How to get rid of Microsoft Access Data Anytime Consent? - microsoft-graph-api

Is there a way to customize the Microsoft app permission? The add-in we have built needs read-only access; however, the Microsoft permission says our add-in can see and update data anytime. We don't need update access.
We have a Windows add-in that subscribes to all calendar events through the Graph API. However, our customers have strongly come back on the "Access Data Anytime" permission.
We have now changed our calendar permission from "Calendars.ReadWrite" to "Calendars.Read.Shared"; however, we still see "Access Data Anytime", which is fine, but the description is wrong about the update access: we only need to display read access.

"Access Data Anytime" simply means you've requested the offline_access scope so your app receives a Refresh Token. Scopes are not interconnected so it has no way of knowing what other scopes you requested or what data access they may or may not grant.
There is no way to update/customize the description the user sees. Supporting this would expose users to malicious manipulation (i.e. request Users.ReadWrite.All and change the description to 'Only read your username').
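To make the mapping between requested scopes and consent wording concrete, here is an added PowerShell example (not from this thread): it classifies a delegated scope list by the consent text each scope will produce and refuses to build an authorize URL for a read-only add-in if a ReadWrite scope slipped in. The tenant, client id, redirect URI and port are placeholders.

```powershell
# Added example: audit delegated scopes before shipping them to the consent screen.
function Get-ScopeAuditReport {
    param([Parameter(Mandatory)][string[]]$Scopes)
    foreach ($scope in $Scopes) {
        $note = switch -Regex ($scope) {
            '^offline_access$'           { 'refresh token; consent shows "Access data anytime"'; break }
            '^(openid|profile|email)$'   { 'identity claims only'; break }
            '\.ReadWrite(\.|$)'          { 'WRITE access; consent says the app can update data'; break }
            '\.Read(\.|$)'               { 'read-only access'; break }
            default                      { 'unrecognised scope: review manually' }
        }
        [pscustomobject]@{
            Scope   = $scope
            OrgWide = $scope -match '\.All$'     # usually needs admin consent
            Shared  = $scope -match '\.Shared$'  # extends to mailboxes shared with the user
            Note    = $note
        }
    }
}

function New-AuthorizeUrl {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$RedirectUri,
        [Parameter(Mandatory)][string[]]$Scopes
    )
    # Fail closed: a read-only add-in must never ask for write scopes.
    $writes = @($Scopes | Where-Object { $_ -match '\.ReadWrite(\.|$)' })
    if ($writes.Count -gt 0) {
        throw "Read-only app must not request write scopes: $($writes -join ', ')"
    }
    $query = [ordered]@{
        client_id     = $ClientId
        response_type = 'code'
        redirect_uri  = $RedirectUri
        response_mode = 'query'
        scope         = ($Scopes -join ' ')
        state         = [guid]::NewGuid().ToString()   # CSRF protection for the callback
    }
    $qs = ($query.GetEnumerator() | ForEach-Object {
        '{0}={1}' -f $_.Key, [uri]::EscapeDataString([string]$_.Value)
    }) -join '&'
    "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/authorize?$qs"
}

# Before (what the question started with) and after (read-only, keeping offline_access
# because a background add-in still needs a refresh token to run without re-sign-in).
Get-ScopeAuditReport -Scopes 'Calendars.ReadWrite', 'offline_access' | Format-Table
New-AuthorizeUrl -TenantId 'common' -ClientId '00000000-0000-0000-0000-000000000000' `
    -RedirectUri 'http://localhost:8400/callback' -Scopes 'Calendars.Read.Shared', 'offline_access'
```

Dropping offline_access removes the "Access data anytime" line, but the user then has to sign in again whenever the access token expires, so keep it only if the add-in genuinely runs unattended.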

Related

Teams API: Setting presence only with user consent

Recently the Teams API has been extended so that applications can set the availability / presence for a user logged into Teams: https://learn.microsoft.com/en-us/graph/api/presence-setpresence
However, the permissions for this API do not allow access with delegated permissions, only with permission type application:
https://learn.microsoft.com/en-us/graph/api/presence-setpresence?view=graph-rest-1.0&tabs=http#permissions
Am I right in assuming that this means I will need an administrator's consent from every tenant if I intend to build an application using this API?
Is it therefore impossible / impractical to implement this into my app that allows a user to set their presence based on the activity in my app? Because, and please correct me if I am mistaken, a user by themself cannot actually give my app the permission to do this. Right?
(Doesn't this make this API endpoint sort of nearly useless?)
This API supports only Application permission, so with an on-behalf-of-user token you cannot change the status, whereas using an application token you can update the status: https://learn.microsoft.com/en-us/graph/api/presence-setpresence?view=graph-rest-1.0&tabs=http#permissions

MSGraph API: How to get outlook categories of other user as described in the API

I am trying to get the category names/colours via the API for a user other than myself, the documentation says it is possible, see image below, but returns "Access is denied. Check credentials and try again." even though I do have permission to that mailbox.
It seems this question was also asked almost 3 years ago with no answer; I'm guessing the API documentation describes a scenario that the developers forgot to program for???
Previous posting of the same question
Here is the full request, showing the permissions are allowed.
You can't do it using delegated permissions because there is no MailboxSetting.ReadWrite.Shared permission, so that endpoint can only be used to access the current user's mailbox settings when using delegated permissions. You can use Application Permissions and the Client Credential flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow; if you need to limit the scope of your application to a number of mailboxes you can do that as well: https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access

To read another user's mailboxSettings with MSGraph, does the application really need application-level permissions?

I am trying to read a person's Out of Office text with MSGraph. I understand the only way to do this is by getting the person's mailbox settings as indicated here.
Is there another way to read a person's Out of Office Message?
Assuming there is no other way, I have then read, for example in this link, that to call GET /users/{id|userPrincipalName}/mailboxSettings you need to have Application Permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. Is this still the case? It does not make sense to me that you need Application-level permissions. Is there not a delegated (admin consent required) MailboxSettings.Read.All??? The problem is that most IT departments will be hesitant (or pigs are going to fly before some IT departments) to give an application this permission to run without a signed-in user.
Alternatively, I see that there is a User property mailboxSettings, thus using the $select query parameter you can call https://graph.microsoft.com/v1.0/users/{id}?$select=mailboxSettings. Does, or should, this work with User.Read.All?
UPDATE: in accordance with the suggestion below, I have added 2 suggestions to the MSGraph User Voice.
A person's out of office information should be included with their calendar / freebusy (getschedule) information.
There should be a Mailboxsettings.Read.All permission.
Please click on the link and vote them up if you agree.
No, there is no MailboxSettings.Read.All or MailboxSettings.Read.Shared. You can see the list at https://learn.microsoft.com/graph/permissions-reference#mail-permissions. I encourage you to request this as a feature at https://microsoftgraph.uservoice.com.
One possible approach given the currently available permissions around this API is to use app permissions and configure an app access policy to limit the mailboxes it can access - if that's the concern you're mentioning. I'm not clear on why it would be preferable to give a user account access to this info for all mailboxes in an org but not an app service principal.
It isn't included as part of User.Read.All by design. It's not really a property on the user, it's config stored in the mailbox. It's abstracted as a property in Graph, but it requires additional permissions to access.

Better way to access Outlook Calendar without UI in a background application

Scenarios for accessing the Calendar usually involve the user signing in and granting consent to give delegated permissions. This seems to apply to both Office 365 and Graph APIs.
I have seen solutions here for accessing Calendar without UI, but it involves storing the username and password which is less than desired. The other option is using the Graph API with application permission - unfortunately, the Calendars.ReadWrite permission is for all users: "Read and write calendars in all mailboxes". It's unlikely I can get this access granted by an admin as I work in a large company, not to mention I simply don't need that much access.
So my question is, is there any way to get application permission (or any other way to access the Outlook calendar without UI) for only a handful of users?
You can use scoping https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/concepts/auth-limit-mailbox-access.md which allows application permissions to be limited to a subset of users. What type of application are you actually trying to create? Something like getSchedule https://learn.microsoft.com/en-us/graph/api/calendar-getschedule?view=graph-rest-1.0&tabs=http can be used by the logged-on user to query another user's FreeBusy permission and retrieve a limited subset of information about appointments, e.g. Start, End, Subject, Location, which is often ample for a lot of calendar applications.
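The mailbox-scoping route that this answer and the two answers above (mailboxSettings and categories) point to is configured in Exchange Online PowerShell, not in Graph itself. Here is an added example (not from the answers) of restricting an app that holds application-level Graph mailbox permissions to one group of mailboxes and verifying the result; it assumes the ExchangeOnlineManagement module, and the app id, group and user addresses are placeholders.

```powershell
# Added example: limit an application-permission app to a group of mailboxes.
Connect-ExchangeOnline

$appId      = '00000000-0000-0000-0000-000000000000'      # placeholder: app registration (client) id
$scopeGroup = 'calendar-sync-allowed@contoso.example'     # placeholder: mail-enabled security group

# RestrictAccess denies the app every mailbox except members of the scope group,
# regardless of the org-wide Calendars.Read/MailboxSettings.Read it was granted.
New-ApplicationAccessPolicy -AppId $appId `
    -PolicyScopeGroupId $scopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Calendar sync app: limited to the allowed group'

# Verify the effective access for a member and a non-member. Policy changes can
# take up to about 30 minutes to apply, so re-run this check after a short wait.
function Test-MailboxScope {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string[]]$Identity
    )
    foreach ($user in $Identity) {
        $r = Test-ApplicationAccessPolicy -Identity $user -AppId $AppId
        [pscustomobject]@{ Mailbox = $user; Result = $r.AccessCheckResult }  # Granted / Denied
    }
}

Test-MailboxScope -AppId $appId -Identity 'alice@contoso.example', 'bob@contoso.example' | Format-Table
```

Review the policy list with Get-ApplicationAccessPolicy as part of app onboarding, so an app that was later granted broader Graph permissions is still confined to the mailboxes it was approved for.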

Microsoft Graph API - how to grant access for my inbox via API to specific user(s)

I have a question about handling permission grants of inboxes via Microsoft Graph API.
Is it possible via Microsoft Graph API to grant another user the access permission to my inbox messages?
I haven't found any suitable operation until now.
Retrieving released mailboxes from another user works fine, but how do I make my own inbox visible to a specific user so that he has the grant to access my inbox?
I haven't found an operation under:
https://graph.microsoft.com/v1.0/users.....
or https://graph.microsoft.com/v1.0/me.......
Thanks for your help
According to the documentation, you'll need delegated access.
If the app has the appropriate delegated permissions from one user, and another user has shared a mail folder with that user, or, has given delegated access to that user.
At this moment you have no way to share your mailbox by using the API. If you have, however, shared your mailbox with some other user, they will be able to access it.
I think it's a good thing that you cannot share your mailbox from an app, because it would be easy to compromise a mailbox of some user by a malicious app. If you really want, you might be able to share the user's mailbox by using EWS (that is the same connection the Outlook app uses).