I'm attempting to get tasks assigned to a specific user from the Graph API, so based off of the sample query in the graph explorer i'm using this endpoint
https://graph.microsoft.com/v1.0/users/<user-email>/planner/tasks
Which works fine for whatever user I'm signed in as, but attempting to get tasks for a user I'm not signed in as will always return with a 403 and say I don't have the required permissions. Group.ReadWrite.All is granted by admin, and according to the graph docs, that should be fine, but no luck.
I've also just created a new demo tenant and one by one granted permissions in the graph explorer with admin and still no luck! So i'm doubting the issue really is permissions. And for the record I've tried v1.0 and beta endpoints, and I've attempted this in a SPFx Web Part, and it doesn't work in practice either.
Not sure that it will help, but this is what is being returned each time:
{
"error": {
"code": "",
"message": "You do not have the required permissions to access this item.",
"innerError": {
"request-id": "b02e3529-a4ae-4825-b4e6-7fc9b1fa228e",
"date": "2019-03-27T12:28:41"
}
}
}
Anyone else ran into this issue or know of a workaround?
Reading tasks for other people is not allowed. We are investigating app-only request support, which should enable this scenario.
Related
I am currently using the Microsoft graph API to get events from Outlook, but I would like to change to the calendarView endpoint instead. However, I am facing a number of challenges when using delta links on other users calendars with delegated access.
My first call to the delta endpoint works as intended, but when I try to use the link in #odata.nextLink for next delta data I get an permission error - and can't see what should cause this error
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"date": "2022-12-06T18:03:31",
"request-id": "961ca04c-0000-0000-0000-000000000000",
"client-request-id": "2dc7f5ea-0000-0000-0000-000000000000"
}
}
}
Delta querying works fine when done on the events endpoint so I am a bit lost in what to check for?
As you said you are facing challenges while using delta links on other users calendars with delegated access. For accessing other user data ,which required application permission , where as delegated permission required user to signIn , please check the doc for more info regarding delegated permission vs application permission .
Could you please try adding Calendars.Read application permission instead of delegated permission - https://learn.microsoft.com/en-us/graph/api/event-delta?view=graph-rest-1.0&tabs=http.
Hope this helps
Thanks
I ran into this issue recently and found a partial answer at https://learn.microsoft.com/en-us/answers/questions/587998/deltatoken-for-calendar-events-requiring-elevated.html
I asked my Active Directory admin to give manage access for the account associated with my bearer token, and the delta events are now working. That is, myuser#example.com now has manage permissions for shared-calendar-user#example.com. This isn't ideal, but it's acceptable for my use case.
We have created a WP that we have published to Teams that would give owners the possibility to modify the external sharing setting ("AllowToAddGuests") from a tab in their Teams.
We are experiencing a problem when we try to do the set of AllowToAddGuests using an owner account.
The Teams app has :
{
"resource": "Microsoft Graph",
"scope": "Directory.ReadWrite.All"
}
As per MS Graph docs
https://learn.microsoft.com/en-us/graph/api/directorysetting-update?view=graph-rest-beta&tabs=http
should work fine with delegated.
If I execute the graph call in the graph explorer using the owner user it gives the same access error.
All permissions are granted at admin level.
If a global admin is used, then all works fine.
The error I am receiving is the following:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-07-02T15:18:56",
"request-id": "84fe9be9-a4b0-4023-93e6-68dd780ce2ea"
}
}
}
Has the owner the possibility to change the flag AllowToAddGuests or should I do this via an App reg?
Thanks for the answers.
Alex
I am posting this here so that if anybody looks for the same information, they have it here.
At the time of this writing, the answer we got from Microsoft is that for this call to work, the user performing the call (in our case one of the owners) needs to also be a Group Administrator. For our use case this was not doable as any user in the company can potentially be an owner of a MS Teams.
The solution we have chosen is to use application permission with Directory.ReadWrite.All to perform the call. This works as expected now.
Microsoft has also promised they will update the documentation in order to include the current information.
I'm trying to access reports from Graph API using the Graph Explorer. However, it throws 403 Unauthorised errors.
For example the request:
GET https://graph.microsoft.com/v1.0/reports/getSharePointSiteUsageDetail(period='D30')
throws the following error
{
"error": {
"code": "S2SUnauthorized",
"message": "Invalid permission.",
"innerError": {
"request-id": "fda8c3ec-1949-46a9-b179-e1017f7e94ab",
"date": "2020-04-02T01:01:08"
}
}
}:
According to the documentation this requires the permissions 'Reports.Read.All'
When looking at the permissions I have in the explorer it says that Reports.Read.All permission is 'consented'
This worked without issues in early December when I was first testing this, so unless something changed I don't know what is going on.
Am I misunderstanding what consented means in this context, or is this a problem with the Graph Explorer as this permission is marked as 'preview'?
Regardless of the source of the problem, does anyone know a way around this/how to fix it?
Please make sure,
try repro the above using MS Graph Explorer with your tenant!!
if you're using delegated permissions to allow apps to read service usage reports on behalf of a user, the tenant administrator must have assigned the user the appropriate Azure AD limited administrator role
Let me know still you can repro the issue.
I'm using Microsoft Graph API v1 with Administrator credentials via my software to create Events in a Group. However the response I get is a 403 with the following:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "c4754c79-5e3a-4f63-9f88-404100513796",
"date": "2018-07-11T10:11:27"
}
}
}
on a POST request to https://graph.microsoft.com/v1.0/groups/{idGroup}/events/
I have checked all rights provided to the app via Azure AD and everything is fine (tokens, code and scope with Group.Read.All Group.ReadWrite.All). The Group is also created, the users are added to it and the owner is the admin I use for the create request.
I have also tried on the Microsoft Graph API Explorer but i have the same error.
Yesterday morning the creation was possible but I think some rights were corrupted. Is anybody has got this problem before? How to fix it?
After a few days without any changes in the code the problem dissapeared.
I am still not sure of what happened, anyway thanks guys !
I am trying to create a worksheet using the Graph API and getting the below error. Everything on the URL seems right and I am unable to figure out what is causing the error. There is little help on the Graph API documentation also!
URL:
https://graph.microsoft.com/v1.0/me/drive/items/01FUAEYJMWQZF5VGFFL5G27P5AGS5M2FXD/workbook/worksheets
Error:
{
"error": {
"code": "AccessDenied",
"message": "Could not obtain a WAC access token.",
"innerError": {
"request-id": "44990b81-a8ee-489f-9fd8-d5f7c9a31bf1",
"date": "2018-05-07T14:02:08"
}
}
}
Microsoft documentation:
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/worksheetcollection_add
Any pointers to the solution or what I might be doing wrong is appreciated. Thanks.
According to this post, "WAC is basically a designation for the Office web apps".
So this error probably means that something is tripping up the Graph server (in the file access authentication logic?), but the reported error is not specific enough, hence the generic "WAC Access Token" error.
This worked for me:
Make sure the file is in Sharepoint, not OneDrive (Microsoft Graph doesn't seem to play well with Excel files stored in OneDrive - I think I saw this on Reddit)
Is the file extension .xlsx? (According to this answer, .xltm can cause this error)
Does your user have the Files.Read permission?
Make sure you're using Delegated User permissions from and not Application permissions (GitHub issue)