Resetting a User's Password with Microsoft Graph - microsoft-graph-api

I also would like reset a user password using Microsoft Graph from a windows service using admin permissions. Using PATCH request to the user's profile
seemed promising but the required Directory.AccessAsUser.All permission is not on the list at apps.dev.microsoft.com so I get a "Insufficient privileges to complete the operation." error.
I had promised to replace PowerShell cmdlets with Microsoft Graph in our application and this small but essential feature now becomes a blocker.
Is there a plan to add this permission to the list?
Is there any way I can assign this permission? perhaps by editing the manifest? If so does anyone know the correct info
"resourceAppId": "????",
"resourceAccess": [
{
"id": "????",
"type": "Scope"
,
What's with the office portal Azure Directory Admin, app registration (preview)? I can see the app I registered at apps.dev.microsoft.com. Is it now an alternative to apps.dev? I like the interface better and the built-in admin consent button.

There is no application permission (yet) that allows you to reset a user's password using Microsoft Graph.
Is there a plan to add this permission to the list?
Yes, but that's about all there is to share, at the moment.
Is there any way I can assign this permission?
The only way to achieve this today (2019-01-17) is to assign the "Company Administrator" role to the ServicePrincipal object for your app — a very risky move (which is not recommended), as it will give your app full admin permissions.
What's with the office portal Azure Directory Admin, app registration (preview)? [...] Is it now an alternative to apps.dev?
Yes, though it's still in preview and it's possible some things might not work (as with all things in preview).

Related

Teams: Can I have access to my Files (Sharepoint) using resource-specific consent permissions?

We have a published app in the Teams App Store.
We want to let the bot to have access to Teams Files. This is possible using Graph Application Permissions.
But there's a small problem, the "Files.Read.All" and "Files.ReadWrite.All" seems like overkill to our clients and they are not going to let us access all SharePoint resources just to upload a file into Teams Directory.
Resource-specific consent looks like a solution for our purposes.
However, after checking the documentation and samples we've found out that there are no "Files.ReadWrite.Group" and "Sites.ReadWrite.Group" resource-specific consent permissions.
Despite that, we tried to add them but got an error during the app installation process.
When we're requesting the channel information from graph api using resource-specific consent permissions we get:
{
...
"filesFolderWebUrl": "https://example.sharepoint.com/sites/RSC/Shared Documents/General",
...
}
If we try to request GET {filesFolderWebUrl} with auth token we get 401 UNAUTHORIZED.
We also tried to use https://example.sharepoint.com/_api/ and it fails with:
{
"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}
The GET https://graph.microsoft.com/beta/sites/ request returns blank response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#sites",
"value": []
}
Is there a way to get access to Teams Files using resource-specific consent? Any help would be appreciated.
As an alternative to RSC you could use SharePoint Site collection Level Permission
aka "The SharePoint flavour of RSC"
using the ``Sites.Selected` Graph permission.
This will allow a Customer Admin to grant your app/bot access to specific SharePoint SiteCollections.
While this does not give the 'automagical' permissions when a Teams App is installed in a team, it will allow you to use App Permissions with a scope that is both controllable, and smaller than 'entire tenant'
See:
PG Blog Bost & Demo:
https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
Blogpost with samples : https://dev.to/svarukala/use-microsoft-graph-to-set-granular-permissions-to-sharepoint-online-sites-for-azure-ad-application-4l12
Create Site Permission: https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http
Team (group) resource-specific consent doesn't currently support access to the team's files.
There are some new graph scopes (preview) you could try:
Files.Read.Selected - allows read access to files user can select.
Files.ReadWrite.Selected - allows read/write access to files user can select
Files.ReadWrite.AppFolder - allows access to files in the "app folder". This one looks promising in your case.
These are new, and in "preview" state at the moment of writing, but already available for the apps. Disclaimer: I have not tried them myself yet, just discovered recently.

What am I doing wrong to get group.selected working in graph API?

I'm currently trying implement an app to read calendars only for a group that's permitted to the app. The idea behind this is that when I want to add a another calendar all I'd have to do is add the object to a specific o365 group. I'm taking the application approach over delegation that way I don't have anything actually logging in to utilize the app. Ultimately I'd like to stay away from any of the *.All permissions for security reasons.
Steps taken :
- created o365 group
- added resource objects and one user service account (just for testing) to the group
- registered app
- generated secret
- assigned group to the app
- granted admin consent to groups.selected via the azure portal
When I run a GET for group/{id}/members :
{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'request-id': '473410a8-4db4-49d6-8d2c-92b9fbd4edb1', 'date': '2020-03-05T14:59:28'}}}
As per the docs
https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http
If you are using Application permissions to Get Members for a group. you will need User.Read.All, Group.Read.All, Directory.Read.All.
The usual issue is not granting that permissions to the application in Portal.azure.com and admin consenting it.
If you're confident with that. Then I'd eliminate your code as being the issue by using something like postman with your app id and client secret. We have a sample Postman collection here https://learn.microsoft.com/en-us/graph/use-postman . for delegated permissions you can use our Graph Explorer playground.
MS docs says:
Note: This permission is exposed in the Azure portal for a feature that is not available for general use. Do not use this permission as it is subject to change.
https://learn.microsoft.com/en-us/graph/permissions-reference

Graph API update user.preferredLanguage not working because of insufficient privileges

