I am new to Azure and Microsoft Graph API.
I am trying to access: https://graph.microsoft.com/v1.0/me/messages
and I am getting a `404 Not Found.
I took the access token and decrypted in JWT and I can see the access token contains my name and credentials and the scopes defined are :
Directory.AccessAsUser.All Directory.Read.All email Files.ReadWrite Group.Read.All Mail.Send offline_access openid profil.Read
Can someone please suggest why I am getting a bad request?
In order to list (read) the mail messages (as described here) you need the Mail.Read or Mail.ReadWrite (if you also want to write messages) permission (scope).
With respect to mailing functionality you only have requested (or granted?) Mail.Send permission which only allows you send message (as described here).
The email claim is OpenID Connect specific claim and provides the logged-in user's email as claim. It has nothing to do with Exchange Online and sending/receiving e-mails.
Related
We have recently started getting a 401 response with "Requested API is not supported in Admin On-Behalf-Of mode" when calling certain Microsoft endpoints. Specifically,
GET https://graph.microsoft.com/beta/chats/{channelId}/messages/{messageId}
GET https://graph.microsoft.com/v1.0/users/{userId}/joinedTeams
GET https://graph.microsoft.com/v1.0/me/joinedTeams
However this one works
GET https://graph.microsoft.com/v1.0/me
Some information about the setup:
We are using a token with delegated scopes
The token has the required permissions:
AppCatalog.ReadWrite.All
ChannelMessage.Send Chat.Create Chat.Read Chat.ReadWrite
ChatMember.ReadWrite Files.Read.All Files.ReadWrite Sites.Read.All
Sites.ReadWrite.All Team.ReadBasic.All User.Read User.Read.All
User.ReadBasic.All User.ReadWrite.All profile openid email
This has previously worked with the same token
This is happening on the v1.0 and beta endpoints
We tried removing admin consent from each scopes but still faced the
same issue
I cannot find any information in the MS documentation regarding Admin On-Behalf-Of mode and wondered if anyone could shed any light on what we could be doing wrong?
Further Update.
We have now been able to reproduce this on a tenant and has to do with external guest users. These users are able to authenticate into the tenant but you cannot use the token obtained to call some of the Graph API endpoints - Anyone know why this is?
We have tried changing all the settings in External Identities in AAD but still getting the same response on the Graph API endpoints
We recently migrated from on premise exchange to Microsoft 365 and I'm wanting to turn on 2FA for all users (Enable security defaults). However this disables SMTP authentication which we have been using for sending mail from a distribution group address. (Not achievable via EWS as it doesn't have a physical mailbox)
From what I can see, the only method would be to set up a SMTP relay or send via Microsoft Graph.
I've tried going down the Microsoft Graph route, and here's what I've got so far.
Create application in Azure Active Directory > App Registrations
Add Mail.Send and User.Read.All (Application, not delegated) API Permissions and have granted Admin Consent.
Request token using the following
Generate auth code via https://login.microsoftonline.com/{AzureApi.TenantId}/oauth2/v2.0/authorize?response_type=code&client_id={AzureApi.ClientId}&redirect_uri={WebUtility.UrlEncode(RedirectUrl)}&scope=offline_access%20Mail.Send%20User.Read.All [using admin credentials]
Post request to https://login.microsoftonline.com/{AzureApi.TenantId}/oauth2/v2.0/token with the following request body.
{ "grant_type": "authorization_code", "client_id": "AzureApi.ClientId", "client_secret": "AzureApi.ClientSecret", "code": "insert auth code", "redirect_uri": "insert redirect URL" } to get the bearer token
Once I have the token, Now I perform a request to send some mail
https://graph.microsoft.com/v1.0/users/{fromAddress}/sendMail
This works when fromAddress is the email address of the user that requested the token, however when I try to send from a different address it gives this error {"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}
I even tried adding the SendAs permission to the token user for the mailbox I was trying to send as, but this didn't make any difference. Regardless - I want to be able to send as any user without delegating permissions to each mailbox.
Glad of any help. Thanks!!
The behavior you are getting is expected because you are using delegated permissions - authorization code flow. This flow will not allow your app to send email as any user except the user that is signed in/"requested the token".
