Using Flow I am trying to create a Team and then a Planner to add to the Team as a Tab.
I'm trying to create a new Planner in Flow with the Group ID generated from creating a Team.
Following the MS Graph API I've tried using an HTTP in Flow to make a POST to
POST https://graph.microsoft.com/v1.0/planner/plans
with body
{
"owner": "GROUP ID HERE",
"title": "Planner"
}
But I get an error of Unauthorised. Can anyone please advise what I'm doing wrong?
Below is what my permissions on Azure Active Directory looks like to authenticate my API calls:
While I can create a planner through the Microsoft Graph API:
Request ID
Timestamp
I can't do the same thing on Flow using HTTP:
Almost every time, the issue with not having authorization to create a plan in a newly created group is because the calling user is not a member in the group. By default, when a group is created, the creator is an owner, but not a member. You'll need to add the user to the members.
If this isn't addressing your issue, you'll need to provide a bit more information on the error. The request id and the timestamp from the failed requests would allow us to directly diagnose the problem.
Related
The Azure port still uses the Azure AD Graph API in some places. One thing it uses this for is to list API permissions. For this, the portal uses the REST API target GET https://graph.windows.net/myorganization/applicationRefs/c5393580-f805-4401-95e8-94b7a6ef2fc2?api-version=2.0 (example shown for Office 365 Management API). I've searched and cannot seem to find a way to list similar permission sets using the Microsoft Graph API. Is there a way to access this using the Microsoft Graph API?
Ok, was going to upvote one of the previous answers, but my profile is too new. :( You can do this by reading the MS Graph service principal in your tenant as described above. This PowerShell code gives an example (it's used in a command called Find-GraphPermission in the autographps and autographps-sdk modules.
Basic approach is:
Get app-only permissions from the appRoles property of the servicePrincipal
Get delegated permissions from the publishedPermissionScopes property
Each element of appRoles has an id that can be read or written from a given appRoleAssigment object on an app's servicePrincipal in your tenant. Note that each appRole element has a value property that is the common friendly name of the app-only permission (e.g. BitlockerKey.ReadBasic.All
A similar id and value pair exists for each element of publishedPermissionScopes which gives you the delegated permissions. You can use those ids with oauth2PermissionGrant objects under the segment /oauth2PermissionGrants to enumerate consent grants for a given servicePrincipal (and thus app) in your tenant or grant or remove consent
Note that the ids for both appRoles and publishedPermissionScopes are the same in all tenants, so you can actually perform this same mapping of friendly names to ids for any tenant, and use a static snapshot. This can be useful as your application may not be able to read the Microsoft Graph servicePrincipal object. If you store a static version, you'll have the mapping regardless and you'll only miss any new permissions that get added to Microsoft Graph for new APIs.
This file contains a snapshot of the MS Graph servicePrincipal as a fairly readable JSON-like PowerShell hash table: https://github.com/adamedx/autographps-sdk/blob/main/src/common/DefaultScopeData.ps1
For this requirement, you can use this microsoft graph api: https://graph.microsoft.com/v1.0/applications/<object id of the application>
It will response the result like below screenshot(please pay attention to the field requiredResourceAccess):
The content under requiredResourceAccess is the API permissions of this application. The type scope means the permission is Delegated type and the type role means the permission is Application type.
Then please refer to steps below to know which permission does the id under resourceAccess field refer to.
Copy the resourceAppId, in my screenshot is 00000003-0000-0000-c000-000000000000. And request the graph api: https://graph.microsoft.com/v1.0/serviceprincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
Copy one of the id under resourceAccess field in the response of first graph api. For example copy the first id a154bxxxxxxxxxxx59 in my first screenshot. And then search this id in the response of second graph api, we can find this id refer to User.Read.All permission.
We need to read out distribution lists from a contact folder of a dedicated exchange/outlook mailbox (O365). The process must run as a service with no user interaction.