I'm trying to update the preferred language of a user using the /me endpoint or the /users/{currentUserID} endpoint but this always throws:
403 "Insufficient privileges to complete the operation."
I have checked the permissions according to the documentation page and added the permissions for User.ReadWrite, User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All. This does not seem to have any effect. Is the documentation incorrect or are there still permissions missing?
The request works fine if I execute it with an azure ad administrator user.
EDIT: 2019-04-18
I did some more testing:
I have created a new demo tenant using https://demos.microsoft.com
I logged in graph explorer with the tenant admin account and gave admin consent for User.ReadWrite (and other default permissions asked by graph explorer).
I logged in with the Demo User.
I set the preferredlanguage to "en-US" using patch on https://graph.microsoft.com/v1.0/me/. This was successful.
I tried to change the language again to "de-DE". This did not work:
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "d1d30483-a3da-4775-af5b-4a3dd9823f11",
"date": "2019-04-18T07:40:27"
}
Therefore it seems to work when setting the language for the first time. But updating it afterwards is impossible.
Neither documentation issue nor Graph permission missing. You need to check the permission in your azure AD but not just the Graph Exploer. My test based on two account(one MS account and one trial account which is test#xx.onmicrosoft). The trial one works well while the MS account cannot.
Within organizations, the privileges of the signed-in user may be
determined by policy or by membership in one or more administrator
roles. For more information about administrator roles, see Assigning
administrator roles in Azure Active Directory.
Based on the test the documentation, not all users can change all profile data, some data have limitation by organization policy which cannot be ignore by the Grape Scopes settings.
For worked case, Directory.AccessAsUser.All is not essential
Just to close this issue:
I did some testing with Microsoft Support. For some reason updating preferredLanguage is only possible when the app has Directory.AccessAsUser.All.
Quite a heavy permission for just updating the user language...

Properly adding permissions to MS Graph API to enable an app to delete users after logging in with admin account

I am writing a .Net Core 2.0 MVC-like app where users log in and then do such operations on an AAD B2C tenant such as add new user, edit user, delete user etc.
Listing and adding users was pretty easy to do, but now when I try to remove certain users, I get a 403 Forbidden error. I'm assuming it's because I missed permissions somewhere, but I don't really know where.
I have enabled literally ALL possible App permissions in my AAD B2C Tenant b2c-extensions-app and most of the ones that sound right (30 app+30 delegated) in apps.dev.microsoft.com. I added the account I log in to test to owner list, too. Any clues on why I keep getting those errors would be much appreciated. What are the things I could have missed?
// I found out that to delete users, Directory.AccessAsUser.All is required. I already have it in delegated permissions but I keep getting the same error.
// Yes, I did add myself as owner to b2c-extensions-app and I also added literally every possible permission to it. Windows Azure Active Directory has 7+9, Microsoft Graph has 37+78.
// Okay it seems that the same error occurs when I try to edit a user's password (or any contents, really), too.
Did you setup your permissions through Azure portal or PowerShell?
Delete permissions for a B2C application must be created using PowerShell.
You can find instructions on this page of Microsoft Docs, under the section 'Configure delete permissions for your application'.
Let me know if it helped!

Microsoft Graph API Problems iOS : Unable to Complete Request Validation Error

I have registered my application here.
I have given all permissions to my App in that panel as well.
I specifically need Groups.ReadWrite.All which requires an admin ? requirement I am not sure what this even means.
https://apps.dev.microsoft.com/#/application/
Okay App is registered and redirect url has been copied.
Now I take that redirect url copy it and paste it into the admin panel for apps. At this link at App Registrations
https://portal.azure.com/
I am not sure why I have to register in two different panels, one which gives me a redirect url for my native app and the other that leaves it blank.
Great So then I setup my iOS app to make a graph request. This scope
https://graph.microsoft.com/Calendars.ReadWrite
I need to readwrite groups so I add this permission
https://graph.microsoft.com/Group.ReadWrite.All
It fails to authenticate.
I have checked that I have added the permissions to my app, and I have at this app registration panel https://apps.dev.microsoft.com/#/application/
Then I try to add the same permissions in the
https://portal.azure.com/
it gives me
Unable to Complete Request Validation Error, then doesn't do anything.
I tried to add a non admin permission same error.
So what is going on here ... ?
So even though they told me use the Graph API from now on moving forward in the docs I tried to go back to their office 365 SDK for iOS, it also has problems as I cannot get the pods to work as per instructions.
I am 100% sure after this issue is resolved I will need permissions
Note: I work at as a consultant for a bank so if someone can tell me what the azure administrator at the bank has to do to get my permissions escalated to admin status that would be great....
Thanks
Those are 2 different registrations,
Per this documentation (https://graph.microsoft.io/en-us/docs/authorization/auth_overview), for personal accounts like live.com or outlook.com, use the Azure AD v2.0, and for the enterprise, use the Azure AD.
So, for your case, I believe you need the latter, the azure AD.
For this to happen, as you said, go https://portal.azure.com/ and add the app registration.
In order to do so, you would need to
select "Azure Active Directory" and go "App registrations".
Once you create an app, you would need to select "native" for the iOS, and then under app access, under "required permissions" add "Microsoft Graph" followed by selected permissions you would like.
To answer the note, you would need permissions to create an app at the portal, otherwise, you would need to ask for that permission or have the admin create an app for you.
Some samples are available at https://github.com/microsoftgraph/ios-objectivec-connect-sample and https://github.com/microsoftgraph/ios-swift-connect-sample for iOS samples.
Hope this helps!

Resources