I am unable to upload a file using a valid access token (the token allows me to list groups, drive items etc.). The error that appears is:
invalidRequest: One of the provided arguments is not acceptable.
Using the following PUT request:
https://graph.microsoft.com/v1.0/groups/{my group id}/drive/items/{my item(folder) id}:/test.txt:/content
using content type: text/plain
I tested this exact same request using the graph explorer https://developer.microsoft.com/en-us/graph/graph-explorer and my office 365 user account and the upload worked, so I though it might be an app permissions thing, however this did not work even after granting absolutely every permission to the app and regenerating the access tokem.
Please help as I would rather use an access token than my user account to perform the uploads.
Thankyou
Oliver
Just add a worked endpoint on my side:
PUT https://graph.microsoft.com/v1.0/groups/my-group-id/drive/root:/test.txt:/content
Request body: The contents of the file goes here.
The content type of request header does not need to be configured.
You need to check your folder path too.
I managed to resolve by creating a new app definition in Azure AD with the same permissions and it worked! Perhaps there was some corruption in my original Azure application - maybe the manifest was corrupt (due to a bug)?
Related
We need to create, update or delete product(s) from our catalog.
For doing this programatically we are following Meta's Product Catalog Batch API documentation in which there is an endpoint mentioned as "<product_catalog_id>/batch". We are trying to make request at this endpoint by passing the payload as mentioned in the official documentation.
But I am getting "403 forbidden" error every time. On digging deeper I found that the access token which is making this API call must have 2 permission i.e. "catalog_management" and "business_management".
I have checked the access permission for my access token and it indeed has there 2 permissions.
Can anybody please help here?
I am attaching some links below, which I am using to make the batch API calls for product catalogs.
Using this link to understand the API structure = https://developers.facebook.com/docs/marketing-api/catalog-batch/guides/send-item-updates/
Using this link to make the required payload = https://developers.facebook.com/docs/marketing-api/catalog-batch/reference/
I tried generating new access tokens 2 or 3 times. I also tried changing the payload to check whether the documentation may be outdated but nothing helped me to solve this issue.
I am expecting that the product catalog batch API works, so that we can update the products from our side.
We have a published app in the Teams App Store.
We want to let the bot to have access to Teams Files. This is possible using Graph Application Permissions.
But there's a small problem, the "Files.Read.All" and "Files.ReadWrite.All" seems like overkill to our clients and they are not going to let us access all SharePoint resources just to upload a file into Teams Directory.
Resource-specific consent looks like a solution for our purposes.
However, after checking the documentation and samples we've found out that there are no "Files.ReadWrite.Group" and "Sites.ReadWrite.Group" resource-specific consent permissions.
Despite that, we tried to add them but got an error during the app installation process.
When we're requesting the channel information from graph api using resource-specific consent permissions we get:
{
...
"filesFolderWebUrl": "https://example.sharepoint.com/sites/RSC/Shared Documents/General",
...
}
If we try to request GET {filesFolderWebUrl} with auth token we get 401 UNAUTHORIZED.
We also tried to use https://example.sharepoint.com/_api/ and it fails with:
{
"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}
The GET https://graph.microsoft.com/beta/sites/ request returns blank response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#sites",
"value": []
}
Is there a way to get access to Teams Files using resource-specific consent? Any help would be appreciated.
As an alternative to RSC you could use SharePoint Site collection Level Permission
aka "The SharePoint flavour of RSC"
using the ``Sites.Selected` Graph permission.
This will allow a Customer Admin to grant your app/bot access to specific SharePoint SiteCollections.
While this does not give the 'automagical' permissions when a Teams App is installed in a team, it will allow you to use App Permissions with a scope that is both controllable, and smaller than 'entire tenant'
See:
PG Blog Bost & Demo:
https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
Blogpost with samples : https://dev.to/svarukala/use-microsoft-graph-to-set-granular-permissions-to-sharepoint-online-sites-for-azure-ad-application-4l12
Create Site Permission: https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http
Team (group) resource-specific consent doesn't currently support access to the team's files.
There are some new graph scopes (preview) you could try:
Files.Read.Selected - allows read access to files user can select.
Files.ReadWrite.Selected - allows read/write access to files user can select
Files.ReadWrite.AppFolder - allows access to files in the "app folder". This one looks promising in your case.
These are new, and in "preview" state at the moment of writing, but already available for the apps. Disclaimer: I have not tried them myself yet, just discovered recently.
I am trying to upload a large (> 4mb) attachment to an existing message in Office 365. I am following these instructions: https://learn.microsoft.com/en-us/graph/outlook-large-attachments?tabs=http
I have successfully created the upload session, and obtained a uploadUrl value that looks legitimate, it roughly matches the example in the documentation. Then I start my PUT to this url, for the first byte range that I've selected. I'm sure I'm setting the Content-Type, Content-Length and Contact-Range headers correctly. My problem is that I get http 401 (Unauthorized) in response. The error header returned is "The audience claim value is invalid for current resource..." and it regurgitates my url and it looks intact.
