I am developing a multi-tenant web app managing the mail, contacts and calendar of users.
On the AzureAd management portal, I registered my app as multi-tenant and I manage to get OAuth tokens for both people out and inside my tenancy, replacing the tennantId by "common" when querying the Authentication Code and Token endpoints.
Now, I would like to access calendar, mail and contacts info of people who signed in and consented to give permissions to my app.
I started simple, by querying the basic user info of a user inside tenancy like this:
GET https://graph.windows.net/-tennantId-/me?api-version=2013-11-08
or
GET https://graph.windows.net/-tennantId-/users/myAdress#company.com?api-version=2013-11-08
{headers: {Authorization: "Bearer -accessToken-"}}
It works!
Now, how can I have access to information of users that are outside my tenancy? I tried
GET https://graph.windows.net/-tennantId-/me?api-version=2013-11-08
GET https://graph.windows.net/-tennantId-/users/address#outside.com?api-version=2013-11-08
GET https://graph.windows.net/common/me?api-version=2013-11-08
GET https://graph.windows.net/common/users/address#outside.com?api-version=2013-11-08,
I always end-up having a 400 error:
{"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Invalid domain name in the request url."}}}
Any idea what I am doing wrong?
Ah-ah!
Forget the use of your tenant ID when talking with the Graph API if you develop a multi-tenant app with OAuth!
The equivalent to "common" when requesting a token for a user in or outside your tenancy is... "myorganization"!
This will work:
https://graph.windows.net/myorganisation/me?api-version=2013-11-08
Oh, it was clearly written in the doc, but... but... MICROSOOOOOFT!!!
Related
I am working on the integration of the outlook calendar with our app. I am trying to get the calendar events of the guest user. So far I have done the following steps.
Registered an app in the Azure Active Directory admin centre and added the following API permissions.
API permissions
Then I used the following API call to get the access token.
https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
I used this token to get the user list which is working fine.
https://graph.microsoft.com/v1.0/users
Then I am using user_id from this result to call the following APIs
https://graph.microsoft.com/v1.0/users/{user_id}/calendars
https://graph.microsoft.com/v1.0/users/{user_id}/calendars/events
https://graph.microsoft.com/v1.0/users/{user_id}/events
I am getting a successful result for Member users but getting the following error for guest users
>AuthOMMissingRequiredPermissions
>The AadGuestPft token doesn't contain the permissions required by the target API.
Any Idea what am I missing?
To get guest users(external) you can use https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest' Graph API endpoint. This will give you all external users details in response. Event API will only work for the user within tenant, for external users who does not have license it will not work.
Hope this helps.
One of the websites we used to get data from requires now log in via Google, I have been granted access, and want to update the app to continue working.
I've set up credentials (clientId, clientSecret) as well as service account - whichever is easier tbh.
The url I'm trying to access looks like "https://xxxxxxxxxxxxxx.appspot.com/view/company_name"
When logging in manually, I'm being informed that:
To continue, Google will share your name, email address, language preference and profile picture with iap.googleapis.com.
Trying to get it working first on:
https://developers.google.com/oauthplayground/
But each time I select scope (guessing here) Google OAuth2 API v2 (userinfo.email, userinfo.profile) and get the tokens I end up receiving following error message:
Invalid IAP credentials: Expected JWT to have 3 parts separated by a '.' but there are 2 parts
Could anyone tell me all the things I'm doing wrong here?
I'm currently trying implement an app to read calendars only for a group that's permitted to the app. The idea behind this is that when I want to add a another calendar all I'd have to do is add the object to a specific o365 group. I'm taking the application approach over delegation that way I don't have anything actually logging in to utilize the app. Ultimately I'd like to stay away from any of the *.All permissions for security reasons.
Steps taken :
- created o365 group
- added resource objects and one user service account (just for testing) to the group
- registered app
- generated secret
- assigned group to the app
- granted admin consent to groups.selected via the azure portal
When I run a GET for group/{id}/members :
{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'request-id': '473410a8-4db4-49d6-8d2c-92b9fbd4edb1', 'date': '2020-03-05T14:59:28'}}}
As per the docs
https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http
If you are using Application permissions to Get Members for a group. you will need User.Read.All, Group.Read.All, Directory.Read.All.
The usual issue is not granting that permissions to the application in Portal.azure.com and admin consenting it.
If you're confident with that. Then I'd eliminate your code as being the issue by using something like postman with your app id and client secret. We have a sample Postman collection here https://learn.microsoft.com/en-us/graph/use-postman . for delegated permissions you can use our Graph Explorer playground.
MS docs says:
Note: This permission is exposed in the Azure portal for a feature that is not available for general use. Do not use this permission as it is subject to change.
https://learn.microsoft.com/en-us/graph/permissions-reference
I gave my application the following scopes:
SCOPES = [ "Calendars.Read", "User.Read.All" ]
I got an access token. With this token I am able to get the users and I get two users back which is correct.
When I then ask for the calendar of myself (admin):
https://graph.microsoft.com/v1.0/users/stijn#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
This also works perfectly. However when I do this for the other user:
https://graph.microsoft.com/v1.0/users/frank#temponia.onmicrosoft.com/calendarview?startDateTime=#{start_date.to_s}&endDateTime=#{end_date.to_s}
I get this error message:
Access is denied. Check credentials and try again.
According to the documentation: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
Calendars.Read: Read calendars in all mailboxes: Allows the app to read events of all calendars without a signed-in user.
The scope I got back together with the access token was this: "calendars.read user.read.all" so it got accepted.
What am I missing here?
We are working to support the scenario you are requesting (Accessing other users' calendars) but the feature hasn't shipped yet. Stay tuned ...
UPDATE: Please take a look at using client credential flow. The blog post https://blogs.msdn.microsoft.com/exchangedev/2015/01/21/building-daemon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow/ explains how to do this for Outlook API endpoint. But you should be able to follow the instructions for Microsoft Graph as well.
The app will require an admin to consent, and then can access calendar of any user in the organization, as long as their mailbox is in Office 365.
I'm trying to use the Email Settings API from within a google marketplace app. Because I need all the logic to happen offline (in a cron job). I'm using an app engine Service Account, but when I'm trying to actually change the email settings for the users of the domain that installed it I'm getting this error:
You are not authorized to access this API.
Error 403
this is the scope: https://apps-apis.google.com/a/feeds/emailsettings/2.0/
I'm probably missing something, but I couldn't find the right docs to show me the way. How would I go about implementing an app that accesses the email settings even when the admin is offline?
You need to set the prn attribute to address of an admin account.
Examples for the directory API are at:
https://developers.google.com/admin-sdk/directory/v1/guides/delegation#instantiate_an_admin_sdk_directory_service_object
In terms of accessing the Email Settings API, you're really unlikely to get people to give you Service Account access to their domain.
On the other hand, if it's your domain (and thus you can add Service Account access), couple of pointers below:
What is important is that you add the following to the header:
"Authorization" = "Bearer <your_token>"
(note the very specific syntax - "Bearer+<1 space>+", as per https://www.rfc-editor.org/rfc/rfc6750 section 2.1)
"Content-Type" = "application/atom+xml"
(important for POST/PUT/DELETE requests, doesn't matter for GET)
that should get you up and running.