Unable to add members to the group with Group.ReadWrite.All permission.
I created a bearer token for graph having a scope of Group.ReadWrite.All & User.Read. I tried calling below graph API which adds a member to the group. The token is generated with a user principal having owner membership to the requested group.
But I am able to do other activity on the group, except adding/removing members.
POST https://graph.microsoft.com/v1.0/groups/{groupid}/members/$ref
{
"#odata.id": "https://graph.microsoft.com/v1.0/users/{userid}"
}
also tried with below body
{
"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{userid}"
}
error received: Insufficient privileges to complete the operation.
To add or remove a group member (or owner), you currently need both Group.ReadWrite.All and User.ReadBasic.All (at minimum, though you could also do this with User.Read.All).
One way you can look at it is that you need permission to update the group and permission to read the object you're adding to the group.
Related
I am trying to rech the endpoint
https://graph.microsoft.com/v1.0/users/{emailaddress}/mailFolders('InBox') but am receiving
Error Access Denied response.
I have granted both Mail.Read.Shared and Mail.ReadWrite.Shared on delegated permission.
The scenario I have is that in Azure AD there are a number of users , Manager#acme.com and Tests#acme.com , so they exist under the same tennant /organization.
I have an app whereby I login as Manager#acme.com as the current user. I the create a connection to the App using client id , secret etc and receive an Auth toke n to use in my api calls.
but when i try to call
https://graph.microsoft.com/v1.0/users/Tests#acme.com/mailFolders('InBox') with that token I
get the following error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
Do i ned to grant both Mail.Read.Shared and Mail.ReadWrite.Shared on Application level ?
Or do i need to create a shared folder in Outlook ?
I don't believe Mail.Read.Shared or Mail.ReadWrite.Shared exist as assignable application permissions.
The only permission your App Registration should need is Mail.Read, unless you're intending on the using Graph to delete / send emails etc.
You will likely also need an ApplicationAccessPolicy. You can either create one in the Exchange Online Admin Center, or through PowerShell. I recommend you create a mail enabled security group for all addresses which you need to access and grant restricted access to your app through that policy.
I prefer PowerShell, so in that case you would need the ExchangePowerShell module, and connect to Exchange Online. You'll need some Exchange admin role to be able to do this.
So, let's assume you've created a mail enabled security group called GraphAccessibleUsers#acme.com. You can set the property to hide this from the GAL so users can't see it.
You would then create a policy as follows:
New-ApplicationAccessPolicy -AccessRight RestrictAccess -AppId "<Your-App-Registration-Id" -PolicyScopeGroupId GraphAccessibleUsers#acme.com -Description "Allow App access to users in GraphAccessibleUsers#acme.com"
The -PolicyScopeId parameter will accept:
Name
Distinguished name (DN)
Display name
Email address
GUID
If you only have a few addresses, you may opt to create an individual ApplicationAccessPolicy for each email address.
Finally, I don't think your Graph API URI is correct.
If you want to access the Inbox of Tests#acme.com, then try this instead:
https://graph.microsoft.com/v1.0/users/Tests#acme.com/mailFolders/Inbox
Please refer to mailFolder Resource Type here.
I have been trying to access a user's data using the MS graph API. I have been following the official documentation and I have correctly configured the apps and the permission.
I am also following this code_sample and using this I have been able to fetch the daemon token for the application.
Using the token I am able to successfully fetch the data against the following endpoint:
https://graph.microsoft.com/v1.0/users/204e3e4f-xxxx-xxxx-xxxx-509934e1
The data looks like:
{"#odata.context":"https://graph.microsoft.com/v1.0/$metadata#users/$entity","businessPhones":[],"displayName":"developers#outlook.com Tiwari","givenName":"developers#outlook.com","jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":"Tiwari","userPrincipalName":"developers_outlook.com#EXT##webdevelopers.onmicrosoft.com","id":"204e3e4f-x-xxxxx-xxxxxxx-509934e14fa8"}
However, I can't fetch any more data than this. All the other endpoints throw a 401 Unauthorised exception even when I have checked all the Application permission for my app.
I am trying to hit the following endpoints for fetching calendar of the above user:
https://graph.microsoft.com/v1.0/users/204e3e4f-xxxx-xx-xxxxz-509934e14fa8/calendar
https://graph.microsoft.com/v1.0/users/204e3e4f-xxx-xxx-xxxxx-509934e14fa8/calendars
both of these give 401.
