I'm automating Microsoft Teams lifecycle (create, add membmers and owners, etc), and I have Teams with a set of Owners and Members (the Owners are also Members). Now when I use the Remove owners endpoint of the Microsoft Graph, I'm noticing some inconsistencies.
Expected behaviour: Owner gets removed as Owner, but stays in place as Member (both in Azure AD as in Microsoft Teams).
Observed behaviour
v1.0 endpoint: In Azure AD, it's as expected. In Microsoft Teams however, the user stays marked as Owner (in the members list) with the associated permissions. I have been waiting for weeks, it just doesn't update.
beta endpoint: In Azure AD, it's as expected. In Microsoft Teams however, the user is removed completely. He doesn't exist in the membership list anymore and he cannot access Microsoft Teams anymore.
It looks like membership changes happening through the Microsoft Graph API don't propagate correctly to Microsoft Teams.
What is supposed to be the correct behaviour? Is it an issue with the Graph or with my approach?
The expected behavior is the /beta variant. This reason for the different behavior isn't clear but it likely stems from the Teams APIs still being in beta and v1.0 not being fully aware of Teams (or the additional attributes it needs to change).
If you are looking to migrate a user from Owner to Memeber, you would make two calls:
Remove the user from the Owners list using DELETE /groups/{id}/owners/{id}/$ref
Add the user to the Members list using POST /groups/{id}/members/$ref
Related
I am writing a .NET desktop app that uses the Microsoft Graph API to access the contents of my OneDrive for Business storage. I am logging in to Graph using my Microsoft work/school account U1, in my organization O1. Another Microsoft work/school account, U2, in a different organization, O2, has shared a folder with me. The folder shows up in "Shared With You" when I browse my OneDrive interactively in a browser, and I can make changes to the folder there. It also shows up as a DriveItem in the returned list when my app uses the "sharedWithMe" API call documented here (with allowexternal set to true).
All good so far. The problem is when I try to actually retrieve the shared folder using the returned DriveItem. I am following the guidance in the doc page to use a call like
GET /drives/{remoteItem-driveId}/items/{remoteItem-id}
to retrieve the folder, and I have the "Files.ReadWrite.All" permission. I believe I am doing this correctly in my code, because it works fine on other items shared with me by users in my organization. However, with the folder shared by U2, this call fails with an "itemNotFound" error. I don't understand why this fails. Is this a problem with my code, or some configuration that needs to be done in my organization O1, or in their organization O2, or a combination? Or is what I'm trying to do just not possible across organizations?
I have found a couple other folks who have had similar problems, but the resolutions are inconclusive: see here, here, and here. These links have suggested a couple directions:
could this be a problem with some sharing setting on the part of organization O2? Unfortunately I don't have any control over this org. But if I can give them a clear request, preferably with some Microsoft docs to back it up, I think they would be receptive. For example, does organization O2 need to add/invite my account U1 as an external/guest user to their Azure AD? I don't know for sure if they've done that.
one of the comments suggested that my app would need to be a multi-tenant app for it to access resources in another tenant. I do not want my app to be multi-tenant in the sense of allowing people in other tenants to login to it, but I do want my account to be able to access resources in other tenants that have been shared with me. I tried changing the app registration for my app to multi-tenant, and that didn't make any difference.
in the multi-tenant vein, I found this Microsoft doc, which states "In the code of your multi-tenant app, get the authentication token for other tenants and store them in the auxiliary headers. The user or application must have been invited as a guest to the other tenants." In my code I am using Microsoft.Identity.Client.PublicClientApplicationBuilder to sign my account in and get an access token, using the authority for my tenant. It sounds like my access token is only valid for resources in my tenant - how do I get a token for another tenant in my code?
Thanks very much for any suggestions, be they pointers to docs, code suggestions, etc!
Is there a method to retrieve SharePoint Groups using Microsoft Graph?
I can get Azure Directory groups using https://graph.microsoft.com/v1.0/groups but what I'm looking for are SharePoint Groups.
I could get a SiteCollection using https://graph.microsoft.com/beta/sites/{id} but I couldn't seem to get the SharePoint Groups in site collection.
This is not very easily accessible in just the Microsoft Graph. If you had some access to the SharePoint API, you could get the GUID from the "User Information List" - which seems hidden from the Microsoft Graph at this time. That SharePoint API call would be
GET HTTP https://sometenant.sharepoint.com/_api/web/lists?$select=title,id&$filter=Title%20eq%20%27User%20Information%20List%27
Once you have that GUID for that list you could do the Graph call:
https://graph.microsoft.com/beta/sites/{site id}/lists/{list ID from the SharePoint API}/items
That will get you the full list of members, including groups. This is still a hack since the groups you'd have to filter by contentType/name eq 'SharePointGroup' - which seems buggy in Graph Explorer anyways. Trying to programmatically access that, would be difficult at this time.
