I'm trying to create a Planner plan using the Microsoft Graph API. As documented, it requires a groupId. I also created a group, but when I create a Planner plan using Graph Explorer it returns a 403 with the message
"You do not have the required permissions to access this item, or the item may not exist."
I'm aware that in order to create a plan, it requires the Group.ReadWrite.All permission (Delegated, work or school account). I granted this in the Azure Portal but still get the same error.
One thing is I don't know how to determine if my account is a "work or school account". My account was created by the admin of my tenant and it uses the of my organization, so I guess it is a work account.
What do I have wrong here? Do I need another API to assign the plan to the group before creating it?
EDIT1:
Here is the request body I use when creating the Planner group. I also tried toggling "securityEnabled" to true, but creating a plan still fails.
And here is the request body I use when creating the Planner plan.
EDIT2:
I also tried to update a Planner plan via this API and it still failed. It seems the Group.ReadWrite.All permission does not apply to my account.
Your request is failing because you are not a member of the group in which you are trying to create a plan. Changing group content requires the calling user to be a member. Owners of the group currently cannot edit the Planner content in the group, unless they are also members.
Although you have requested Group.ReadWrite.All, you cannot authorize this permission until you have received "Consent" from an Administrator.
If you're using the Azure Portal to register your app (aka the v1 endpoint), then your admin can either use the Admin Consent workflow or directly grant the permission within the portal. You can read more about the Consent Framework in Integrating applications with Azure Active Directory.
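The two answers above boil down to a checklist: the delegated scope must be consented, and the signed-in user must be a member (not merely an owner) of the target group. The following is an added example, not code from the question or the answers, using the Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest against the v1.0 REST endpoints). The group id is a constructed placeholder; the scopes assume admin consent has already been granted for Group.ReadWrite.All.

```powershell
# Added example: verify group membership before creating a Planner plan.
# Assumptions: $groupId is a placeholder; Group.ReadWrite.All has been consented.
Import-Module Microsoft.Graph.Authentication

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: the group's object id

# Delegated scopes. Group.ReadWrite.All requires admin consent in most tenants;
# until that consent exists the POST below keeps returning 403.
Connect-MgGraph -Scopes "User.Read", "Group.ReadWrite.All" -NoWelcome

# Who is the signed-in user?
$me = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/me?`$select=id,userPrincipalName"

# Planner checks *membership*, not ownership: an owner who is not also a member gets 403.
# Page through the member list so large groups are handled correctly.
$isMember = $false
$uri = "https://graph.microsoft.com/v1.0/groups/$groupId/members?`$select=id"
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($page.value | Where-Object { $_.id -eq $me.id }) { $isMember = $true; break }
    $uri = $page.'@odata.nextLink'
}

if (-not $isMember) {
    Write-Warning "$($me.userPrincipalName) is not a member of group $groupId; plan creation would return 403."
    # A group owner can add themselves as a member via the members/$ref collection.
    $ref = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($me.id)" }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/groups/$groupId/members/`$ref" -Body $ref
}

# Create the plan; the group is the plan's container (called "owner" in older docs).
$body = @{
    container = @{ url = "https://graph.microsoft.com/v1.0/groups/$groupId" }
    title     = "Example plan"
}
$plan = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/planner/plans" -Body $body
"Created plan $($plan.id) in group $groupId"
```

If the membership check passes and the POST still fails with 403, the remaining cause on this page is missing consent: check the app's API permissions blade for the "Granted for <tenant>" status on Group.ReadWrite.All.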
I've created an app in the Microsoft Azure portal and I created a C# application which reads the number of emails inside the inbox folder of a user (using Microsoft Graph).
It works correctly with every user except one.
With that user I get "Access to OData is disabled".
How is it possible? The API permissions of the application are activated (Mail.Read).
The API call is denied access due to a configured application access policy for the specific user.
Administrators can create an application access policy to limit third-party app access to only a set of mailboxes.
The administrator for your organization must ensure that your app has permission to access the mailbox of the specific user.
We have an app registered on Azure AD (we got the app ID, secret, and redirect URL). This app is a daemon/background application which performs actions on behalf of a user; there is no signed-in user who can grant permissions. In particular, the app will periodically retrieve all emails from a particular Outlook mailbox called my.test#org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need to:
1. give application permissions on the API permissions page in Azure AD;
2. create a security group which is somehow assigned to the mailbox we want to read from via
   New-ApplicationAccessPolicy
     -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
     -PolicyScopeGroupId EvenUsers#contoso.com   <-- would I put here my.test#org.com or the ID of the security group?
     -AccessRight RestrictAccess
     -Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed? It seems strange that in the first step we can only give tenant-wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps look good to me and I would do the same. Just provide the necessary Graph permissions when you grant permissions to access your/others' mailboxes, as described in the documentation/steps.
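The answer confirms both steps, but leaves open the question in the post about what -PolicyScopeGroupId takes: it is the group, never the mailbox itself, and the group has to be mail-enabled (a mail-enabled security group, distribution group, or dynamic distribution group). The block below is an added example, not code from the question, the answer, or the earlier "Access to OData is disabled" thread; it shows the complete Exchange Online PowerShell sequence for that second step, and the Test-ApplicationAccessPolicy calls at the end are how you diagnose the "Access to OData is disabled" error from the earlier answer (a Denied result is exactly the mailbox an app-only client cannot reach). The app id and all addresses are constructed placeholders; it assumes you run it as an Exchange administrator with the ExchangeOnlineManagement module installed.

```powershell
# Added example: restrict an app-only client to one mailbox with an application access policy.
# Assumptions: $appId and the addresses are placeholders; run as an Exchange admin.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"

$appId   = "00000000-0000-0000-0000-000000000000"   # placeholder: Application (client) ID of the daemon app
$mailbox = "my.test@contoso.example"                 # placeholder: the one mailbox the daemon may read

# -PolicyScopeGroupId takes a mail-enabled group, not the mailbox. Create one and
# put only the target mailbox in it.
$group = New-DistributionGroup -Name "MailboxReaderScope" -Type Security `
    -PrimarySmtpAddress "mailbox-reader-scope@contoso.example"
Add-DistributionGroupMember -Identity $group.Identity -Member $mailbox

# Until this policy exists, the tenant-wide application permission (e.g. Mail.Read)
# reaches every mailbox in the tenant.
New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $group.PrimarySmtpAddress `
    -AccessRight RestrictAccess `
    -Description "Restrict the mailbox-reader daemon to members of MailboxReaderScope"

# Verify the scope. AccessCheckResult should be Granted for the target mailbox and
# Denied for any other mailbox; a Denied mailbox is what surfaces to the client as
# "Access to OData is disabled". Policy changes can take up to 30 minutes to apply.
Test-ApplicationAccessPolicy -Identity $mailbox -AppId $appId
Test-ApplicationAccessPolicy -Identity "someone.else@contoso.example" -AppId $appId
```

Keeping the scoping group dedicated to this one app makes later audits straightforward: Get-ApplicationAccessPolicy lists every policy, and the group's membership is the complete set of mailboxes the daemon can read.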
Is there any example of how I can achieve the following requirement:
I need to read Planner plans from a group in an Azure Function through the Graph API.
Application permissions are not supported, only delegated.
I tried ConfidentialClientApplicationBuilder with OnBehalfOfProvider, but no luck. I do not know how to set the UserAssertion in this case.
Also, the username and password flow is not an option, because the end user can use MFA.
Unfortunately, the Microsoft Planner APIs on Microsoft Graph do not support application permissions (app-only). This is confirmed in the docs here: https://learn.microsoft.com/en-us/graph/api/planner-post-plans?view=graph-rest-1.0&tabs=http#permissions
Please vote up the feature request for this: https://microsoftgraph.uservoice.com/forums/920506-microsoft-graph-feature-requests/suggestions/5904632-application-permissions-to-task-api
I'm trying to access a group calendar using the Microsoft Graph API as the application (I don't want to use delegated permissions).
If I request calendar events using the URL below, I get the events for the user just fine.
https://graph.microsoft.com/v1.0/users/[emailAddress]/events
If I make a request to the following I get group information:
https://graph.microsoft.com/v1.0/groups/[groupId]/
If I make a request to this:
https://graph.microsoft.com/v1.0/groups/[groupId]/events
I get "Access is denied. Check credentials and try again."
In the Azure portal, I've given my app service the following application permissions:
Calendars.Read
Calendars.Read.Shared
Group.Read.All
User.Read.All
What am I missing?
Application permissions to list events are currently not supported. Also, listing events using delegated permissions with personal accounts is not supported. Please refer to the List Events documentation, which has the details. You can also refer to the known limitations of Graph here.
A User Voice feature request is also available here, and you can upvote it so that the product team can include it in their plans.
What is the minimum set of permissions required in an AAD app to access the Graph API checkMemberGroups?
Here is the list of permissions I tried with. Can this set be reduced any further? And am I missing any mandatory permissions?
Delegated permissions:
Microsoft Graph API
  - Read all users' full profiles
  - Read all groups
  - Access directory as the signed in user
  - Sign in and read user profile
Windows Azure Active Directory
  - Read all users' full profiles
  - Read all groups
  - Access directory as the signed in user
  - Sign in and read user profile
If you are developing checkMemberGroups with Microsoft Graph, there is no need to configure the corresponding permissions for Windows Azure Active Directory.
And to call this API, if you have granted User.Read.All, there is no need to grant the other three permissions. As the documentation mentions, only one of the scopes is required.
It depends on the type of data you want to get from Graph. If you just want to sign in the end user and get their basic profile info, you can simply set Sign in and read user profile.
Each scope relates to some data or endpoint you want to access. Figure out that list of data your scenario requires, then compare that with the scopes.
After some experimentation, it seems that the minimum permissions are the following:
  - /me/checkMemberGroups: User.Read and GroupMember.Read.All
  - /users/{userId}/checkMemberGroups: User.ReadBasic.All and GroupMember.Read.All