I'm trying to read emails from Microsoft Graph but I get the following error when calling /v1.0/me/messages:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token has expired.",
"innerError": {
"request-id": "06e1edb9-cb8d-4371-807e-2795e60b15a2",
"date": "2019-04-16T12:16:54"
}
}
}
When I use the /beta/me/messages endpoint, however, I don't get any errors, just the expected response.
I'm using the same access token for both requests.
The scopes are:
"scp": "Calendars.Read Calendars.Read.Shared email Files.Read
Files.Read.All Files.ReadWrite Files.ReadWrite.All Mail.Read
Mail.Read.Shared Mail.ReadBasic Mail.ReadWrite
Mail.ReadWrite.Shared openid profile User.Read User.ReadBasic.All"
Does somebody know thy it works with the beta endpoint but not with v1.0 endpoint?
Currently Mail.ReadBasic only works on /beta. It will throw that error. If you remove that permission, whihc you don't need if you have Mail.Read scope anyway, this error will go away.
We are working on better ways to introduce fine grained scopes like *basic without it causing this experience.
Related
I am trying to use Microsoft Graph API in Power Automate where I make calls out to perform some actions. I have been successful with all Graph calls up to this one where I get a 503 serviceNotAvailable error.
The call I am trying is below
GET https://graph.microsoft.com/v1.0/groups/b40e54ac-5626-xxxx-xxxx-xxxxxxxxxxxx/drive/root:/filepath.docx
If I paste this directly into Graph Explorer on the Graph API site it works fine so I am happy that the call is syntactically correct.
I can't get the call to work through Power Automate. I also have tried this through Postman and am getting the same 503 error.
{
"error": {
"code": "serviceNotAvailable",
"message": "The service is not available. Try the request again after a delay. There may be a Retry-After header.",
"innerError": {
"request-id": "87725851-77fb-xxxx-xxxx-xxxxxxxxxxxx",
"date": "2020-03-01T16:55:43"
}
}
}
Permissions in my app registration are
Directory.AccessAsUser.All
Directory.Read.All
Directory.Read.All
Directory.ReadWrite.All
Directory.ReadWrite.All
Files.Read.All
Files.ReadWrite.All
Group.Create
Group.Read.All
Group.ReadWrite.All
Group.Selected
Sites.FullControl.All
Sites.Manage.All
Sites.Read.All
Sites.ReadWrite.All
TeamsActivity.Read.All
TeamsActivity.Send
TeamsApp.Read.All
TeamsApp.ReadWrite.All
TeamsTab.Create
TeamsTab.Read.All
TeamsTab.ReadWrite.All
User.Read
User.ReadWrite.All
Am pulling my hair out ... and there's barely anything left!
If you remove "Group.Create" permission completely and test, it should work.
Seems it doesn't like "Group.Create" with "Group.ReadWrite.All"
If it works in Graph Explorer, but doesn't in Postman. That typically means that your access token in Postman is not correct.
Have you looked at the Postman collection I put together? It puts on rails fetching the access token based on your application id and secret. https://learn.microsoft.com/en-us/graph/use-postman
With regards to PowerAutomate. How are you entering the application id and secret for the the flow to get the application access token? We do have a tutorial here from start to finish to show the approach we recommend here https://learn.microsoft.com/en-us/graph/tutorials/flow
In this topic, the author explains how to get an access token based on users login and password, skipping the authorization dialog.
I could hit the endpoint and get an access token, and refresh token:
GET https://login.microsoftonline.com/348a...6e4/oauth2/token?grant_type=password&\
client_id=6d5f...64f&client_secret=g...f2&username=user#Domain.com&\
password=P#ssW0RD&resource=https://graph.microsoft.com/&\
scope=user.read%20calendars.read%20MailboxSettings.Read%20Mail.read%20Mail.Send
//RESPONSE
{
"token_type": "Bearer",
"scope": "User.Read",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1559602338",
"not_before": "1559598438",
"resource": "https://graph.microsoft.com/",
"access_token": "eyJ0eXAiOiJKV...KJmNhyz5bvhzCWiFA",
"refresh_token": "AQABAAA...VkgAA",
"id_token": "eyJ0...xLjAifQ."
}
But when I tried to get the userĀ“s email, I get an error:
GET https://graph.microsoft.com/v1.0/me/messages?\
$select=sender,subject,ReceivedDateTime&\
$filter=ReceivedDateTime%20ge%202019-05-01&$top=20
RESPONSE
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "e35f...94",
"date": "2019-06-03T21:39:40"
}
}
}
Is this authentication method still valid to Microsoft Graph API? If not, Is there any another way to get the user authorization using only login and password, without any user interaction, just getting his login and password?
