Is it possible to retrieve a list of co-worker Planner tasks via the API?
For example the graph explorer provides the following GET endpoint:
https://graph.microsoft.com/v1.0/users/coworker-mail/planner/tasks
I can get results back using my own email address in url, but always a 403 failure when using a coworkers email.
I have Group.Read.All as a delegated permission on the app, I am an admin user and have granted consent via the admin consent endpoint to no avail.
Is this possible? If not what am i missing and why does the explorer/api expose that endpoint?
Thanks
Querying other users' data is currently not allowed. You can provide feedback about this behavior here.
The endpoint exists to support reading signed in user's data. "me" segment is simply an alias that in reality executes the request against /users/(signed in user id).
Related
I am trying to get the category names/colours via the API for a user other than myself, the documentation says it is possible, see image below, but returns "Access is denied. Check credentials and try again." even though I do have permission to that mailbox.
Seem this question was also asked almost 3 years ago with no answer, guessing the API documentation describes a scenario that the developers forgot to program for???
Previous posting of the same question
Here is the full request and showing the permissions are allowed.
You can't do it using delegate permissions because there is no MailboxSetting.ReadWrite.Shared permission so that endpoint can only be used to access the current users Mailbox setting when using delegate permission. You an use Application Permissions and the Client Credential flow https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow if you need to limit the scope of your application to a number of Mailboxes you can do that as well https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access
My application wants to access all users' mailboxes. For that, I am getting permission from Admin consent. Now I want to get the user details of the admin who consented to the application. I know we can't use Me context ('/me' API end-point) as we are getting consent without a signed-in user.
Is there any way by which we can get user details of the admin who consented to our application using the access token?
Thanks in advance.
To the best of my knowledge, the access token does not contain user details of the admin who consented to your application. One way to get this information is by viewing activity reports in the Azure portal. You might also consider working with the activity reports API provided by Microsoft Graph.
Please let me know whether this helps and if you have further questions.
We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user, there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular outlook mailbox called my.test#org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need
to give application-permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
-AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
-PolicyScopeGroupId EvenUsers#contoso.com <-- would I put here my.test#org.com or the ID of the security group?
-AccessRight RestrictAccess
-Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed. It seems strange that in the first step we can only give tenant wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps looks good to me and i would do the same as well. Just provide necessary Graph permissions while you grant permissions to access your/others mailboxes - as described in the documentation/steps.
I am trying to read a person's Out of Office text with MSGraph. I understand the only way to do this is by getting the person's mailbox settings as indicated here.
Is there another way to read a person's Out of Office Message?
Assuming there is no other way I then have read for example in this link that to call GET /users/{id|userPrincipalName}/mailboxSettings you need to have Application Permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. Is this still the case? It does not make sense to me that you need Application level permissions. Is there not a delegated (admin consent required) MailboxSettings.Read.All??? The problem is that most IT departments will be hesitant (or pigs are going to fly before some IT departments) give an application this permission to run without a signed in user.
Alternatively, I see that there is a User property of mailboxsettings, thus using the $select query parameter you can call this https://graph.microsoft.com/v1.0/users/{id}?$select=mailboxSettings does or should this work with the User.Read.All.
UPDATE in accordance with the suggestion below I have added 2 suggestions to the MSGraph user voice.
A person's out of office information should be included with their calendar / freebusy (getschedule) information.
There should be a Mailboxsettings.Read.All permission.
Please click on the link and vote them up if you agree.
No, there is no MailboxSettings.Read.All or MailboxSettings.Read.Shared. You can see the list at https://learn.microsoft.com/graph/permissions-reference#mail-permissions. I encourage you to request this as a feature at https://microsoftgraph.uservoice.com.
One possible approach given the currently available permissions around this API is to use app permissions and configure an app access policy to limit the mailboxes it can access - if that's the concern you're mentioning. I'm not clear on why it would be preferable to give a user account access to this info for all mailboxes in an org but not an app service principal.
It isn't included as part of User.Read.All by design. It's not really a property on the user, it's config stored in the mailbox. It's abstracted as a property in Graph, but it requires additional permissions to access.
I have a question about handling permission grants of inboxes via Microsoft Graph API.
Is it possible via Microsoft Graph API to grant another user the access permission to my inbox messages?
I dont found any suitable operation until now.
Retrieving relased mailboxes from another user works fine, but how to make my own inbox visible to specific user that he has the grant to access my inbox?
I dont found a operation under:
https://graph.microsoft.com/v1.0/users.....
or https://graph.microsoft.com/v1.0/me.......
Thanks for your help
According to the documentation, you'll need delegated access.
If the app has the appropriate delegated permissions from one user, and another user has shared a mail folder with that user, or, has given delegated access to that user.
At this moment you have no way to share your mailbox by using the api. If you however shared your mailbox with some other user, they will be able to access it.
I think it's a good thing that you cannot share your mailbox from an app, because it would be easy to compromise a mailbox of some user by a malicious app. If you really want you might be able to share the users mailbox by using EWS (that is the same connection the Outlook app uses).