We are trying to fetch a list of rooms in the organization via user_findrooms on the beta API.
I am using the php-connect-sample and was directed here after creating an issue there.
Our application is registered, and has the required permissions. The user is logged in and redirected correctly. I can successfully get the /me endpoint
When I try to get the /me/findRooms endpoint like this:
$graph = new Graph();
$graph->setApiVersion('beta');
$graph->setAccessToken($_SESSION['access_token']);
$rooms = $graph->createRequest("get", "/me/findRooms")
->setReturnType(Model\EmailAddress::class)
->execute();
Then I get the following error:
Client error: GET https://graph.microsoft.com/beta/me/findRooms
resulted in a 403 Forbidden response: { "error": { "code":
"ErrorAccessDenied", "message": "Access is denied. Check credentials
and try again.", (truncated...)
So it seems to be a permissions error.
We have the following Graph permissions for our app:
Delegated Permissions: User.ReadBasic.All and User.Read.All
Application Permissions: Calendars.ReadWrite and User.Read.All
Which additional permissions are required to access /me/findRooms?
In your auth flow, you will need to specify User.Read.All instead of User.Read in your scopes since this API requires reading all users in your directory to find conference room availabilities. Here is more information about how to request such scopes during the /authorize and /token requests.
Related
I am trying to add a member via this MS Graph API: https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http but am running into permission issues. The request returns back
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation."
I am able to call APIs like https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http with no permission problem, and I have Group.ReadWrite.All and User.ReadBasic.All permissions. Is there a special permission or role I need to be to call this API?
Yes you also need GroupMember.ReadWrite.All and Directory.ReadWrite.All Application permission.
PostMan Request URL:
https://graph.microsoft.com/v1.0/groups/93d96b98-YourGroupId_3ede399/members/$ref
PostMan Request Body:
{
"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/b33ce735_YourUserId_15337c469076"
}
Postman Test:
Added On Group:
Note: Make sure after adding permission you have accepted grant admin consent.
Please refer to Official Document
I am attempting to get a list of room resources from the Microsoft Graph API using the list places endpoint at https://graph.microsoft.com/beta/places/microsoft.graph.room (see docs).
I am getting a response back that says: {"code":"invalid_permissions","message":"place.read.all permission is required to read company places, scopes/roles provided: Calendars.ReadWrite IsAppOnly:True"}
I am getting this error from both the Microsoft Graph API Explorer and from a backend service using client credentials to access the data in a another tenant that has approved the requested scopes.
I have inspected the OAuth token and it includes the "Place.Read.All" scope from both the Microsoft Graph API Explorer and from my service:
For the Graph API Explorer
> jwt {access_token}
* Payload
{
...
"scp": "
Calendars.ReadWrite
Contacts.ReadWrite
Directory.Read.All
Directory.ReadWrite.All
Files.ReadWrite.All
Mail.ReadWrite
Notes.ReadWrite.All
openid
People.Read
Place.Read.All
profile
Sites.ReadWrite.All
Tasks.ReadWrite
User.ReadBasic.All
User.ReadWrite
email"
...
}
For my service
> jwt {access_token}
* Payload
{
...
"roles": [
"Place.Read.All",
"User.Read.All",
"Calendars.ReadWrite"
],
...
}
You can use another api to get the locations.
GET https://graph.microsoft.com/beta/me/findRoomLists
GET /me/findRooms(RoomList='{room_list_emailAddress}')
It responsed a simple result, have not capacity info and the others.
I am attempting to use the "List Contacts" Microsoft Graph v1.0 API (https://learn.microsoft.com/en-us/graph/api/user-list-contacts?view=graph-rest-1.0) to retrieve the contacts of various users in my organization. In other words I want to list contacts in a delegated fashion.
My problem is that this API only seems to work for the user associated with the access token, e.g.:
Get Microsoft Graph API token for user "A"
Request to https://graph.microsoft.com/v1.0/users/USER_A_ID/contacts works fine
Request to https://graph.microsoft.com/v1.0/users/USER_B_ID/contacts fails
The error returned by the API is:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "[REQUEST_ID]",
"date": "[DATE]"
}
}
}
I have verified that the token contains the "Contacts.Read" scope by decoding the JWT token and examining the "scp" field, so I do not understand why the APIs saying that access is denied. Any ideas as to why this is failing?
