What is the minimum set of permissions require in AAD App to access graph API -checkMemberGroups ?
Here are the list of permissions I tried with. Can this set be reduced any further? And am I missing any mandatory permissions?
Delegated Permissions -
Microsoft Graph API
Read all users' full profiles
Read all groups
Access directory as the signed in user
Sign in and read user profile
Windows Azure Active Directory
Read all users' full profiles
Read all groups
Access directory as the signed in user
Sign in and read user profile
If you were developing checkMemberGroups with Microsoft Graph, there is no need to config the corresponding permission for the Windows Azure Active Directory.
And to call the this API, if you have granted the User.Read.All, there is no need to grant other three permission. As the document mentioned that One of the scopes is required.
It depends on the type of data you want to get from Graph. If you just want to sign in the end user and get their basic profile info, you can simply set Sign in and read user profile.
Each scope relates to some data or endpoint you want to access. Figure out that list of data your scenario requires, then compare that with the scopes.
After some experimentation, it seems that the minimum permissions are the following:
/me/checkMemberGroups
User.Read
GroupMember.Read.All
/users/{userId}/checkMemberGroups
User.ReadBasic.All
GroupMember.Read.All
Related
We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user, there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular outlook mailbox called my.test#org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need
to give application-permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
-AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
-PolicyScopeGroupId EvenUsers#contoso.com <-- would I put here my.test#org.com or the ID of the security group?
-AccessRight RestrictAccess
-Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed. It seems strange that in the first step we can only give tenant wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps looks good to me and i would do the same as well. Just provide necessary Graph permissions while you grant permissions to access your/others mailboxes - as described in the documentation/steps.
I am trying to read a person's Out of Office text with MSGraph. I understand the only way to do this is by getting the person's mailbox settings as indicated here.
Is there another way to read a person's Out of Office Message?
Assuming there is no other way I then have read for example in this link that to call GET /users/{id|userPrincipalName}/mailboxSettings you need to have Application Permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. Is this still the case? It does not make sense to me that you need Application level permissions. Is there not a delegated (admin consent required) MailboxSettings.Read.All??? The problem is that most IT departments will be hesitant (or pigs are going to fly before some IT departments) give an application this permission to run without a signed in user.
Alternatively, I see that there is a User property of mailboxsettings, thus using the $select query parameter you can call this https://graph.microsoft.com/v1.0/users/{id}?$select=mailboxSettings does or should this work with the User.Read.All.
UPDATE in accordance with the suggestion below I have added 2 suggestions to the MSGraph user voice.
A person's out of office information should be included with their calendar / freebusy (getschedule) information.
There should be a Mailboxsettings.Read.All permission.
Please click on the link and vote them up if you agree.
No, there is no MailboxSettings.Read.All or MailboxSettings.Read.Shared. You can see the list at https://learn.microsoft.com/graph/permissions-reference#mail-permissions. I encourage you to request this as a feature at https://microsoftgraph.uservoice.com.
One possible approach given the currently available permissions around this API is to use app permissions and configure an app access policy to limit the mailboxes it can access - if that's the concern you're mentioning. I'm not clear on why it would be preferable to give a user account access to this info for all mailboxes in an org but not an app service principal.
It isn't included as part of User.Read.All by design. It's not really a property on the user, it's config stored in the mailbox. It's abstracted as a property in Graph, but it requires additional permissions to access.
My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires to login using that account's credentials, and I wouldn't like to share account's password (which I have) with those users.
Is it possible to to grant permission for those users' accounts so MS-Graph will allow them to read/write/send messages from that account, once they have logged in? If so, how would it done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. Administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant
I have created an app in https://apps.dev.microsoft.com portal with name GroupsApp and I have given couple of permissions as below:
I have created client id and secret to use in my application. I am using asp.net MVC (with 4.5.1 .net framework) web application.
I am getting some groups info and displaying on the screen. If I am logged with my account it is working fine. But if I logged in as another user then it is giving me issue as below:
I have formatted url as below: https://login.microsoftonline.com/948894dc-c0e2-43e5-a7e6-1d21dd183c9d/oauth2/authorize?client_id=75acb700-e675-4dc4-9deb-d3f68f6911a1&response_type=code&redirect_uri=http://localhost:34280&prompt=admin_consent and trying to granted the permission. Here I have logged in as admin and given permissions.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
I could encounter the same issue according to your settings. I assumed that you may hit the Admin-restricted scopes of AAD v2.0 as follows:
Some high-privilege permissions in the Microsoft ecosystem can be set to admin-restricted. Examples of these kinds of scopes include the following permissions:
Read an organization's directory data by using Directory.Read
Write data to an organization's directory by using Directory.ReadWrite
Read security groups in an organization's directory by using Groups.Read.All
Although a consumer user might grant an application access to this kind of data, organizational users are restricted from granting access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they are not authorized to consent to your app's permissions.
You could Using the admin consent endpoint and follow this Build an app with admin restricted scopes using the v2.0 endpoint github code sample to ensure your app can gather permissions for all users in a tenant, including admin-restricted scopes.
I'm trying to create Planner Plan using Microsoft Graph API. As documented it requires groupId. I also create Group, but when i create a Planner plan using Graph Explore it returns a 403 with the message
"You do not have the required permissions to access this item, or the item may not exist."
I'm aware that in order to create a plan, It required Group.ReadWrite.All permission on Delegated (work or school account). I granted these in the Azure Portal but still get same error.
One thing is I don't know how to determine if my account is a "work or school account". My account was created by the admin of my tenant and it uses the of my organization so I guest it is Work account.
What do I have wrong here, do I need another API to assign plan to group before create?
EDIT1:
Here is the request body when i'm create a Planner Group, I'm also tried to toggle "securityEnabled" to true but it still fail when create a plan
And Here is the Request body when I create Planner Plan
EDIT2:
I also tried to update Planner plan by this API and it still failed. It seems Group.ReadWrite.All permissions does not apply to my account
Your request is failing because you are not a member of the group in which you are trying to create a plan. Changing group content requires the calling user to be a member. Owners of the group currently cannot edit the Planner content in the group, unless they are also members.
Although you have requested Group.ReadWrite.All, you cannot authorize this permission until you have received "Consent" from an Administrator.
If you're using the Azure Portal to register you app (aka the v1 Endpoint) then your admin can either use the Admin Consent workflow or directly grant permission within the portal. You can read more about he Consent Framework in Integrating applications with Azure Active Directory.