I created an app on https://apps.dev.microsoft.com
with the following Application Permissions:
Calendars.Read (Admin Only) Calendars.ReadWrite (Admin Only) User.Read.All (Admin Only)
Admin Consent
Admin consent was then successfully granted via this URL
https://login.microsoftonline.com/strixtechnology.onmicrosoft.com/adminconsent?client_id=bbb35336-faee-4c10-84b4-34136634db41&state=1234&redirect_uri=https%3A%2F%2Fdashmeetings.com%2Fmicrosoft%2Foauth
Get access token
An access token was then obtained from
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
with headers
Content-Type=application/x-www-form-urlencoded
and body with key-value pairs
grant_type=client_credentials
client_id=bbb35336-faee-4c10-84b4-34136634db41
client_secret=xxx
scope=https://graph.microsoft.com/.default
This returns an access token.
Subscribe to notifications
Using that access token, I then try to subscribe to the events on a certain resource mailbox:
POST https://graph.microsoft.com/beta/subscriptions
with headers
Content-Type=application/json
Authorization=Bearer <access_token_here>
and body
{
"changeType": "created,updated,deleted",
"notificationUrl": "https://dashmeetings.com/microsoft/notify",
"resource": "users/mahogany#strixtechnology.com/events",
"expirationDateTime":"2017-12-01T11:00:00.0000000Z",
"clientState":"1234"
}
This returns a 401 Unauthorized with
{
"error": {
"code": "ExtensionError",
"message": "Operation: Create; Exception: [Status Code: Unauthorized; Reason: Unauthorized]",
"innerError": {
"request-id": "98ce5e5e-1ce4-4417-8c35-456a3cc0e696",
"date": "2017-11-30T10:59:28"
}
}
}
This question seems similar to “Resource not found for the segment” using Graph subscription beta, but I follow the same steps without any luck
The admin consent URL had to be
https://login.microsoftonline.com/common/adminconsent?client_id=bbb35336-faee-4c10-84b4-34136634db41&state=1234&redirect_uri=https%3A%2F%2Fdashmeetings.com%2Fmicrosoft%2Foauth
and the access token address:
https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
Related
I have setup a work account on Azure and add permissions "User.ReadBasic.All", "MailboxSettings.Read", "Calendars.ReadBasic.All" with application type
I can use client credential flow to get the access token successfully
https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
the token can be parsed by https://jwt.ms with proper role
"roles": [
"User.ReadBasic.All",
"MailboxSettings.Read",
"Calendars.ReadBasic.All" ]
I can query user information successfully using the token
https://graph.microsoft.com/v1.0/users/{userid}
But it returns error 401 when query calendar or mailboxSettings
https://graph.microsoft.com/v1.0/users/{userid}/calendar/calendarView?startdatetime=2021-12-23T08%3A00%3A00.000Z&enddatetime=2022-12-23T18%3A00%3A00.000Z
https://graph.microsoft.com/v1.0/users/{userid}/mailboxSettings
Both return error below
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2023-01-05T11:06:14",
"request-id": "xxx",
"client-request-id": "xxxx"
}
} }
Is "MailboxSettings.Read" and "Calendars.ReadBasic.All" enough for the above query, or need more permissions like Calendars.Read / Calendars.ReadWrite / MailboxSettings.ReadWrite ?
Also for permission of calendar, which one is a higher permission, is the below correct?
Calendars.Read < Calendars.ReadBasic.All
Could you please try by providing user.ReadAll permission instead of User.ReadBasic.All
I am trying to migrate my app from Office 365 REST v2.0 to Microsoft Graph (v1.0). The token exchange seems to be working but as soon as I am trying to call an API, I am getting the following error:
(
[errorNumber] => 401
[error] => Request returned HTTP error 401
[message] => {
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"date": "2021-03-16T15:36:21",
"request-id": "dda1e33a-2774-4986-8c45-1487404fbb72",
"client-request-id": "e842d9a8-d71b-0563-f1ce-e58052e5bdb9"
}
}
}
)
The access_token has the following audience:
"aud": "https://outlook.office.com"
Here is the endpoint that I am using:
https://login.microsoftonline.com/common/oauth2/v2.0/token
Payload:
grant_type=authorization_code
&code=0.AR8A3XwQy0FAmkSxxxx
&redirect_uri=https%3A%2F%2Fxxx.com%2Fproxy%2Foffice365authorize
&client_id=e2147faf-87f0-4e7f-xxxx-xxxxxxxxxxx
&client_secret=xxxxxxxxxxxx
Any hint would be greatly appreciated, thanks!
This means your token has the wrong audience, to call the Micrsoft Graph API, you need to get the token for Microsoft Graph i.e. the access token needs the "aud": "https://graph.microsoft.com".
Looks you are using the AAD auth code flow to get the token, so when you request an authorization code, use the scope with https://graph.microsoft.com/.default.
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxx
&response_type=code
&redirect_uri=xxxxxx
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
Also use scope=https://graph.microsoft.com/.default when requesting the token.
