When tried accessing the findMeetingTimes API, I get this following error.
Given a userID or userprincipalname, can we access the findMeetingTimes api to find the meeting time availability of that particular user, along with the meeting room suggestions?
You might be missing to grant the following permissions:
1) Calendars.Read.Shared
2) Calendars.ReadWrite.Shared
ref: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_findmeetingtimes
suggestion: better if you can check your task with graph explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) so that you don't need to add authorization bearer and permission scopes.
Related
Hi I am trying to access the microsoft graph endpoint https://graph.microsoft.com/v1.0/me/contacts but I receive a 404.
** ISSUES IT SHOULDN'T BE **
it should not be the problem with the exchange mailbox, since it works for the user in the explorer
it's not the code, since the token from the graph explorer works in the code
both tokens seems to have the same permissions
The image below is a picture of the decoded accesstoken, one is from the graph explorer and one is a token received from my own Oauth flow (auth code grant), they are trying to access the same users contacts.
Anyone know what I am doing wrong?
To access the https://graph.microsoft.com/v1.0/me/contacts, I think "Contacts.ReadWrite" permission is also required which is missing in the scopes of the above image. Can you please check the permissions here:https://learn.microsoft.com/en-us/graph/api/user-list-contacts?view=graph-rest-1.0&tabs=http#permissions.
Hope this resolves the issue. If not please share Client request id and timestamp of the query.
So I would like to prevent the usage of delegated user authentication flow but still want to use the findMeetingTimes endpoint. But it doesn't seem available for client credential flow, right?
I simply tried to post on this endpoint:
https://graph.microsoft.com/v1.0/findMeetingTimes
But it seems like it doesn't exist. Wrror response message:
"message": "Resource not found for the segment 'findMeetingTimes'."
Is there any workaround for using it with the application flow?
According to the documentation findMeetingTimes is not supported for Application permission type
Resources:
findMeetingTimes
My main purpose is to get User's calender by single admin access token.
i am trying to get access token by following these steps.
URL :https://login.microsoftonline.com/{tenentId}/oauth2/v2.0/token Body
client_id:client_ID
scope:https://graph.microsoft.com/.default
client_secret:client_secretID
grant_type:client_credentials
this give me an access token
but when i change the scope to scope:https://graph.microsoft.com/Calendars.Read
it gives error
URL :https://login.microsoftonline.com/{tenentId}/oauth2/v2.0/token Body
client_id:client_ID
scope:https://graph.microsoft.com/Calendars.Read
client_secret:client_secretID
grant_type:client_credentials
it did not return access token and says
"error": "invalid_scope",
i will be very thankfull if anyone can help.
thanks in advance
For Client Credential Flow you need to specify the Application permission - Calendars.Read and grant admin consent to it. As you are using scope:https://graph.microsoft.com/.default this would get all the permissions you specified in the Azure AD App you created. Then it will include the Calendars.Read permission in your access token which would allow to get usier's calendar.
https://graph.microsoft.com/v1.0/users/{user_id/UPN}/calendars
My company is using Microsoft 365 Business Standard licenses. We are using email through these accounts. We also have a few shared mailboxes. We are trying to create an app that uses the microsoft graph application permissions (rather than the delegated permissions) so the application can access one of the shared mailboxes without needing to be authenticated under the current user.
This is the steps we have taken so far:
Within Microsoft Azure, we have an application in which we have granted application api permissions for Mail.Read, and we have accepted Admin consent.
We authorized as an app, not as a user, in the application using this endpoint https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize, pointing out the required parameters for sending a request. Then, MS API builds this link:
https://login.microsoftonline.com/{some_string}/oauth2/v2.0/authorize?state={some_string}&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2F.default&response_type=code&approval_prompt=auto&redirect_uri=http%3A%2F%2Flocalhost&client_id={some_string}
When we follow the link, we get to the standard authorization form on the site. After we log in, a link is created, where we take the code and create the token: http://localhost/?code={some_string}&state={some_string}&session_state={some_string}
When we try to hit this endpoint: https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages, we get this response:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"date": "2020-09-14T11:22:30",
"request-id": "{some_string}",
"client-request-id": "{some_string}"
}
}
}
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Any help or direction on what needs to be done to make this query work would be greatly appreciated. Thank you!
I am thinking that hitting this endpoint https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages requires us to pass the token previously generated and/or specify which application is making the query?
Yes you would need to send the AccessToken in the Authorization header, you should also include the x-anchormailbox header which helps route the request to correct mailbox eg
GET https://graph.microsoft.com/v1.0/users/sharedmailbox#domain.com/messages HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==
X-AnchorMailbox: sharedmailbox#domain.com
The other thing you might want to check is to ensure you have the correct scopes in your token you can use https://jwt.io/ for that
In order to use application permissions you will need to use the client credentials auth flow (not the authorization code auth flow which uses delegated permissions). To get a token make a request against "/oauth2/v2.0/token" and specify "grant_type=client_credentials" in the request. See examples of client credentials auth flow here for more details: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
I have been trying to access a user's data using the MS graph API. I have been following the official documentation and I have correctly configured the apps and the permission.
I am also following this code_sample and using this I have been able to fetch the daemon token for the application.
Using the token I am able to successfully fetch the data against the following endpoint:
https://graph.microsoft.com/v1.0/users/204e3e4f-xxxx-xxxx-xxxx-509934e1
The data looks like:
{"#odata.context":"https://graph.microsoft.com/v1.0/$metadata#users/$entity","businessPhones":[],"displayName":"developers#outlook.com Tiwari","givenName":"developers#outlook.com","jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":"Tiwari","userPrincipalName":"developers_outlook.com#EXT##webdevelopers.onmicrosoft.com","id":"204e3e4f-x-xxxxx-xxxxxxx-509934e14fa8"}
However, I can't fetch any more data than this. All the other endpoints throw a 401 Unauthorised exception even when I have checked all the Application permission for my app.
I am trying to hit the following endpoints for fetching calendar of the above user:
https://graph.microsoft.com/v1.0/users/204e3e4f-xxxx-xx-xxxxz-509934e14fa8/calendar
https://graph.microsoft.com/v1.0/users/204e3e4f-xxx-xxx-xxxxx-509934e14fa8/calendars
both of these give 401.
Can someone suggest if I am missing something. I even decompiled my jwt token and it clearly shows all the following scopes added:
"roles": [
"Schedule.ReadWrite.All",
"OnlineMeetings.Read.All",
"Mail.ReadWrite",
"OnlineMeetings.ReadWrite.All",
"User.ReadWrite.All",
"Calendars.Read",
"Mail.ReadBasic.All",
"Files.ReadWrite.All",
"User.Read.All",
"Schedule.Read.All",
"Files.Read.All",
"Organization.ReadWrite.All",
"Mail.Read",
"Calendars.ReadWrite",
"Mail.Send",
"Organization.Read.All",
"Mail.ReadBasic"
],
Please help.
To get access to calendar events you should call the following endpoint:
GET /users/{id | userPrincipalName}/events
The documentations for calendars is here: https://learn.microsoft.com/en-us/graph/api/user-list-events
From your comment on Chris Johnson's answer, you're using a personal account. App-only tokens won't work to access a personal account, and you shouldn't be able to even obtain one using a personal account, since there's no concept of an admin.
App-only requires an admin to consent, and when she does, she grants access to all resources in her tenant. Personal accounts are not in work/school tenants, so they aren't in scope. Even if you've added that personal account as a guest in the work/school tenant, their calendar is hosted outside of the tenant, and is off limits.