Unable to "List channel messages" on Azure AD Graph API Beta - oauth-2.0

When I try to list channel messages I get:
[...] "code": "UnknownError", "message": "Failed to execute backend request." [...]
This error is for all teams I don't belong to.
I have this error when trying to call the API from Microsoft Flow (with HTTP GET) but also with Graph Explorer: the account I used has FULL permission but still asks to check my permission:
Failure - Status Code 403, 656ms Looks like you may not have the permissions for this call. Please modify your permissions
And the registered application has the delegated permission needed to call this endpoint regarding the documentation:
GET /teams/{id}/channels/{id}/messages
https://learn.microsoft.com/en-us/graph/api/channel-list-messages?view=graph-rest-beta
Is it a bug because of the "beta" or something I've missed?

After searching and testing I can confirm that I was misunderstanding how the delegated permission works.
The user needs to have the permission to read the chat messages, meaning that the user needs to be at least a member of the team concerned by the call.
I confirmed it by testing on teams/groups where the account is not a member (result = Status code 403), and everything works successfully after adding the account to the teams/groups.
Does this mean that, at the moment, to be able to list channel messages from all teams in the organisation we need to have a single account (the account used in the Microsoft Graph call) that is a member of each team?
If anyone faced the same situation, this video helps to understand the concept more easily: https://www.youtube.com/watch?v=UPkHvy3eRCM

Microsoft graph /me/mailFolders not working while permissions are given

I have an Office 365 account and I want to access my emails.
I followed the Microsoft Graph documentation:
https://learn.microsoft.com/en-us/graph/api/user-list-mailfolders?view=graph-rest-1.0&tabs=http
I have selected the permissions asked as you see below :
Permissions Image
I have requested the token and the following request does not work :
GET https://graph.microsoft.com/v1.0/me/mailFolders
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
But when I use the next one , it works :
GET https://graph.microsoft.com/v1.0/users('xxx.yyy@zzz.onmicrosoft.com')/mailFolders('Inbox')/messages
I need to use the first endpoint, which everybody on the internet is using; I can't get why it doesn't work for me.
In Graph, the /me/ endpoint is an alias for the currently signed in user (based on the token). An application without a user present will not be able to query /me/, and should instead specify the user id of the user of interest (/users/user id).
If you call the endpoint /me/mailFolders, that means listing the mailFolders of the currently signed-in user. So you need to add delegated permissions and use a flow other than the client credentials flow to get the access token.
If you still would like to use application permissions, you need to call the endpoint /users/{id | userPrincipalName}/mailFolders.
About the error (Resource does not exist or one of its queried reference-property objects are not present.), see the code sample of this issue.

Consented permissions not working when using Microsoft Graph Explorer to access reports

I'm trying to access reports from Graph API using the Graph Explorer. However, it throws 403 Unauthorised errors.
For example the request:
GET https://graph.microsoft.com/v1.0/reports/getSharePointSiteUsageDetail(period='D30')
throws the following error
{
"error": {
"code": "S2SUnauthorized",
"message": "Invalid permission.",
"innerError": {
"request-id": "fda8c3ec-1949-46a9-b179-e1017f7e94ab",
"date": "2020-04-02T01:01:08"
}
}
}
According to the documentation this requires the permissions 'Reports.Read.All'
When looking at the permissions I have in the explorer it says that Reports.Read.All permission is 'consented'
This worked without issues in early December when I was first testing this, so unless something changed I don't know what is going on.
Am I misunderstanding what consented means in this context, or is this a problem with the Graph Explorer as this permission is marked as 'preview'?
Regardless of the source of the problem, does anyone know a way around this/how to fix it?
Please make sure to try to repro the above using MS Graph Explorer with your tenant!
If you're using delegated permissions to allow apps to read service usage reports on behalf of a user, the tenant administrator must have assigned the user the appropriate Azure AD limited administrator role.
Let me know if you can still repro the issue.

ResourceNotFound Microsoft Graph Api with correct token

I want to use the Microsoft Graph API in my application without a user. For this I got an access token for tenant id (a8ef7dd1-217d-430f-9ba0-4dd465b9098d) using this URL:
https://login.microsoftonline.com/a8ef7dd1-217d-430f-9ba0-4dd465b9098d/oauth2/v2.0/token
I see correct result after this request.
After that I try to get users using this URL:
https://graph.microsoft.com/v1.0/users
It also works fine for me.
Example response: {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#users","value":[{"businessPhones":[],"displayName":"IOTA CLM","givenName":"IOTA","jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":"CLM","userPrincipalName":"clm-iota_outlook.com#EXT#@clmiotaoutlook.onmicrosoft.com","id":"50ecbaed-9cee-411f-abb6-5e53e2a1051a"}]}
But if I try to get mailFolders using the next GET request
https://graph.microsoft.com/v1.0/users/50ecbaed-9cee-411f-abb6-5e53e2a1051a/mailFolders
I see 404 error :
"code": "ResourceNotFound",
"message": "Resource could not be discovered."
What did I miss?
Are you sure that user has a mailbox?
Make sure you have the correct permissions. To access mail, you require Mail.Read application permissions that have been admin consented. https://learn.microsoft.com/en-us/graph/api/user-list-messages?view=graph-rest-1.0
You can admin consent where you've registered the application in the portal in the "Permissions" tab of the application. https://aad.portal.azure.com
I've had the same error.
You probably didn't assign a license while adding users at https://admin.microsoft.com
If you go to the Microsoft site, you will find that you need to license Exchange Online to use the Exchange Online feature.
https://learn.microsoft.com/en-us/exchange/exchange-online
Check it out!
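The two mail questions above come down to the same diagnosis: is the token delegated (so /me is meaningful) or app-only from the client credentials flow (so /users/{id} and an admin-consented application permission such as Mail.Read are required)? The following is an added example, not code from any of the posts; it builds constructed sample tokens and reads their claims locally (the `scp`/`roles` claim names are the ones the Microsoft identity platform issues, the sample payloads are made up).

```python
import base64
import json


def _b64url(obj):
    """Base64url-encode a JSON object the way JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_token(payload):
    """Build a constructed, unsigned sample token for demonstration only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(header), _b64url(payload), "not-a-real-signature"])


def decode_claims(token):
    """Return the payload claims of a JWT without checking its signature.
    Fine for inspecting a token you obtained yourself while troubleshooting;
    a resource server must validate the signature before trusting claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, required_permission):
    """Classify a Graph access token and say whether /me can be used.

    Delegated tokens (auth code, device code, ...) carry the granted scopes in
    the 'scp' claim; app-only tokens from the client credentials flow carry
    admin-consented application permissions in 'roles' and have no 'scp'.
    """
    claims = decode_claims(token)
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    delegated = bool(scopes)
    granted = scopes if delegated else roles
    return {
        "flow": "delegated" if delegated else "application",
        "me_allowed": delegated,  # /me is an alias for the signed-in user
        "mail_path": "/me/mailFolders" if delegated
                     else "/users/{id | userPrincipalName}/mailFolders",
        "has_required": required_permission in granted,
        "granted": sorted(granted),
    }


if __name__ == "__main__":
    # Constructed sample claims; real tokens carry many more (aud, iss, exp...).
    app_token = make_token({"roles": ["User.Read.All"], "app_displayname": "svc"})
    print(json.dumps(diagnose(app_token, "Mail.Read"), indent=2))
```

Paste a real token you obtained yourself into `diagnose` to see at once whether the 403 on /me or the missing Mail.Read is explained by the token type.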

Issue with calendar attachments in group event(s)

We have an issue accessing the attachment(s) of an event created in a O365 Group when using the Graph. The event is created in the group calendar, the group is set to public and can be accessed by the user requesting the event. Using the Graph Explorer we can access the event by using the following:
https://graph.microsoft.com/v1.0/groups/groupid/events/eventid
However using the: https://graph.microsoft.com/v1.0/groups/groupid/events/eventid/attachments results in a 403 error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "af65c3ce-6f00-4137-817b-fa1a069d820e",
"date": "2018-08-06T09:02:26"
}
}
}
The issue can be replicated using either the Graph Explorer or any other method. Obviously we have checked the permissions and Calendar.Read has been applied, but even after checking all permission boxes available in the Graph Explorer (or AD App Registration) a 403 still occurs regardless of the selected permissions.
Any call to the attachment endpoint succeeds for events that are in a user's calendar; it seems to occur only when retrieving events for a group. There seem to be no changes in behavior whether the group is public or private, nor when using either the /beta or the /v1.0 endpoint.
The intellisense in the Graph Explorer does show /attachments to be an option, but it always returns a 403 when requested.
Any insights or tips on how to retrieve attachments for events created in a group would be great.
I can reproduce your scenario from my end as well.
Tried using Graph Explorer, a Console project and ASP.NET MVC (you can download the sample from this link).
I have read through the attachment_get Microsoft document; however, I can't find any API for your case. I presume there is no such function atm.
I recommend you raise a ticket from your end to the OfficeDev.
PS: I had an unusual "access is denied" error when I tried to access the group in the ASP.NET MVC sample although I'm logged in with an admin account; it still shows that the access request is denied.
https://learn.microsoft.com/en-us/graph/api/resources/attachment?view=graph-rest-1.0
Events in group calendars do not support attachments.
Last year (an entire year after this question was asked) Microsoft finally clarified in the Graph docs that group events do not support attachments.

How to use appRoleAssignment in Graph Api

I'm trying to leverage the beta api for assigning azure users to applications.
I looked at the documentation and tried a variety of attempts in a C# console app using HttpClient and WebClient and couldn't succeed. I then went to the Microsoft Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer . I couldn't get it to work.
I looked at the documentation:
https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/approleassignment_get
The document's actual description of the HTTP request doesn't match the example. The Graph Explorer seems to hint that the example is correct, but through various attempts I can only get a response of
{
"error": {
"code": "Request_UnsupportedQuery",
"message": "Direct queries to this resource type are not supported.",
...
}
}
My essential URL is
https://graph.microsoft.com/beta/appRoleAssignments/
The example says {id} but I have no idea what to put in. I put in several GUIDs, user ids, object ids, resource ids, and none worked.
It isn't giving any access denied messages, so I assume it has nothing to do with scopes (although the documentation is a little empty regarding that as well).
Ideally, I'd be able to see if a given guest Azure user has access to a particular app, then I'd be able to go and update the assignment. I'll probably also need to delete the assignment as well.
[Edit (2021-07-06): Use Microsoft Graph v1.0 for all of this.]
It looks like the Microsoft Graph API's beta endpoint doesn't currently allow you to list AppRoleAssignments.
[Edit (2018-10-11): The Microsoft Graph beta endpoint now supports the ability to list AppRoleAssignments, though you should still use Azure AD Graph for any production application, until it gets to v1.0.] Fortunately, the Azure AD Graph API does work for this (plus, it's not a beta endpoint, so it's more likely to be stable).
To list all app roles a user is assigned with Microsoft Graph:
https://graph.microsoft.com/v1.0/users/{id}/appRoleAssignments
To list all app roles a group is assigned:
https://graph.microsoft.com/v1.0/groups/{id}/appRoleAssignments
To do the reverse, and list all users or groups assigned to an app:
https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Azure AD Graph is deprecated and all support for it will cease in June 2022. The equivalent requests were (in the same order as above):
https://graph.windows.net/{tenant-id}/users/{id}/appRoleAssignments?api-version=1.6
https://graph.windows.net/{tenant-id}/groups/{id}/appRoleAssignments?api-version=1.6
https://graph.windows.net/{tenant-id}/servicePrincipals/{id}/appRoleAssignedTo?api-version=1.6
In the new Azure portal, under "Enterprise applications" > (your app) > "Users and groups", you'll see the list of users who are assigned to the application, as well as the app role they are assigned to. After testing, you could do the equivalent thing using the Microsoft Graph API request:
https://graph.microsoft.com/beta/servicePrincipals/d0790296-0a14-4ab1-8f6c-4e4d3eb03036/appRoleAssignments
You can get the service principal's object id under "Enterprise applications" > (your app) > Properties > Object ID. Here is a sample of the response:
id is the role id. In your scenario, you could check whether a record exists where the principalId matches the object id of the specific user and principalType is User.
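The membership check described in the answer above, as an added example that is not part of the original thread. It runs over a constructed sample of the appRoleAssignedTo response (field names are those of the appRoleAssignment resource; the ids and display names are made up) and goes one step further than the answer: a user may also be assigned through a group, so the caller can pass the user's group ids (e.g. from /users/{id}/memberOf) to catch that case too.

```python
import json

# Constructed sample of GET /servicePrincipals/{id}/appRoleAssignedTo (the
# field names are those of the appRoleAssignment resource; every id is made up).
SAMPLE_RESPONSE = json.loads("""{
  "value": [
    {"id": "a1", "appRoleId": "00000000-0000-0000-0000-000000000000",
     "principalId": "user-aaaa", "principalType": "User",
     "principalDisplayName": "Alice (guest)"},
    {"id": "a2", "appRoleId": "role-reader",
     "principalId": "group-bbbb", "principalType": "Group",
     "principalDisplayName": "Readers"},
    {"id": "a3", "appRoleId": "role-admin",
     "principalId": "user-cccc", "principalType": "User",
     "principalDisplayName": "Bob"}
  ]
}""")

# Graph uses the all-zero GUID as appRoleId when the app defines no app roles.
DEFAULT_ROLE = "00000000-0000-0000-0000-000000000000"


def effective_assignments(response, user_object_id, user_group_ids=()):
    """Assignment records that give this user access to the app.

    The check from the answer: a record whose principalId is the user's object
    id and whose principalType is User. A user can also inherit access through
    a group assignment, so the user's group ids may be passed in and are
    matched against records with principalType Group.
    """
    groups = set(user_group_ids)
    return [
        a for a in response.get("value", [])
        if (a.get("principalType") == "User" and a.get("principalId") == user_object_id)
        or (a.get("principalType") == "Group" and a.get("principalId") in groups)
    ]


def user_has_access(response, user_object_id, user_group_ids=()):
    return bool(effective_assignments(response, user_object_id, user_group_ids))


def role_ids_for_user(response, user_object_id, user_group_ids=()):
    """Sorted appRoleIds granted; DEFAULT_ROLE means assigned without a role."""
    return sorted({a["appRoleId"] for a in
                   effective_assignments(response, user_object_id, user_group_ids)})
```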