First post...here goes. I am trying to display email from a shared mailbox but run into "ErrorAccessDenied Access is denied. Check credentials and try again".
The user does have permission to the mailbox, I can access/read email in Outlook and in O365 portal. In my app I have also assigned Mail.Read.Shared and Mail.ReadWrite.Shared scopes.
At first I tried Graph Explorer
https://graph.microsoft.com/beta/users/<userPrincipalNameOfSharedMailbox>/messages
but same ErrorAccessDenied, assumed Graph Explorer did not have Mail.Read.Shared scope.
Next I tried to modify Microsoft Graph Snippets Sample for ASP.NET 4.6
I added Mail.Read.Shared and Mail.ReadWrite.Shared and was prompted to accept these permissions
• Read and write mail you can access
• Read mail you can access
but I get the same error when I try get mail from the shared mailbox
IUserMessagesCollectionPage messages = await graphClient.Users["userPrincipalNameOfSharedMailbox"].Messages.Request().GetAsync();
There was a similar post here Microsoft Graph API SDK .NET Issues getting other users emails and the answer implies this is possible. If it is can anyone provide some insight as to what I am missing? thanks
Right now, accessing shared messages is not supported for the authorization_code flow, but it is supported for the client_credentials flow. In order to incorporate this functionality, you will have to change your flow to incorporate this.
Here is an article on creating a client_credentials flow app if you are interested in going this route.
Related
We use in our company email addresses for each employee and for 3 departments (service, support and reports) - for example <employee_name>#<company_name>.de or support#<company_name>.de ("<..._name>" is just a placholder for posting here). Our programs use PHPMailer for sending Emails from the 3 departments via SMTP without user interaction (Host: smtp.office365.com), that means the PHPMailer is called by programs/scripts that are started by the Microsoft Task Scheduler on a computer where none of our Microsoft-Users is logged in. Now we want to switch from Basic SMTP Auth to Oauth2.
So we registered in the main tenant (<boss_name>#<company_name>.de) in the azure portal a web app "PHPMailer" and received the refresh token with the file "get_oauth_token.php", which is included in PHPMailer. The mail order via OAuth is working now, but only when <boss_name>#<company_name>.de is the username and the email sender (From).
It's not working when both are for example reports#<company_name>.de (prefered way)
SMTP INBOUND: "535 5.7.3 Authentication unsuccessful [AM6PR10CA0036.EURPRD10.PROD.OUTLOOK.COM]"
And it's not working when <boss_name>#<company_name>.de is the username and From is for example reports#<company_name>.de (willy-nilly compromise)
SMTP INBOUND: "554 5.2.252 SendAsDenied; <boss_name>#<company_name>.de not allowed to send as reports#<company_name>.de
We tried to change the configuration for <boss_name>#<company_name>.de ("SendAs" parameter) and of the app in the azure portal (for example defining the department email addresses as owner of the app or adding Mail.Send in the Micrsoft Graph API as application permission) and waited 24 hours (synchronization delay) - but no change.
So i've read in the past weeks countless tutorials from Microsoft, PHPMailer and others, and forums like stackoverflow. But nowhere i could find the necessary information, how to change the configuration.
Examples:
Microsoft
Give mailbox permissions to another Microsoft 365 user - Admin help
Authenticate an IMAP, POP or SMTP connection using OAuth
Get access on behalf of a user
PHPMailer
Using Gmail with XOAUTH2 (unfortunately no explanation for Microsoft)
Basic Usage of the OAuth 2.0 Client from the PHP League
Microsoft Provider for OAuth 2.0 Client Microsoft OAuth 2.0 support for PHPMailer from Steven Maguire
But in this answer to my older question #ADyson wrote that the app just needs the appropriate permissions in the Graph API - so it must be possible. Unfortunately he didn't write, how to set the permissions...
So, how can i achieve my goal?
(Because the PHPMailer is working and i think it's just a configuration problem, i omitted code snippets. If you although need code or more information, please tell me...)
Update:
PHPMailer
Thanks to #greew i found a well made explanation with helpfull screenshots for delegated permissions:
Microsoft Azure and XOAUTH2 setup guide
Unfortunately it doesn't help for my case with application permissions, because it is made for the case, that the Microsoft user is logged in on the compauter where PHPMailer is working.
