I have logged into my dev tenant as the tenant admin and I'm trying to create a schema extension, but I get a 403 Authorization_RequestDenied.
I have granted Directory.AccessAsUser.All to Graph Explorer and consented as admin, and double checked.
I'm running a POST against https://graph.microsoft.com/v1.0/schemaExtensions with the following payload:
{
"id":"GroupMetadata",
"description": "some desc",
"targetTypes": [
"Group"
],
"properties": [
{
"name": "groupType",
"type": "String"
}
]
}
and I'm getting the response:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "3e3019c6-8ec5-4695-8ea3-b0aaf1ea1d25",
"date": "2017-09-06T13:14:36"
}
}
}
Any help on the matter would be appreciated.
We just deployed a fix for this. You can now Create/Update/Delete your schema definitions within Graph Explorer.
NOTE: In order to make this work you must specify the owner property to be the appId of an app that you (the signed-in user) owns, in all POST, PATCH or DELETE operations.
The documentation will be updated shortly to reflect this change. Please give it a whirl and let us know if you can now fully manage extension schema definitions through Graph Explorer.
Hope this helps,
Related
Using Microsoft Graph is it possible to assign a the "owner" role to a SharePoint drive item? I can achieve this using the UI but do not seem to be able to do this using Graph.
I have tried the following method:
PATCH https://graph.microsoft.com/v1.0/groups/{groudId}/sites/root/drives/{driveId}/items/{itemId}/permissions/{permId}
Body:
{
"roles": [
"owner"
]
}
Return:
{
"error": {
"code": "invalidRequest",
"message": "Invalid value for role",
"innerError": {
"date": "2023-01-07T07:57:17",
"request-id": "b849af34-5b2d-4f50-94bd-b6ac15947eb8",
"client-request-id": "224905e8-ffb3-2dd1-6223-60ec9e5ad2a9"
}
}
}
However what confuses me is if I assign the same permission group full control to the drive item in the UI the same permission object will return "owner" as the role.
I was facing the similar issue long time ago and fixed it by using sp.full control instead of owner. Maybe it will work for you.
PATCH /v1.0/groups/{groudId}/sites/root/drives/{driveId}/items/{itemId}/permissions/{permId}
Body:
{
"roles": [
"sp.full control"
]
}
I am trying to deprecate a Term from my term store using Microsoft Graph API.
I tried to update the term properties to achieve this using the UPDATE action as below but this is not working.
PATCH sites/{site-id}/termStore/sets/{set-id}/terms/{term-id}
{
"properties": [
{
"deprecated": true
}
]
}
I get the following response:
{
"error": {
"code": "generalException",
"message": "Object reference not set to an instance of an object.",
"innerError": {
"date": "XX",
"request-id": "XX",
"client-request-id": "XX"
}
}
}
I do have the TermStore.ReadWrite.All permissions.
Is this even possible to do?
If yes, do you know how to do this?
Mostly this could be happening because your user doesn't have sufficient privileges for the group under which you are trying to update the term. Your user needs to be at least a 'contributor' to the parent group of this term.
I would like to read a team's shifts using https://graph.microsoft.com/v1.0.
However i always fail with different errors and get contradicting server messages.
I send the API requests with Postman.
I am using Application authorization method. I think i have set all required Api permissions for my app.
I beleive i supply the correct headers, like:
Authorization
Content-Type
MS-APP-ACTS-AS
When i send the request like this to GET a team:
GET https://graph.microsoft.com/v1.0/teams/{id}
i get the following error message:
"error": {
"code": "NotFound",
"message": "No team found with Group Id {id}",
"innerError": {
"date": "2020-09-05T08:37:17",
"request-id": "id"
}
}
But when i try to create the team (from a group) like this:
PUT https://graph.microsoft.com/v1.0/groups/{id}/team
I get the error as follows:
"error": {
"code": "Conflict",
"message": "Team already exists",
"innerError": {
"date": "2020-09-05T08:33:33",
"request-id": "id"
}
}
When i try to make my actual call of interest, like:
GET https://graph.microsoft.com/v1.0/teams/{id}/schedule/shifts
That also fails with error:
{
"error": {
"code": "NotFound",
"message": "{\"error\":{\"code\":\"NotFound\",\"message\":\"Sorry, the team was not found, or you may not have access to it.\",\"details\":[],\"innererror\":{\"code\":\"TeamNotFound\"}}}",
"innerError": {
"date": "2020-09-05T08:59:55",
"request-id": "id"
}
}
}
Pleaset help me understand what i am doing wrong!
Thank you in advance!
Solved (itself).
