Unable to access Graph API when using Microsoft App Developer API key - microsoft-graph-api

I'm still not able to access the Graph API when using my developer API key from the Microsoft App Registration Portal (Azure AD v2.0 endpoint) as the "client_secret" and I receive the following error message when using the below URL in my web browser to test manually:
Error message:
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Bearer access token is empty.",
    "innerError": {
      "request-id": "902fec23-3ac7-433a-952c-4b0c4213869",
      "date": "2018-06-05T15:23:11"
    }
  }
}
URL:
https://graph.microsoft.com/v1.0/sites/<tenant_name>.sharepoint.com/_api/web/lists?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&client_secret=xxXXxxxxxxxxx
I'm trying to test this without authenticating with my O365 account, as this will go into a script to perform callouts to SharePoint Online.

You cannot use Microsoft Graph without authenticating. Every call to the Graph must include a valid access token in the Authorization header.
From the documentation:
To call Microsoft Graph, your app must acquire an access token from Azure Active Directory (Azure AD), Microsoft's cloud identity service. The access token contains information (or claims) about your app and the permissions it has for the resources and APIs available through Microsoft Graph. To get an access token, your app must be able to authenticate with Azure AD and be authorized by either a user or an administrator for access to the Microsoft Graph resources it needs.

Related

Microsoft Graph Api - Post Subscription gives Internal Server Error

I'm trying to post a subscription request to the Graph API via the https://graph.microsoft.com/v1.0/subscriptions endpoint. However, I keep getting this error:
"code": "ExtensionError",
"message": "Operation: Create; Exception: [Status Code: InternalServerError; Reason: Expected 1 response for tenant lookup for tenant id ... but received 0]
My request:
{
  "changeType": "created,updated",
  "notificationUrl": "https://.../notification",
  "resource": "communications/callRecords",
  "expirationDateTime": "2021-03-24T18:23:45.9356913Z",
  "clientState": "secretClientValue"
}
I'm able to get a token with my tenant id using grant_type = client_credentials (OAuth 2.0 client credentials grant flow). I do not understand why my tenant gives an error when subscribing, although token creation is successful.
What am I doing wrong? Please help!
Thanks.
Update:
Permissions of my application:
Calendars.ReadWrite Application
CallRecords.Read.All Application
Directory.ReadWrite.All Application
OnlineMeetings.Read.All Application
Admin consent is granted for all.
I assume, since you say "grant_type = client_credentials (OAuth 2.0 client credentials grant flow)", that you are using the Delegated CallRecords.Read.All permission.
If you read this page, it says that CallRecord subscriptions only support the Application CallRecords.Read.All permission. So you have to use an application client for authentication and not client credentials.
===== UPDATE =====
Based on the comments I can guess at a number of possible problems:
Since the "free" Azure accounts don't have Teams licenses, one guess is that the subscription call will fail with something. This may be why it's failing for you with a weird message.
The other setup is that your Azure application is in the "free" account and the subscription is for another tenant (like your work tenant). For this to work you would need:
azure application set to multi-tenant
admin consent in the work tenant by their admin
in the generate token call the "myTenantId" has to be the tenantid of the work tenant

"Tenant does not have a SPO license" for Application Permissions on a OneDrive Consumer

I have a Microsoft Graph & MSA/AAD v2 daemon which is exclusively for Server Side API access. In the Azure Portal I have granted admin consent for my Microsoft account (MSA) for User.Read.All and Files.Read.All.
I can successfully get a token, and I have tried both /me/drive/root and /users/{user_guid}/drive/root with the same return result:
GraphError {
  statusCode: 400,
  code: 'BadRequest',
  message: 'Tenant does not have a SPO license.',
  requestId: 'guid',
  date: 2020-06-08T09:53:12.000Z,
  body: '{"code":"BadRequest","message":"Tenant does not have a SPO license.","innerError":{"request-id":"guid","date":"2020-06-08T02:53:12"}}'
}
Note: I'm aware SPO refers to SharePoint Online & OneDrive for Business, however this is for a Microsoft account user, and I am intending to access their OneDrive Consumer (i.e. http://onedrive.live.com).
Is the Graph incapable of accessing OneDrive for Consumers? Or is it only possible with Delegated permissions? I did not see any reference in both the Graph and OneDrive dev docs.
After talking with the Microsoft Identity team, it is not currently a supported scenario to access a Microsoft account user's personal OneDrive (or other Microsoft Graph) content using the client_credentials grant type.
You can obtain admin consent for an MSA user; however, those scenarios are limited to the MSA user operating as a guest user in your AAD tenant, or require them to otherwise have an M365 license and an associated SharePoint Online instance.
If you are looking to access an MSA user's content from a service, persisting the refresh token in the service and obtaining consent for offline_access currently appears to be the recommended method.

using microsoft graph api to read mail behalf of users in the enterprise

I am trying to get the messages inside the mailbox of users in the enterprise via the admin account.
In my app I have the following permissions:
I used the https://login.microsoftonline.com/common/adminconsent?... to grant the application permissions to read mail in all mailboxes and after that, I used the OAuth2 authentication to get a Bearer token.
This is the response I got from the token endpoint:
{
  "token_type": "Bearer",
  "scope": "Mail.Read User.Read User.Read.All profile openid email",
  "access_token": "<token>",
  "expires_in": 3599,
  "ext_expires_in": 3599
}
When I used this to access a mailbox via https://graph.microsoft.com/v1.0/users/USER-ID/messages, I got the following response:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "a31bcf73-4bd6-4fed-bfee-d70328e0703e",
      "date": "2018-11-26T15:20:37"
    }
  }
}
However, when I use this endpoint with the User ID of the authenticated admin account, I am able to access the messages in that mailbox.
But I would like to access the mailboxes of all users in the organization via Microsoft Graph.
The Outlook endpoints operate a little differently than most of the Graph endpoints: rather than having a .All variation of their scopes (i.e. User.Read vs. User.Read.All), it depends on which scope type (Delegated vs. Application) is being used.
When Delegated scopes are being used, Mail.Read only provides access to the authenticated user's mailbox (the only exception being those that have been explicitly shared with that user).
When Application scopes are being used, Mail.Read provides access to any user's mailbox.
Now, this is where things get a little wonky: the type of scope that gets applied is entirely dependent on the OAuth grant used to obtain the token.
When using Implicit or Authorization Code grants, Delegated scopes are applied.
When using the Client Credentials grant, Application scopes are applied.
So in order for you to access any user's mailbox via /v1.0/users/{someUser}/messages, you first need to obtain your token using the Client Credentials OAuth grant. You can find a walkthrough on how this works in the documentation under "Get access without a user".
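The two HTTP calls that the first answer on this page ("every call must include a valid access token in the Authorization header") and this answer ("obtain your token using the Client Credentials OAuth grant") describe, as an added example that is not code from any of the posts or from Microsoft's SDKs. It assumes the v2.0 token endpoint with the `.default` scope and uses only the standard library; `demo_opener` is a constructed offline stand-in for `urllib.request.urlopen` so the flow can be exercised without a tenant. The point a reviewer would check: the client secret goes only in the POST body to the login host, and the token goes only in the Authorization header, never in a Graph query string.

```python
import contextlib
import io
import json
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
LOGIN_BASE = "https://login.microsoftonline.com"


def build_token_request(tenant_id, client_id, client_secret):
    """POST to the v2.0 token endpoint using the client credentials grant.

    The client secret is sent only here, in the form body to the login host.
    Putting it in a Graph URL (as in the original question) does nothing for
    authentication and leaves the secret in proxy and server access logs.
    """
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # ".default" asks for every *application* permission an admin has
        # consented to; those arrive in the token's "roles" claim.
        "scope": "https://graph.microsoft.com/.default",
    }
    return urllib.request.Request(
        f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def build_graph_request(access_token, path):
    """GET a Graph resource; the bearer token rides in the Authorization header."""
    if not access_token:
        # Calling Graph with no bearer token is exactly what yields the
        # "InvalidAuthenticationToken / Bearer access token is empty" error.
        raise ValueError("access token is empty")
    return urllib.request.Request(
        GRAPH_BASE + path,
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/json"},
    )


def parse_token_response(body):
    """Pull the access token out of the token endpoint's JSON reply."""
    data = json.loads(body)
    if "access_token" not in data:
        raise RuntimeError(f"token request failed: {data.get('error_description', data)}")
    return data["access_token"]


def call_graph(tenant_id, client_id, client_secret, path,
               opener=urllib.request.urlopen):
    """App-only call: acquire a token, then call Graph with it."""
    with opener(build_token_request(tenant_id, client_id, client_secret)) as resp:
        token = parse_token_response(resp.read())
    with opener(build_graph_request(token, path)) as resp:
        return json.loads(resp.read())


def demo_opener(request):
    """Constructed offline replacement for urllib.request.urlopen (assumption:
    no network). Hands out a canned token for a well-formed POST to the login
    host, answers an authenticated Graph call with an empty collection, and
    answers an unauthenticated one the way Graph does."""
    if request.full_url.startswith(LOGIN_BASE) and request.get_method() == "POST":
        fields = urllib.parse.parse_qs(request.data.decode())
        if fields.get("grant_type") == ["client_credentials"]:
            body = {"token_type": "Bearer", "expires_in": 3599,
                    "access_token": "constructed.jwt.value"}
        else:
            body = {"error": "unsupported_grant_type"}
    elif request.get_header("Authorization", "").startswith("Bearer "):
        body = {"value": []}
    else:
        body = {"error": {"code": "InvalidAuthenticationToken",
                          "message": "Bearer access token is empty."}}
    return contextlib.closing(io.BytesIO(json.dumps(body).encode()))


if __name__ == "__main__":
    # Placeholder identifiers; swap in real ones and drop opener= to go live.
    print(call_graph("TENANT-ID", "CLIENT-ID", "CLIENT-SECRET",
                     "/users/USER-ID/messages", opener=demo_opener))
```

Because the token came from the client credentials grant, Graph applies Application scopes to this call, which is why `/users/{someUser}/messages` works here but not with a token from the authorization code grant.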

OneDrive not provisioning

I'm trying to create an account for a user, and provision it with OneDrive. The application has all the required rights, and the user has a license which includes OneDrive for Business.
When using /v1.0/users/username/drive endpoint from Microsoft Graph to provision the OneDrive, as stated in the documentation under 'Get a user's OneDrive', the following error presents itself:
{
  "error": {
    "code": "ResourceNotFound",
    "message": "User's mysite not found.",
    "innerError": {
      "request-id": "996c75c0-19d5-416e-8070-e9af593ae1d7",
      "date": "2017-11-08T08:23:22"
    }
  }
}
The OneDrive doesn't get provisioned, not even if I check after some time. When I go to provision it manually by logging into OneDrive for the user however, it does.
So my question is: why doesn't the user's OneDrive get provisioned?
Found a related question just now.
As mentioned in the Documentation:
If a user's OneDrive is not provisioned but the user has a license to use OneDrive, this request will automatically provision the user's drive, when using delegated authentication.
The key bit here being "delegated authentication". This is stating that the API will only provision a Drive when there is a user in context. In other words, your app must be using either the authorization_code or implicit OAUTH grant for automatic provisioning to be triggered.
If you're using "application authentication" (i.e. the client_credentials grant), automatic provisioning won't be triggered.

Microsoft Graph API: 403 Forbidden error when trying to retrieve policies on tenant

I'm trying to retrieve the policies created for my tenant on the Azure AD portal using the Microsoft Graph API. As I understand from the graph API documentation, all the policy CRUD operations require a scope of Directory.AccessAsUser.All.
This scope translates to the permission Access directory as the signed-in user as mentioned here - https://developer.microsoft.com/en-us/graph/docs/authorization/permission_scopes
I have been trying to configure my application on both the new Azure portal and the old one, with different failure points.
On the new portal:
I have created a Web Application in my tenant following instructions on https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal.
When configuring access control, the only subscription for my tenant is Access to Azure Active Directory and I'm not able to configure access control on this in the new portal. From the browser, when I select Access Control (IAM), I see the error: "Call to ARM failed with httpCode=BadRequest, errorCode=DisallowedOperation, message=The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription., reason=Bad Request."
The "Add" roles button is disabled as well.
Can I not configure Access control on the subscription Access to Azure Active Directory? If so, is there no other way to retrieve the policies for my tenant using the API?
On the old portal:
For my app, I configured permissions for:
Microsoft Graph
Windows Azure Active Directory
I verified on the portal that both the APIs are configured with the permission Access directory as the signed-in user. Even in this case, I keep getting a 403 Forbidden when I try to access the https://graph.microsoft.com/beta/policies endpoint to list the policies on my tenant.
Here is the payload of the access token I obtained (https://login.microsoftonline.com/{my tenant name}/oauth2/token):
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
  "iat": 1491256764,
  "nbf": 1491256764,
  "exp": 1491260664,
  "aio": "Y2ZgYAi68q2XUTk0ykH7/TZzrhYbAA==",
  "app_displayname": "test-app",
  "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
  "appidacr": "1",
  "idp": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
  "oid": "7ccea836-d389-4328-a155-67092e2805e9",
  "roles": [
    "Device.ReadWrite.All",
    "User.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "IdentityRiskEvent.Read.All"
  ],
  "sub": "7ccea836-d389-4328-a155-67092e2805e9",
  "tid": "8b49696d-462a-4a71-9c5c-f570b2222727",
  "uti": "4fmUDNWWHkSoTn2-7gtTAA",
  "ver": "1.0"
}
Obviously the Directory.AccessAsUser.All role is missing on this token which is causing the 403 error. So either I'm missing something here or there is a bug in the API that is preventing all the permissions from being correctly configured. Greatly appreciate any help/pointers on this!
Please note:
I'm only using the beta APIs because I didn't find the corresponding endpoint for policies on the v1.0 APIs and the Azure Graph API documentation recommends using the Microsoft Graph API.
With the same configuration, using the Azure Graph API endpoints also returns a 403 Forbidden error for the policies endpoint (https://msdn.microsoft.com/zh-cn/library/azure/ad/graph/api/policy-operations#list-policies).
Based on the claims in the access token, you acquired the access token using the client credentials flow, in which the token is issued to the app itself. There is no delegated permission for a user in this kind of token.
To get an access token with delegated permissions for users, you need to use other flows, like the authorization code grant flow. You can refer to this link for the details.
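The diagnosis this answer makes from the token's claims, and the Delegated-versus-Application rule the mail answer above lays out ("Client Credentials grant: Application scopes; Authorization Code or Implicit: Delegated scopes"), as an added example that is not code from any of the posts. It decodes a JWT payload for inspection only (it does not verify the signature, which is Graph's job), classifies the token by whether it carries a `roles` claim (app-only) or an `scp` claim (delegated), and says whether a required permission is missing or can never appear in that kind of token. The app-only sample reuses the claims the question shows; the delegated sample is constructed from the scope string in the mail post and everything else in it is a placeholder.

```python
import base64
import json

APPLICATION = "application"   # token issued to the app itself (client credentials)
DELEGATED = "delegated"       # token issued for a signed-in user (auth code / implicit)


def decode_jwt_payload(token):
    """Base64url-decode the middle segment of a compact JWT. Inspection only:
    no signature check, so never use this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def permission_model(claims):
    """Azure AD puts app-only permissions in 'roles' and delegated ones in 'scp'."""
    if "scp" in claims:
        return DELEGATED
    if "roles" in claims:
        return APPLICATION
    return "unknown"


def granted_permissions(claims):
    """Return the permission names the token actually carries, as a set."""
    if "scp" in claims:
        return set(claims["scp"].split())
    return set(claims.get("roles", []))


def check_permission(claims, required, required_kind):
    """Explain a 403: 'ok', 'missing' (right flow, no consent/config for it), or
    'wrong-flow' (the permission is of the other kind, so no amount of consent
    will put it in this token; the grant flow must change)."""
    model = permission_model(claims)
    if model != required_kind:
        return "wrong-flow"
    return "ok" if required in granted_permissions(claims) else "missing"


def make_unsigned_jwt(claims):
    """Constructed sample token: real header/claims layout, fake signature,
    so the decoder can be exercised offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.fakesignature"


# Claims copied from the question's token (app-only: has 'roles', no 'scp').
APP_ONLY_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "tid": "8b49696d-462a-4a71-9c5c-f570b2222727",
    "roles": ["Device.ReadWrite.All", "User.ReadWrite.All", "Directory.ReadWrite.All",
              "Group.ReadWrite.All", "IdentityRiskEvent.Read.All"],
}

# Constructed delegated token: scope string from the mail post, placeholder user.
DELEGATED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",
    "tid": "00000000-0000-0000-0000-000000000000",
    "scp": "Mail.Read User.Read User.Read.All profile openid email",
    "upn": "admin@example.invalid",
}


def diagnose(token, required, required_kind):
    """Decode a token and return (model, verdict) for the required permission."""
    claims = decode_jwt_payload(token)
    return permission_model(claims), check_permission(claims, required, required_kind)


if __name__ == "__main__":
    # The policies question: delegated Directory.AccessAsUser.All vs an app-only token.
    print(diagnose(make_unsigned_jwt(APP_ONLY_CLAIMS), "Directory.AccessAsUser.All", DELEGATED))
    # The mail question: application Mail.Read vs a delegated token.
    print(diagnose(make_unsigned_jwt(DELEGATED_CLAIMS), "Mail.Read", APPLICATION))
```

Both page scenarios come out as `wrong-flow`: the policies token lacks `Directory.AccessAsUser.All` because a delegated permission cannot appear in a client-credentials token, and the delegated mail token carries `Mail.Read` but only as a delegated scope, so other users' mailboxes stay forbidden until the token is obtained with the client credentials grant.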
