Develop Reference

Upload fail for DrievItems in Drive of SitePages List

Upload fail for all the DrivesItems in Drive associated with SitePage list in a sharepoint site.
Graph API request:
UploadSession uploadSession = GraphCLient.Sites[{SiteId}].Drives[{DriveId of SitePages List }]. Items[{DriveFolderID}].ItemWithPath(driveItem.Item.Name).CreateUploadSession().Request().PostAsync().Result;
The uploadSession will be created sucessfully but chunkuploadprovider gives error.
Error response: Code: accessDenied Message: The caller does not have
permission to perform the action. Inner error
Code Snippet:
private void UploadItem(OneDriveJsonStructure driveItem)
{
try
{
MemoryStream memStream = (MemoryStream)driveItem.Content;
byte[] buffer = memStream.ToArray();
DriveItem item = null;
using (System.IO.MemoryStream ms = new System.IO.MemoryStream(buffer))
{
UploadSession uploadSession = this._SharepointOperations._GraphCLient.Sites[this._SiteId].Drives[this._DriveId].Items[this._DriveFolderId].ItemWithPath(driveItem.Item.Name).CreateUploadSession().Request().PostAsync().Result;
var provider = new ChunkedUploadProvider(uploadSession, this._SharepointOperations._GraphCLient, memStream);
var chunkRequests = provider.GetUploadChunkRequests();
var readBuffer = new byte[buffer.Length];
var trackedExceptions = new List<Exception>();
DriveItem itemResult = null;
foreach (var request in chunkRequests)
{
// Send chunk request
var result = provider.GetChunkRequestResponseAsync(request, readBuffer, trackedExceptions).Result;
if (result.UploadSucceeded)
{
itemResult = result.ItemResponse;
item = result.ItemResponse;
}
}
if (itemResult == null)
{
UploadChunkResult result = null;
// Retry the upload ...
foreach (var request in chunkRequests)
{
// Send chunk request
result = provider.GetChunkRequestResponseAsync(request, readBuffer, trackedExceptions).Result;
}
item = result.ItemResponse;
}
}
item.Permissions = driveItem.Item.Permissions;
GivePermission(item);
Permission Provide to Client App from Azure AD:
Graph Permission:
Sharepoint Permissions:
Even after all these permissions it gives this error message:
"The caller does not have permission to perform the action".
Which permissions are needed to perform this action?
Upload for driveItems of other drive execute sucessfully.

Now that uploading for driveItems of other drive execute successfully, your code should be OK.
So the key to the issue lies in the user's SharePoint permissions.
Please check if the user account can upload files into the target folder in your SharePoint site.
If the user doesn't have the permission to do that, you need to use an admin account to grant edit permission to the user.
Detailed steps:
Next to the folder name, click the Ellipsis…
On the file popup window, click Share.
On the Share dialog box, click Shared with, and then click
Advanced.
Click Stop Inheriting Permissions.
Add the user into an SharePoint Group which has Edit or Contribute
permission. (If you don't want to modify the default SharePoint
Group, just create a new one)
A quick method: Share this folder (with edit permission) with the user.
Next to the folder name, click the Ellipsis…. On the file popup window, click Share. On the Share dialog box, follow the screenshot.
UPDATE:
Note that we can't upload any documents into Site Pages document library. Using API is also not supported.

Microsoft Graph API - Update password - Insufficient privileges to complete the operation