So what was happening:
i created a team (directly or from a group).
created a schedule for the team.
get the schedule for the team, and see the response:
"enabled": false,
"provisionStatus": "Failed", (so not running or queuing or something)
"provisionStatusCode": "GraphResourceNotFound",
struggle few (like 4-5) days
without changing a thing, get the schedule showing:
"enabled": true,
"provisionStatus": "Completed",
"provisionStatusCode": null,
Maybe it would help others to see the possible wait time length or add a clarification about the provisionStatus field’s status progression.
We're using the client_credentials flow to get access for our application to tenants environments. The application has the correct scopes, and we get an access token that is working for other endpoints like /users but when doing a request like the following we get error messages.
GET https://graph.microsoft.com/beta/me/findRooms
{
"error": {
"code": "ErrorInvalidUser",
"message": "The requested user '{userId}#{tenantId}' is invalid.",
"innerError": {
"request-id": "b72d26a3-d0ad-42eb-a3d3-35951cb42b3d",
"date": "2020-01-21T10:21:28"
}
}
}
I understand that there's no "me" when we're just an application, but how do we access these types of endpoints in that case? Do I have to have a user to act as, as well? That seems to me like it defeats the purpose of a daemon like this. Cannot find any clear documentation on this matter. On this page in the docs on the use a token section they even refer to a /me endpoint, which is incorrect in that case.
I've tried requesting the /users/{id}/findRooms endpoint with all different kinds of ID's I can find in the access token - none of them work.
Other people with the same issue, that have yet to resolve it.
1. Feedback area in docs
2. Github issue
Best regards,
Christopher
Using the /users/{user-id} is the only pattern that will work with client credentials. In your case, this should work, so maybe it's an issue with the id you are using.
To make sure I'm not giving you bad information, I just tested this with an app-only token from the client credentials flow. Parsing that token over at https://jwt.ms, I see the roles claim like so:
"roles": [
"User.Read.All"
]
If first did a GET /users?$select=displayname,id, and this user was included in the response:
{
"displayName": "Adele Vance",
"id": "3103c7b9-cfe6-4cd3-a696-f88909b9a609"
}
This is the id to use in your findRooms call. I did GET /users/3103c7b9-cfe6-4cd3-a696-f88909b9a609/findrooms and got the following response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.emailAddress)",
"value": [
{
"name": "Conf Room Adams",
"address": "Adams#M365x330971.onmicrosoft.com"
},
{
"name": "Conf Room Baker",
"address": "Baker#M365x330971.onmicrosoft.com"
},
{
"name": "Conf Room Crystal",
"address": "Crystal#M365x330971.onmicrosoft.com"
},
{
"name": "Conf Room Hood",
"address": "Hood#M365x330971.onmicrosoft.com"
},
{
"name": "Conf Room Rainier",
"address": "Rainier#M365x330971.onmicrosoft.com"
},
{
"name": "Conf Room Stevens",
"address": "Stevens#M365x330971.onmicrosoft.com"
}
]
}
I am attempting to create a new list item in SharePoint Online using the [beta] Microsoft Graph endpoint. The goal is to call Microsoft Graph from an Outlook Add-in but the problem persists on Postman.
When I call the endpoint as per the documentation I get the following error message:
{
"error": {
"code": "unauthenticated",
"message": "The caller is not authenticated.",
"innerError": {
"request-id": "bb094f39-71c9-4c7d-9d9b-913cc9622baf",
"date": "2017-08-08T11:32:02"
}
}
}
I'm using ADAL JS to fetch the authentication token and I initialized my AuthenticationContext with my tenantID. My app has the following permissions: offline_access, Sites.Read.All, Sites.ReadWrite.All, User.Read
2nd Edit - more details on readItem
I use the https://graph.microsoft.com/beta/sites/{site-id}/lists/{list-id}/items endpoint with the {site-id} of my desired site from /sites and the {list-id} of the list from /sites/{site-id}/lists but this is the empty response I get:
{
"#odata.context": "https://graph.microsoft.com/...",
"value": []
}
If I try to to add /{item-id} to my original call to access specific item I receive this response:
{
"error": {
"code": "itemNotFound",
"message": "The specified list was not found",
"innerError": {
"request-id": "6e7ccae3-3aee-4dbb-ae3e-de61250478e0",
"date": "2017-08-09T13:13:33"
}
}
}
Which doesn't make sense because I can retrieve valid information about the list if i make the call without /items/..
Any and all input appreciated :) I'll gladly provide more code, this is all I deemed relevant and didn't want to overcrowd the post.
might be that you actually don't have an item with that id, since https://graph.microsoft.com/beta/sites/{site-id}/lists/{list-id}/items/1 works for me.
test the id's you really have by just https://graph.microsoft.com/beta/sites/{site-id}/lists/{list-id}/items and each item returns it's id.