I am attempting to learn more about Microsoft Graph and have made extensive use of the Microsoft Graph Explorer site. I am now attempting to transfer a pair of queries from Microsoft Graph Explorer to an MVC C# app but I am receiving the following error message:
"AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'My App'."
The following query works just fine in Microsoft Graph Explorer:
https://graph.microsoft.com/v1.0/servicePrincipals/[resourceID]/appRoleAssignedTo?$select=appRoleId,principalId,principalDisplayName,principalType,resourceId,resourceDisplayName
The following C# equivalent throws the error:
var appRoleAssignedTo = await graphClient.ServicePrincipals[resourceId].AppRoleAssignedTo
.Request()
.Select("appRoleId,principalId,principalDisplayName,principalType,resourceId,resourceDisplayName")
.GetAsync()
.ConfigureAwait(false);
The Microsoft Graph Explorer site indicates the following four permissions must be consented by the app administrator:
"Application.Read.All", "Application.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All".
These permissions have been consented as required.
I am trying to automate these queries so that I can incorporate them into my app. Any assistance is greatly appreciated.
I think you may forget to grant api permission, or setting delegate api permission but using client credential flow to call the api.
when we use Microsoft Graph Explorer to call graph api, it require us to sign in with the microsoft account first, then we can call the api, this means we are using delegate api permission to call the api.
So I want to double confirm with you that if you has a sign in progress before you call the api, if not, then the failure should be the expected behavior. If you don't want to sign in before calling graph api, you need to grant application api permission and using client credential flow like code below to call this api:
var scopes = new[] { "https://graph.microsoft.com/.default" };
var tenantId = "tenant_name.onmicrosoft.com";
var clientId = "azure_ad_appid";
var clientSecret = "client_secret";
var clientSecretCredential = new ClientSecretCredential(
tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
If you has a sign in progress before calling the api, then I suggest you to check if you've grant the api permission, if you want to give application api permission, you also need to click this button.
Related
Can MS Graph access mail boxes without individual Id/passwords?
Our organization is considering some mail box automation using MS Graph. However the concern has been expressed that it would expose all mail boxes emails.
Worst case (i.e. clever hacker using scripts only): Is there any way scripting with MS Graph one could access mail boxes without individual Id/passwords? What would be the biggest exposure if they had for one mailbox that has nothing delegated to it?
Thanks!
For Ms graph api, it provides the ability to manage the account/group/mail account/event/calender/... And if we need to use the graph api, we have to create an Azure AD application with the application credential(basically, the client_secret). And the Azure AD app should have enough API permission, for example, we give permission User.ReadWrite.All, then we can use graph api to manage users in this tenant via this Azure AD app. When we add permission Mail.ReadWrite, then we can manage email account.
For api permission, there are 2 kinds of permissions, one for delegate, another for application. When we give delegate api permissin, we need to sign in with your own account(e.g. user1#xx.onmicrosoft.com, and this account had license for mail) first, then we can use ms graph api to list all the mail messages for your account.
But when we give application api permission, we don't need to sign in first, we can directly call graph api, and list all the mail messages for any user account which has mail license in your tenant.
Let's go back to your question, if script can access mail boxes without individual Id/passwords. My answer is yes. But I have to get The Azure AD application & client secret, then this app must have enough api permission, like application permission for Mail.ReadWrite, Mail.Send, and I need to know your email address/account. When I get all these information, I can access the mail boxes. Here's an sample.
using Microsoft.Graph;
using Azure.Identity;
var scopes = new[] { "https://graph.microsoft.com/.default" };
var tenantId = "tenant_name.onmicrosoft.com";
var clientId = "aad_app_id";
var clientSecret = "client_secret";
var clientSecretCredential = new ClientSecretCredential(
tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
var messages = await graphClient.Users["{email_address/user_account/user_id}"].Messages
.Request()
.Select("sender,subject")
.GetAsync();
I am trying to figure out which way would be better for my application. I need to perform an automatic email import triggered from ASP.NET Core Web API using Microsoft Graph mailbox access. According to the documentation, there are two options to go for:
Get access on behalf of the user (https://learn.microsoft.com/en-us/graph/auth-v2-user?view=graph-rest-1.0)
Get access without the user (https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0)
As the import is automatically triggered by Azure Function timer I do not want to open a popup for the user credentials. So I considered to go with the second option and create a service user to do this, but then I saw a point about Admin consent in the documentation and I got a bit confused. Does this mean that if nobody is going to accept the app rights to access emails it will not be able to do so? What would be easier/preferred way to implement this kind of functionality?