Not supported?
I found in the Microsoft page Authenticate an IMAP, POP or SMTP connection using OAuth the following hint:
Note As per the current test with SMTP Oauth 2.0 client credential flow with non-interactive sign in is not supported.
Does this mean, that i'm trying it for nothing, because it is not supported???
#biberman
I just tried setting up a new mailer with the correct permissions and also clicking the "Grant admin consent.." button.
This resulted in me being able to both get the refresh token and also send mail without user interaction on my behalf.
Note: I'm using the single tenant option in the App.
After i found in the Microsoft page Authenticate an IMAP, POP or SMTP connection using OAuth the following hint:
Note As per the current test with SMTP Oauth 2.0 client credential flow with non-interactive sign in is not supported.
i asked the same question in the Microsoft Q&A forum. There i received the following answer/comment:
Currently the Client Credentials flow isn't supported with SMTP Auth (it maybe in the future but there isn't a roadmap item that i know of) so you need to grant SendAS permissions to whatever account you trying to send as in the from or switch to using the Graph API eg one example https://katystech.blog/projects/php-graph-mailer that does support the client credentials flow.
I tried to solve the issue by letting the administrator grant the SendAs permission to all necessary mailboxes, but i still get the error SendAsDenied - maybe it doesn't work with modern authentication (OAuth).
At the end i used the graphMailer from the linked katystech.blog, which is a really slim solution compared to the PHPMailer. First i couldn't get it to work, because our administrator refused to grant the necessary Microsoft Graph permission Mail.ReadWrite (he has security concerns). But i changed the code, so that the email is "build" before sending it, instead of building the email step by step on the Microsoft server and then advising the server to send it (like in the original code).
Now the Mail.ReadWrite permission isn't necessary and i can send from different email addresses. To avoid rewriting the whole code, where the PHPMailer is used, i renamed the functions of Katys graphMailer (and adjusted the params), so that they are similar to the PHPMailer and i only need to replace = new PHPMailer( with = new graphMailer(...
I am working on a project, that sorts my emails in to folders in Python. I having a #outlook.com email and I am going to be using Microsoft Graph API. First I have just been using cURL to try out the different endpoints.
I have had a few problems, I am trying to get my personal access token, so I can use the endpoint /me/messages I have tried many different ways to authenticate using the documentation, but none of them seem to work. I don't have any active directory, I just want to use my own personal account, which I have selected when creating the project. Since my project is going to be running on the backend, I will be using the Application permissions instead of Delegated permission (please tell me if it is possible to use application permissions with my idea)
It would be helpful, if people could send me the cURL commands, to get my access token and maybe a example request to get my emails. Then I can translate this into Python code. If I receive any errors while executing your commands I will just comment on your answer.
Thanks in advance.
Based on the following documents I do not believe it is possible to use application permissions for a non-interactive (daemon) solution with a Microsoft Account. Only delegated permissions are supported since you as a user will not be able to grant admin consent on your Microsoft Account.
"Daemon applications can be used only with Azure AD organizations. It doesn't make sense to try to use daemon applications to manipulate Microsoft personal accounts. The admin consent will never be granted."
Scenario: Daemon application that calls web APIs
Account type support in authentication flows
I am building an app (HTTPS calls from LabVIEW) that will update my enterprise OneNote notebooks on Office 365 without the need for any user interaction. Hence I have opted for using the Client Credentials flow and granting Application permissions in Azure AD to my app (Read and write all OneNote notebooks) through Microsoft Graph.
I have referred to the instructions mentioned in the following pages:
https://msdn.microsoft.com/en-us/office/office365/howto/onenote-auth-appperms
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
https://learn.microsoft.com/en-gb/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
https://developer.microsoft.com/en-us/graph/docs/concepts/onenote-create-page
I am able to get an access token from Microsoft Graph but once I try to use it to update my notebooks by making a POST call to the URL
https://graph.microsoft.com/v1.0/me/onenote/pages
I get the error:
"The OneDriveForBusiness for this user account cannot be retrieved." Code - 30108
However, I am fully able to access OneDriveForBusiness online using the same account which created the app and the tenant ID of which I used to grant permissions. Can someone please clarify if there are certain restrictions regarding the type of O365 and OneDriveForBusiness subscriptions that are necessary for my requirements? Which particular subscription or their combinations thereof should allow me to achieve the flow I need?
