Microsoft Graph API Webhooks require TLSv1.0 - microsoft-graph-api

Is there a setting for the Microsoft Graph API webhooks that will allow them to be created without using TLSv1.0 SSL? We have disabled 1.0 due to security concerns, but the Graph API seems to require it. Whenever I try to set up a subscription I get the following error:
"error": {
"code": "InvalidRequest",
"message": "The underlying connection was closed: An unexpected error occurred on a send.",
"innerError": {
"request-id": "3b78353d-6a51-45f8-9353-0402fc0b60c5",
"date": "2017-05-25T14:20:39"
}
}
To verify that TLSv1.0 was the problem, we temporarily allowed it to our servers and the subscription could be made. As soon as we turned it back off we no longer received notifications and could no longer make subscriptions.
Has anyone else encountered this issue?

TLS versions 1.1 and 1.2 have been enabled in Microsoft Graph Webhooks. You should be able to disable TLS 1.0 now.

Related

Microsoft Graph 502 Bad Gateway - Failed to execute backend request when creating a private channel (beta API)

I'm trying to create a private channel in a Team using the Microsoft Graph API. I'm using the beta API because the membershipType (to make the channel private) is not available in the 1.0 API. My code was working fine until yesterday; now I get a 502 Bad Gateway error, with the message Failed to execute backend request:
Server error: `POST https://graph.microsoft.com/beta/teams/{my-team-id-is-here}/channels` resulted in a `502 Bad Gateway` response:
{
"error": {
"code": "BadGateway",
"message": "Failed to execute backend request.",
"innerError": {
"request-id": "2ceece83-e3ff-455d-bc7b-b82f5454269f",
"date": "2020-04-17T12:45:12"
}
}
}
The JSON body sent with this request :
displayName = "Private Channel Test"
membershipType = "private"
description = "Test"
I have all the privileges in my AccessToken and I am Owner of this team. If I switch to the 1.0 API with the same code, the channel gets created, but is public, which is correct because the membershipType is not available in this API, but here I need to create private channels, not public.
The scope of my Token :
Files.ReadWrite.All Group.ReadWrite.All GroupMember.Read.All offline_access openid People.Read.All profile Sites.Read.All Sites.ReadWrite.All User.Read User.Read.All
Did anyone ever have this problem, and a solution?
The problem is that I reached the limit of 30 private channels. Even though my private channels are all «deleted», they are still available to restore for 30 days, after which they are permanently deleted. I tested with a new Team and my code is working fine.
It would be nice to have a detailed error, I wouldn't have spent time debugging what is not really a bug.
When trying to create a private channel from Microsoft Teams, I get the error «Your team has reached the maximum number of private channels.». I should have tried this before...
More information here : https://learn.microsoft.com/en-us/microsoftteams/private-channels
I was successfully creating private channels using the v1.0 API, because it's supported now.
The JSON content of the request requires at least one owner.
I received this error when I (accidentally) attempted to specify owners in the JSON that weren't members of the Team.

bookingBusinesses "Mailbox does not exist"

I'm trying to use the Microsoft Bookings API in Microsoft Graph. I've gone through the OAuth stage where I grant access and retrieve an authorization code from the token api. This works well. My issue now is that I get this response:
{
"error": {
"code": "ErrorInvalidOperation",
"message": "Mailbox does not exist.",
"innerError": {
"request-id": "e40bf9b9-8f2b-48e9-bb37-7a9ce1794ae7",
"date": "2020-01-27T21:28:46"
}
}
}
When I run the request recommended here: https://learn.microsoft.com/en-us/graph/api/resources/booking-api-overview?view=graph-rest-beta
POST https://graph.microsoft.com/beta/bookingBusinesses
Authorization: Bearer {access token}
Content-Type: application/json
{
"displayName":"Contoso"
}
(With another displayName)
I don't get what's wrong, do I need to set something up for my account or for the application in the Azure dashboard?
Any help would be greatly appreciated!
Found the answer!
The license for the company I was working for was not sufficient. Had to upgrade license to "P1" license.
The company I'm working for has also outsourced the management of their Microsoft environment, which means I couldn't change that license myself.
Changing the license fixed the problem though!
I have experienced the same problem with our organisation using a service account. I am doing exactly the same request and receiving exactly the same result from Graph API. However, our service account has an MS A3 license with MS booking permission. We found out the reason for it is that the service account was not granted an Exchange mailbox, and it works after we granted an Exchange mailbox to the account.

HTTP 400 for graph /sites endpoint - Error authenticating with resource

I'm getting an HTTP 400 on a request for https://graph.microsoft.com/v1.0/sites?search=* but expected response is an HTTP 200 w/ data.
It works successfully in multiple client environments (i.e. 100s of environments), but it doesn't work for one of our clients.
The application does successfully return calls for /groups, /domains, and other endpoints prior to hitting this HTTP 400.
The error is:
Error authenticating with resource
Response from remote side is:
{
"code": "AuthenticationError",
"message": "Error authenticating with resource",
"innerError": {
"request-id": "1d68c066-dba8-487e-b3a8-bd77f517d394",
"date": "2019-06-25T18:50:31"
}
}
I'm not sure of the next steps from here. HTTP 400 suggests a malformed request, but I'm guessing this should actually be an HTTP 403 or 401 response instead of a 400?
Not sure how to resolve, please let me know, thanks!
edit: request-id added back in
If you're able to call other resources the same way (i.e. /groups), it would suggest a lack of permissions. Be sure the app or user authenticating has the required permissions:
Delegated (work or school account): Sites.Read.All, Sites.ReadWrite.All
Delegated (personal Microsoft account): Not supported.
Application: Sites.Read.All, Sites.ReadWrite.All
Documentation here

Microsoft Graph Webhook Missing ClientState

I am having trouble starting a Microsoft Graph webhook subscription (for a mailbox in particular). When initiating the subscription it appears as though Microsoft accepts all of the parameters I am sending to configure the subscription but fails the total subscription because it is receiving a non 2xx response from the endpoint I have configured.
The reason my endpoint is sending a 401 back to Microsoft is because their POST that includes the subscription validation token is missing the clientState.
I am using the clientState key-value pair to authenticate all the communication between Microsoft and my endpoint. If my endpoint does not see the correct clientState it will return a 401.
Any ideas on what I might be missing or if I should go about this in a different way? In my opinion allowing my endpoint to accept unauthenticated GET/POST's is not an option.
Example request body using POST method including the API key in the header:
{
"changeType": "created",
"clientState": "testClientState",
"resource": "users/<UserName>/messages",
"expirationDateTime": "2017-08-10T10:24:57.0000000Z",
"notificationUrl": "<EndpointURL>"
}
Error Returned from Microsoft:
"error": {
"code": "InvalidRequest",
"message": "Subscription validation request failed. Must respond with 200 OK to this request.",
"innerError": {
"request-id": "adf7fc7b-6b14-4422-8526-c1391be8dd27",
"date": "2017-08-07T16:24:59"
}
}
I understand everything to work as intended until my endpoint is sent the validation token because I receive the validation token but my endpoint rejects it because it is missing the client state.
Endpoint Log Snippet:
queryStringParameters": {
"validationToken": "<ValidationToken sent by Microsoft>"
}
I am basing my API endpoint logic off of some of Microsoft's developer guides. For the subscription creation in particular I am using this guide.
It appears this question was also asked but not answered on GitHub.
I represent Microsoft Graph Web hooks team ...
We verified your request in our MS Graph Service logs and confirmed that it failed at the Subscription validation phase because of HTTP status code='Unauthorized' from your endpoint ... Up to this point everything is correct per your observation ...
By design, MS Graph Web hooks do not send the clientState header as part of the Subscription validation request. Please do not expect this header during the subscription validation.
More information
You would have expected to receive the clientState as part of the validation request header because Office365 graph sends it https://msdn.microsoft.com/en-us/office/office365/api/notify-rest-operations. Office 365 Graph is different from MS Graph ...
There are some document improvements observed with this question at https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/subscription_post_subscriptions ... Example Publisher Notification Payload, which is after successful subscription is mentioned together with the Subscription validation … We fixed those.
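The behaviour described in the answer above, as an added example that is not part of the original thread or Microsoft's code: the endpoint answers the validation handshake, which carries only a validationToken and no clientState, and enforces clientState on every later change notification. The function name, the 401 on mismatch (taken from the asker's design) and the notification body shape (a "value" array whose items each carry "clientState", as in Microsoft Graph change notifications) are assumptions of this sketch.

```python
import hmac
import json

# Constructed sample: the clientState used in the question's subscription request.
EXPECTED_CLIENT_STATE = "testClientState"


def handle_graph_post(query, body, expected_state=EXPECTED_CLIENT_STATE):
    """Return (status, content_type, body) for one POST to the notificationUrl.

    query: dict of query-string parameters; body: raw request bytes.
    """
    # Validation handshake: Graph sends ?validationToken=... and no clientState.
    # The only work done on this unauthenticated path is echoing the token,
    # as text/plain so it can never be rendered as markup.
    token = query.get("validationToken")
    if token is not None:
        return 200, "text/plain", token

    # Anything else must be a change notification: {"value": [ {...}, ... ]}.
    try:
        items = json.loads(body)["value"]
    except (ValueError, KeyError, TypeError):
        return 400, "text/plain", "malformed notification"
    if not isinstance(items, list) or not items:
        return 400, "text/plain", "malformed notification"

    # Reject the whole batch if any item lacks the shared secret.
    # compare_digest avoids leaking the secret through comparison timing.
    for item in items:
        state = item.get("clientState") if isinstance(item, dict) else None
        if not isinstance(state, str) or not hmac.compare_digest(
            state.encode(), expected_state.encode()
        ):
            return 401, "text/plain", "clientState mismatch"

    # Acknowledge quickly; real processing would be queued after this point.
    return 202, "text/plain", ""
```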

Youtube API with AFNetworking failed

I am trying to use the Youtube API to pull in all the videos from a particular channel. I set up the project in Google Developers Console and got an API browser key. I enabled YouTube Data API v3 and for safe measure, I enabled YouTube Analytics API.
I do not know why I am getting this error. Can anyone help me? This is my console output.
"error": {
"errors": [
{
"domain": "usageLimits",
"reason": "ipRefererBlocked",
"message": "There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed.",
"extendedHelp": "https://console.developers.google.com"
}
],
"code": 403,
"message": "There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed."
}
Did you add any bundle id's to "Edit allowed iOS apps..." in your API Access panel? If you did, remove them all. iOS apps: should now say "Any app allowed". This fixed this issue for me.
I am told that this is fixed by simply removing all IPs from the edit allowed IPs option. This makes it less secure, but it will accept all IPs after that.
