Using SharePoint REST API - OAuth

I am trying to read SharePoint lists using the following endpoint (http://url/_api/web/lists) and I am passing the access token, but the response returns Access Denied.
When I use the same access token to call an endpoint from the Graph API (https://graph.microsoft.com/v1.0/sites/root/lists), it works fine.
Should I use a different access token when I work with SharePoint REST APIs? Or am I missing something here?
Thanks.

Yes, you should use a different access token since the endpoints are different. The Graph API and the SharePoint API are different resources; you need to grant the application different permissions.
Note:
SharePoint APIs are available via the Microsoft Graph API. You may want to consider using Microsoft Graph instead.
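The answer's point is that an access token is minted for one resource (its `aud` claim) and a token for Graph is simply not a token for SharePoint. The following Ruby, added here as an illustration and not code from the question or answer, inspects the tokens an application already holds and picks the one whose audience matches the host being called; it also checks the delegated `scp` claim. The sample tokens are constructed and unsigned (alg "none") so the code runs offline; the tenant host `contoso.sharepoint.com` and the permission names are assumptions for the example.

```ruby
require "base64"
require "json"
require "uri"

# Decode the payload segment of a JWT without verifying the signature.
# Suitable only for inspecting a token you already hold; never use an
# unverified decode to accept a token presented by someone else.
def jwt_claims(token)
  parts = token.split(".")
  raise ArgumentError, "not a JWT" if parts.length < 2
  payload = parts[1]
  payload += "=" * ((4 - payload.length % 4) % 4) # restore base64 padding
  JSON.parse(Base64.urlsafe_decode64(payload))
end

# Resource a token was issued for, reduced to a host name. Azure AD puts the
# resource URI (e.g. "https://graph.microsoft.com") in `aud`; if the claim is
# an application ID rather than a URI it is returned unchanged.
def token_audience_host(token)
  aud = jwt_claims(token)["aud"]
  aud = aud.first if aud.is_a?(Array)
  aud.to_s.include?("://") ? URI(aud).host : aud.to_s
end

# Delegated permissions granted to the token (space-separated `scp` claim).
def has_scope?(token, scope)
  jwt_claims(token).fetch("scp", "").split(" ").include?(scope)
end

# Pick, from the tokens the app holds, the one minted for the resource behind
# `url`. Returns nil when none matches, which is the situation in the question:
# a Graph token sent to /_api/web/lists is rejected because its `aud` is Graph.
def token_for(tokens, url)
  host = URI(url).host
  tokens.find { |t| token_audience_host(t) == host }
end

# Constructed, unsigned sample tokens (alg "none", empty signature segment) so
# the example runs offline. Real Azure AD tokens are signed.
def sample_token(aud, scp)
  header  = Base64.urlsafe_encode64({ alg: "none", typ: "JWT" }.to_json, padding: false)
  payload = Base64.urlsafe_encode64({ aud: aud, scp: scp, exp: 4_102_444_800 }.to_json, padding: false)
  "#{header}.#{payload}."
end

GRAPH_TOKEN = sample_token("https://graph.microsoft.com", "Sites.Read.All User.Read")
SPO_TOKEN   = sample_token("https://contoso.sharepoint.com", "AllSites.Read") # tenant host is an assumption

if __FILE__ == $PROGRAM_NAME
  held = [GRAPH_TOKEN, SPO_TOKEN]
  ["https://graph.microsoft.com/v1.0/sites/root/lists",
   "https://contoso.sharepoint.com/_api/web/lists"].each do |url|
    t = token_for(held, url)
    puts "#{url} -> #{t ? "use token for #{token_audience_host(t)}" : 'no matching token'}"
  end
end
```

In practice the fix is to request a second token for the SharePoint resource (or to move the call to Graph, as the note suggests); decoding `aud` is the quickest way to confirm which resource the token you are sending was actually issued for.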

Related

How to use the omniauth gem to set up oauth access to the Power BI API

We have a Ruby on Rails application and we use the Omniauth gem to set up OAuth access for our users to several APIs. The Microsoft Graph API is one of these. Now we want to add the Microsoft Power BI API.
We usually use an Omniauth "plugin" gem specific to the API. These gems facilitate the process specific to that API by calling specific API methods and using specific attributes in the data provided, but the process is the same for all these APIs. For Power BI no such plugin gem is available.
The generic process that Omniauth uses to create OAuth access (create an access token) for a user is
request the access token from the API and
request information of the user (using that access token)
create a user specific record containing an identifier for that person (uid), general information of the user (email/name) and the access token
The problem we run into occurs because the Power BI API does not seem to have a method to retrieve user information. This method is available on the Microsoft Graph API (https://graph.microsoft.com/v1.0/me) so we tried using that. This leads to the following two problems:
You need to specify a scope on the API requests and that scope has to also be defined on the app on the Microsoft Azure Portal (AAD). The key and secret of that app are also used on the request to the API. It is possible to add a scope for the Graph API and the Power BI API on the app. However, combining the scopes of these APIs when calling the Power BI API leads to exceptions.
After getting an access token from the Power BI API using a scope that is limited to the Power BI API it is not possible to request user information from the Graph API with that access token
So we see no possibility to finish the Omniauth process to create user-specific records with all the data that is needed to do subsequent OAuth-authorised API calls for those users.
How can we
either get user identifying information from the Power BI API,
or get the required information from the Graph API using the access token granted by the Power BI API
or is there another way that we can get the Omniauth approach to work for the Power BI API?
I have no experience with either the Microsoft Graph API or the Microsoft Power BI API, so these are general thoughts on how to solve this using OAuth.
How can you get user identifying information from the Power BI API?
You can't. As you said, it doesn't exist: "the Power BI API does not seem to have a method to retrieve user information"
How can we get the required information from the Graph API using the access token granted by the Power BI API
Again, you can't. This is a dead end as the Power BI API will not accept a token with the combined scopes.
Is there another way that we can get the Omniauth approach to work for the Power BI API?
Since you can't combine the scopes, I think you will need to request two access tokens, one for each API. So, the thing to be solved here is how do you execute two OAuth sequences in the context of one request? Writing a custom OmniAuth strategy is one approach, but then you lose all the value in the "plugin" gem. I would try to still use the "plugin" gem, but in your callbacks controller, execute a redirect to the second OmniAuth route to step through the OAuth sequence for the Power BI API. You'd need to find an OmniAuth OAuth2 gem that's generic enough to use for the Power BI API (this could use the skip_info option since an info endpoint doesn't exist). You'd also need to persist the OmniAuth hash from the Graph API authentication in a different location, so it's not overwritten when you authenticate to the Power BI API.
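The answer's proposal is two OmniAuth sequences chained from the callbacks controller, with the first result kept under its own key so the second does not overwrite it, and the Power BI strategy run with skip_info. The plain Ruby below, added here as an illustration and not the asker's or the answerer's code, models that controller logic without the OmniAuth gems themselves: the provider order, the provider-specific session keys, the redirect into the second sequence, and the merge of identity from Graph with the token from Power BI. The route paths, session key names and auth hashes are constructed for the example; the real strategy registration in `config/initializers/omniauth.rb` is not shown.

```ruby
# Order matters: the identity provider that has a user-info endpoint runs
# first; the API without one (Power BI) runs second with skip_info.
PROVIDERS = %w[microsoft_graph power_bi].freeze

# Persist a finished strategy's auth hash under a provider-specific session
# key. Using one shared key for both would let the Power BI callback
# overwrite the Graph result.
def store_auth(session, auth)
  session["auth.#{auth['provider']}"] = auth
  session
end

# Path of the next OmniAuth request route still to be completed, or nil once
# every provider in PROVIDERS has stored its auth hash.
def next_auth_path(session)
  pending = PROVIDERS.find { |p| !session.key?("auth.#{p}") }
  pending && "/auth/#{pending}"
end

# Merge the two results: identity (uid, email, name) from the Graph strategy,
# tokens from both. The Power BI hash has no info block because skip_info
# prevented OmniAuth from calling a user-info endpoint that does not exist.
def build_user_record(session)
  graph = session.fetch("auth.microsoft_graph")
  pbi   = session.fetch("auth.power_bi")
  {
    "uid"    => graph["uid"],
    "email"  => graph.dig("info", "email"),
    "name"   => graph.dig("info", "name"),
    "tokens" => {
      "microsoft_graph" => graph.dig("credentials", "token"),
      "power_bi"        => pbi.dig("credentials", "token"),
    },
  }
end

# What the callbacks controller action does for any provider: store the
# result, then either redirect into the next sequence or finish and create
# the user record.
def handle_callback(session, auth)
  store_auth(session, auth)
  nxt = next_auth_path(session)
  nxt ? [:redirect, nxt] : [:done, build_user_record(session)]
end

# Constructed auth hashes in the shape OmniAuth strategies return.
GRAPH_AUTH = {
  "provider"    => "microsoft_graph",
  "uid"         => "c0ffee00-0000-4000-8000-000000000001",
  "info"        => { "email" => "alice@contoso.example", "name" => "Alice Example" },
  "credentials" => { "token" => "graph-access-token", "expires_at" => 4_102_444_800 },
}
POWER_BI_AUTH = {
  "provider"    => "power_bi",
  "uid"         => nil, # skip_info: no user-info call was made
  "info"        => {},
  "credentials" => { "token" => "powerbi-access-token", "expires_at" => 4_102_444_800 },
}

if __FILE__ == $PROGRAM_NAME
  flow = {}
  p handle_callback(flow, GRAPH_AUTH)    # [:redirect, "/auth/power_bi"]
  p handle_callback(flow, POWER_BI_AUTH) # [:done, merged user record]
end
```

Two caveats for a real Rails app: keep the intermediate auth hashes (they contain access tokens) in a server-side session store or the database rather than the cookie store, and clear them once the user record is written.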

Which permission to request from Microsoft Graph to administer Microsoft Teams

I'd like to administer different tenants remotely using the Connect-MicrosoftTeams -AccessTokens option. From what I read, one needs to retrieve the token for the tenant through Microsoft Graph. What I do not understand is how and which permission to request.
Is there anyone who has done this and could point me to some documentation or maybe provide an example request? Thanks!
Use Graph Explorer to determine which APIs you want to use. On the "Modify Permissions (Preview)" tab you will be able to see what kind of permissions are needed for that particular API.
https://developer.microsoft.com/en-us/graph/graph-explorer
See Microsoft Graph permissions reference, Authentication and authorization basics for Microsoft Graph, Authorization and the Microsoft Graph Security API

Is it safe to use the username-password flow for the Graph API, and does this flow come under the OAuth implementation?

We are trying to migrate from EWS to the Microsoft Graph API as Microsoft will no longer support basic authentication from October. While going through a few online examples for Microsoft Azure I came across the Git location below.
https://github.com/Azure-Samples/ms-identity-java-desktop/tree/master/Username-Password-Flow
Is it okay if I migrate our web application to use the above method, or am I using the wrong flow in our case?
Does the Username-Password flow come under Microsoft OAuth?
We recommend that you move to an OAuth flow for your application and not bake user names and passwords in. It's unfortunate that the sample is called this, because it is in fact using OAuth. The main user experience problem you will have otherwise is that any user with multi-factor auth on will not work.
We have some getting started tutorials for Java here https://developer.microsoft.com/en-us/graph/get-started/java specific to Microsoft Graph that you can use to call Exchange APIs to replace your EWS API calls.
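The answer is that the "Username-Password" sample is OAuth's resource owner password credentials grant, and that a web application should use a flow in which it never handles the password. The Ruby below, added here as an illustration and not the sample's or the answer's code, puts the ROPC token request beside the authorization code flow with PKCE (RFC 7636) against the Microsoft identity platform v2.0 endpoints: the browser is sent to the authorize URL, the user authenticates there (MFA included), and the application exchanges the returned code plus its PKCE verifier for tokens. The answer names no specific flow; authorization code with PKCE is this example's choice. The tenant, client ID, redirect URI and scope values are assumptions for the example, and no network call is made.

```ruby
require "base64"
require "digest"
require "securerandom"
require "uri"

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/%s/oauth2/v2.0/authorize"
TOKEN_ENDPOINT     = "https://login.microsoftonline.com/%s/oauth2/v2.0/token"

# What the "Username-Password" sample posts to the token endpoint
# (grant_type=password, ROPC). The application sees and forwards the user's
# password, and there is no step at which MFA can be performed.
def ropc_token_form(client_id, username, password, scope)
  {
    "grant_type" => "password",
    "client_id"  => client_id,
    "username"   => username,
    "password"   => password,
    "scope"      => scope,
  }
end

# PKCE (RFC 7636): a random verifier and its S256 challenge bind the
# authorization code to the client that started the flow.
def pkce_verifier
  Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false)
end

def pkce_challenge(verifier)
  Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
end

# Step 1 of the authorization code flow: the URL the browser is redirected to.
# The user signs in at login.microsoftonline.com; the application never
# handles the password. `state` is checked on return to stop CSRF.
def authorize_url(tenant, client_id, redirect_uri, scope, state, verifier)
  params = {
    "client_id"             => client_id,
    "response_type"         => "code",
    "redirect_uri"          => redirect_uri,
    "response_mode"         => "query",
    "scope"                 => scope,
    "state"                 => state,
    "code_challenge"        => pkce_challenge(verifier),
    "code_challenge_method" => "S256",
  }
  format(AUTHORIZE_ENDPOINT, tenant) + "?" + URI.encode_www_form(params)
end

# Step 2: after the redirect back, exchange the code at the token endpoint,
# proving possession of the verifier. A confidential (web) client also sends
# its client_secret; no user password is involved at any point.
def code_exchange_form(client_id, code, redirect_uri, verifier, client_secret: nil)
  form = {
    "grant_type"    => "authorization_code",
    "client_id"     => client_id,
    "code"          => code,
    "redirect_uri"  => redirect_uri,
    "code_verifier" => verifier,
  }
  form["client_secret"] = client_secret if client_secret
  form
end

def state_matches?(expected, returned)
  !expected.nil? && expected == returned
end

if __FILE__ == $PROGRAM_NAME
  tenant   = "contoso.onmicrosoft.com"          # assumption
  client   = "00000000-0000-0000-0000-000000000000" # assumption
  redirect = "https://app.example/auth/callback"    # assumption
  scope    = "https://graph.microsoft.com/Mail.ReadWrite offline_access"
  verifier = pkce_verifier
  state    = SecureRandom.hex(16)
  puts "ROPC (avoid): #{ropc_token_form(client, 'alice@contoso.example', 'hunter2', scope)}"
  puts "Redirect browser to: #{authorize_url(tenant, client, redirect, scope, state, verifier)}"
  puts "Then POST to #{format(TOKEN_ENDPOINT, tenant)}: #{code_exchange_form(client, 'code-from-redirect', redirect, verifier)}"
end
```

Keep the verifier and state server-side between the two steps (session keyed to the user's browser), and reject the callback when `state_matches?` is false before spending the code.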

Link changed - where can I find a list of Outlook office REST API scopes?

I am currently using the old Outlook Office REST API v2 to access outlook.com mail of users via OAuth (as opposed to Microsoft Graph, due to a lack of certain desired features).
For authentication scopes, it needs values like
https://outlook.office.com/mail.readwrite
https://outlook.office.com/mail.readwrite.shared
vs microsoft graph's
Mail.ReadWrite
Mail.ReadWrite.Shared
Unfortunately, the documentation that supposedly provides a comprehensive list of supported scopes https://dev.outlook.com/restapi/getstarted has had its links changed to point to Microsoft Graph's documentation (which doesn't really help at all).
THE FOLLOWING IS FROM THE ABOVE LINK, AND REDIRECTS TO THE BELOW LINK
scope: a space-delimited list of access scopes that your app requires. For a full list of Outlook scopes, see Authenticate Office APIs using the "v2.0" endpoints [https://developer.microsoft.com/en-us/graph/docs/authorization/auth_overview]
I'm not aware of a global list of Outlook scopes, but they should be documented alongside each REST method under "Minimum Required Scopes".

Read-only access to GData API with OAuth

I'm using the Google Documents List API to get a list of documents and export their contents. I'm authenticating with OAuth (3-legged). It's been very straightforward, with one exception. I'm not finding a way to request read-only access to documents. I'm using a scope of https://docs.google.com/feeds/ when fetching the oauth request token.
Is there a way to request read-only access to Doc List API? Thanks.
You can try
https://docs.google.com/feeds/#readonly
At least that's the schema used for 2-legged OAuth for Marketplace applications:
http://www.google.com/support/a/bin/answer.py?hl=en&answer=162106
I don't know if it will work in your case.
