is requesting admin consent from an MS Teams admin with the following scopes:
openid offline_access channelmessage.read.group channelmessage.read.all chat.read chat.readbasic chat.readwrite user.read.all channel.readbasic.all directory.read.all group.read.all groupmember.read.all organization.read.all people.read.all presence.read.all team.readbasic.all
I am using an application token to fetch MS Teams organization data like users, channels, teams etc. I have managed to fetch the user, channel and teams data of an organization with the Graph API,
but when I tried to fetch messages with
https://graph.microsoft.com/v1.0/teams/team_id/channels/channel_id/messages
I am getting the following error:
{
  "error": {
    "code": "UnknownError",
    "message": "",
    "innerError": {
      "date": "2021-03-03T22:23:47",
      "request-id": "a279044a-ab9e-4c18-af71-5a65ea7cee86",
      "client-request-id": "a279044a-ab9e-4c18-af71-5a65ea7cee86"
    }
  }
}

When you are using application permissions you must request access. For details, see Protected APIs in Microsoft Teams.

Microsoft Graph API Beta: Subscribe to Event Notifications of another user

I created an app on https://apps.dev.microsoft.com
with the following Application Permissions:
Calendars.Read (Admin Only) Calendars.ReadWrite (Admin Only) User.Read.All (Admin Only)
Admin Consent
Admin consent was then successfully granted via this URL
https://login.microsoftonline.com/strixtechnology.onmicrosoft.com/adminconsent?client_id=bbb35336-faee-4c10-84b4-34136634db41&state=1234&redirect_uri=https%3A%2F%2Fdashmeetings.com%2Fmicrosoft%2Foauth
Get access token
An access token was then obtained from
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
with headers
Content-Type=application/x-www-form-urlencoded
and body with key-value pairs
grant_type=client_credentials
client_id=bbb35336-faee-4c10-84b4-34136634db41
client_secret=xxx
scope=https://graph.microsoft.com/.default
This returns an access token.
Subscribe to notifications
Using that access token, I then try to subscribe to the events on a certain resource mailbox:
POST https://graph.microsoft.com/beta/subscriptions
with headers
Content-Type=application/json
Authorization=Bearer <access_token_here>
and body
{
  "changeType": "created,updated,deleted",
  "notificationUrl": "https://dashmeetings.com/microsoft/notify",
  "resource": "users/mahogany#strixtechnology.com/events",
  "expirationDateTime": "2017-12-01T11:00:00.0000000Z",
  "clientState": "1234"
}
This returns a 401 Unauthorized with
{
  "error": {
    "code": "ExtensionError",
    "message": "Operation: Create; Exception: [Status Code: Unauthorized; Reason: Unauthorized]",
    "innerError": {
      "request-id": "98ce5e5e-1ce4-4417-8c35-456a3cc0e696",
      "date": "2017-11-30T10:59:28"
    }
  }
}
This question seems similar to “Resource not found for the segment” using Graph subscription beta, but I followed the same steps without any luck.

The admin consent URL had to be
https://login.microsoftonline.com/common/adminconsent?client_id=bbb35336-faee-4c10-84b4-34136634db41&state=1234&redirect_uri=https%3A%2F%2Fdashmeetings.com%2Fmicrosoft%2Foauth
and the access token address:
https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
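
Several of the questions above turn on what the access token actually carries: application permissions appear in the `roles` claim, delegated ones in `scp`, and the issuing tenant in `tid`. The following is an added example, not code from any of the posts, that decodes a token payload offline for that check (the same inspection jwt.ms performs); the sample token, the tenant id and the `needed` permission sets are constructed for illustration and do not state what any endpoint requires.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    Diagnostic use only: never base an authorization decision on this.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_graph_token(token: str, needed: set, tenant_id: str) -> dict:
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    granted = roles if roles else scopes
    kind = "app-only" if roles and not scopes else "delegated" if scopes else "no permissions"
    return {
        "kind": kind,
        "missing": sorted(needed - granted),       # permissions the caller expected but the token lacks
        "tenant_ok": claims.get("tid") == tenant_id,
    }


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token so the example runs offline.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
SAMPLE = make_sample_token({
    "tid": SAMPLE_TENANT,
    "roles": ["User.ReadBasic.All", "MailboxSettings.Read", "Calendars.ReadBasic.All"],
})

if __name__ == "__main__":
    # The needed set is illustrative; take the real one from the endpoint's documentation.
    print(check_graph_token(SAMPLE, {"MailboxSettings.Read", "Calendars.Read"}, SAMPLE_TENANT))
```

A token that shows `scp` where `roles` was expected, or a `tid` other than the target tenant, points at the token request (grant type, consent or token endpoint) rather than at the Graph call itself.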