Unfortunately the Graph API does not support distribution lists (not even the Graph beta version does). Because of this we have to use another API - I tried using EWS.
I succeeded by granting full_access_as_app permission to our service. However this allows to read and modify ANY data in ANY mailbox which is a security risk. Granting this permission only to read out some distribution lists from one mailbox is not acceptable.
So I tried to use the ROPC flow that should allow authenticating a user and then accessing the mailbox with the permissions of this user. I followed the information here: How to get OAuth2 access token for EWS managed API in service/daemon application
(Btw I found this post linked in the discussion here: https://github.com/microsoftgraph/microsoft-graph-docs/issues/5659 which has some more information about the topic.)
I exactly followed the steps mentioned above but unfortunately this is not working: I always get a “401 Unauthorized” exception when doing the EWS calls (OAuth calls succeed) and no additional information.
According to https://developer.microsoft.com/en-us/graph/blogs/upcoming-changes-to-exchange-web-services-ews-api-for-office-365/ this is no longer working. So how can I read out distribution lists from a specific mailbox without giving full access and without an interactive login?
EDIT
Here as requested the full code:
string[] ewsScopes = { "https://outlook-tdf-2.office.com/EWS.AccessAsUser.All" };
IPublicClientApplication clientApplication = PublicClientApplicationBuilder.Create(appId).WithAuthority(AzureCloudInstance.AzurePublic, tenantId).Build();
NetworkCredential credentials = new NetworkCredential(appUsername, appPassword);
AuthenticationResult authResult = await clientApplication.AcquireTokenByUsernamePassword(ewsScopes, credentials.UserName, credentials.SecurePassword).ExecuteAsync().ConfigureAwait(false);
ExchangeService exchangeService = new ExchangeService
{
Url = new Uri("https://outlook.office365.com/EWS/Exchange.asmx"),
Credentials = new OAuthCredentials(authResult.AccessToken),
};
ItemView view = new ItemView(int.MaxValue)
{
PropertySet = new PropertySet(ItemSchema.Id),
};
SearchFilter.IsEqualTo filter = new SearchFilter.IsEqualTo(ItemSchema.ItemClass, "IPM.Contact");
FindItemsResults<Item> ewsResult = await exchangeService.FindItems(WellKnownFolderName.Contacts, filter, view).ConfigureAwait(false);
I have also tried with other scopes such as "https://outlook.office.com/EWS.AccessAsUser.All" or "https://outlook.office365.com/EWS.AccessAsUser.All" but without success. I feel the problem might be related to the scope? I can see that the Exchange legacy API that was listed in the Azure UI when adding permissions is now gone...?
The Scope in your code is wrong (I'm not sure where you got that from) it should be
string[] ewsScopes = { "https://outlook.office.com/EWS.AccessAsUser.All" };
Using your code with the scope you had gives a 401 error and if you look at the response headers of the EWS response it actually tells you that the scope is the issue eg
2000003;reason="The audience claim value is invalid for current resource. Audience claim is 'https://outlook-tdf-2.office.com/', request url is 'https://outlook.office365.com/EWS/Exchange.asmx' and resource type is 'Exchange'.";error_category="invalid_resource"
Using your code with the correct scope works fine
But then why is the option to add the Exchange Legacy permission (step 6 in the MS docu mentioned above) gone from the Azure UI?
Its hasn't been removed from the AzureUI they have just moved all the Exchange legacy permissions (including the ones used in the Exchange Admin cmdlets which isn't really a legacy API) under the Graph Permissions. Why they did this way and didn't communicate it well (I'll only just saw it today as well) I'm not sure.
Yesterday Nov 19th Microsoft has updated the documentation: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
Following the new documentation it works (again). The main difference is to use the shortened scope "EWS.AccessAsUser.All" and not any of the full scopes found in many examples and posts such as “https://outlook.office.com/EWS.AccessAsUser.All”, “https://outlook.office365.com/EWS.AccessAsUser.All” etc.