--Does this mean that if nobody is going to accept the app rights to access emails it will not be able to do so?
no, that means after admin consent the api permission, then you can access any users' emails in your tenant.
--What would be easier/preferred way to implement this kind of functionality?
as you said that you are using Azure timer function to to auto import the mails, so you shouldn't get access to graph api on behalf of a user, you have to access the api on behalf the application.
But you have to check if the graph api you want to call support being accessed on behalf of the application. Let's see this api. You may notice that it supports Application api permission.
Then pls note that you have to using client credential flow to generate access token to call the graph api, you can't use other flows. Here's sample code for using client credential flow with graph SDK to call graph api.
var scopes = new[] { "https://graph.microsoft.com/.default" };
var tenantId = "tenant_name.onmicrosoft.com";
var clientId = "azure_ad_appid";
var clientSecret = "client_secret";
var clientSecretCredential = new ClientSecretCredential(
tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
var inboxMessages = await graphClient.Users["user_id"]
.MailFolders["inbox"]
.Messages.Request().GetAsync();
I'm building an ASP .Net Core web App. I use Azure ADB2C for user authentication and I would like to have an admin user, which could delete other users. I can delete users from Azure Active Directory via Azure portal, but I would like to do it directly from the app. I have created an admin account in my Active Directory tenant, and gave it global administrator permissions.
I tried to use Graph API, but I can't get it to work. I created an IAuthenticationProved according to instructions on this website:
https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=CS.
Then I created GraphServiceClient and tried to delete user (https://learn.microsoft.com/en-us/graph/api/user-delete?view=graph-rest-1.0&tabs=csharp), but I got error:
System.AggregateException: 'Returning 0 accountsts and 0 broker accountsdata provider for login.microsoftonline.com. Success? True.)'
AuthenticationException: Code: authenticationChallengeRequired
Message: Authentication challange is required.
My code looks like this:
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
.Create("<My Client ID>")
.WithRedirectUri("<My Redirect Uri>")
.WithClientSecret("<My Client secret>")
.Build();
List<string> scopes = new List<string>();
scopes.Add("https://graph.microsoft.com/User.ReadWrite.All");
scopes.Add("https://graph.microsoft.com/Directory.ReadWrite.All");
AuthorizationCodeProvider authProvider = new AuthorizationCodeProvider(confidentialClientApplication,scopes);
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
graphClient.Users[<UserId>]
.Request()
.DeleteAsync()
.Wait();
Could you tell me what I'm doing wrong? Or maybe there is some other way to do it? Thank you in advance!
Your approach to use Graph API is the way to go. But the problem you are facing there is because your selected auth provider (AuthorizationCodeProvider) is not matching with the scope needed here to delete user. Looking at your code, you want 'Authorization Code' flow which means it would need a delegated scope. As mentioned in permission requirement for delete user, the 'Delegated' scope needed to delete user is Directory.AccessAsUser.All which I don't see in the code snippet you shared.
Additionally, suggest you a quick read to Choose a Microsoft Graph authentication provider based on scenario.
NOTE: To add the required delegated permission, the application registration must be either of the first two types types shown below. The third option won't give you that.
For the above you will be able to add Directory.AccessAsUser.All delegated permission.
I'm trying to get all the messages from Microsoft Teams in my tenant, I have registered the application to Azure, set the correct permissions and grated admin privileges.
What I am getting confused about is creating a GraphServiceClient.
My app is more of an Daemon Application.
