I am trying to trigger the PIM selfActivate endpoint in my code. I'm able to query other endpoints (e.g. for the user's assigned roles), but when I issue the POST for selfActivate I receive a 401: Elevation requires Multi-Factor Authentication error. How does one trigger an MFA challenge inline with MSAL to handle this response? I thought maybe I could pass along &amr_values=mfa in the query parameters, but when I do so I receive an error that the query is not currently supported.
There is an issue right now with MSGraph PIM api's that it won't work if your role requires MFA. This should be fixed soon and I will post back once its working.
Related
Hi I am trying to access the microsoft graph endpoint https://graph.microsoft.com/v1.0/me/contacts but I receive a 404.
** ISSUES IT SHOULDN'T BE **
it should not be the problem with the exchange mailbox, since it works for the user in the explorer
it's not the code, since the token from the graph explorer works in the code
both tokens seems to have the same permissions
The image below is a picture of the decoded accesstoken, one is from the graph explorer and one is a token received from my own Oauth flow (auth code grant), they are trying to access the same users contacts.
Anyone know what I am doing wrong?
To access the https://graph.microsoft.com/v1.0/me/contacts, I think "Contacts.ReadWrite" permission is also required which is missing in the scopes of the above image. Can you please check the permissions here:https://learn.microsoft.com/en-us/graph/api/user-list-contacts?view=graph-rest-1.0&tabs=http#permissions.
Hope this resolves the issue. If not please share Client request id and timestamp of the query.
I am testing Get Chat Microsoft Graph API (which is still in Beta) and it seems to work successfully when it is called from Graph Explorer (which uses an user token), instead when I call this API from Postman with an application token, I get 401 Unauthorized with an Unknown Error as response.
https://graph.microsoft.com/beta/users/<user-id>/chats/<conversation-id>
My App Registration on Azure has these permissions:
And the decoded application token contains:
"aud": "https://graph.microsoft.com",
"roles": ["User.Read.All", "Chat.Read.All" ]
The same token it works for the Get User API
https://graph.microsoft.com/beta/users/<user-id>
Basically, it seems to have problems only the GET Chat API when called with an application token, although the documentation says it is supported. Am I missing something in the App Registration configuration?
EDIT
As I have already explained in the comments, this question doesn't help me, since:
audit is correct
permissions are present in the token and are granted by the admin in the App registration
scope is correct
Should I check something else?
Have you seen this message on the (English) documentation page?
Before calling this API with application permissions, you must request access. For details, see Protected APIs in Microsoft Teams.
It seems like Microsoft has implemented an extra layer of security for apps accessing "Teams" endpoints.
I have made a slack app in which I have a bot. I have selected channels:history, channels:read, channels:write under my permission scope, and also I have passed scopes
"scope":"bot channel:history channel:read channel:write"
while doing my oauth2 verification (using python), and I got a response where the scope is
"scope":"identify,bot,channels:history,channels:read,channels:write"
along with client and bot access tokens.
Now when I do an api call to fetch history of a channel in which my bot is invited to, I get
{
ok: false,
error: 'missing_scope',
needed: 'channels:history',
provided: 'identify,bot:basic'
}
Can someone please tell me where I am going wrong. How can I PROVIDE the channels:history scope in my api call. This is really driving me nuts. Should I be using the client access token, ie xoxp-xxxx, instead of bot token, ie xoxb-xxxx ?'
Thanks!
For people having this problem in the future;
your integrated bot has full access to the slack api, whereas a bot in a slack app don't, as it will used publicly. When you successfully finish oauth2, you should get 2 tokens, user access token and bot token. The user token is used to read history from any channel/groups, and the bot access token is used to write to them. This means you constantly have to be switching from user token to bot access token in your app.
Also, remember that bot-user MUST be a member of a private channel which you want him to connect to.
Hope that helps.
Ps, if any found a better way going about this, feel free to answer below.
Since you did not mention it: You also need to specify all required scopes on the admin page for your Slack app under "Oauth & Permission Scopes".
I'm writing a Slack app that adds Slash commands.
Every time I go through the OAuth flow, when I try to exchange a temporary auth code for an access token, I get the following JSON response:
{"ok"=>false, "error"=>"code_already_used"}
and despite that error message, the two slash commands provided by my app do get installed on the target Slack team.
The desired outcome is: I get a successful response from Slack's API, which contains the access_token and scopes for which the token is valid.
Troubleshooting I've tried so far:
Revoked permissions from my app & uninstalling from target team before trying again
Requesting additional scopes (e.g, commands,channels:history,users.profile:read which I don't need, instead of just commands) to see if that would cause the API to return an access token.
I am able to install on other teams outside of the original team I used when creating the app, but with the same api failure
Any suggestions for how to get the API to return an access token? Thanks in advance!
I am playing with client credentials grant flow described here https://msdn.microsoft.com/en-us/office/office365/howto/building-service-apps-in-office-365
Here is my initial authorization request:
https://login.microsoftonline.com/common/oauth2/authorize?nonce=c43a377e-8b75-4c7f-9fab-300f1dbc76c5&prompt=admin_consent&state=35&redirect_uri=http%3A%2F%2Flocalhost%3A6543%2Fcallback%2Foffice365&response_type=code+id_token&client_id=XXXX&scope=openid
According to the documentation I expect to receive a POST callback with a token in the body.
But I actually receive a GET callback like this:
http://localhost:6543/callback/office365#code=XXXXX&id_token=XXXXX&state=35&session_state=3a2e2c61-7e71-4f11-a9a6-f1dd8f50aeb6&admin_consent=True
I actually prefer GET over POST but there is a hash sing # instead of question mark ? in the URL, so the parameters are actually not a GET arguments.
Is there anything I can do to receive a valid callback?
By spec OAuth2 supports different response modes.
Adding response_mode=query solves the problem. This means MS Authorization endpoint uses response_mode=fragment by default which is not explicitly described in the documentation.