Thank you MS for wasting my time.
Distribution groups are only exposed in Exchange PowerShell today, and are not currently supported via the Microsoft Graph API.
Please vote on this feature request on UserVoice:
I am trying to create a flow process to automate creating CSV files which contains the student, teacher assignment, submissions, and submission outcomes. I have registered an app in Azure AD and I can connect to this fine via PowerShell with delegate permissions and see all of the data I need.
However, when I try to connect with application permissions EduAdministration.Read.All, EduAssignments.Read.All and EduRoster.Read.All, I can only see basic Class and Student information. So calling https://graph.microsoft.com/v1.0/education/classes works but calling https://graph.microsoft.com/v1.0/education/classes/CLASSID/assignments does not (I get a "Resource not found for the segment 'assignments'").
As I have an admin account which is a member of the CLASSID team, I can see all of this information if running from graph explorer with delegated permissions.
So, is there something else I need to do to get the application .Read.All permissions working or are there a tutorial of how to connect to graphs with Flow using delegated permissions?
There are a couple of things going on here:
"Resource not found for the segment 'assignments'" Error
You're receiving this error because you're attempting to call the Assignments endpoint in v1.0. Assignments is still in Beta, so you need to use /beta, not /v1.0.
Once you get past the segment error, you will still have a permissions issue. The Assignments endpoint only supports Delegated scopes. The inverse is true for Classes which only return limited information using Delegated scopes. In order to call both endpoints, you'll want to have two separate tokens (one delegated, one application):
For /education/classes/{id}, use the Application scope EduRoster.Read.All.
For /education/classes/{id}/assignments/, use the Delegated scope EduAssignments.Read.
I am trying to use 'Get /organization' api to fetch the tenant name, tenant id and list of domains in the tenant. If there are many domains (say 300-400) in the tenant, would all of them be included in the response? or would the response be paginated? In that case how should I handle pagination?
My app is Java based and I am directly using the REST interfaces.
Are you seeing issues getting all the data back? AFAIK Organization is a singleton, so specifying $top won't help here. My assumption is that you will get all the data back in the single response.
Hope this helps,
Has anyone successfully created an non-interactive workflow. Basically, what I am trying to accomplish is this. From my CRM, I am trying to do a Valance API callout to my LMS that will create an LMS user when the user is created in the CRM.
This needs to occur without any "human interaction".
I am using the Valance Java SDK (https://github.com/Desire2Learn-Valence/valence-sdk-java) as a framework for my code, at at its core, am executing this Flow:
D2LAppContext DAC = new D2LAppContext(aid,key);
URL targetURL = new URL(protocol+endpt + actiontype);
URL authEP = DAC.createWebUrlForAuthentication(endpt , hport,
targetURL);
httprequest (Get) authEP (which returns a 200 status code - OK)
ID2LUserContext DUC = DAC.createUserContext(authEP, endpt, hport,
true); ( I have also tried this with passing the userid and userkey
generated from the API test application, based on logging in as an
interactive user.
URL userURL = DUC.createAuthenticatedUri(actiontype, 'GET');
httprequest (Get) userURL (which returns a 403 status code -
Forbidden)
Does anyone have a suggestion on how to accomplish this? One question I have is which userid and userkey is the API expecting? The one I use to login to the LMS with via the UI? Or something returned from the Authorization call?
Thanks!
Jim
This question is similar to a question that I asked recently:
Consuming the Valence API as an application
This is how we solved this problem over at Learning Objects.
Basically, what you need to do is create a service account (a user that your application will masquerade as) with the correct permissions needed to create a user on your D2L server. Then you must requisition a userId and userKey for that user by using one of the sample applications available on D2L's github repo, or their API test tool (kind of hack-ish, but it's the only way).
Once you have the userId and userKey it is only a matter of using them to create signed requests to your D2L server.