Can someone suggest if I am missing something. I even decompiled my jwt token and it clearly shows all the following scopes added:
"roles": [
"Schedule.ReadWrite.All",
"OnlineMeetings.Read.All",
"Mail.ReadWrite",
"OnlineMeetings.ReadWrite.All",
"User.ReadWrite.All",
"Calendars.Read",
"Mail.ReadBasic.All",
"Files.ReadWrite.All",
"User.Read.All",
"Schedule.Read.All",
"Files.Read.All",
"Organization.ReadWrite.All",
"Mail.Read",
"Calendars.ReadWrite",
"Mail.Send",
"Organization.Read.All",
"Mail.ReadBasic"
],
Please help.
To get access to calendar events you should call the following endpoint:
GET /users/{id | userPrincipalName}/events
The documentations for calendars is here: https://learn.microsoft.com/en-us/graph/api/user-list-events
From your comment on Chris Johnson's answer, you're using a personal account. App-only tokens won't work to access a personal account, and you shouldn't be able to even obtain one using a personal account, since there's no concept of an admin.
App-only requires an admin to consent, and when she does, she grants access to all resources in her tenant. Personal accounts are not in work/school tenants, so they aren't in scope. Even if you've added that personal account as a guest in the work/school tenant, their calendar is hosted outside of the tenant, and is off limits.
I am trying to add a member via this MS Graph API: https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http but am running into permission issues. The request returns back
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation."
I am able to call APIs like https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http with no permission problem, and I have Group.ReadWrite.All and User.ReadBasic.All permissions. Is there a special permission or role I need to be to call this API?
Yes you also need GroupMember.ReadWrite.All and Directory.ReadWrite.All Application permission.
PostMan Request URL:
https://graph.microsoft.com/v1.0/groups/93d96b98-YourGroupId_3ede399/members/$ref
PostMan Request Body:
{
"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/b33ce735_YourUserId_15337c469076"
}
Postman Test:
Added On Group:
Note: Make sure after adding permission you have accepted grant admin consent.
Please refer to Official Document
We're curretly making a multi-tenant app where admin users can log on Office365 and manipulate other users' emails. We want to add a schema extension on created Message, but I end up with a AccessDenied error.
Note that I use the arxone_path schema extension, that is Available (you can try to use it).
I first set up the delegated permission Mail.ReadWrite on my app registration on Azure (like said on https://learn.microsoft.com/en-us/graph/api/opentypeextension-post-opentypeextension?view=graph-rest-1.0#permissions ). I also added Mail.ReadWrite.Shared permission. Using the user's access token, I can actually fetch, create, delete or update Message of another user. But if I try to update a message to add a schema extension like this:
PATCH https://graph.microsoft.com/v1.0/{{user}}/messages/{{message}}
Content-Type: application/json
{
"arxone_path": {
"path":"some/path"
}
}
I always get this response :
HTTP/1.1 403 Forbidden
Content-type: application/json
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "a95b0641-63e9-4601-82f2-d8c4ed6d64d8",
"date": "2020-01-16T16:12:29"
}
}
}
To sum up, I can:
Edit one of the connected user's own message -> OK
Add extension of the connected user's own message -> OK
Edit another user message -> OK
Add extension of another user message -> NOT OK
You cannot add an Open Extension to a users objects using delegated access token for another user. You would need to have that user sign in and use their delegated access token.
The other approach is to use application permissions (app-only) and request User.ReadWrite.All which will require Admin Consent by an Administrator.
I believe this url says you may need additional permissions (depending on the account type) when trying to create an open Extension.
Delegated (work or school)
User.ReadWrite.All
Delegated (personal Microsoft Account)
User.ReadWrite
Application
User.ReadWrite.All
When tried accessing the findMeetingTimes API, I get this following error.
Given a userID or userprincipalname, can we access the findMeetingTimes api to find the meeting time availability of that particular user, along with the meeting room suggestions?
You might be missing to grant the following permissions:
1) Calendars.Read.Shared
2) Calendars.ReadWrite.Shared
ref: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_findmeetingtimes
suggestion: better if you can check your task with graph explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) so that you don't need to add authorization bearer and permission scopes.