I would really appreciate if someone could give me an example of how to create the client correctly.
this is my code so far:
string[] graphScopes = { "https://graph.microsoft.com/.default" };
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
.Create("x")
.WithTenantId("x")
.WithClientSecret("x")
.Build();
ClientCredentialProvider authProvider = new ClientCredentialProvider(app);
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
try
{
var messages = await graphClient.Teams["x"].Channels["x#thread.skype"].Messages.Request().GetAsync();
Console.ReadLine();
foreach(var item in messages)
{
Console.WriteLine(item.Body);
}
}
catch(Exception e)
{
Console.WriteLine(e.Message);
Console.Read();
}
I'm getting the following error no matter what I'm trying to get
Code: UnknownError Inner error: AdditionalData: request-id: x date: 2020-05-27T14:22:37 ClientRequestId:x
update: I was able to get something from the API, I had wrong permissions.
still can't get the messages though,
I have all these permission:
ChannelMessage.Read.All, Group.Read.All, Group.ReadWrite.All
I'm probably missing the "ChannelMessage.Read.Group (RSC)" permission but I can't find it in the permissions page.
May this is the solution or the problem ;-)
Microsoft Teams APIs in Microsoft Graph that access sensitive data are considered protected APIs. These APIs require that you have additional validation, beyond permissions and consent, before you can use them.
https://learn.microsoft.com/en-us/graph/teams-protected-apis
Your problem is you are accessing a "beta" api but using the production base url path.
The permission you need is ANY of the following (i.e. or not and):
ChannelMessage.Read.Group (RSC) OR
ChannelMessage.Read.All OR
Group.Read.All OR
Group.ReadWrite.All
Since you have Group.Read.All, that is ALL you need for permissions.
What you need to do is change the base URL to the beta api:
graphClient.BaseUrl = "https://graph.microsoft.com/beta";
UPDATED:
Since now you are saying that you are getting a "Forbidden" error, I think you also have a consent problem.
My guess is that you created & consented you app on one tenant but you are trying to access the data in another tenant. This will give you a forbidden errors. i.e. you created and consented on a dev azure account tenant and are trying to access your work tenant.
If this is the situation you need to:
* Make sure that the setup you azure app to be multi-tenanted
* You have to get your app consented by the target tenant
If you do that and use the beta endpoint I would expect that your example code will start working.
Update2:
Finally got around to trying to do the message list with a application context like you above and I get the same Forbidden error as well from the beta api. From a user context it works fine. So your answer will be to use a user context and not an application context to access this API.
It looks like what you are hitting is a Protected API. So if you want to use this API from an application context, you will have to submit a request to be allowed access to it.
What I basically want to be able to do is authenticate to azure mobile services (using google or some other provider), and immediately save some of the user information (i.e. email address) on the server.
I know I could call a custom method from the app after authentication, but I was hoping to have some hook to do this straight after the google login on the server side.
Is this possible? How do I do it?!
This is currently only possible in the .NET runtime. If using the Node runtime, you will not be able to do this.
For the .NET runtime, you would want to create a class which inherits from GoogleLoginProvider (I'll call mine CustomGoogleLoginProvider), and then you'll need to override the CreateCredentials method:
public override ProviderCredentials CreateCredentials(ClaimsIdentity claimsIdentity)
{
// grab any information from claimsIdentity which you would like to store
// If you need the access token for use with the graph APIs, you can use the following
string providerAccessToken = claimsIdentity.GetClaimValueOrNull(ServiceClaimTypes.ProviderAccessToken);
// use the access token with HttpClient to get graph information to store
return base.CreateCredentials(claimsIdentity);
}
Then in your WebApiConfig.cs, add the following to the Register() method, immediately after the options object is created:
options.LoginProviders.Remove(typeof(GoogleLoginProvider));
options.LoginProviders.Add(typeof(CustomGoogleLoginProvider));
The CreateCredentials() method gets called immediately before a Mobile Services token is created. At this point, the Google token has been validated, and the claimsIdentity has been populated with whatever Google sent back.
Some information will be available in the claimsIdentity by default, but you may also have information which requires you to call through to Google. You can only do this if you set the proper scopes configured.
If you did want to go the custom API route, you would just need to make a call from your controller:
ServiceUser user = (ServiceUser)this.User;
GoogleCredentials creds = (await user.GetIdentitiesAsync()).OfType<GoogleCredentials>().FirstOrDefault();
string accessToken = creds.AccessToken;
The Node version of getIdentities() is documented here.