I'm trying to update O365 Group logo using Microsoft Graph API with Microsoft Graph .NET Client Library and GraphServiceClient.
Created app and added Group.ReadWrite.All (Admin Only) permissions to Application, did Admin consent to app.
When setting logo to Group I'll get exception Access is denied. Check credentials and try again.
Is there some other permissions that I need to add or is there some limitations to update logo using app permissions?
Here's the line of code that throws exception:
await graphClient.Groups[groupId].Photo.Content.Request().PutAsync(file.ContentStream);
Updating a Group's photo isn't supported using Application permissions. From the documentation:
Examples of group features that support only delegated permissions:
Group conversations, events, photo
External senders, accepted or rejected senders, group subscription
User favorites and unseen count
Microsoft Teams channels and chats.
Related
We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user, there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular outlook mailbox called my.test#org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need
to give application-permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
-AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
-PolicyScopeGroupId EvenUsers#contoso.com <-- would I put here my.test#org.com or the ID of the security group?
-AccessRight RestrictAccess
-Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed. It seems strange that in the first step we can only give tenant wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps looks good to me and i would do the same as well. Just provide necessary Graph permissions while you grant permissions to access your/others mailboxes - as described in the documentation/steps.
We have a daemon app that connects to teams using MS graph. It's using "Application Permissions" mode and Admin consent is granted for most permissions. We are able to add channels (private or 'standard'), add/remove members, etc... from this service based on company requirements. All is well.
For the ChannelMessages, we'd like to be able to retrieve them based on userPrincipalName, from the same tenant that the app is registered in. (I know there is an ChannelMessage.Read.All with Application Permission and it requires us to submit a form to MS, we are not currently pursuing that route...).
Do we have to create ConfidentialClientApplication object to communicate with MS graph? If so, how do we create a ClaimsPrincipal or ClaimsIdentity, based only on userPrincipalName? Or is there a different solution to this problem?
Your help is appreciated.
thanks,
Art
I am developing an app in Microsoft Teams using the App Studio. Towards the end of the proccess, in the section Domains and Permissions, you are allowed to give resource-specific consent permissions such as File.Read.Group. I was wondering where I would use these permissions (Microsoft Graph, Azure AD Graph, ...) to programmatically access an API. As a side question, does anybody know which permission allows the app to manage group members?
Thank you!
Here is a good read on that permissions settings page, those consent permissions are not actually a part of azure ad app registrations as of this articles writing. so that means while they are sort of graph permissions, you would use them against the graph api. They are for specific teams based resource specific permissions.
https://blog.thoughtstuff.co.uk/2020/01/microsoft-teams-has-a-new-more-granular-and-resource-specific-permissions-model-for-apps-what-is-resource-specific-consent-rsc-and-how-do-i-use-it/
the official documentation on the matter: https://learn.microsoft.com/en-us/microsoftteams/platform/graph-api/rsc/resource-specific-consent
as per the microsoft link i don't see a resource specific permission to "edit" groups members.
I'm trying to access a group calendar using the microsoft graph api as the application (I don't want to use delegate permissions).
If I request calendar events using the below I get the events for the user just fine.
https://graph.microsoft.com/v1.0/users/[emailAddress]/events
If I make a request to the following I get group information:
https://graph.microsoft.com/v1.0/groups/[groupId]/
If I make a request to this:
https://graph.microsoft.com/v1.0/groups/[groupId]/events
I get "Access is denied. Check credentials and try again."
In azure portal, I've given my app service the following Application permissions:
Calendars.Read
Calendars.Read.Shared
Group.Read.All
User.Read.All
What am I missing?
Applications permissions to list events is currently not supported. Also, listing events using delegated permissions with a Personal accounts is not supported. Please refer to List Events documentation which has the details. You can also refer to known limitations of Graph here.
A user voice on this feature request is also available here and you can upvote the same so that the product team can include into their plans.
I'm trying to create Planner Plan using Microsoft Graph API. As documented it requires groupId. I also create Group, but when i create a Planner plan using Graph Explore it returns a 403 with the message
"You do not have the required permissions to access this item, or the item may not exist."
I'm aware that in order to create a plan, It required Group.ReadWrite.All permission on Delegated (work or school account). I granted these in the Azure Portal but still get same error.
One thing is I don't know how to determine if my account is a "work or school account". My account was created by the admin of my tenant and it uses the of my organization so I guest it is Work account.
What do I have wrong here, do I need another API to assign plan to group before create?
EDIT1:
Here is the request body when i'm create a Planner Group, I'm also tried to toggle "securityEnabled" to true but it still fail when create a plan
And Here is the Request body when I create Planner Plan
EDIT2:
I also tried to update Planner plan by this API and it still failed. It seems Group.ReadWrite.All permissions does not apply to my account
Your request is failing because you are not a member of the group in which you are trying to create a plan. Changing group content requires the calling user to be a member. Owners of the group currently cannot edit the Planner content in the group, unless they are also members.
Although you have requested Group.ReadWrite.All, you cannot authorize this permission until you have received "Consent" from an Administrator.
If you're using the Azure Portal to register you app (aka the v1 Endpoint) then your admin can either use the Admin Consent workflow or directly grant permission within the portal. You can read more about he Consent Framework in Integrating applications with Azure Active Directory.