I use django-allauth to get an access token.
Then i make this call :
https://graph.facebook.com/v2.8/10153430807524570/?access_token=' +
access_token
And i get this error message :
{'error': {'type': 'GraphMethodException', 'code': 100, 'fbtrace_id':
'GILhd/N+d7D', 'message': "Unsupported get request. Object with ID
'10153430807524570' does not exist, cannot be loaded due to missing
permissions, or does not support this operation. Please read the Graph
API documentation at https://developers.facebook.com/docs/graph-api"}}
when i use the access token from the Graph API explorer, it works.
The 2 access tokens are different.
Got an answer for my problem.
It is a matter of permissions : Django-allauth access token and the one i get from Graph explorer are not giving the same permissions.
Related
I am trying to create GDAP relationship request using MS Graph endpoint
POST /beta/tenantRelationships/delegatedAdminRelationships
I am getting an access token from Azure app that has the application permission DelegatedAdminRelationship.ReadWrite.All granted to it.
I verified that the request header contains a bearer access token and that the token contains
"roles": [DelegatedAdminRelationship.ReadWrite.All]
However I am receiving the error: forbiddenUserDoesNotHaveAccess.
What am I missing?
According to the documentation the required scope for DelegatedAdminRelationship.ReadWrite.All permission is only delegated.
Application permission type is not supported.
Hi I am trying to access the microsoft graph endpoint https://graph.microsoft.com/v1.0/me/contacts but I receive a 404.
** ISSUES IT SHOULDN'T BE **
it should not be the problem with the exchange mailbox, since it works for the user in the explorer
it's not the code, since the token from the graph explorer works in the code
both tokens seems to have the same permissions
The image below is a picture of the decoded accesstoken, one is from the graph explorer and one is a token received from my own Oauth flow (auth code grant), they are trying to access the same users contacts.
Anyone know what I am doing wrong?
To access the https://graph.microsoft.com/v1.0/me/contacts, I think "Contacts.ReadWrite" permission is also required which is missing in the scopes of the above image. Can you please check the permissions here:https://learn.microsoft.com/en-us/graph/api/user-list-contacts?view=graph-rest-1.0&tabs=http#permissions.
Hope this resolves the issue. If not please share Client request id and timestamp of the query.
I have a Logic App that is calling the Graph API to create lots of O365 Groups. For the creation, I am using Application permissions with a registered Azure app which works great.
However, I am now trying to hide O365 groups from the GAL.
I need to set these parameters:
{
"hideFromAddressLists": true,
"hideFromOutlookClients": true
}
I am having the same issue described here. But I can't figure out how to call the Graph API on behalf of a user, with Delegated permissions. I've tried setting up an Azure Managed Identity and setting it's permissions as per these instructions, but I am getting error:
"code": "ErrorGroupsAccessDenied"
"message": "User does not have permissions to execute this action.",
Can anyone help?
These are the App permissions I have set, but I am still getting "ErrorGroupsAccessDenied" "User does not have permissions to execute this action."
As your mentioned it requires to be called with delegated permission, so you can't get the access token just by MSI. According to the page you provided about MSI, it seems just use the service principal to verify the permissions. It still use application permission but not delegated permission. So please refer to the steps below to get the access token and then request the graph api.
1. Create an "HTTP" action to get the access token(we need to use username/password grant flow in this http request).
2. Use "Parse JSON" action to parse the response data from the HTTP action above.
3. Request the graph api to update the group(with the access token from "Parse JSON" action).
Please notice there is a space between "Bearer" and "access_token".
Trying to post events to user calendars for our organization. Getting a 401 error.
Azure admins created an app/user, and gave permissions
Delegated Graph Permissions: Calendars.ReadWrite
App graph permissions: Calendars.ReadWrite
I can connect to the OAuth token generation end point, and retrieve a token. Using that token, I can't send my JSON payload and create a series of calendar events, I get a 401. The JSON is known good - I can copy/paste it into the graph explorer tool and get correct results.
I've examined a generated token using jwt.ms and I'm not seeing anything related to permissions, calendars, etc.
Our Azure logins use empIDnumber#example.com and I've been told that is what our userPrincipalName is
I've tried changing the URL end point with no change-
/v1.0/users/empIDnumber#example.com/calendar/events
and
/v1.0/users/empIDnumber#examplecom.onmicrosoft.com/calendar/events
Where should I look next?
Solved.
Slight typo in the content of the JSON I was sending, was only able to find it by doing the POST using postman. Java was throwing an exception, not showing the returned string as well as the exception message, but postman showed the returned JSON with content regarding malformed date/time.
Still got 401 exceptions though, so The Fix Part II was to add an Accept-Encoding property set to application/json to my http client request options array.
Still no claims showing up in my tokens, but that is a non-issue apparently.
I'm trying to build an application that uses Microsoft Graph to automatically create and read pages in OneNotes stored in SharePoint 365.
I can successfully do this using Graph Explorer as long as I am logged in, but can't get it to work using a bearer token in Postman
The error I am getting is:
Either scp or roles claim need to be present in the token
I successfully get an access token using this:
https://login.microsoftonline.com/common/oauth2/v2.0/token
And passing in the grant_type, client_id, client_secret, code, redirect_uri and scope
Then I perform the following call, with the bearer token included in the header:
https://graph.microsoft.com/v1.0/sites
With the following getting returned:
{
"error": {
"code": "AccessDenied",
"message": "Either scp or roles claim need to be present in the token.",
"innerError": {
"request-id": "fa442c72-4ffe-493b-a33a-8e9e78c94f09",
"date": "2018-01-19T09:56:34"
}
}
}
I have set up graph permissions as per below. I have also tried enabling ALL Notes permissions configured with the same result though
Graph Permissions Image
One post I found said to check http://jwt.calebb.net/ what is returned in the token, and I found that it doesn't contain any roles, so I wonder if this is the problem.
You may need to state your tenant in the url when getting the token :
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Thanks to Tsuyoshi Matsuzaki as seen here : How to use Application Permission with Azure AD v2
Your application can get access token using the following HTTP request
(OAuth). Note that you cannot use
https://login.microsoftonline.com/common/oauth2/v2.0/token (which is
commonly used) for getting the token. Instead, you must use
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token, which
identifies the specific tenant.
The call that you mentioned "https://graph.microsoft.com/v1.0/sites" is not valid.
Also request to ~/sites/... routes may need other permissions in addition to Notes.ReadWrite.
Recommend to follow steps mentioned in the following references:
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service