In outlook I can lookup all users in my organisation, including phone number, address etc.
I guess using EWS I could do the same...
With Azure AD graph (https://graph.windows.net) I can get ALL(!) properties on all (GAL) users as well - without the option to select a smaller property subset…
In Microsoft Graph (https://graph.microsoft.com) I can get all users (GAL), but not (all) properties like phone number, title etc. without an admin allows access… Why is this different (more restricted) than the other APIs ?
ex. the permission; Directory.AccessAsUser.All (Access the directory as the signed-in user)
In Microsoft Graph user is UNABLE to consent
In Azure AD Graph - does NOT require admin
Using the /me/people (in preview) in Microsoft Graph I can get all properties on a lot of users in my organisation - but not all. And I might get some users that my nearest colleague can’t (why? - is it still buggy)
Every one tell you to use Microsoft Graph but it seems to be more restricted than the old APIs
I'd be interested to know a little more about the restrictive nature that you are describing. For the most part (with respect to Directory/Azure AD), Microsoft Graph exposes the same data secured by the same permissions model as Azure AD Graph. Please see https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#user-permissions for more details on the available user permissions and what they allow.
What you might be seeing with Microsoft Graph is the fact that when you query the /users entity set in v1.0 (i.e. GET https://graph.microsoft.com/v1.0/users) Microsoft Graph will return only a key set of user properties by default. The user entity type is pretty big, and growing all the time - it has more than 40 properties and 25 navigation properties. Serializing and de-serializing large objects, especially when paging collections can be expensive and non-performant, both for the client and for the Microsoft Graph service. Hence we return a default set. If you want other properties then you need to use the $select parameter. For example: GET https://graph.microsoft.com/v1.0/users?$select=displayName,givenName, officeLocation,postalCode,state. This is documented here: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/user_get for example, but we are working on making some improvements to the documentation in this area too. If you want to see the full set of properties exposed by the Microsoft Graph user entity type, please look at the schema here: https://graph.microsoft.com/v1.0/$metadata.
[NOTE: $select is not supported in Azure AD Graph API, so we always return the full set].
The people API - ../me/people is about the people who you (the signed-in user) communicate with most often - it could also contain people outside of your organization. Hence, the list of people is likely specific and different for each user (even colleagues). It also is not the full directory of users in your organization.
I'd also like to get to the bottom of why you are seeing a difference in terms of consent - Directory.AccessAsUser.All always requires admin consent for web apps (for both Microsoft and Azure AD Graph).
Hope this helps,
Office 365 administration center allows to create organizational contacts which are shared with all users in organization.
In MS Graph documentation API of this functionality is badly documented and located in BETA section. Moreover, there is no command to create such a contact: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/orgcontact
It looks like in Graph this functionality was not implemented. Using typical POST request to the /beta/contacts ends with an error response in Json structure: Unsupported resource type 'Contact' for operation 'Create'.
Note 1: I don't have any user logged in. My application uses service/daemon authentication.
Is there any other way to create organizational contact?
At this time, creating new orgContact objects isn't supported by the Graph API. You also cannot create organizational contacts with the Azure AD Graph API. For more information about organizational contacts, including how they are created in your tenant, see the Contact Entity documentation.
Organization Contacts are documented in the beta section because this API is in fact still in beta. I'm sorry you ran into issues here but with any beta endpoint there is always likelihood of missing/broken features and sparse documentation. There is also a substantial likelihood of breaking changes being rolled out to beta endpoints. As such, we do not recommend using them in production scenarios.
I'm creating an office group using Microsoft Graph API. After that I would like to create a Microsoft Team which is associated with the group. I can do this step manually, but I'm wondering if it's also possible to do so via API.
Graph API doesn't seem to support Microsoft Teams yet. Am I correct?
You are correct, Teams is not yet part of the Graph API, nor do we yet have support for creating Teams. Both are on the road map, but I do not have an ETA for you at this time.
Actually you can do this semi-automatically using the beta API on Skype. Here is a GitHub project doing this from PowerShell: https://github.com/sanderdewit/teams-module
This approach is semi-automatically, because you need a user to sign-in once via a pop-up window. And for sure this is not a supported scenario.