OneDrive not provisioning - microsoft-graph-api

I'm trying to create an account for a user, and provision it with OneDrive. The application has all the required rights, and the user has a license which includes OneDrive for Business.
When using the /v1.0/users/username/drive endpoint from Microsoft Graph to provision the OneDrive, as stated in the documentation under 'Get a user's OneDrive', the following error presents itself:
{
  "error": {
    "code": "ResourceNotFound",
    "message": "User's mysite not found.",
    "innerError": {
      "request-id": "996c75c0-19d5-416e-8070-e9af593ae1d7",
      "date": "2017-11-08T08:23:22"
    }
  }
}
The OneDrive doesn't get provisioned, not even if I check after some time. When I provision it manually by logging into OneDrive as the user, however, it does.
So my question is: why doesn't the user's OneDrive get provisioned?
Found a related question just now.

As mentioned in the Documentation:
If a user's OneDrive is not provisioned but the user has a license to use OneDrive, this request will automatically provision the user's drive, when using delegated authentication.
The key bit here being "delegated authentication". This is stating that the API will only provision a Drive when there is a user in context. In other words, your app must be using either the authorization_code or implicit OAuth grant for automatic provisioning to be triggered.
If you're using "application authentication" (i.e. the client_credentials grant), automatic provisioning won't be triggered.

Related

Microsoft Graph returns "The token contains no permissions, ..." when using app-only token

Using Postman, I am trying to retrieve the last emails received in my Outlook mailbox.
To achieve this, I have declared my app in the App Portal. Then, I can do a GET request to get a token from the endpoint:
https://login.microsoftonline.com/[tenantId]/oauth2/token
Next, I try to use the token I received to perform a request at
https://graph.microsoft.com/v1.0/me/mailfolders/inbox/messages
The problem is that the API returns:
{
  "code": "NoPermissionsInAccessToken",
  "message": "The token contains no permissions, or permissions can not be understood.",
}
In the permissions of my app, I have authorized every action related to reading emails. Am I missing something?
I was actually missing admin approval for the scopes (read.mail in my case). In an App-Only usage, you need to get approval from an admin. To do so, the admin must use this URL:
https://login.microsoftonline.com/common/adminconsent?client_id=[your_client_id]&state=[random_string]&redirect_uri=http://localhost/
The admin will be prompted to approve the permissions.
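The admin consent URL in the answer above carries a state parameter. As an added example (not code from the original thread), the following Python builds that URL with an unguessable state and validates the redirect Azure AD sends back, so a forged or replayed callback cannot mark a tenant as consented. The client id and redirect URI are placeholders, and the callback shape (tenant, state, admin_consent=True on approval, error/error_description on denial) is the documented one for the /common/adminconsent endpoint.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder registration values (not a real app).
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "http://localhost/"


def new_state() -> str:
    """Fresh per-session state; a real app stores it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def build_admin_consent_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Tenant-wide admin consent URL, same endpoint as in the answer above."""
    query = urlencode({"client_id": client_id, "state": state, "redirect_uri": redirect_uri})
    return "https://login.microsoftonline.com/common/adminconsent?" + query


def parse_admin_consent_callback(callback_url: str, expected_state: str) -> dict:
    """Validate the redirect that arrives after the admin approves or declines.

    Azure AD appends tenant, state and admin_consent (or error/error_description)
    as query parameters on the registered redirect_uri.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    # State must match the value this session generated; otherwise the callback was
    # not started by us and must not update any consent bookkeeping.
    got = params.get("state", "").encode()
    if not secrets.compare_digest(got, expected_state.encode()):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in params:
        raise PermissionError(params.get("error_description", params["error"]))
    if params.get("admin_consent", "").lower() != "true":
        raise PermissionError("admin_consent flag missing or not True")
    tenant = params.get("tenant")
    if not tenant:
        raise ValueError("tenant id missing from callback")
    return {"tenant": tenant, "consented": True}


if __name__ == "__main__":
    state = new_state()
    print("send the admin to:", build_admin_consent_url(CLIENT_ID, REDIRECT_URI, state))
    # Constructed callback, as the browser would deliver it after approval:
    cb = f"{REDIRECT_URI}?tenant=tenant-id-placeholder&state={state}&admin_consent=True"
    print(parse_admin_consent_callback(cb, state))
```

The state check uses a constant-time comparison and is done before anything else is read from the callback; only after it passes is the tenant recorded as consented.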
This sounds like you forgot to "Grant permission" (it happens to the best of us :P).
Grant the permission for your tenant. The easiest way is through https://portal.azure.com -> Azure AD -> App Registrations -> Your App -> Settings -> Required permissions -> Grant Access button.
Related to this answer
It also helps to take the token and paste it into https://jwt.ms, which will show you all the data in the token (and should also show the claims about the granted permissions).
The exception is the API to find meeting times or send mail, which applies to only Office 365 mailboxes (on Azure AD) and not to Microsoft accounts.
For simplicity of reference, the rest of this article uses Outlook.com to include these Microsoft account domains.
https://learn.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/calendar-rest-operations

using microsoft graph api to read mail behalf of users in the enterprise

I am trying to get the messages inside the mailbox of users in the enterprise via the admin account.
In my app I have the following permissions:
I used the https://login.microsoftonline.com/common/adminconsent?... to grant the application permissions to read mail in all mailboxes and after that, I used the OAuth2 authentication to get a Bearer token.
This is the response I got from the token endpoint:
{
  "token_type": "Bearer",
  "scope": "Mail.Read User.Read User.Read.All profile openid email",
  "access_token": "<token>",
  "expires_in": 3599,
  "ext_expires_in": 3599
}
When I used this to access a mailbox via https://graph.microsoft.com/v1.0/users/USER-ID/messages, I got the following response:
{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "a31bcf73-4bd6-4fed-bfee-d70328e0703e",
      "date": "2018-11-26T15:20:37"
    }
  }
}
However, when I use this endpoint with the User ID of the authenticated admin account, I am able to access the messages in that mailbox.
But I would like to access the mailboxes of all users in the organization via Microsoft Graph.
The Outlook endpoints operate a little differently than most of the Graph endpoints: rather than having a .all variation of their scopes (i.e. user.read vs user.read.all), it depends on which scope type (Delegated vs. Application) is being used.
When Delegated scopes are being used, Mail.Read only provides access to the authenticated user's mailbox (the only exception being those that have been explicitly shared with that user).
When Application scopes are being used, Mail.Read provides access to any user's mailbox.
Now, this is where things get a little wonky: the type of scope that gets applied is entirely dependent on the OAuth grant used to obtain the token.
When using Implicit or Authorization Code grants, Delegated scopes are applied.
When using the Client Credentials grant, Application scopes are applied.
So in order for you to access any user's mailbox via /v1.0/users/{someUser}/messages, you first need to obtain your token using the Client Credentials OAuth grant. You can find a walkthrough on how this works in the documentation under "Get access without a user".

Unable to access Graph API when using Microsoft App Developer API key

I'm still not able to access the Graph API when using my developer API key from the Microsoft App Registration Portal (Azure AD v2.0 endpoint) as the "client_secret" and I receive the following error message when using the below URL in my web browser to test manually:
Error message:
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Bearer access token is empty.",
    "innerError": {
      "request-id": "902fec23-3ac7-433a-952c-4b0c4213869",
      "date": "2018-06-05T15:23:11"
    }
  }
}
URL:
https://graph.microsoft.com/v1.0/sites/<tenant_name>.sharepoint.com/_api/web/lists?client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&client_secret=xxXXxxxxxxxxx
I'm trying to test this without authenticating with my O365 account, as this will go into a script to perform callouts to SharePoint Online.
You cannot use Microsoft Graph without authenticating. Every call to the Graph must include a valid access token in the Authorization header:
From the documentation:
To call Microsoft Graph, your app must acquire an access token from Azure Active Directory (Azure AD), Microsoft's cloud identity service. The access token contains information (or claims) about your app and the permissions it has for the resources and APIs available through Microsoft Graph. To get an access token, your app must be able to authenticate with Azure AD and be authorized by either a user or an administrator for access to the Microsoft Graph resources it needs.
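The question above puts client_id and client_secret in the query string of a Graph URL, which both leaks the secret into logs and browser history and, as the error shows, leaves the Authorization header empty. As an added example (not code from the thread), the Python below builds the two requests the "Get access without a user" flow actually consists of: a client_credentials POST to the v2.0 token endpoint with the secret in the form body, and a Graph GET carrying the resulting token in the Authorization header. It also refuses to send any Graph request whose URL carries credential-like query parameters. Tenant, client id and secret are placeholders; the requests are only built, not sent, so it runs offline.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request  # urlopen(request) would send these for real

GRAPH = "https://graph.microsoft.com/v1.0"

# Query keys that must never appear in a Graph URL: credentials belong in the
# POST body (token endpoint) or the Authorization header (Graph), never in a URL.
CREDENTIAL_QUERY_KEYS = {"client_secret", "client_id", "access_token"}


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> Request:
    """client_credentials grant against the v2.0 token endpoint (app-only token)."""
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,          # in the TLS-protected body only
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return Request(url, data=form, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def extract_access_token(token_response_body: bytes) -> str:
    """Pull access_token out of the token endpoint's JSON, surfacing AAD's error text."""
    payload = json.loads(token_response_body)
    if "access_token" not in payload:
        raise RuntimeError(payload.get("error_description", "no access_token in response"))
    return payload["access_token"]


def build_graph_request(path: str, access_token: str) -> Request:
    """GET a Graph resource, sending the token only in the Authorization header."""
    url = GRAPH + path
    leaked = CREDENTIAL_QUERY_KEYS & set(parse_qs(urlparse(url).query))
    if leaked:
        raise ValueError(f"credentials must not be query parameters: {sorted(leaked)}")
    return Request(url, method="GET", headers={
        "Authorization": f"Bearer {access_token}",
        "Accept": "application/json",
    })


if __name__ == "__main__":
    # Placeholder values; with real ones you would urlopen() each request.
    tok_req = build_token_request("tenant-id-placeholder", "client-id-placeholder", "secret-placeholder")
    print(tok_req.get_method(), tok_req.full_url)
    # Constructed token endpoint response, as AAD would return it:
    token = extract_access_token(b'{"token_type":"Bearer","expires_in":3599,"access_token":"constructed-token"}')
    graph_req = build_graph_request("/sites/root", token)
    print(graph_req.get_method(), graph_req.full_url, graph_req.get_header("Authorization"))
```

Note that the resulting token is app-only; as the OneDrive and mailbox threads on this page explain, the permissions that apply to it are the application (roles) permissions granted by an admin, not delegated scopes.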

Tenant does not have a SPO license

I have an error while trying to use Microsoft Graph to write a script to upload an Excel file to OneDrive then read the Excel file.
I followed the Microsoft documentation to obtain the access token without a user. I successfully got an access token, but I got an error while using the access token to call the OneDrive API.
Here is the response:
{
  "error": {
    "code": "BadRequest",
    "message": "Tenant does not have a SPO license.",
    "innerError": {
      "request-id": "5ec31d17-3aea-469f-9078-de3608f11d0d",
      "date": "2017-10-10T04:34:05"
    }
  }
}
I don't understand why I need to have an SPO license while calling the Graph API, or how to get one. Because of this error message, I'm trying to buy an SPO license.
According to this document, I think I should see many products on the license pages, but when logging in to the Azure Portal and going to the License page, I see only 2 products: Azure AD Premium and Enterprise Mobility Suite:
In case anyone else has a similar issue, I was getting the same error message when using an Office 365 Home license. It turns out SPO stands for SharePoint Online, and you need an Office 365 Business account to have it. So as far as I can tell, you can't use the Microsoft Graph API to access OneDrive without having SharePoint (which only comes with the business licenses). This isn't really made clear anywhere that I could find.
Answering a couple of things here.
Background: Microsoft Graph is the developer gateway or API to many Microsoft cloud services, like Office 365, Azure Active Directory, EMS (Enterprise Mobility Suite), personal Outlook, personal OneDrive and more. Use of the API is free, but to access the data behind it, you need to actually have those services - in some cases they may be free and in other cases you may need to pay for them.
As for adding Office 365 to your existing tenant. I believe you've signed up for Azure using a Microsoft Account. This means that you already have an Azure Active Directory tenant. You can still purchase/acquire Office 365 for that tenant. All you need to do is create a new Azure AD user (not a Microsoft Account) in your tenant, and make them a company admin. Then you should be able to sign-up for Office 365 - if it asks if you already have a tenant or account, sign in with the AAD account you just created. And voila, you should have an Azure AD tenant with a subscription to Azure AND now a subscription to Office 365.
Hope this helps,
In case anyone else has a similar issue, I was getting the same error message when using a personal Microsoft account, just like OP.
So, if you are using a personal account with a registered Azure Active Directory (AAD) app whose type isn't Personal Microsoft accounts only or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox), you will get this error. Also, you need to use the correct endpoint to avoid errors.
The main problem is our account type. As a personal account, there are some restrictions on accessing OneDrive files. These restrictions are:
You can only use OAuth2 Code Flow or OAuth2 Token Flow. Both are interactive approaches. [1][2]
Your application registered in AAD needs to be Personal Microsoft accounts only or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox), and each one has a different endpoint to acquire the access token (which you can see by clicking the Endpoints button, near the Delete app button on the app page). [3]
Enable these delegated permissions to your application registered in AAD: Files.Read, Files.Read.All, Files.ReadWrite, and Files.ReadWrite.All.
With these restrictions in mind, you can set up a workflow in Postman following these two steps (I'm using the endpoints of the Personal Microsoft accounts only app type and using OAuth2 Code Flow):
Important note: To use the code flow, you need to enable Access tokens under Implicit grant and hybrid flows on the Authentication AAD app sidebar menu.
Acquire access token:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=YOUR_CLIENT_ID&response_type=token&redirect_uri=ONE_OF_REGISTERED_REDIRECT_URI&scope=Files.Read Files.Read.All Files.ReadWrite Files.ReadWrite.All
After you fill in your information in Postman's request, I recommend using a browser and network inspection to log in with a Microsoft account and permit the app. You get the access token via network inspection.
List OneDrive root files:
https://graph.microsoft.com/v1.0/me/drive/root/children
Add a new header:
Authorization
With value:
Bearer ACCESS_TOKEN_OF_STEP_1
In my Angular application, due to this interactive-only restriction on accessing OneDrive files, I changed my authentication method to use the Microsoft Authentication Library (MSAL) to avoid opening a popup window to authenticate a valid Microsoft account every time an API request needs to be sent.
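The two Postman steps above (authorize with response_type=token, then call /me/drive/root/children with the token as a Bearer header) are an implicit grant round trip, and the token comes back in the URL fragment of the redirect, not the query string. As an added example (not code from the answer), the Python below builds the authorize URL for the consumers endpoint with the same four Files scopes, parses the fragment of the redirect the browser is sent to, checks the state value and the granted scopes, and builds the Graph listing request. The client id and redirect URI are placeholders, and adding a state parameter is my addition to the URL shown in the answer; the redirect URL used in the demo is constructed.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request  # urlopen() would send the Graph call for real

AUTHORIZE = "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize"
SCOPES = ["Files.Read", "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All"]


def new_state() -> str:
    """Per-attempt state so a token dropped into our redirect URI must come from our request."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Same authorize request as step 1 above; urlencode turns the space-separated scopes into one parameter."""
    return AUTHORIZE + "?" + urlencode({
        "client_id": client_id,
        "response_type": "token",          # implicit grant: token returned directly
        "redirect_uri": redirect_uri,      # must exactly match a registered redirect URI
        "scope": " ".join(SCOPES),
        "state": state,
    })


def parse_implicit_redirect(redirect_url: str, expected_state: str) -> dict:
    """Extract the token from the fragment (#...) of the redirect the browser lands on."""
    frag = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).fragment).items()}
    if "error" in frag:
        raise PermissionError(frag.get("error_description", frag["error"]))
    if not secrets.compare_digest(frag.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not belong to this authorize request")
    if "access_token" not in frag:
        raise ValueError("no access_token in fragment (query-string tokens are not expected here)")
    if frag.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {
        "access_token": frag["access_token"],
        "expires_in": int(frag.get("expires_in", "0")),
        "scope": frag.get("scope", "").split(),
    }


def missing_scopes(granted: list) -> list:
    """Scopes requested but not granted (the user may have declined some, or the app lacks them)."""
    return sorted(set(SCOPES) - set(granted))


def build_drive_root_request(access_token: str) -> Request:
    """Step 2 above: list the root of the signed-in user's drive."""
    return Request("https://graph.microsoft.com/v1.0/me/drive/root/children",
                   headers={"Authorization": f"Bearer {access_token}"})


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("client-id-placeholder", "http://localhost/callback", state))
    # Constructed redirect, shaped like the one the browser receives after consent:
    landed = (f"http://localhost/callback#access_token=constructed-token&token_type=bearer"
              f"&expires_in=3599&scope=Files.Read+Files.Read.All&state={state}")
    tok = parse_implicit_redirect(landed, state)
    print("missing:", missing_scopes(tok["scope"]))
    print(build_drive_root_request(tok["access_token"]).get_header("Authorization"))
```

Because the token lives in the fragment, it never reaches the server hosting the redirect URI; a script that copies it out of the browser's network inspector, as the answer describes, is reading exactly this fragment.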
Both OneDrive for Business and the Excel APIs require Office 365. Based on your screenshot, this looks like a standalone Azure Active Directory tenant (i.e. not linked to O365).
The reason for the SPO License message is that OneDrive for Business is a special SharePoint Online document library that is automatically provisioned for users.
Are you able to access the OneDrive contents (including the Excel file) manually through browser after logging in with your account in the same tenant?
If you are able to access the drive and file manually, please use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer to sign in using the same account and make the call to get the Drive contents. When you're signing in, you will be presented with a consent page listing the permissions that need to be granted. Please make a note of those permissions and check whether they match those required for accessing the drive.
If you do not have appropriate SPO license yet, you can try setting up a free Office-365 trial account (https://products.office.com/en-in/business/office-365-enterprise-e3-business-software) and test the APIs.
To add to Kikutos' answer, you can use this Azure sample to acquire the token via MSAL.NET.
The only thing you need to change is the Instance property, which needs to be set to:
https://login.microsoftonline.com/consumers/

Microsoft Graph API: 403 Forbidden error when trying to retrieve policies on tenant

I'm trying to retrieve the policies created for my tenant on the Azure AD portal using the Microsoft Graph API. As I understand from the graph API documentation, all the policy CRUD operations require a scope of Directory.AccessAsUser.All.
This scope translates to the permission Access directory as the signed-in user as mentioned here - https://developer.microsoft.com/en-us/graph/docs/authorization/permission_scopes
I have been trying to configure my application on the both the new Azure portal and the old one with different failure points.
On the new portal:
I have created a Web Application in my tenant following instructions on https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal.
When configuring access control, the only subscription for my tenant is Access to Azure Active Directory, and I'm not able to configure access control on this in the new portal. From the browser, when I select Access Control (IAM), I see the error - "Call to ARM failed with httpCode=BadRequest, errorCode=DisallowedOperation, message=The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription., reason=Bad Request."
The "Add" roles button is disabled as well.
Can I not configure Access control on the subscription Access to Azure Active Directory? If so, is there no other way to retrieve the policies for my tenant using the API?
On the old portal:
For my app, I configured permissions for:
Microsoft Graph
Windows Azure Active Directory
I verified on the portal that both the APIs are configured with the permission Access directory as the signed-in user. Even in this case, I keep getting a 403 Forbidden when I try to access the https://graph.microsoft.com/beta/policies endpoint to list the policies on my tenant.
Here is the payload of the access token I obtained (https://login.microsoftonline.com/{my tenant name}/oauth2/token):
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
  "iat": 1491256764,
  "nbf": 1491256764,
  "exp": 1491260664,
  "aio": "Y2ZgYAi68q2XUTk0ykH7/TZzrhYbAA==",
  "app_displayname": "test-app",
  "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
  "appidacr": "1",
  "idp": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
  "oid": "7ccea836-d389-4328-a155-67092e2805e9",
  "roles": [
    "Device.ReadWrite.All",
    "User.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "IdentityRiskEvent.Read.All"
  ],
  "sub": "7ccea836-d389-4328-a155-67092e2805e9",
  "tid": "8b49696d-462a-4a71-9c5c-f570b2222727",
  "uti": "4fmUDNWWHkSoTn2-7gtTAA",
  "ver": "1.0"
}
Obviously the Directory.AccessAsUser.All role is missing on this token which is causing the 403 error. So either I'm missing something here or there is a bug in the API that is preventing all the permissions from being correctly configured. Greatly appreciate any help/pointers on this!
Please note:
I'm only using the beta APIs because I didn't find the corresponding endpoint for policies on the v1.0 APIs and the Azure Graph API documentation recommends using the Microsoft Graph API.
With the same configuration, using the Azure Graph API endpoints also returns a 403 Forbidden error for the policies endpoint (https://msdn.microsoft.com/zh-cn/library/azure/ad/graph/api/policy-operations#list-policies).
Based on the claims in the access token, you acquired the access token using the client credentials flow, and such a token represents the app itself. There is no such delegated permission for a user in this kind of token.
To get an access token with delegated permissions for users, you need to use another flow, such as the Authorization code grant flow. You can refer to this link for the details.
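Several answers on this page turn on the same fact: which OAuth grant produced a token decides whether it carries delegated permissions (a user in context, so OneDrive auto-provisioning fires and Mail.Read reaches only that user's mailbox) or application permissions (app-only, so Mail.Read reaches any mailbox and user-only permissions like Directory.AccessAsUser.All can never appear). The jwt.ms tip above shows this by eye; the Python below, an added example and not code from any of the answers, does the same check programmatically. It decodes a JWT payload without verifying the signature (adequate for inspecting a token you obtained yourself, never for a resource server), classifies it by whether Azure AD put the permissions in the scp claim (delegated) or the roles claim (application), and reports what a Graph call can expect. The two sample tokens are constructed, unsigned, and modelled on the shape of the payload in the question above; all ids are placeholders.

```python
import base64
import json

# Constructed sample claims shaped like the app-only payload in the question above.
APP_ONLY_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000001",
    "appidacr": "1",
    "roles": ["Device.ReadWrite.All", "User.ReadWrite.All", "Directory.ReadWrite.All"],
    "ver": "1.0",
}
# Constructed sample of a delegated token: permissions in "scp", user identified by "upn".
DELEGATED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000001",
    "scp": "Mail.Read User.Read Directory.AccessAsUser.All",
    "upn": "admin@contoso.example",
    "ver": "1.0",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Compact JWT with an empty signature, built only to feed the decoder below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (what jwt.ms shows).

    A resource server must instead validate signature, issuer, audience and expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a 3-segment compact JWT")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def token_kind(claims: dict) -> str:
    """Azure AD puts delegated permissions in 'scp' and application permissions in 'roles'."""
    if "scp" in claims:
        return "delegated"      # authorization_code / implicit grant: a user is in context
    if "roles" in claims:
        return "application"    # client_credentials grant: app-only, no user
    return "unknown"


def granted_permissions(claims: dict) -> set:
    kind = token_kind(claims)
    if kind == "delegated":
        return set(claims["scp"].split())
    if kind == "application":
        return set(claims["roles"])
    return set()


def explain(token: str, needed: str) -> dict:
    """Summarise what a Graph call that needs `needed` can expect from this token."""
    claims = decode_jwt_payload(token)
    kind = token_kind(claims)
    perms = granted_permissions(claims)
    return {
        "kind": kind,
        "has_permission": needed in perms,
        # The drive endpoint auto-provisions OneDrive only with a user in context.
        "auto_provisions_onedrive": kind == "delegated",
        # Application Mail.Read reaches any mailbox; delegated Mail.Read only the user's own.
        "mail_read_any_mailbox": kind == "application" and "Mail.Read" in perms,
    }


if __name__ == "__main__":
    for name, claims in (("app-only", APP_ONLY_CLAIMS), ("delegated", DELEGATED_CLAIMS)):
        print(name, explain(make_unsigned_jwt(claims), "Directory.AccessAsUser.All"))
```

Run against the app-only sample, the report shows the situation in the question above: a token with roles but no scp can never satisfy a delegated-only permission such as Directory.AccessAsUser.All, whatever is ticked in the portal, so the fix is a different grant rather than more permissions.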