You cannot use /me with Client Credentials. /me is an alias for /users/{currentUserId but since you're using Client Credentials, there is a User in context for the API to map that alias to. You are effectively calling /v1.0/users/NULL/onenote/pages in this case.
You need to explicitly specify the User you want to access:
/v1.0/users/{userId or userPrincipalName}/onenote/pages
I have an error while trying to use Microsoft Graph to write a script to upload an Excel file to OneDrive then read the Excel file.
I followed Microsoft documentation to obtain the access token without user. I successfully got an access token but I got an error while using the access token to call the OneDrive API.
Here is the response:
{
"error": {
"code": "BadRequest",
"message": "Tenant does not have a SPO license.",
"innerError": {
"request-id": "5ec31d17-3aea-469f-9078-de3608f11d0d",
"date": "2017-10-10T04:34:05"
}
}
}
I don't understand why I need to have SPO license while calling graph API and how to get it. Because of this error message so I'm trying to buy a SPO license.
According to this document, I think I should see many products in the license pages but while logging in with Azure Portal and go to the License page, I see only 2 products: Azure AD Premium and Enterprise Mobility Suite:
In case anyone else has a similar issue, I was getting the same error message when using an Office 365 Home license. It turns out SPO stands for SharePoint Online, and you need an Office 365 Business account to have it. So as far as I can tell, you can't use the Microsoft Graph API to access OneDrive without having SharePoint (which only comes with the business licenses). This isn't really made clear anywhere that I could find.
Answering a couple of things here.
Background: Microsoft Graph is the developer gateway or API to many Microsoft cloud services, like Office 365, Azure Active Directory, EMS (Enterprise Mobility Suite), personal Outlook, personal OneDrive and more. Use of the API is free, but to access the data behind it, you need to actually have those services - in some cases they may be free and in other cases you may need to pay for them.
As for adding Office 365 to your existing tenant. I believe you've signed up for Azure using a Microsoft Account. This means that you already have an Azure Active Directory tenant. You can still purchase/acquire Office 365 for that tenant. All you need to do is create a new Azure AD user (not a Microsoft Account) in your tenant, and make them a company admin. Then you should be able to sign-up for Office 365 - if it asks if you already have a tenant or account, sign in with the AAD account you just created. And voila, you should have an Azure AD tenant with a subscription to Azure AND now a subscription to Office 365.
Hope this helps,
In case anyone else has a similar issue, I was getting the same error message when using a personal Microsoft account, just like OP.
So, if you are using a personal account in a registered Azure Active Directory(AAD) app, that type isn't Personal Microsoft accounts only or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) you will get this error. Also, you need to use the correct endpoint to avoid errors.
The main problem is our account type. As a personal account, there are some restrictions to access one drive files. These restrictions are:
You can only use Oauth2 Code Flow or Oauth2 Token Flow. Both are interactive approaches. [1][2]
Your application registered in AAD needs be Personal Microsoft accounts only or Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox) and each one have a different endpoint to acquire the access token (That you can saw clicking on endpoint button, near the delete app button in app page). [3]
Enable these delegated permissions to your application registered in AAD: Files.Read, Files.Read.All, Files.ReadWrite, and Files.ReadWrite.All.
With these restrictions in mind, you can set up a workflow in Postman following these two steps(I'm using endpoints of Personal Microsoft accounts only app type and using Oauth2 Code Flow):
Important note: To use code flow, you need to enable Access tokens in Implicit grant and hybrid flows on Authentication ADD app sidebar menu.
Aquire access token:
https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=YOUR_CLIENT_ID&response_type=token&redirect_uri=ONE_OF_REGISTERED_REDIRECT_URI&scope=Files.Read Files.Read.All Files.ReadWrite Files.ReadWrite.All
After you fill in your information on Postman's request, I recommend using a browser and network inspection to login with a Microsoft account and permit the app. You are getting the access token via network inspection.
List one drive root files:
https://graph.microsoft.com/v1.0/me/drive/root/children
Add a new header:
Authorization
With value:
Bearer ACCESS_TOKE_OF_STEP_1
In my angular application, due to this interactive way restriction to access one drive files, I changed my authentication method to use Microsoft Authentication Library(MSAL) to avoid every time that need send an API request open a popup window to authenticate a valid Microsoft account.
