Microsoft Graph File Permission invite API not working always - permissions

I have an app to work with MS group Documents files.
For a public group, I am creating files with the app and sharing direct invite to a tenant user (Not a member of the group) using permission API:
POST https://graph.microsoft.com/v1.0/drives/{drive_id}/root:/Document.docx:/invite
I am observing it is giving success response always but permission is not always created for the file. I verified on the UI also. Sometimes, UI does not show the User in the Manage Permission list. The API behavior is inconsistent.
Once this situation occurs, PATCH permission and GET specific permission fails for this File even if invite API response was success. PATCH permission fails with 400 error code.
I have tried this using MS Graph Explorer as well. I am observing this issue using the Graph Explorer as well.
Has anybody come across this issue and dealt with it?
[Edit] I have observed this issue for public group only. For User onedrive and private group drive I am not getting this issue.

Related

Persistent access control exception error message on Moodle

I am trying to enroll a user on my Moodle site via using the Moodle API.
My Moodle instance is hosted on AWS and all relevant ports are open and listening. So, from the network perspective, I can commit that is all ok.
The steps I have already done based on Moodle Documentation:
I have enabled web services on Administration > Mobile app >Mobile settings
I have gone through the 10 steps on the overview of allowing an external system to control Moodle as explained in the documentation (shown also in this Youtube video)
For testing purposes, I am using Postman. Some requests are going through (e.g. getting the token for a certain user, getting the list of all courses, etc.)
Example:
But when I try to i.e. create a user or enroll a user in an existing course I am getting this error:
{
"exception": "webservice_access_exception",
"errorcode": "accessexception",
"message": "Access control exception"
}
The way I am trying to i.e. create the user is as follows:
In the body section I am sending the following data:
users[0][username]
users[0][email]
users[0][lastname]
users[0][firstname]
users[0][password]
Based on my research, most of the contributors suggested enabling web services, but as mentioned above I have enabled them but the problem persists.
Can someone help me solve the issue here or maybe suggest a way of debugging it?
Fortunately, I managed to solve the issue for both user creation and user enrollment.
Here is a great guide that helped me. In addition, you need to add some additional functions to the web service (roles wary based on what you want to do in Moodle) and also you need to alter the permissions of the new user (again depending on what you want to do)...

Microsoft Graph API - Follow Site

I'm trying to make users follow a SharePoint Online site using the Microsoft Graph API. When I enter my user ID in the below scenario, the operation is successful. When I use another user's ID, the operation fails with a 403 error. The text says to check the permissions in the modify box but all permissions are granted. Is this just a limitation of the API that you can't make another user follow a site?
Error image
My test result is same with you, I think follow site should be a personal action, so setting follow site for others is prohibited.

Create User via API in Azure AD

GOAL: Create users in Azure Active Directory using our Global Admin account from an API.
PROBLEM: Every single way I try, I get "unauthorized".
WHAT I'VE TRIED:
I've been focusing mostly on this: https://graph.microsoft.com/v1.0/invitations
I've tried as outlined here
the "Authorization Bearer {token}" is problematic -- I can't seem to properly retrieve tokens, using any of the built URLs recommended (ie, combining ClientID & TenantID in the URL.)
I've tried the relevant portions of this, including creating the app, setting permissions on the app, trying both Web API and Native. I'm able to get a code back, but using it always comes back with Unauthorized.
As an aside, I am using Nintex to run this web service, as it is part of my workflow. Typically, web services don't give me issues. So, this sucks.
I'm missing something, here. Any thoughts or direction?
UPDATE: Removed the word "method" - bad choice of phrasing.
If you want to use Microsoft Graph explorer to create user as the global admin, you could use POST https://graph.microsoft.com/v1.0/users, and the required permission is:
Permissions
For the details, you could read Create user.
Global admin runs as a user by default. To grant access to Active Directory, you need to elevate permissions in the portal.
I'm not convinced you have the permissions to create the user, and that's why I think you're getting the error.
Also, try and avoid using Global Admin. Create a Service Principal and provide more granular permissions.

MS Graph API: OneDrive resource not found

I'm building a Windows service that connects to OneDrive for Business via the Graph API using this method:
https://graph.microsoft.io/en-us/docs/authorization/app_only
I've successfully authenticated my application and have a token for making calls to Graph API. I have given my Azure AD application permissions to both Windows Azure Active Directory and Microsoft Graph (all application and delegated permissions have been selected for both).
My goal is to get the contents of a folder that resides in a specific user's OneDrive. I need to make the following Graph API call:
//graph.microsoft.com/v1.0/users('user-guid')/drive/items/long-item-id-here/children
I can execute this request successfully using Microsoft Graph Explorer (logged in with my Office 365 credentials). When I try to make the same call as an application (using the auth token received above), I get an "itemNotFound" code with the message "The resource could not be found." (request-id:
5e814dce-c4c2-4615-90e6-ea8ab90cbc49). However, I am able to query the root and the "folder.childCount" property shows the correct number of children in the root:
//graph.microsoft.com/v1.0/users('user-guid')/drive/root
I've set the folder's sharing to "All Authenticated Users" and I still receive "The resource could not be found" from the API call.
Any ideas on what I'm missing here?
The marked answer is no longer the case. You can now access OneDrive and SharePoint resources using a Client Credentials grant (aka "App Only").
The applicable scopes are Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All
The application is using App-only authorization which is currently not supported for accessing OneDrive for Business through Microsoft Graph API. Please use delegated flow, which is used by Graph Explorer.

OneDrive for Business API item/file download content 401

My question seems similar to OneDrive for Business REST API - PUT,POST - 401 Unauthorized
However, instead of uploading, I am trying to download a file. What's strange is that I do get the file contents and data, but the response code is a 401.
Any idea why? Of course, I would like to be receiving a 200 and not have to ignore the response code.
As far as my Azure AD app permissions go, I am allowing pretty much all read permissions under delegated permissions for Office 365. I have listed all the permissions I selected here, for your reference.
Delegated Permissions I am allowing for Office 365:
Read managed metadata
Run search queries as a user
Read items in all site collections
Read user files
Delegated Permissions I am allowing for Windows Azure Active Directory:
Enable sign-on and read users' profiles
I have not enabled anything under Application Permissions.
There is a bug in our implementation - if you provide an Authorization: header with a bearer token on the download URL (which is pre-authenticate) the service rejects the authentication (hence the 401) but since the URL is pre-authenticated, the contents of the file are still sent.
We're working on a fix. You can track the status by watching this issue on our GitHub repo: https://github.com/OneDrive/onedrive-api-docs/issues/189