Your need Contacts.Read.Shared or Contacts.ReadWrite.Shared, Your current Contacts.Read scope will only allow you to access the current users Contacts Folder. The other thing is the user requesting will still need to be granted the underlying delegate rights to the Target Mailbox Folder ( via Outlook delegation or Add-MailboxFolderPermission eg they need to be able to access the folder via Outlook or OWA).
I have registered the application in Azure portal and i have generated the client_secret.
I require the client grant flow and i have given application permissions also. I have granted the admin consent also as I am the admin myself.
I am able to generate the access token with the given url:
https://login.microsoftonline.com/47be0abf-c6a1-4f04-a665-dceb081c4ff1/oauth2/v2.0/token?client_id=********&client_secret=******&grant_type=client_credentials&scope=User.ReadBasic.All%20User.Read%20User.ReadWrite%20User.Read.All%20User.ReadWrite.All%20Directory.Read.All%20Directory.ReadWrite.All%20Directory.AccessAsUser.All
However, when i use the token generated to access the following url, I get the insufficient privileges message.
https://graph.microsoft.com/v1.0/users
Authorization Bearer eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEQ29NcGpKWHJ4VHE5Vkc5dGUtN0ZYNndkRlV3aTBKbGlHcWhEWkgybFRlYWh6SUhUX0VsazFaYTFuUHRzNWo3SW5xMDBmbnNNRkpNUWRYdWdVZnpaZ0cxT19uenNPTXpwN2tpUFFIR2VHTnlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiQ3RmUUM4TGUtOE5zQzdvQzJ6UWtacGNyZk9jIiwia2lkIjoiQ3RmUUM4TGUtOE5zQzdvQzJ6UWtacGNyZk9jIn0.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80N2JlMGFiZi1jNmExLTRmMDQtYTY2NS1kY2ViMDgxYzRmZjEvIiwiaWF0IjoxNTYwMjUzMDE1LCJuYmYiOjE1NjAyNTMwMTUsImV4cCI6MTU2MDI1NjkxNSwiYWlvIjoiNDJaZ1lQajhVdnBwWGMySEU1WGZwbnZxSG43akFnQT0iLCJhcHBfZGlzcGxheW5hbWUiOiJUdXRvcmlhbCBTYW1wbGUgQXBwIiwiYXBwaWQiOiI2NzMxZGU3Ni0xNGE2LTQ5YWUtOTdiYy02ZWJhNjkxNDM5MWUiLCJhcHBpZGFjciI6IjEiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80N2JlMGFiZi1jNmExLTRmMDQtYTY2NS1kY2ViMDgxYzRmZjEvIiwib2lkIjoiNjg0ZjkzMjUtNjUyNS00Yjk5LTgwNzktOTEyOGZjZWNlNGViIiwic3ViIjoiNjg0ZjkzMjUtNjUyNS00Yjk5LTgwNzktOTEyOGZjZWNlNGViIiwidGlkIjoiNDdiZTBhYmYtYzZhMS00ZjA0LWE2NjUtZGNlYjA4MWM0ZmYxIiwidXRpIjoiSkZjUE9SSHRGVTJMMWludEpkY2RBQSIsInZlciI6IjEuMCIsInhtc190Y2R0IjoxMzQ0Njc5MzA0fQ.fXEs7eClm5SYXychcKXbTfcc5gtvyyMa5fDWuGu2vqQ4Zc6V0jJSHSeksRiOzYE8SOJXRTmI9vJtbs2XIMFr0CRHeTgoCDReV8JWJ8yhOKiDnc-_2AHtSoBnqt6ibF0eX4AzkyioJd24-uYTSkheC_zDpd6GS3T5T077BU_1M7kpngXDfEICi38VkddcpdBUG8FgHUSPq0S9fCosIB4_JPwspq3QC6jJyoRrj1Yj2oR8FwBA1dpgWq_e0QoGnWXgT6EhBKedjY0hwHGY-F73ndvRlAKKW63JYucdOtRyC2zFDc4DPwhN1nyPlh86_Y0Zru8UTb0QgWRFKbGZwQcEOg
I have tried changing the permission and added and removed the permissions.