I am trying to update a user via Microsoft Graph API, I am able to update the DisplayName but the PasswordProfile I get an error:
Insufficient privileges to complete the operation.
Here are the roles associated to the token when I decoded the JWT token at http://jwt.io :
"roles": [
"User.ReadWrite.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All"
],
Based on the documentation it seems these permissions should suffice.
Here is my code (taken from a console app), I was able to figure out the call is failing via Fiddler, the UpdateAsync does not throw an exception.
try
{
var userId = "9a5413cd-85ff-4ad1-ab2f-b443941abd8e";
var token = GetToken().Result;
System.Console.Write($"Token: {token}");
var newPassword = "TwDx5zgHxe51DZZ";
GraphServiceClient graphClient = GetAuthenticatedClient(token);
// This works -- Updating Display name
graphClient.Users[userId].Request().UpdateAsync(new User
{
DisplayName = "NewDisplayName"
});
// This does not work - Updating password
graphClient.Users[userId].Request().UpdateAsync(new User
{
PasswordProfile = new PasswordProfile
{
Password = newPassword,
ForceChangePasswordNextSignIn = true
}
});
System.Console.WriteLine("---Update Complete---");
}
catch (Exception e)
{
System.Console.WriteLine(e);
}
Method for getting token:
public async Task<string> GetToken()
{
// Constants
var tenant = "dev-mytenantmydomaincom";
var resource = "https://graph.microsoft.com/";
var clientID = "XXXXXXXX-87ef-494d-b921-cf8956006b0e";
var secret = "zgkzas2THJLiD5XXXXXX";
// Ceremony
var authority = $"https://login.microsoftonline.com/{tenant}";
var authContext = new AuthenticationContext(authority);
var credentials = new ClientCredential(clientID, secret);
var authResult = await authContext.AcquireTokenAsync(resource, credentials);
return authResult.AccessToken;
}
Here is the full response via Fiddler:
HTTP/1.1 403 Forbidden
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: application/json
request-id: 6edcf194-7705-4cd7-8144-767925cc9ee4
client-request-id: 6edcf194-7705-4cd7-8144-767925cc9ee4
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"SliceB","ScaleUnit":"001","Host":"AGSFE_IN_27","ADSiteName":"EST"}}
Duration: 69.2849
Date: Thu, 31 Aug 2017 13:15:34 GMT
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "6edcf194-7705-4cd7-8144-767925cc9ee4",
"date": "2017-08-31T13:15:34"
}
}
}

Passwords are a particularly sensitive data set and therefore have some unique permissions to them. From the documentation:
When updating the passwordProfile property, the following scope is required: Directory.AccessAsUser.All.
The Directory.AccessAsUser.All is a Delegated Permission that requires an Admin. In other words, it allows someone a Global Administrator to change other another user's passwordProfile.
If you're looking to allow the end user to change their password themselves, there is also a baked in ChangePassword method in the SDK:
await graphClient.Me.ChangePassword("current-pwd, "new-pwd").Request().PostAsync();
Note: that this also requires that Admin Consent be granted for DirectoryAccessAsUser.All before a user can execute it)
Keep in mind that DirectoryAccessAsUser.All is a "Delegated" rather than an "Application" permission scope. This means it is only supported by the Authorization Code and Implicit flows; it will not work for daemon/service scenarios using the Client Credentials flow.
If you consider the potential exploits that could be achieved by a non-interactive application having the ability to change user's passwords at will, the reason for this restriction is pretty clear.

An easy solution we found out is to add the application principal to the "Helpdesk administrator" role.
Go to Azure Active Directory
On the left click on Roles and administrators
Search for the Helpdesk administrator role and click on it
Click on Add assignments and paste your application object id
Wait 5 minutes or so for azure to take the changes into account

For anyone arriving at this Q&A in 2021 - there is a password reset endpoint in Graph:
POST /users/{id | userPrincipalName}/authentication/passwordMethods/{id}/resetPassword
You will have to retrieve the id of the password authentication method first.
The permission needed for this operation is UserAuthenticationMethod.ReadWrite.All which can be granted as an Application type permission.
See the documentation: https://learn.microsoft.com/en-us/graph/api/passwordauthenticationmethod-resetpassword
Update
Even though the permission can be granted as an Application type permission, the call will not succeed in Application Context.
See https://learn.microsoft.com/en-us/answers/questions/246207/34upn-from-claims-with-value-null-is-not-a-valid-u.html