In your case you can add the permissions as application permissions and then use Client Credentials flow with either secret or certificate(more secure). Your token request will look like the Get Access Token Section. Note that this means two things:
Your app will need to be secured on server side to protect the credentials.
An admin will need to consent to the permissions on Azure AD
Your app will be able to send emails as any user in your tenant so it is very sensitive.
With application permissions you only need Mail.Send
My question is, does Microsoft Graph work without User.Read scope ? I am not able to request the email profile openid permissions directly.
It throws AccessDenied error. So is User.Read pre requisite for email profile or openid ?
User.Read is just the delegated permission for getting the user profile using MS Graph Get User. If your app does not need to read the user profile you don't need this permission but in most cases you do because you app is acting on behalf of the user.
Does Microsoft Graph work without User.Read scope ?
No, but in most cases, you need the scope to read user profile and call /me endpoints.
You should check the api document to see if calling that api required User.Read permission.
For instance: I wanna call this api to list emails, and we can see that this api provides 2 kinds of permissions, one is for delegate, another is for application(this means client credential flow is supported). All the api permissions are listed here and we need to go to azure ad portal to add the api permission to your azure ad application which used to generate access token.
After generating the access token, you can user jwt decode tool to check if your access token contains correct scopes(for delegate permission) or roles(for application permission). Using a correct token to call the api will not lead to AccessDenied error. By the way, newly added permission may be deferrable to take effect.
I am making an application for Microsoft Teams.
Must get the teams in Microsoft Teams that the user is a direct member of.
If I use the same email under which I registered the application in Active Directory, then getting the list on request to /me/joinedTeams is not difficult.
However, if I am using someone else's Teams account, I get an UnknownError when requesting /me/joinedTeams.
I noticed that after consent and authorization in the Microsoft Graph, the user has a token shorter than mine.
However, it works with other endpoints (/me and /drive/root).
Permissions are exposed in accordance with the documentation.
Permissions:
Directory.Read.All
Directory.ReadWrite.All
email
Files.Read
Files.Read.All
Files.Read.Selected
Group.Read.All
Group.ReadWrite.All
offline_access
openid
profile
Team.ReadBasic.All
TeamsAppInstallation.ReadWriteSelfForChat.All
TeamsAppInstallation.ReadWriteSelfForTeam.All
TeamsAppInstallation.ReadWriteSelfForUser.All
TeamSettings.Read.All
TeamSettings.ReadWrite.All
User.Read
User.Read.All
User.ReadWrite.All
enter image description here
Here you are getting the error because the /me/joinedTeams doesn't support personal accounts. See this document.
It works for /me and /drive/root because it supports personal accounts. See this document and this document.
I'm trying to hit https://graph.microsoft.com/v1.0/users/{userId}/mailboxSettings endpoint with an auth token and in return receiving a 403 Error Access Denied response.
I have granted both application level and delegated permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. I can verify that these permissions are enabled on the installed application via examination of my decoded auth token with the jwt.ms. Here is the exert from the decoded token:
"scp": "Directory.AccessAsUser.All Files.ReadWrite.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send MailboxSettings.Read MailboxSettings.ReadWrite Sites.ReadWrite.All"
I have also verified that the user I am requesting mailboxSettings for has been granted access via Admin Consent.
I am able to return mailboxSettings if I hit the endpoint for either the admin userId or the https://graph.microsoft.com/v1.0/users/me/mailboxSettings endpoint. Any help would be much appreciated.
Quickly I tested with Microsoft Graph Explorer and it works for me. So i would request you to test the above API call with Graph Explorer and see if you can repro the issue or not.
I believe the problem is that your token was generated using Delegated scopes. The Delegated flavor of MailboxSettings.Read and MailboxSettings.ReadWrite may only access the currently authenticated user’s mailbox.
In order to access other users, you need to use Application scopes. You can read more about how these scopes work (and how to select them) in this blog post: Application vs Delegated Scopes.
As others have stated, delegated token only works for reading the mailboxSettings of the currently authenticated user. I had enabled mailboxSettings as an Application scope, yet I was getting the same error. The culprit of the issue was that I was using the Auth code grant for the token.
After switching to Client Credentials grant, I am successfully retrieving an Auth token that contains the mailboxSettings Application level scope, and am able to get 200 responses on endpoints for all users.