You cannot dynamically specify scope with the v1 Endpoint. That model is on only supported with the newer v2 Endpoint (see Scopes, not Resources in the documentation).
In order access the user's mailbox, you'll need to add Mail.Read to your application's registration in the Azure Portal.
Keep in mind that you'll either need an Admin to consent to your application for all users in the tenant or have each user sign-in interactively at least once so they can consent themselves.
I'd also be remiss if I didn't point out that using the Password grant is almost always a bad idea. It is fundamentally less secure than every other OAuth Grant.
I've a Node.js API which is authenticated using passport and passport-azure-ad's OIDC strategy.
After User's authentication I get User's profile, access_token, refresh_token, sub and ISS.
Then I use the same access_token to get User's details from Microsoft graph using this API - https://graph.microsoft.com/v1.0/me
When I request, it prompts me this error,
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"request-id": "04048b3a-7636-4197-88ef-1f08d3a07c9e",
"date": "2018-12-26T09:40:58"
}
}
}
When I use OAuth 2.0 and get the access_token and use that access_token to access the same API, the details are returned successfully.
Although even I tried matching the access_tokens returned by Open ID connect and OAuth 2.0, they differ despite logging in as a same user.
I don't understand why the access_token returned by the Open ID connect didn't worked.
I'm trying to get a user's calendars list using Microsoft Graph via Postman. I am using Client Credentials flow and I have Admin Consent for these permissions:
Calendars.Read
Calendars.ReadWrite
Directory.Read.All
Directory.ReadWrite.All
Mail.Read
Mail.ReadWrite
User.Read.All
User.ReadWrite.All
When calling:
https://graph.microsoft.com/v1.0/users/{my_user_id_here}/calendars
I'm getting this response:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "b0214447-98f6-42e7-9424-d3ee4862a25b",
"date": "2018-09-11T09:05:05"
}
}
}
Also, the HTTP status code is 401. I would say that I have all the required permissions. What am I missing?
The 401 means Unauthorized. Where have you set the permission? The permission need to config with the app we use(
GraphScopes: in the Web.Config file of MVC project/appsettings.json file in the NETCore project
)
Or just for Postman test, you need to register the app in the Azure Active Directory Application Registration(not in http://apps.dev.microsoft.com/)
And blog from Azure Active Directory Developer Support Team: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/using-postman-to-call-the-microsoft-graph-api-using-client-credentials/
I have also added an azure directory application and the result is the same. I added all the possible permissions in AD app.
I'm trying to POST or PATCH an education class using Microsoft Graph but always get and error.
Request
https://graph.microsoft.com/V1.0/education/classes
{
"description": "Health Level 1",
"classCode": "Health 501",
"displayName": "Health 1",
"externalId": "11019",
"externalName": "Health Level 1",
"externalSource": "sis",
"mailNickname": "fineartschool.net"
}
Response
{
"code": "AccessDenied",
"message": "Required scp claim values are not provided.",
"innerError": {
"request-id": "e1183015-d942-491a-9949-4aa73bbef893",
"date": "2018-06-21T08:44:35"
}
}
My App has the needed permissions for creating an education class. (for testing, my app has all the application and delegated permissions possible). Posting users, groups etc is no problem.
More specific the needed permission:
After assigning the permission in the AD portal I did the following:
Get admin consent for the app https://login.microsoftonline.com/myTenant/adminconsent?client_id=myClientID&redirect_uri=MyRedirectURI
Get the authorization code https://login.microsoftonline.com/myTenant/oauth2/authorize?client_id=myClientID&response_type=code&redirect_uri=MyRedirectURI&response_mode=query&resource=https://graph.microsoft.com/
Get the access token
All with success.
After getting the Access Token I have the following scopes:
.....
EduRoster.Read
EduRoster.ReadBasic
EduRoster.ReadWrite
...
The Graph documentation says you need the permission Application EduRoster.ReadWrite.All
Also tested a POST and PATCH in Graph Explorer but get the same response.
This API requires "Application" rather than "Delegated" scopes. As you mentioned, it specifically requires the EduRoster.ReadWrite.All scope.
Which scopes get applied to a token depends entirely on which OAuth Grant you used to obtain the token:
Authorization Code Grant = Delegated
Implicit Grants = Delegated
Client Credentials Grant = Application
The reason you're not getting this scope in your Access Token is that you're using the Authorization Code grant (response_type=code) which will always result in Delegated scopes getting assigned.
In order to make this call, you'll need to obtain a token using the Client Credentials grant.
You might also find this article helpful (full disclosure, I am the author): Application vs Delegated Scopes.