Microsoft Graph API - Insufficient privileges to complete the operation

I am trying to use Microsoft Graph API to update another user in Active Directory.
I have the following permissions set for both user and application at https://apps.dev.microsoft.com/
I've requested the following scopes:
Directory.ReadWrite.All
User.ReadWrite.All
Group.ReadWrite.All
I am able to get a listing of all users in the directory, but when trying to update (in this case, the city) it fails:
GraphServiceClient graphClient = SDKHelper.GetAuthenticatedClient ();
var usersResponse = graphClient.Users.Request ().GetAsync ();
var users = usersResponse.Result;
// hard coding user id for now
var userId = "9a5b83cd-85ff-4ad1-ab2f-b443941a518e";
var user = users.FirstOrDefault (m => m.Id == userId);
if (user != null) {
user.City = "New York";
await graphClient.Me.Request ().UpdateAsync (user);
}
I get:
{
Code : Authorization_RequestDenied
Message : Insufficient privileges to complete the operation.
Inner error
}
The user I am logged in as is a Global Administrator of the directory.
I took the JWT token, headed over to https://jwt.io and these are the roles I am seeing:
Directory.Read.All
Directory.ReadWrite.All
Files.ReadWrite
Group.ReadWrite.All
Mail.Send
User.Read
User.Read.All
User.ReadWrite.All
Do I need other permissions to make this happen?
At the end of the day, I'd like to create a console app (not web app) that I can update other user information in the directory. But I figured using this sample app provided by Microsoft is a good start.

The reason you're seeing this is because you're passing the complete user object rather than only the city property. In other words, you're attempting to update every property in that user record, including several that are read-only.
This is one of those cases where having an SDK that wraps a REST API can be result in some confusing errors. As REST API, it is stateless so passing in the entire user property set is telling the API you want to PATCH all of those values.
You're also passing in a different user object into the me object (i.e. you're replacing all of your property values with this other user's property values):
await graphClient.Me.Request().UpdateAsync(user);
Instead, try this:
GraphServiceClient graphClient = SDKHelper.GetAuthenticatedClient ();
// hard coding user id for now
var userId = "9a5b83cd-85ff-4ad1-ab2f-b443941a518e";
await graphClient.Users[userId].Request ().UpdateAsync(new User
{
City = "New York"
});

How to apply SSO with an existing login screen and a trusted second website

We use IdentityServer3 (IdSvr3) for authorization/authentication. We want to offer the ability for our end user (or resource owner: RO) to log in (log through) to a second trusted website (site B) without login in to site B also, after they have already logged in to an initial website (site A). Site B administers a different set of resources for the RO. It is important that the RO is not redirected to the IdSvr3 login/consent screen. A possible approach I found so far is: inside site A an access token is created by calling RequestResourceOwnerPasswordAsync (passing username and password plus scope = "openid ..."). This access token is send to site B with which the RO can be authenticated. Site B retrieves the user info by calling the connect/userinfo endpoint. I want to know if this is a correct approach/flow. We assume that the RO will always enter site A first, not site B.
Thanks in advance for taking your time to think with me about this.

what you can do here is to send a authorize request to identity server for Site B Scope and request id_token or reference token. Make sure while sending the authorize request to idsrv you are using prompt=none, this way you will get the access_token without showing a consent to the user again if the user is already logged-in to site A.
Below example is doing the same from a JS file. In Site A you can refer to this script file and execute the script using IIFE.
function getIdentityServerURL() {
var url = global.appSettings.identityServerURL
+ "/connect/authorize?client_id=siteB&response_type=id_token token&redirect_uri="
+ global.appSettings.siteBUrl + "/Main/SsoCallback&scope=siteBscope openid email roles&prompt=none&nonce="
+ genNonce();
return encodeURI(url);
}
The code above will redirect you to SsoCallback page where you can create a virtual iframe and post the token back to site B after reducing the result from authorize request. Refer to code below.
<script type="text/javascript">
var identityresult = window.location.hash.split('&').reduce(function (result, item) {
var parts = item.split('=');
result[parts[0]] = parts[1];
return result;
}, {});
window.parent.postMessage(identityresult, '*');
your script can listen to postmessage event. Hope this helps.

