I am trying to list the Outlook Task Folders using Microsoft Graph with POSTMan.
Following is the URL I am using:
https://graph.microsoft.com/beta/me/outlook/taskFolders
After adding the Bearer Token in the request header, I am getting the following response Graph:
"code": "NoPermissionsInAccessToken",
"message": "The token contains no permissions, or permissions can not be understood.",
I have already enabled the following permissions:Tasks.ReadWrite.
What am I missing here?
I can reproduce your issue while using client credentials flow to get access token. I decode the access token and do not see the permission I assigned. As the article said:
The permission is delegated from the user to the application, usually during the consent process. However, in the client credentials flow, permissions are granted directly to the application itself. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action and not the user.
So, I suggest that you could use OAuth 2.0 authorization code flow to get the access token. And add your Tasks.Read permission in scope.
https://login.microsoftonline.com/xxxxx/oauth2/v2.0/authorize?
client_id=xxxxx
&response_type=code
&redirect_uri=https://localhost:123
&response_mode=query
&scope=https://graph.microsoft.com/Tasks.Read
For more details to get access token with auth code flow you could refer to this article.
Related
I am trying to call Microsoft graph API (ListUsers) with Auth Code grant flow where after authorization I am unable to get the granted permissions in the scope of returned access token thus leading to permission issues.
After some time when I fetch the new access token it has all the permission we granted during authorization and I am successfully able to execute the graph API call. The issue could be seen here in the video: https://drive.google.com/file/d/1jmdAb8vrvqkIiYBLccSIPbdUbhxM9JgC/view?usp=sharing
This issue is happening only when I try add the following scopes in the request for auth flow.
https://graph.microsoft.com/.default
offline_access
When I don't use offline_access for refresh token, it works completely fine.
Please help me understand the issue and guide me to the resolution.
This is my app's api permissions
api permissions
This is my postman settings
postman settings
I can get token successfully using an AD admin account
I can get all users successfully
user list
I can create calendar event successfully using this AD admin' user id
enter image description here
I can not create calendar event using another user id
enter image description here
First, this is the document api for introducing the api permission, you can see Permission type with Delegated and Application.
The second, this is the section for introducing the request example, you can see that there are 2 types /me and /users/{id | userPrincipalName}.
The difference between the 2 kinds of api permission is that, using Delegated permission means we need to make users sign in first to generate the access token and call the api, while Application permission not. So when we use Delegated api permission, we can use api request like /me because the token contained the user information so graph api knows who is me and me is authorized to access this api. So we can also use users/user_principle_name_of_the_signed_in_user here. But it doesn't mean we can use another user principle name here, because other users aren't authorized in the access token.
How can we put any user of your tenant into the request and call the api successfully? We need to use Application permission here. When you add api permission, you may notice it and please add application api permission. Then we need to use client credential flow to generate access token with application permission. Then you may try yor failed request with the new token.
Application permission means you are calling the graph api on behalf the application, so it doesn't require users to sign in, but using delegated permission is much more safe since it will generate access token with limited scope(the api permission you defined in the token generating request), but client credential flow uses /.defalut as the scope, this means all the application api permission in the azure ad application will be added to the generated token, you can't control which application permission is allowed and which is not allowed in one token.
I'm trying to make a call to the Graph API from an Azure Logic App.
I can make a call to the authentication endpoint and get a bearer token.
However, when I use that bearer token to make the call to Graph API, I get the error message:
Access token validation failure. Invalid audience.
I've tried various examples from the MS website and other websites, but none work.
Where am I supposed to specify the audience?
In the first action I have made a HTTPS request to token endpoint with the details as shown below.
Then I parsed the JSON content and picked the access_token and created a new request to call MS Graph as shown below.
Since this is a client credential flow, we will be getting an App token so make sure you have configured Calendars.Read or Calendars.ReadWrite Application permissions and hit https://graph.microsoft.com/v1.0/users/{userid}/events. You should not use /me because there is no user here.
It worked for me.
I'm trying to hit https://graph.microsoft.com/v1.0/users/{userId}/mailboxSettings endpoint with an auth token and in return receiving a 403 Error Access Denied response.
I have granted both application level and delegated permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. I can verify that these permissions are enabled on the installed application via examination of my decoded auth token with the jwt.ms. Here is the exert from the decoded token:
"scp": "Directory.AccessAsUser.All Files.ReadWrite.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send MailboxSettings.Read MailboxSettings.ReadWrite Sites.ReadWrite.All"
I have also verified that the user I am requesting mailboxSettings for has been granted access via Admin Consent.
I am able to return mailboxSettings if I hit the endpoint for either the admin userId or the https://graph.microsoft.com/v1.0/users/me/mailboxSettings endpoint. Any help would be much appreciated.
Quickly I tested with Microsoft Graph Explorer and it works for me. So i would request you to test the above API call with Graph Explorer and see if you can repro the issue or not.
I believe the problem is that your token was generated using Delegated scopes. The Delegated flavor of MailboxSettings.Read and MailboxSettings.ReadWrite may only access the currently authenticated user’s mailbox.
In order to access other users, you need to use Application scopes. You can read more about how these scopes work (and how to select them) in this blog post: Application vs Delegated Scopes.
As others have stated, delegated token only works for reading the mailboxSettings of the currently authenticated user. I had enabled mailboxSettings as an Application scope, yet I was getting the same error. The culprit of the issue was that I was using the Auth code grant for the token.
After switching to Client Credentials grant, I am successfully retrieving an Auth token that contains the mailboxSettings Application level scope, and am able to get 200 responses on endpoints for all users.
I am trying to get an access token to upload large files as described in the docs.
I am using client credentials grant flow to get access token per the documentation. I got an access token using that flow.
I tried to use that access token with this URI:
/v1.0/users/{userId}/drive/items/{itemId}/createUploadSession
but it gives me an error that "AccessDenied Either scp or roles claim need to be present in the token"
I have granted admin permission for the app. I have tried this flow in both postman and in coding but both give the same error.
Well as Marc pointed out Sites.ReadWrite.All was the only permission i needed, it was just that permission had not been accepted by admin.so the roles were not visible in my access token.Now i am able to call graph api using that access token.