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=xxxxxx
&scope=https://graph.microsoft.com/.default
&code=0.AR8A3XwQy0FAmkSxxxx
&redirect_uri=xxxxxx
&grant_type=authorization_code
&client_secret=xxxxx
To call the API successfully, also make sure you have grant correct Delegated Microsoft Graph API permissions for your client app depends on the API you want to call, e.g. if you want to call List users, you need the permissions here.
I am trying to subscribe to Microsoft Teams Presence API for a particular user.
Request Url:
https://graph.microsoft.com/beta/subscriptions
Request Body
{
'changeType': 'created,updated',
'notificationUrl': 'https://<domain-name>/presence-notify/',
'resource': '/communications/presences/{id}',
'expirationDateTime': '2020-09-10T07:37:13Z',
'clientState': 'secretClientState'
}
Response
{
"error": {
"code": "ExtensionError",
"message": "Operation: Create; Exception: [Status Code: Forbidden; Reason: The request is not authorized for this user or application.]",
"innerError": {
"date": "2020-09-09T11:27:27",
"request-id": "c563f94d-3c10-4c09-be35-0d1993d9a112"
}
}
}
The following delegated permissions were requested and granted by admin:
Presence.Read
Presence.Read.All
Client Certificate Pic
Finally i am able to solve the issue. As the error mentioned The request is not authorized for this user or application. So i thought there might be an issue with Access Token. Actually i was calling API on behalf of App i.e token with grant_type as client_credentials. Rather i should have called API on behalf of User i.e token with grant_type as password as it is clearly mentioned in documentation that
permissions are delegated. I didn't use any encryptionCertificate still subscription was successful.
You need to specify the encryptionCertificate. From the documentation:
presence subscriptions require encryption. Subscription creation will fail if encryptionCertificate is not specified.
I searched for similar questions but did not find answer I was looking for.
My goal is to update all users in AAD with hireDate.
At first I tried to do so using client credentials flow.
POST https://login.microsoftonline.com/espiradev.onmicrosoft.com/oauth2/token
Content-Type:application/x-www-form-urlencoded
grant_type:client_credentials
client_id:{{client_id}}
client_secret:{{client_secret}}
resource:https://graph.microsoft.com
After I got access code I called:
PATCH https://graph.microsoft.com/v1.0/users/[user1]
Authorization:bearer {{access_token}}
Content-Type:application/json
{
"hireDate": "2019-05-01T00:00:00Z"
}
Response:
"error": {
"code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
"message": "Attempted to perform an unauthorized operation.",
"innerError": {}
}
Second try was using password flow (client and user credentials). I used my global admin [user1] credentials and called same HTTP request. Response was HTTP 204 (everything OK).
POST https://login.microsoftonline.com/espiradev.onmicrosoft.com/oauth2/token
Content-Type:application/x-www-form-urlencoded
grant_type:password
client_id:{{client_id}}
client_secret:{{client_secret}}
resource:https://graph.microsoft.com
username:{{user1_upn}}
password:{{user1_password}}
Unfortunately, when I tried to update other [user2] it went like this:
PATCH https://graph.microsoft.com/v1.0/users/[user2]
Authorization:bearer {{access_token}}
Content-Type:application/json
{
"hireDate": "2019-05-01T00:00:00Z"
}
Response:
"error": {
"code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
"message": "Attempted to perform an unauthorized operation.",
"innerError": {}
}
If I am using [user2] credentials to get access token then I can update [user2] hireDate, but can not update [user1].
Application permissions:
Application permissions
UPDATED:
Decoded access token has these permissions:
"scp": "Directory.AccessAsUser.All Directory.ReadWrite.All User.ManageIdentities.All User.ReadWrite User.ReadWrite.All"
UPDATED[2]:
both [user1] and [user2] has Office 365 E1 licences assigned (including SharePoint Online (Plan 1))
Am I doing something wrong? If anyone has a solution to share, it would be much appreciated.
Apart from the office licenses, the global admin user should have Sites.ReadWrite.All scope permission in the token to update the "hireDate" property for other users.
This "drives" me crazy... I have an AAD app with following application permissions with Admin Consent:
Directory.Read.All
Files.ReadWrite.All
Group.Create
Group.ReadWrite.All
GroupMember.ReadWrite.All
Member.Read.Hidden
Organization.ReadWrite.All
People.Read.All
Sites.FullControl.All
Sites.ReadWrite.All
User.Read
Request:
https://graph.microsoft.com/v1.0/groups/{id}/drive/root
Response:
{
"error": {
"code": "serviceNotAvailable",
"message": "The service is not available. Try the request again after a delay. There may be a Retry-After header.",
"innerError": {
"request-id": "5ad04144-d8af-48ef-b9d3-43dafedb5911",
"date": "2020-02-15T13:28:08"
}
}
}
Decoded Token:
There's no Retry header and I've tried for several hours now.
If I send the query using a token generated with Authorization Code grant and the scope Group.ReadWrite.All User.Read profile openid email, it works like a charm.