Gmail API returns 403 error code and "Delegation denied for <user email>"

Gmail API fails for one domain when retrieving messages with this error:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 OK
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Delegation denied for <user email>",
"reason" : "forbidden"
} ],
"message" : "Delegation denied for <user email>"
}
I am using OAuth 2.0 and Google Apps Domain-Wide delegation of authority to access the user data. The domain has granted data access rights to the application.

Seems like best thing to do is to just always have userId="me" in your requests. That tells the API to just use the authenticated user's mailbox--no need to rely on email addresses.

I had the same issue before, the solution is super tricky, you need to impersonate the person you need to access gmail content first, then use userId='me' to run the query. It works for me.
here is some sample code:
users = # coming from directory service
for user in users:
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
####IMPORTANT######
credentials_delegated = credentials.with_subject(user['primaryEmail'])
gmail_service = build('gmail', 'v1', credentials=credentials_delegated)
results = gmail_service.users().labels().list(userId='me').execute()
labels = results.get('labels', [])
for label in labels:
print(label['name'])

Our users had migrated into a domain and their account had aliases attached to it. We needed to default the SendAs address to one of the imported aliases and want a way to automate it. The Gmail API looked like the solution, but our privileged user with roles to make changes to the accounts was not working - we kept seeing the "Delegation denied for " 403 error.
Here is a PHP example of how we were able to list their SendAs settings.
<?PHP
//
// Description:
// List the user's SendAs addresses.
//
// Documentation:
// https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs
// https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs/list
//
// Local Path:
// /path/to/api/vendor/google/apiclient-services/src/Google/Service/Gmail.php
// /path/to/api/vendor/google/apiclient-services/src/Google/Service/Gmail/Resource/UsersSettingsSendAs.php
//
// Version:
// Google_Client::LIBVER == 2.1.1
//
require_once $API_PATH . '/path/to/google-api-php-client/vendor/autoload.php';
date_default_timezone_set('America/Los_Angeles');
// this is the service account json file used to make api calls within our domain
$serviceAccount = '/path/to/service-account-with-domain-wide-delagation.json';
putenv('GOOGLE_APPLICATION_CREDENTIALS=' . $serviceAccount );
$userKey = 'someuser#my.domain';
// In the Admin Directory API, we may do things like create accounts with
// an account having roles to make changes. With the Gmail API, we cannot
// use those accounts to make changes. Instead, we impersonate
// the user to manage their account.
$impersonateUser = $userKey;
// these are the scope(s) used.
define('SCOPES', implode(' ', array( Google_Service_Gmail::GMAIL_SETTINGS_BASIC ) ) );
$client = new Google_Client();
$client->useApplicationDefaultCredentials(); // loads whats in that json service account file.
$client->setScopes(SCOPES); // adds the scopes
$client->setSubject($impersonateUser); // account authorized to perform operation
$gmailObj = new Google_Service_Gmail($client);
$res = $gmailObj->users_settings_sendAs->listUsersSettingsSendAs($userKey);
print_r($res);
?>

I wanted to access the emails of fresh email id/account but what happened was, the recently created folder with '.credentials' containing a JSON was associated with the previous email id/account which I tried earlier. The access token and other parameters present in JSON are not associated with new email id/account. So, in order make it run you just have to delete the '.credentails' folder and run the program again. Now, the program opens the browser and asks you to give permissions.
To delete the folder containing files in python
import shutil
shutil.rmtree("path of the folder to be deleted")
you may add this at the end of the program

Recently I started exploring Gmail API and I am following the same approach as Guo mentioned. However, it is going to take of time and too many calls when we the number of users or more. After domain wide delegation my expectation was admin id will be able to access the delegated inboxes, but seems like we need to create service for each user.