We have an issue accessing the attachment(s) of an event created in an O365 Group when using the Graph. The event is created in the group calendar, the group is set to public and can be accessed by the user requesting the event. Using the Graph Explorer we can access the event by using the following:
https://graph.microsoft.com/v1.0/groups/groupid/events/eventid
However using the: https://graph.microsoft.com/v1.0/groups/groupid/events/eventid/attachments results in a 403 error:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "af65c3ce-6f00-4137-817b-fa1a069d820e",
      "date": "2018-08-06T09:02:26"
    }
  }
}
The issue can be replicated using either the Graph Explorer or any other method. Obviously we have checked the permissions and Calendar.Read has been applied, but even after checking all permission boxes available in the Graph Explorer (or AD App Registration) a 403 still occurs regardless of the selected permissions.
Any call to the attachment endpoint results in a success for events that are in a user’s calendar, and it seems to occur only when retrieving events for a group. There seem to be no changes in behavior whether the group is public or private, nor when using either the /beta or the /v1.0 endpoint.
The intellisense in the Graph Explorer does show /attachment to be an option, but it always returns a 403 when requested.
Any insights or tips on how to retrieve attachments for events created in a group would be great.
I can reproduce your scenario from my end as well.
Tried using Graph Explorer, Console project and ASP.NET MVC (can download the sample from this link)
I have read through the attachment_get Microsoft document, however I can't find any API for your case. I presume there is no such function atm.
I recommend you to raise a ticket from your end to the OfficeDev.
PS: I had an unusual access is denied error when I tried to access group in ASP.NET MVC sample although I'm logged in with admin account, and it still shows access request is denied.
https://learn.microsoft.com/en-us/graph/api/resources/attachment?view=graph-rest-1.0
Events in group calendars do not support attachments.
Last year (an entire year after this question was asked) Microsoft finally clarified in the Graph docs that group events do not support attachments.
Related
I am currently using the Microsoft Graph API to get events from Outlook, but I would like to change to the calendarView endpoint instead. However, I am facing a number of challenges when using delta links on other users' calendars with delegated access.
My first call to the delta endpoint works as intended, but when I try to use the link in @odata.nextLink for the next delta data I get a permission error, and I can't see what should cause this error.
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "date": "2022-12-06T18:03:31",
      "request-id": "961ca04c-0000-0000-0000-000000000000",
      "client-request-id": "2dc7f5ea-0000-0000-0000-000000000000"
    }
  }
}
Delta querying works fine when done on the events endpoint so I am a bit lost in what to check for?
As you said, you are facing challenges while using delta links on other users' calendars with delegated access. Accessing other users' data requires application permission, whereas delegated permission requires the user to sign in. Please check the doc for more info regarding delegated permission vs. application permission.
Could you please try adding Calendars.Read application permission instead of delegated permission - https://learn.microsoft.com/en-us/graph/api/event-delta?view=graph-rest-1.0&tabs=http.
Hope this helps
Thanks
I ran into this issue recently and found a partial answer at https://learn.microsoft.com/en-us/answers/questions/587998/deltatoken-for-calendar-events-requiring-elevated.html
I asked my Active Directory admin to give manage access for the account associated with my bearer token, and the delta events are now working. That is, myuser@example.com now has manage permissions for shared-calendar-user@example.com. This isn't ideal, but it's acceptable for my use case.
We are trying to identify the SharePoint sites a user has access to using the Graph API. This is working just fine for internal users. However, when we try this for an external user (already guested in Azure AD), we get the error below:
"error": {
  "code": "itemNotFound",
  "message": "Item not found",
  "innerError": {
    "date": "2022-06-20T16:28:01",
    "request-id": "cde68280-5538-40c3-af60-6602bd7c1214",
    "client-request-id": "ef1f7a56-caf4-e1f2-b2b0-57577fa96f03"
  }
}
We have tried to use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer and it's the same error there as well.
If you are using the /common endpoint, a guest user has its own shadow tenant and won't be pointing to the AAD tenant it has been invited into; thus they cannot access resources like a normal member could. Plus, they have limited default permissions, and that does not include groups/site access unless they have been added to the area as a direct member.
However, if you are defining the tenant id in the authority then the above is not relevant.
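Several answers on this page hinge on what the access token actually carries: delegated versus application permission, and which tenant issued it. The following is an added Python example, not code from any of the posts, that decodes a token's claims for triage using the Azure AD claim names `scp` (delegated scopes), `roles` (application permissions) and `tid` (issuing tenant). The tenant IDs, the tokens and the helpers `make_token`, `decode_claims` and `diagnose` are constructed for illustration, and no signature is verified.

```python
import base64
import json

# Constructed tenant IDs (placeholders, not real tenants).
RESOURCE_TENANT = "11111111-1111-1111-1111-111111111111"
GUEST_HOME_TENANT = "22222222-2222-2222-2222-222222222222"


def make_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "sig"])


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, resource_tenant: str, needed: str) -> dict:
    """Summarise the token facts that matter when Graph answers 403/404."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()   # delegated permissions
    roles = claims.get("roles", [])          # application permissions
    kind = "delegated" if scopes else "application" if roles else "none"
    return {
        "kind": kind,
        "has_permission": needed in scopes or needed in roles,
        "tenant_matches": claims.get("tid") == resource_tenant,
    }


if __name__ == "__main__":
    samples = {
        "delegated user": make_token(
            {"tid": RESOURCE_TENANT, "scp": "Calendars.Read User.Read"}),
        "app-only": make_token(
            {"tid": RESOURCE_TENANT, "roles": ["Calendars.Read"]}),
        "guest via /common": make_token(
            {"tid": GUEST_HOME_TENANT, "scp": "Sites.Read.All"}),
    }
    for name, tok in samples.items():
        needed = "Sites.Read.All" if "guest" in name else "Calendars.Read"
        print(name, diagnose(tok, RESOURCE_TENANT, needed))
```

A delegated token that carries the right scope can still be refused when the signed-in user has no rights on the target resource, which is the situation in the shared-calendar and Planner questions on this page.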
You are right, I tried to do the same thing.
My workaround solution is testing with MS Graph Explorer; it worked for me. Then you can code the same requests to talk to the Graph API. Here are the steps:
Get your tenant Id using this site : https://www.whatismytenantid.com/
Open MS Graph Explorer like this : https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=tenantId
Sign in to MS Graph Explorer with the guest account
You should see the name of your guest signed in with your tenant; if not, sign out and sign in again.
Unfortunately, you won't be able to list the SharePoint sites using https://graph.microsoft.com/v1.0/sites?search=* (honestly I do not know why, maybe because the guest has only a Family account?). It worked fine with a user in the same org.
You need to know the siteId, then you can list the document libraries, folders, files, etc... using a request like this : https://graph.microsoft.com/v1.0/sites/siteId/drives
I wish I could get the siteId from MS Graph Explorer for a guest user, but it looks like it is not possible. BTW, doing the same on Google WorkSpace is a no-brainer using shared drives, not like Microsoft at all...
I'm trying to access reports from Graph API using the Graph Explorer. However, it throws 403 Unauthorised errors.
For example the request:
GET https://graph.microsoft.com/v1.0/reports/getSharePointSiteUsageDetail(period='D30')
throws the following error
{
  "error": {
    "code": "S2SUnauthorized",
    "message": "Invalid permission.",
    "innerError": {
      "request-id": "fda8c3ec-1949-46a9-b179-e1017f7e94ab",
      "date": "2020-04-02T01:01:08"
    }
  }
}
According to the documentation this requires the permissions 'Reports.Read.All'
When looking at the permissions I have in the explorer it says that Reports.Read.All permission is 'consented'
This worked without issues in early December when I was first testing this, so unless something changed I don't know what is going on.
Am I misunderstanding what consented means in this context, or is this a problem with the Graph Explorer as this permission is marked as 'preview'?
Regardless of the source of the problem, does anyone know a way around this/how to fix it?
Please make sure,
try repro the above using MS Graph Explorer with your tenant!!
if you're using delegated permissions to allow apps to read service usage reports on behalf of a user, the tenant administrator must have assigned the user the appropriate Azure AD limited administrator role
Let me know if you can still repro the issue.
I'm attempting to get tasks assigned to a specific user from the Graph API, so based off of the sample query in the Graph Explorer I'm using this endpoint
https://graph.microsoft.com/v1.0/users/<user-email>/planner/tasks
Which works fine for whatever user I'm signed in as, but attempting to get tasks for a user I'm not signed in as will always return with a 403 and say I don't have the required permissions. Group.ReadWrite.All is granted by admin, and according to the graph docs, that should be fine, but no luck.
I've also just created a new demo tenant and one by one granted permissions in the Graph Explorer with admin and still no luck! So I'm doubting the issue really is permissions. And for the record I've tried v1.0 and beta endpoints, and I've attempted this in a SPFx Web Part, and it doesn't work in practice either.
Not sure that it will help, but this is what is being returned each time:
{
  "error": {
    "code": "",
    "message": "You do not have the required permissions to access this item.",
    "innerError": {
      "request-id": "b02e3529-a4ae-4825-b4e6-7fc9b1fa228e",
      "date": "2019-03-27T12:28:41"
    }
  }
}
Anyone else ran into this issue or know of a workaround?
Reading tasks for other people is not allowed. We are investigating app-only request support, which should enable this scenario.
I'm using the Graph Explorer on developer.microsoft.com to query shared calendars.
Example:
https://graph.microsoft.com/v1.0/users/user@my.com/calendarview?startdatetime=2018-04-19T19:25:06.250Z&enddatetime=2018-04-26T19:25:06.250Z
This works fine on calendars where I have Reviewer or Full Details access. Calendars where I have Free/Busy, subject, location, I get a 404 and response like this:
{
  "error": {
    "code": "ErrorItemNotFound",
    "message": "The specified object was not found in the store.",
    "innerError": {
      "request-id": "9f9e950f-038e-4411-b813-10a76d4b94fa",
      "date": "2018-04-19T19:42:48"
    }
  }
}
I can open the same calendar with my Outlook client no problem.
My question is, are all of the different permission levels that you see in the Outlook client not supported by Graph? Or is there something I'm doing wrong?
The permissions are consistent with Outlook and Exchange Web Services. The difference is that when you have "Free/Busy, subject, location" (or even one of the lesser) you only have rights to view the FreeBusy data of the mailbox; you don't have permissions to query the calendar directly, which is what you're trying to do, so the error you're receiving is consistent with that fact (and is what you would see in any of the other APIs). Outlook (since 2007) uses the getuseravailability when querying the FreeBusy data for a user (which is where that right is valid); the equivalent in Graph would be findMeetingTimes https://developer.microsoft.com/en-us/graph/docs/concepts/findmeetingtimes_example
https://graph.microsoft.com/v1.0/me/findMeetingTimes
(I don't think this is quite there on feature parity with EWS and Outlook on FreeBusy data though, but it's getting there)