Getting Unauthorized on Create ChatMessage even though Application has Teamwork.Migrate.All permission (BETA) - api

I'm using the /beta endpoints for Microsoft Graph API, but I'm getting an Unauthorized error when trying to create chat messages on behalf of other users (or any user).
In v1.0 of the API, the Create chatMessage method is not supported, but in Beta it is: https://learn.microsoft.com/en-us/graph/api/channel-post-message?view=graph-rest-beta&tabs=http, with the "Teamwork.Migrate.All" permission, which my Application has in Azure.
It is strange, because the same App can create Teams, channels and add members, but not add channel messages.
Anyone know where to look next?
Edit: I got this back now: "You need to add user delegated permissions in your application to at least Group.ReadWrite.All in portal.azure.com and then consent as user or Grant admin consent in portal. And re-run On behalf of a User | Get User Access Token request to update access token."
However, it does not make sense in regards to what the Beta documentation says about the permission "Teamwork.Migrate.All", which my app has as an "Application Permission": "Allows the app to create chat and channel messages, without a signed in user. The app specifies which user appears as the sender, and can backdate the message to appear as if it was sent long ago. The messages can be sent to any chat or channel in the organization."
If I'm an app and I have that permission, what should I do with a User Access Token? I'm using the App Access Token.

Simply posting a message to a Teams channel using an application permission is not supported by Microsoft Graph.
Alternatively, you can set up an Incoming Webhook, which is a connector in the MS Teams channel. After you finish setting it up on the Teams channel, you will receive a URL, which you can use from Postman or any API consumer app to send a request (your message) to the Incoming Webhook, which will then be posted in the Teams channel.
NOTE: Incoming Webhook does not support replying to a post.

"You need to add user delegated permissions in your application to at least Group.ReadWrite.All in portal.azure.com and then consent as user or Grant admin consent in portal. And re-run On behalf of a User | Get User Access Token request to update access token."
It seems that you need to use a user token instead of an application token to create chat messages. The only difference between them is that the user token requires the user to log in. The application token allows the application to create chat messages on behalf of other users. Currently, you can only use user tokens.
As your prompt message says, you need to grant the Group.ReadWrite.All delegation permission to the application, and then grant the admin consent for the permission, and then you need to use the auth code flow to obtain the access token.
Update:
I think what you are doing is importing messages, not creating chat messages; it does require you to have the Teamwork.Migrate.All application permission.
Importing messages is special: it requires you to create the team and create a channel in the migration state, and you need to include the migration value in the teamCreationMode and channelCreationMode instance attributes in the POST request. See: here.

Related

Send SMS via RingCentral API by using different numbers and extensions

I have a problem of sending SMS via API within one account where we have a bunch of numbers with their own extensions.
The goal is to be able to use any of these numbers for sending SMS from Salesforce via callout.
I've created an app with "SMS", "Read Account" permissions.
When I try to send a request from Postman using "Account" credentials with or without extension number, I receive an error: "Phone number doesn't belong to extension"
I cannot log in with default account credentials and different extensions.
I do not have other users credentials.
I cannot add the number to an extension as it already has its own extension.
Is there any way I can solve this? Please advise.
For now, you need to use an access token authorized by a user (extension) that has privileges to send/receive SMS on the numbers desired.
Given the scenario you describe, you will need to add a degree of indirection between the user taking the action and the user extension to which the number is associated.
To do this, you will need to build an app that manages access tokens for the extensions to which the numbers are assigned. Then your user will need to separately log into the app and select the number, at which time the app will use its separately managed access token.
The authorization for user extensions associated with the numbers may be able to be authorized using the OAuth 2.0 Authorization grant flow or, if your app is a private app, the OAuth 2.0 Resource Owner Password Credentials grant flow.

Microsoft flow:ForbiddenError-403, when trying to create private channel in MS teams

I am trying to make an HTTP request into MS teams in order to create private channel like in the following example.
https://learn.microsoft.com/en-us/graph/api/channel-post?view=graph-rest-1.0&tabs=http
In order to authenticate the HTTP request with the "Active Directory OAuth" option, it needs some info: 1) Client ID, 2) Tenant ID, 3) Audience and 4) Credential Type.
Therefore, I registered an app on the Azure App Registration page, where I have all this info, and created a secret to provide it. In addition, I gave permissions. My task is to create/delete private channels and add/drop members. Why is there a 403 status code error called "Forbidden"?
Also, in a lot of docs a token is mentioned, but I do not know how to create and use it, as there is also no accurate, step-by-step example for all of this authentication/authorization/permissions.
Can someone provide that? Or explain why that error is there, as the info in microsoft.docs is inefficient?
https://learn.microsoft.com/en-us/graph/resolve-auth-errors
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
The 403 error indicates that your token lacks the permission to call the API. Each API document clearly explains what permissions are required to call the API.
Take the create channel as an example: it lists the permissions you need to call the API. These permissions are arranged from small to large, and you only need to select one of them. Then you need to add the permission to your application, and then grant the administrator consent for the permission.
Go to Azure portal>Azure AD>App registrations>your app>API permissions.
What you need to note is that permissions are divided into application permissions and delegated permissions.
Delegated permission is the authorization of the service principal on behalf of the user. It usually involves user interaction. If you need to log in to the user, you can choose to grant the permission, and then you need to use the auth code flow to obtain an access token.
Application permission is the authorization of the service principal on their own behalf. It is usually used in a daemon where no user is logged in. If you do not need to log in to the user, you can choose to grant the permission, and then you need to use the client credential flow to obtain an access token.

Salesforce Streaming API Handshake denied

I am using streaming api and cometD in community.
It works fine for authorized users but still doesn't work for the Guest user, for example in an anonymous window. Every time I receive Handshake denied w/ error '401::Authentication invalid'.
What's the problem exactly? If I log in to the org in the anonymous window, then it works.
Perhaps you are using {!$Api.Session_ID}, which will return null in the case of a Salesforce Guest user,
because the Guest User doesn't have a session id to access the Salesforce streaming API.
You need to authenticate as a user in order to stream and subscribe to events for cometD.
If you want to stream events for guest users:
You have to spend a platform license by creating a dedicated user for it.
Save the creds of that user in custom settings.
Generate an access token using the creds.
Use the access token as the session id while subscribing to platform events for guest users.
Don't forget to remove the data access except for platform events.

Graph API access token for calendar read reports No Permissions

I need to use the MS Graph API to retrieve calendar data for Office365 resources. We need to do this in a server app, so prior consent is needed. I created an app registration in the Azure Portal that provides API permissions for Calendars.read, Calendars.read.shared, Users.Read.All, among other permissions. Admin permission has been granted for all. A client secret was created to support token issue.
I am successful in obtaining a token, but when I use the token to read a resource calendar (or even my calendar), I receive the following error:
"code": "NoPermissionsInAccessToken",
"message": "The token contains no permissions, or permissions can not be understood."
URL for GET request is something similar to the following:
https://graph.microsoft.com/v1.0/users/conferenceroom1#contoso.com/calendar
What's the proper way to set up a registration and use keys/secrets to read Graph API data for resource mailbox calendar events?
It seems that you granted delegated permissions, but you need the application permissions. Remember to grant admin consent after adding the permissions.
You can decode your token to check if you have the correct permissions by using https://jwt.io/
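As an added example (not code from any of the posts above), here is the decode-and-inspect check this answer and the delegated-vs-application answer describe, in Python: the `roles` claim marks an application token from the client credentials flow, the `scp` claim a delegated token from the auth code flow, and a token with neither is the NoPermissionsInAccessToken case. The tokens are constructed, unsigned fixtures, and the required-permission sets are assumptions taken from names on this page.

```python
import base64
import json

# Fixtures only: JWT-shaped strings with a placeholder signature. Real Azure AD tokens
# are signed and verified by the resource; inspecting the payload (as jwt.io does) is enough here.
def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unverifiable JWT for the examples below."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(payload), "sig-placeholder"])

def decode_payload(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def graph_permissions(token: str) -> tuple[str, set[str]]:
    """Classify the token and return its Graph permissions: app roles live in `roles`
    (client credentials flow), delegated scopes in the space-separated `scp` claim (auth
    code flow). A daemon token for an app granted only delegated permissions has neither."""
    claims = decode_payload(token)
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "none", set()

def check_call(token: str, required_any: set[str], want_kind: str) -> tuple[bool, str]:
    """Predict whether a Graph call accepts this token. `required_any` is the API's permission
    list (any one suffices); `want_kind` is 'application' for daemon calls, else 'delegated'."""
    kind, perms = graph_permissions(token)
    if kind == "none":
        return False, "NoPermissionsInAccessToken: token has neither roles nor scp"
    if kind != want_kind:
        return False, f"token is {kind} but this call needs {want_kind} permissions"
    granted = sorted(perms & required_any)
    if not granted:
        return False, f"missing any of {sorted(required_any)}; token has {sorted(perms)}"
    return True, f"ok via {granted[0]}"

# Constructed tokens: the misconfigured daemon from the calendar question, a user token, an app token.
EMPTY_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com"})
USER_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "Calendars.Read User.Read"})
APP_TOKEN = make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": ["Calendars.Read", "Teamwork.Migrate.All"]})
```

Running `check_call(APP_TOKEN, {"Calendars.Read"}, "application")` on a real token pasted in place of the fixture tells you in one line whether the admin-consented grant actually reached the token, which is the question both threads end up asking.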

Using Anypoint Access Management - Mulesoft APIs

Good morning. I am using the internal Mulesoft Access Management APIs (API Reference). I have successfully set up my Postman to get the security token after login, and even executed /api/users/me successfully. However, regardless of the access provided to the connection/login user, I can't get the full list of users (/api/users), receiving a Not authorized error.
Let me explain the context. We are running on a federated platform, so we can't manage user registration from the console, but need to wait until users log in through SSO for the first time to grant access to the corresponding business group and role. There is a complaint, as the users need to send the admin a note letting them know of their successful first login, and afterwards wait to receive access to the business group. After they log in for the first time, their profiles are created in the root org. You can see them only when you are in the master organization. However, you can't get their new user id when you request a list of users of this master organization (/api/organizations/{orgId}/users).
We are looking to execute this /api/users in a batch app that runs periodically and do a cross-verification to get the users not associated to any orgId or role. This way we can avoid the requirement of the user sending a note to the admin. When I execute /accounts/api/users (API Call), we receive a 401 Unauthorized response, even though the token is correct, as it is working fine with the other APIs. There is no mention of any other parameter or requirement in the API reference.
Please advise what can be done to solve this authorization error and complete our app. Thank you in advance.
Had the same issue but figured it out.
Instead of calling /api/users, you should be calling
https://anypoint.mulesoft.com/accounts/api/organizations/{orgId}/members
to get a list of users.