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "aa38f822-7325-44ad-9127-3cb4779578bf",
"date": "2019-06-11T11:42:16"
}
}
}
Updated : Included the permission screenshot configuration
JWT Debugger output for tokens:
{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/f77804fb-8607-4e96-9fae-231360cc82b7/",
"iat": 1560273380,
"nbf": 1560273380,
"exp": 1560277280,
"aio": "42ZgYKjulnV3u/vJZNN0gz3ld2ZpAwA=",
"app_displayname": "clmapp",
"appid": "82ad79f2-27c7-4304-92f6-e3ffdb637e72",
"appidacr": "1",
"idp": "https://sts.windows.net/f77804fb-8607-4e96-9fae-231360cc82b7/",
"tid": "f77804fb-8607-4e96-9fae-231360cc82b7",
"uti": "BpTbRLEb5ECSO3qjslIgAA",
"ver": "1.0",
"xms_tcdt": 1376441181
}
You could try following way:
Permission:
Make sure you have following permission:
Grant permission On Azure Portal:
Step:1
Select Application Permission On API permissions menu
Step:2
Select User.ReadWrite.All under Application Permission part But User.Read.All also alright.
Token Request Format:
URL:https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/token
For V2.0 URL:https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token
HTTP Verb: POST
grant_type:client_credentials
client_id:b603c7be-a866-4-e6921e61f925
client_secret:Vxf1SluKbguf3wE5oGl/2XDSeZ8wL/Yp8ns4sc=
resource:https://graph.microsoft.com
For V2.0 scope Will be : scope:https://graph.microsoft.com/.default
See the screen shot below:
Decode Token & Confirm permission:
You can use https://jwt.io/ to decode your token to make sure you have required permission: See the below screen shot:
Request For User List:
With your Token Request on this endpoint https://graph.microsoft.com/v1.0/users. See the screen shot below. I have successfully get all the user list.
When using the OAuth 2.0 Client Credentials Grant flow, your scope value should use the built-in .default scope for the resource your are trying to access. This is mentioned in the reference article: Microsoft identity platform and the OAuth 2.0 client credentials flow
In your case, the resource you are trying to access is Microsoft Graph, so your scope value in the token request should be https://graph.microsoft.com/.default:
https://login.microsoftonline.com/{tenant-id-or-domain}/oauth2/v2.0/token
&grant_type=client_credentials
&client_id={client-id}
&client_secret={client-secret}
&scope=https%3a%2f%2fgraph.microsoft.com%2f.default
Note that for this to succeed, the app's required permissions must be configured (Azure portal > Azure Active Directory > App registrations > API permissions) and granted:
I'm trying to get a user's calendars list using Microsoft Graph via Postman. I am using Client Credentials flow and I have Admin Consent for these permissions:
Calendars.Read
Calendars.ReadWrite
Directory.Read.All
Directory.ReadWrite.All
Mail.Read
Mail.ReadWrite
User.Read.All
User.ReadWrite.All
When calling:
https://graph.microsoft.com/v1.0/users/{my_user_id_here}/calendars
I'm getting this response:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"request-id": "b0214447-98f6-42e7-9424-d3ee4862a25b",
"date": "2018-09-11T09:05:05"
}
}
}
Also, the HTTP status code is 401. I would say that I have all the required permissions. What am I missing?
The 401 means Unauthorized. Where have you set the permission? The permission need to config with the app we use(
GraphScopes: in the Web.Config file of MVC project/appsettings.json file in the NETCore project
)
Or just for Postman test, you need to register the app in the Azure Active Directory Application Registration(not in http://apps.dev.microsoft.com/)
And blog from Azure Active Directory Developer Support Team: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/using-postman-to-call-the-microsoft-graph-api-using-client-credentials/
I have also added an azure directory application and the result is the same. I added all the possible permissions in AD app.