Both OneDrive for Business and the Excel APIs require Office 365. Based on your screenshot, this looks like a standalone Azure Active Directory tenant (i.e. not linked to O365).
The reason for the SPO License message is that OneDrive for Business is a special SharePoint Online document library that is automatically provisioned for users.
Are you able to access the OneDrive contents (including the Excel file) manually through browser after logging in with your account in the same tenant?
If you are able to access the drive and file manually, please use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer to sign in using the same account and make the call to get the Drive contents. When you’re signing-in, you would be presented with a consent page listing the permissions needed to be granted. Please make a note of those permissions and check whether the permission match to those required for accessing the drive.
If you do not have appropriate SPO license yet, you can try setting up a free Office-365 trial account (https://products.office.com/en-in/business/office-365-enterprise-e3-business-software) and test the APIs.
To add to Kikutos' answer answer, you can use this Azure sample to acquire the token via MSAL.NET.
The only thing you need to change is the Instance property, which needs to be set to:
https://login.microsoftonline.com/consumers/
I configured an application on AzureAd to be multi-tenant, I chose to require all the permissions for Windows Azure Active Directory and Office 365 Exchange Online.
I can get a user to grant permissions, get access tokens, refresh them, OAuth works for me. I always used the "common" keyword instead of the tenant ID, because my app is multi-tenant.
Now, I would like to have (CRUD) access to a user's Mail, Contacts and Calendar with this token. Here is my problem: I am completely lost in all the possible API endpoints. Should I use: graph.windows.net, outlook.office365.com, graph.microsoft.com? This page seems to suggest that graph.microsoft.com is the Swiss army knife that would serve my purpose, but somehow I cannot find a doc that allows me to find the info I'm looking for. Plus, it seems under development and maybe too incomplete for what I want.
If I make queries against outlook.office365.com, I've got a 401 error.
If I put my access token in this token analyzer, it seems healthy although the scope field only shows the permissions I set in the AzureAd portal for Windows Azure Active Directory, not Office 365 Exchange Online.
I am kind of lost, any help would be welcome...
You have a choice:
Call the separate service apis - Your problem is that you acquired a token to call AAD, and then tried to use that to call Outlook - you need to make a separate call to acquire a token for outlook.office365.com through ADAL or through the token endpoint directly. The token acquired for AAD Graph can ONLY be used against AAD Graph. Similarly the token acquired for Outlook can ONLY be used against Outlook APIs.
Just to clarify - Azure AD OAuth can protect/secure multiple web APIs, including O365 APIs, Azure AD Graph, Azure Resource Management APIs, your own APIs and the new O365 unified API. In the first access token request, you specify the first resource you want/need to call. It doesn't have to be AAD Graph - i.e. it's not the default AFAIK. Based on what is consented to, you have the ability to request additional access tokens using the (multi-resource) refresh token. Vittorio's blog post which you link to in your comments does a great job explaining this.
Call the O365 unified API (which is in preview) and IS documented. See below. The beauty of the unified API is that you only need to acquire a token to call graph.microsoft.com and ALL the entities on that endpoint are available to you AND more. It removes the siloed nature of #1, and the requirement to get and manage multiple access tokens to call these different API endpoints. However #1 is currently GA, and the unified API is preview only at this time.
For more on #2 please see https://msdn.microsoft.com/en-us/office/office365/howto/office-365-unified-api-overview and search for "unified" in the list of samples here: https://msdn.microsoft.com/en-us/office/office365/howto/starter-projects-and-code-samples
We are working on improving the unified API documentation. If you are making pure REST calls, then I recommend starting out with the API explorer (and try things like https://graph.microsoft.com/beta/me/events and https://graph.microsoft.com/beta/me/messages to get your calendar events and mail messages), OR the API sandbox (which can show you JS code snippets, and allow you to test your own easily enough). As you can see on the REST examples, to access mail and calendar features in the unified APIs, you should be able to swap the service roots from Outlook to the unified API ie - https://outlook.office365.com/v1.0 -> https://graph.microsoft.com/beta. On the JS sample - we will be adding more capabilities here and additional samples.
NOTE: Personal contacts available in outlook.office365.com are not available in the unified API yet.
Hope this helps