I'm attempting to take advantage of the public preview of Microsoft Graph reporting APIs for retrieving Office 365 product usage data. I have an application registered for Graph that successfully executes Graph calls for non-reporting APIs (i.e. the access_token I generate with my app is successfully used to access users information for a tenant: https://graph.microsoft.com/beta/users) but when I try any of the report resources I encounter the below error:
Invalid scope claims/roles.
According to the documentation I've read this would seem to imply that my app does not have the necessary permissions for reports but this is not correct as I have confirmed that the app has the "Read all usage reports" application permission enabled.
Has anyone else encountered similar challenges with the Microsoft Graph reporting APIs and have any suggestions that I could try?
If you added this scope after you had already authorized the application, it may still be using the previous/cached list of scopes. You can force re-authorization by adding ?prompt=consent to your initial authorization URL. For example:
https://login.microsoftonline.com/common/oauth2/authorize?client_id={app id}
&response_type=code&redirect_uri={redirect uri}&prompt=consent
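Before forcing re-consent it is worth checking what the token you already hold actually carries: the "Invalid scope claims/roles" error means the permission is absent from the token's `roles` (application) or `scp` (delegated) claim, whatever the portal shows. The following is an added example, not code from the question or from Microsoft; it decodes a Graph access token's payload and checks for the permission behind "Read all usage reports" (`Reports.Read.All`), and it handles both app-only and delegated tokens, which is more general than this one question. The sample tokens are constructed and unsigned.

```python
import base64
import json

# Application permission behind "Read all usage reports" in the Graph portal.
REQUIRED_REPORTS_PERMISSION = "Reports.Read.All"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.

    Inspection only: nothing here checks who issued the token, so use it
    to see what claims a token carries, never to make an access decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_permission(token: str, required: str) -> dict:
    """Report whether `required` is in the roles (app-only) or scp (delegated)
    claim, and which kind of token this is."""
    claims = decode_jwt_payload(token)
    roles = claims.get("roles", [])          # application permissions (list)
    scopes = claims.get("scp", "").split()   # delegated permissions (space separated)
    token_type = "application" if roles and not scopes else "delegated"
    return {
        "token_type": token_type,
        "has_permission": required in roles or required in scopes,
        "roles": roles,
        "scopes": scopes,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned token (alg=none) for offline demonstration."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: a token minted before the permission was consented
# (only User.Read.All in roles) and one minted after re-consent.
STALE_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
FRESH_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All", "Reports.Read.All"]})
```

If `has_permission` is false for a token you obtained after granting the permission in the portal, the token was issued from cached consent and the `prompt=consent` re-authorization above is the fix.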
I am attempting to use "v1.0/me/joinedTeams" to get all the joined teams for the currently authenticated user in my asp.net service. This works fine for external accounts that use a Microsoft identity (have a live account) but the same call returns a 400 Bad Request when I attempt to use an external account that uses a mail identity (no live account). The request is the same regardless of external account type. The token generated when authenticating as the mail identity external user looks correct when I inspect it.
I have been able to implement a workaround where I instead use the SharePoint REST service to get the groupId for the team site the user is a part of and then use the Graph call "v1.0/teams/{groupId}" to get that team. However, I need to do this for all the teams the external user has access to, which slows things down quite a bit.
I am aware of what looks like a bug in Graph when trying to make any Graph calls with any external user type, described here: https://github.com/OneDrive/onedrive-api-docs/issues/1039. I have also implemented the workaround for this issue which requires first accessing each site the user has access to by making some arbitrary call using the REST service. Then any subsequent calls using Graph should work. I do this for external accounts with a mail identity before trying to make the joinedTeams call but still run into the 400 response.
These workarounds will suffice in the short term, but they increase my execution time significantly, especially when there is a large number of teams the external user is a part of. Any insight on a solution is greatly appreciated.
/me/joinedTeams is not available for personal Microsoft accounts. See the table on this page.
I'm using this URL https://login.windows.net/(the Tenant ID of the App that I made in Azure AD)/oauth2/token to create a token for the Power BI API. My Postman looks like this:
But when I use this access token to do some operations like getting a list of reports in a dataset, I get 401 Unauthorized:
Exactly which steps I have taken so far can be seen in this question. I also haven't created a service principal; is that needed here? Am I missing a step?
I tried to follow all the steps, it's working fine for me.
Please check the API permissions provided for your registered app.
You can check the required permission API Permissions -> Add a permission -> Power BI Service and select the required permission.
For instance, we need these permissions to access the datasets:
You can also try the same with the 'try it' feature from here:
Datasets - Get Dataset In Group - REST API (Power BI Power BI REST APIs) | Microsoft Docs
I'm trying to get a list of devices associated with my Microsoft account. When somebody uses his Microsoft account for logging into his Windows account, he can see that a new device, from which he has logged in, appears in https://account.microsoft.com/devices/. So, I'd like to get this list using the API. I've tried to send a GET request to https://graph.microsoft.com/v1.0/devices as the documentation says, using my access token, but an empty list is returned although in https://account.microsoft.com/devices/ there are registered devices. What's the problem?
The /devices endpoint hasn't been released so it isn't available under /v1.0. It is only available under /beta.
You can find details on how to use /devices in the Beta documentation.
I'm trying to use Microsoft Graph from my app via REST API graph.microsoft.com/beta/schemaExtensions
Here is what I did:
1. Register app at https://apps.dev.microsoft.com
2. Checked for all Delegated and Application authorizations
3. Got access token without a user based on OAuth Client Credentials Grant flow
4. Asked for Admin Consent with access token retrieved from point 3. and it was successful using https://login.microsoftonline.com/tenant/adminconsent?client_id=xxx&state=12345&redirect_uri=http://localhost:8081
5. POST to /beta/schemaExtensions with access token retrieved from point 3. and I have this error:
Authorization_RequestDenied - Insufficient privileges to complete the operation
So here are my questions, hoping someone could help me:
How do I check if delegate authorization is ok after Admin Consent request?
Which privileges are missing to use schemaExtensions?
My app should work without a user, it's the preferred approach.
Couple of things here.
Extensions is GA and available on the /v1.0 version. Please use that instead of /beta.
We don't support schema extension registration using application permissions. It requires the Directory.AccessAsUser.All permission today (we're also investigating if there's another less privileged permission we can use here) per the create schema extensions topic.
Registering a schema extension can be a separate process from your application actually using the extension to create custom data on target object instances.
As such we are making a change (should be available shortly) to allow you to register and manage schema extensions for your app using Graph Explorer. There is also a user voice request to have a UI experience in app registration for schema registration/management. Please vote for this if it's important to you.
I'll update this post once Graph Explorer supports registering and managing schema extensions.
Hope this helps,
To answer the follow-up question, the calling user should have read/write access to add custom data to another user. However, you can use open extensions to add custom data to the calling user using /me/extensions (as long as the app has user.readwrite or higher permissions).
While getting managed apps from Intune using the Graph API is no problem, every time I try to delete an app from Intune, I get 403 Forbidden.
DELETE https://graph.microsoft.com/beta/deviceAppManagement/{appID} - returns 403
GET https://graph.microsoft.com/beta/deviceAppManagement/{appID} - returns 200
I've tried adding the application in the app registration portal and adding it as an app in the Azure AD.
First I get an auth code from here:
https://login.microsoftonline.com/{TenantID}/oauth2/authorize?response_type=code
&redirect_uri=localhost
&client_id={MyAppID}
&resource={ "https://graph.microsoft.com"}
&prompt=admin_consent
&scope=DeviceManagementApps.ReadWrite.All
And then obtain a JWT token from here, using the code:
POST https://login.microsoftonline.com/{TenantID}/oauth2/token
-Body grant_type=authorization_code&redirect_uri={redirectURI}&client_id={App/ClientID}&client_secret={App/ClientSecret}&code={MyAuthCode}&resource=https://graph.microsoft.com
I then use the returned token to make calls to the graph api.
I've also tried using the common endpoint, but to no avail.
Am I missing some permission scope I need to set? I have the following delegated permissions set for the app, and I'm authenticating using an admin account on an MS demo account.
Read and write Microsoft Intune apps (preview)
Sign in and read user profile
Read and write directory data
If it's a "Managed" app - those are built-in apps that Intune ships, and can't be deleted. Can you verify that it works if you create/delete a standard iOS store app via Graph API?