Develop Reference

Get list of keySets (policy keys) in a given Azure AD B2C tenant with Microsoft Graph API

I'm trying to figure out how to use Microsoft Graph API in order to get information on an Azure AD B2C tenant's Policy Keys. It seems like it should be possible given the following documentation, but I keep getting an InvalidAuthenticationToken error.
Documentation link: https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
What exactly do I need to do to call the endpoint shown in here (the /trustFramework/keySets endpoint)? https://learn.microsoft.com/en-us/graph/api/trustframework-list-keysets?view=graph-rest-beta&tabs=http
In postman, I'm simply firing off the get request with Basic auth using my Portal credentials. Am I going about this the right way?

I tried to reproduce the same in my environment. and received similar error *InvalidAuthenticationToken*
Then , I checked that I missed to give authorization header with bearer token ,
Which Is required parameter to query that as per : List keySets - Microsoft Graph beta | Microsoft Learn
Below are the scopes , I have given admin consent to. delegated and application permissions like openid offline_access profile User.ReadWrite.All TrustFrameworkKeySet.Read.All Policy.ReadWrite.TrustFramework AuditLog.Read.All
Do a get request at https://login.microsoftonline.com/xxxxxx063/oauth2/v2.0/token to receive a token for the application endpoint in postman with the scope for graph i.e; https://graph.microsoft.com/.default , for that particular tenant (here used tenantId of azure ad b2c).
Give required values like client_id, client_secret for client_credential flow
Then try to query graph using that token :
GET https://graph.microsoft.com/beta/trustFramework/keySets ,
Following above steps with correct values and granting admin consent , I could successfully query the keySets

Requested API is not supported in Admin On-Behalf-Of mode

We have recently started getting a 401 response with "Requested API is not supported in Admin On-Behalf-Of mode" when calling certain Microsoft endpoints. Specifically,
GET https://graph.microsoft.com/beta/chats/{channelId}/messages/{messageId}
GET https://graph.microsoft.com/v1.0/users/{userId}/joinedTeams
GET https://graph.microsoft.com/v1.0/me/joinedTeams
However this one works
GET https://graph.microsoft.com/v1.0/me
Some information about the setup:
We are using a token with delegated scopes
The token has the required permissions:
AppCatalog.ReadWrite.All
ChannelMessage.Send Chat.Create Chat.Read Chat.ReadWrite
ChatMember.ReadWrite Files.Read.All Files.ReadWrite Sites.Read.All
Sites.ReadWrite.All Team.ReadBasic.All User.Read User.Read.All
User.ReadBasic.All User.ReadWrite.All profile openid email
This has previously worked with the same token
This is happening on the v1.0 and beta endpoints
We tried removing admin consent from each scopes but still faced the
same issue
I cannot find any information in the MS documentation regarding Admin On-Behalf-Of mode and wondered if anyone could shed any light on what we could be doing wrong?
Further Update.
We have now been able to reproduce this on a tenant and has to do with external guest users. These users are able to authenticate into the tenant but you cannot use the token obtained to call some of the Graph API endpoints - Anyone know why this is?
We have tried changing all the settings in External Identities in AAD but still getting the same response on the Graph API endpoints

Error Access Denied on mailboxSettings for users

I'm trying to hit https://graph.microsoft.com/v1.0/users/{userId}/mailboxSettings endpoint with an auth token and in return receiving a 403 Error Access Denied response.
I have granted both application level and delegated permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. I can verify that these permissions are enabled on the installed application via examination of my decoded auth token with the jwt.ms. Here is the exert from the decoded token:
"scp": "Directory.AccessAsUser.All Files.ReadWrite.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send MailboxSettings.Read MailboxSettings.ReadWrite Sites.ReadWrite.All"
I have also verified that the user I am requesting mailboxSettings for has been granted access via Admin Consent.
I am able to return mailboxSettings if I hit the endpoint for either the admin userId or the https://graph.microsoft.com/v1.0/users/me/mailboxSettings endpoint. Any help would be much appreciated.

Quickly I tested with Microsoft Graph Explorer and it works for me. So i would request you to test the above API call with Graph Explorer and see if you can repro the issue or not.

I believe the problem is that your token was generated using Delegated scopes. The Delegated flavor of MailboxSettings.Read and MailboxSettings.ReadWrite may only access the currently authenticated user’s mailbox.
In order to access other users, you need to use Application scopes. You can read more about how these scopes work (and how to select them) in this blog post: Application vs Delegated Scopes.

As others have stated, delegated token only works for reading the mailboxSettings of the currently authenticated user. I had enabled mailboxSettings as an Application scope, yet I was getting the same error. The culprit of the issue was that I was using the Auth code grant for the token.
After switching to Client Credentials grant, I am successfully retrieving an Auth token that contains the mailboxSettings Application level scope, and am able to get 200 responses on endpoints for all users.

Is Outlook.com blocking EWS connections coming from Heroku/AWS?

Our service is connecting to https://outlook.office365.com using EWS on behalf of an #outlook.com user. We're getting status 403 and the header X-BackEndHttpStatus : 403.
What does it mean?
EWS connections seem to work for other #outlook.com users just fine.
Thank you.
Update Apr'19: What we see is that EWS for #Outlook.com accounts is refusing connections from Heroku/AWS IP addresses. Not sure why.

According to my search, do you have a Authentication with your EWS application.
You could make a authentication with the below link:
Authenticate an EWS application by using OAuth
EWS must have the "Full access to user's mailbox" permission.
If your Outlook account has multi-factor authentication, please refer to this link:
Set up multi-factor authentication for Office 365 users

Microsoft Graph API .NET not able to read shared mail

First post...here goes. I am trying to display email from a shared mailbox but run into "ErrorAccessDenied Access is denied. Check credentials and try again".
The user does have permission to the mailbox, I can access/read email in Outlook and in O365 portal. In my app I have also assigned Mail.Read.Shared and Mail.ReadWrite.Shared scopes.
At first I tried Graph Explorer
https://graph.microsoft.com/beta/users/<userPrincipalNameOfSharedMailbox>/messages
but same ErrorAccessDenied, assumed Graph Explorer did not have Mail.Read.Shared scope.
Next I tried to modify Microsoft Graph Snippets Sample for ASP.NET 4.6
I added Mail.Read.Shared and Mail.ReadWrite.Shared and was prompted to accept these permissions
• Read and write mail you can access
• Read mail you can access
but I get the same error when I try get mail from the shared mailbox
IUserMessagesCollectionPage messages = await graphClient.Users["userPrincipalNameOfSharedMailbox"].Messages.Request().GetAsync();
There was a similar post here Microsoft Graph API SDK .NET Issues getting other users emails and the answer implies this is possible. If it is can anyone provide some insight as to what I am missing? thanks

Right now, accessing shared messages is not supported for the authorization_code flow, but it is supported for the client_credentials flow. In order to incorporate this functionality, you will have to change your flow to incorporate this.
Here is an article on creating a client_credentials flow app if you are interested in going this route.