My theory is that I need to add another API permission to my application. I already have mail read.write, and that allows me to create a < 4mb attachment. If I need another permission, which one? Or do I have some other problem?
According to this documentation page on Resumable Uploads, you'll need any of Files.ReadWrite, Files.ReadWrite.All or Sites.ReadWrite.All permissions for a Delegated Work account.
If you're using an Application token, then you need Sites.ReadWrite.All permission.
What were the permissions you were missing that you had to add out of interest? Was the docs clear from our perspective? I can see the Resumable file upload permissions is specific to SharePoint and can use "Files.ReadWrite, Files.ReadWrite.All, Sites.ReadWrite.All".
For mail message you'd need Mail.ReadWrite as per this doc for large file upload https://learn.microsoft.com/en-us/graph/api/message-post-attachments?view=graph-rest-1.0&tabs=http
I've created a feedback item on the doc to get this updated. https://github.com/microsoftgraph/microsoft-graph-docs/issues/6817
I am trying to integrate Windows Azure AD in to iOS application. I was able to do authentication with common consent framework and also able to access list of users in my active directory.
Format of my request,
URL: https://graph.windows.net/mytenantdomain/users?api-version=2013-04-05
, HTTP Method: GET,
HTTP Header: Authorization: Bearer <'access token'>
I am able to receive various other fields associated with users entity but it fails to return thumbnailPhoto field. Is there anything i need to do or its not supported as of now. Any solution to this issue will be helpful.
That is indeed the default behavior. You need to make an additional call to fetch the thumbnailPhoto property.
HTTP GET https://graph.windows.net/<directory_name_or_id>/users/<users_upn_or_objectid>/thumbnailPhoto?api-version=2013-11-08
Hope this helps
I was having this problem. I assumed the picture I was setting in my O365.com profile was the same as the thumbnailPhoto property. After unsuccessfully trying a couple times, I opted to upload a photo using Powershell: Set-AADUserThumbnailPhoto -Id "xxxx-xxxx-xxxx..." -ThumbnailPhotoFilePath "C:\users\me\Desktop\mypicture.jpg". Then it worked.
We are trying to use google.picker to have our users upload files to our drive account (i.e., the user is not required to have a Google account to upload).
We're trying to use regular Google accounts as application-owned accounts and got our AUTH_TOKEN using OAuth2 and set it using .setOAuthToken(AUTH_TOKEN) . We followed everything described in the docs.
However, when uploading, we got a Server Rejected error. The call to https://docs.google.com/upload/resumableupload?authuser=undefined returned:
{"errorMessage":{"reason":"REQUEST_REJECTED","additionalInfo":{"uploader_service.GoogleRupioAdditionalInfo":{"completionInfo":{"status":"REJECTED"},"requestRejectedInfo":{"reasonDescription":"agent_rejected"}}},"upload_id":"AEnB2Ur64Gb0JDCk_8mg5EhpdcaqL82wBQHumHjcGvDqYibtksmUzhfhBolsmBFzRuvQPRyi43SYfactJZvIWYrQ6xAqzu3L9g"}}
We know we cannot use service accounts since the picker doesn't support it.
Do we miss something in getting the AUTH_TOKEN? Do we need to something in the console?
Give us a little more code, or check the call to gapi.auth.authorize()
Check that you are using the correct scope to obtain the OAuth token.
Scope should be https://www.googleapis.com/auth/drive
Double-Check the scope declaration:
https://developers.google.com/accounts/docs/OAuth2Login#sendauthrequest
Check the call to gapi.auth.authorize()
window.gapi.auth.authorize(
{
'client_id': clientId,
'scope': scope,
'immediate': false
},
handleAuthResult);
from: https://developers.google.com/picker/docs/#hiworld
Without an actual code sample, it is very difficult to say exactly what is going on. Most likely it is the auth token colection. However, it may also be something as simple as not defining a google User (clientID) which in turn impacts the gapi.auth.authorize() call.
maybe this thread can help you: https://groups.google.com/forum/#!topic/Google-Picker-API/PPd0GEESO78
It is about setting the oauth context
or this one:
https://productforums.google.com/forum/#!msg/drive/GDl4uBkkbxM/jRejcxI-EV8J
It is about the type of file you try to upload with autoconvert on..
Use a Google Apps script on Drive with the function doPost to send data to the server. Then write to file with the Drive API. On publish, you have to set the permissions to "accessible to anyone, even anonomous" if doing cross-domain calls. Make the script run under your user name in Google (for testing), but most likely you would want that function moved onto some application-user account in Gmail.
If you need a level of authentication involved, even if the script is made public, you may authenticate against a CloudSQL hosted database and/or with the Jdbc library to connect to an external resource.
The Scope seems to be the problem.OAuth Token must be obtained using correct scope only:
http://tinyurl.com/ldotq4y
Easily replace scope: 'https://www.googleapis.com/auth/drive.readonly' to scope: 'https://www.googleapis.com/auth/drive' . So that you're allow to make change including upload something to your Google Drive account.