Develop Reference

Microsoft Graph API - List Contacts for user users does not work?

I am attempting to use the "List Contacts" Microsoft Graph v1.0 API (https://learn.microsoft.com/en-us/graph/api/user-list-contacts?view=graph-rest-1.0) to retrieve the contacts of various users in my organization. In other words I want to list contacts in a delegated fashion.
My problem is that this API only seems to work for the user associated with the access token, e.g.:
Get Microsoft Graph API token for user "A"
Request to https://graph.microsoft.com/v1.0/users/USER_A_ID/contacts works fine
Request to https://graph.microsoft.com/v1.0/users/USER_B_ID/contacts fails
The error returned by the API is:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "[REQUEST_ID]",
"date": "[DATE]"
}
}
}
I have verified that the token contains the "Contacts.Read" scope by decoding the JWT token and examining the "scp" field, so I do not understand why the APIs saying that access is denied. Any ideas as to why this is failing?

Your need Contacts.Read.Shared or Contacts.ReadWrite.Shared, Your current Contacts.Read scope will only allow you to access the current users Contacts Folder. The other thing is the user requesting will still need to be granted the underlying delegate rights to the Target Mailbox Folder ( via Outlook delegation or Add-MailboxFolderPermission eg they need to be able to access the folder via Outlook or OWA).

List Channel Messages using Application Permissions

I have an Application which accesses channel messages in Microsoft Teams. We have been using the "Group.Read.All" permission for the last few months to access these messages, but just today we have started getting 403 for these requests? Has something changed?
I appreciate the docs flag this as "Not supported" but it has been working with no issue until today.
We are trying to use the following request;
https://graph.microsoft.com/beta/teams/{id}/channels/{id}/messages
However we are now getting a 403 Forbidden response;
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "xxx",
"date": "xxx"
}
}
}

It looks as though Microsoft has locked down these particular permissions and you'll need to request access to them for your particular app. See their documentation here: https://learn.microsoft.com/en-us/graph/teams-protected-apis

How to diagnose Graph permission issues with Contact and Calendar resources

Having issues accessing graph resources for a specific user. Most have no issues. This specific user authenticates with our client via their school Outlook account which I am assuming is where the issue lies.
Our service attempts to create a specific folder using the /me/contactFolders endpoint. When we make the post, we get the error that the resource could not be discovered. Digging in a bit, I decided to login with their account to the Graph explorer and could not query endpoints such as, /me/contacts, /me/contactFolders, /me/events, etc.. None of the examples provided worked to fetch any data. I am assuming this has to do with permissioning of the users account, but I am not sure what permissions they would need to access both calendars and contacts (we are setting scopes and delegated permissions correctly as this problem is only associated with a couple users).
This is the error message that I received when trying to query graph:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource could not be discovered.",
"innerError": {
"request-id": "5cfd7b28-a915-42cf-9bce-a8a2509c3f1f",
"date": "2018-12-20T18:48:34"
}
}
}
Any help in diagnosing this issue would be greatly appreciated!!

If you couldn't decode the token then you're most likely facing one of the following issues:
You obtained the token incorrectly
You're attempting to decode the Authorization Code rather than the Access Token (i.e. the string you get from 1st OAuth step rather than the 2nd).
The token is for Microsoft Account (a.k.a. MSA, lesser aka as an Xbox or Outlook.com account).
You can only decode tokens issued by Azure AD (AAD). School accounts (i.e. those ending in .edu) are basically the same as Work accounts, they're owned and managed by an Azure Active Directory.
In terms of checking which services are provisioned for the current User, you can obtain these from the /me endpoint so long as you have requested either the User.Read or User.ReadWrite scope. Note that this information isn't included by default so you'll need to specifically request the provisionedPlans. For example, the following query will return the current user's id, userPrincipalName, and their list of provisionedPlans (i.e. services):
https://graph.microsoft.com/v1.0/me/?$select=id,userPrincipalName,provisionedPlans
The results are pretty self-explanatory but in your particular case you're looking for a service named exchange (there are often more than one but they should all reflect the same status):
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,userPrincipalName,provisionedPlans)/$entity",
"id": "48d31887-5fad-4d73-a9f5-3c356e68a038",
"userPrincipalName": "MeganB#M365x214355.onmicrosoft.com",
"provisionedPlans": [
{
"capabilityStatus": "Enabled",
"provisioningStatus": "Success",
"service": "exchange"
},

Microsoft Graph API Unknown Error when retrieving user's calendars - Client Credentials Flow

I'm trying to get a user's calendars list using Microsoft Graph via Postman. I am using Client Credentials flow and I have Admin Consent for these permissions:
Calendars.Read
Calendars.ReadWrite
Directory.Read.All
Directory.ReadWrite.All
Mail.Read
Mail.ReadWrite
User.Read.All
User.ReadWrite.All
When calling:
https://graph.microsoft.com/v1.0/users/{my_user_id_here}/calendars
I'm getting this response:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "b0214447-98f6-42e7-9424-d3ee4862a25b",
"date": "2018-09-11T09:05:05"
}
}
}
Also, the HTTP status code is 401. I would say that I have all the required permissions. What am I missing?

The 401 means Unauthorized. Where have you set the permission? The permission need to config with the app we use(
GraphScopes: in the Web.Config file of MVC project/appsettings.json file in the NETCore project
)
Or just for Postman test, you need to register the app in the Azure Active Directory Application Registration(not in http://apps.dev.microsoft.com/)
And blog from Azure Active Directory Developer Support Team: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/using-postman-to-call-the-microsoft-graph-api-using-client-credentials/

I have also added an azure directory application and the result is the same. I added all the possible permissions in AD app.

UnknownError when retrieving a Plan via Groups or Planner API methods

I'm getting the same error as "Unknown Error" in Microsoft Graph Explorer, hitting the v1 and the beta api directly. E.g. beta/groups/<group id>/planner/plans or, beta/planner/plans/<plan id>
It shows as a 401, but error code is UnknownError. I know the plan exists because I can visit it in the browser. Any thoughts/suggestions?
Full output:
{
"error": {
"code": "**UnknownError**",
"message": "...401 - Unauthorized: Access is denied due to invalid credentials....
You do not have permission to view this directory or page using the
credentials that you supplied...",
"innerError": {
"request-id": "02fde3c3-a56c-4134-b483-0b53aee88410",
"date": "2017-09-13T05:51:31"
}
}
}

I'm afraid Application permissions (which are used the client_credentials flow) are not supported with Planner. In order to interact with Plans, you'll need to use a flow that supports Delegated permissions.
From the documentation:
Delegated (work or school account): Group.Read.All, Group.ReadWrite.All
Delegated (personal Microsoft account): Not supported
Application: Not supported