When you access a mailbox of a specific user via a background service using MS Graph, the token will expire after 90 days since MSGraph (MSAL.NET/Azure AD 2.0) does not return a refresh token (see here).
Using administrator consent should resolve this issue, but the only choice is to get access to ALL mailboxes of the organization. This is way too great a security risk for this task.
Does anybody know a middle ground for this?
Is there a way to get the refresh token when using user consent, or limit admin consent to 1 mailbox?
Is this an issue that Microsoft should resolve?
Microsoft Graph documentation has provided a method to accomplish this requirement.
Just use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control.
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers#contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
See details from Scoping application permissions to specific Exchange Online mailboxes.
Related
GOAL: Create users in Azure Active Directory using our Global Admin account from an API.
PROBLEM: Every single way I try, I get "unauthorized".
WHAT I'VE TRIED:
I've been focusing mostly on this: https://graph.microsoft.com/v1.0/invitations
I've tried as outlined here
the "Authorization Bearer {token}" is problematic -- I can't seem to properly retrieve tokens, using any of the built URLs recommended (ie, combining ClientID & TenantID in the URL.)
I've tried the relevant portions of this, including creating the app, setting permissions on the app, trying both Web API and Native. I'm able to get a code back, but using it always comes back with Unauthorized.
As an aside, I am using Nintex to run this web service, as it is part of my workflow. Typically, web services don't give me issues. So, this sucks.
I'm missing something, here. Any thoughts or direction?
UPDATE: Removed the word "method" - bad choice of phrasing.
If you want to use Microsoft Graph explorer to create user as the global admin, you could use POST https://graph.microsoft.com/v1.0/users, and the required permission is:
Permissions
For the details, you could read Create user.
Global admin runs as a user by default. To grant access to Active Directory, you need to elevate permissions in the portal.
I'm not convinced you have the permissions to create the user, and that's why I think you're getting the error.
Also, try and avoid using Global Admin. Create a Service Principal and provide more granular permissions.
I am using internal mulesoft APIs from Anypoint Access Management API Reference. I have successfully setup my postman to get the security token after login, and even executed successfully the /api/users/me and several other APIs as API creation, Portal creation, etc. However, regardless of the access provided to the connection/login user, i can't get the full list of users (/api/users) or full list of organizations (/api/organizations), receiving a 401-Not authorized error. What special permission does the connection user require to execute these 2 APIs?
Thank in advance!
Had the same issue but figured it out.
Instead of calling: /api/users, you should be calling https://anypoint.mulesoft.com/accounts/api/organizations/{orgId}/members to get a list of users.
I'm building a Windows service that connects to OneDrive for Business via the Graph API using this method:
https://graph.microsoft.io/en-us/docs/authorization/app_only
I've successfully authenticated my application and have a token for making calls to Graph API. I have given my Azure AD application permissions to both Windows Azure Active Directory and Microsoft Graph (all application and delegated permissions have been selected for both).
My goal is to get the contents of a folder that resides in a specific user's OneDrive. I need to make the following Graph API call:
//graph.microsoft.com/v1.0/users('user-guid')/drive/items/long-item-id-here/children
I can execute this request successfully using Microsoft Graph Explorer (logged in with my Office 365 credentials). When I try to make the same call as an application (using the auth token received above), I get an "itemNotFound" code with the message "The resource could not be found." (request-id:
5e814dce-c4c2-4615-90e6-ea8ab90cbc49). However, I am able to query the root and the "folder.childCount" property shows the correct number of children in the root:
//graph.microsoft.com/v1.0/users('user-guid')/drive/root
I've set the folder's sharing to "All Authenticated Users" and I still receive "The resource could not be found" from the API call.
Any ideas on what I'm missing here?
The marked answer is no longer the case. You can now access OneDrive and SharePoint resources using a Client Credentials grant (aka "App Only").
The applicable scopes are Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All
The application is using App-only authorization which is currently not supported for accessing OneDrive for Business through Microsoft Graph API. Please use delegated flow, which is used by Graph Explorer.
I am using the following project: https://github.com/OfficeDev/O365-ASPNETMVC-Start
I set the configurations as requested in the documentation but I am receiving an error after sign in.
Cause Action
AdalException This exception is thrown when either you have a stale O365 access token that can cause authentication errors, or you attempted to access a resource that you don't have permissions to access.
Make sure the app is configured with the correct service permissions in the Services Manager menu. If any of these permissions are not configured, or configured incorrectly, some parts of the app may throw an error. For example Right click the project, select Connected Service..., and ensure the following permissions are set for this app:
(Calendar) – Have full access to users’ calendar and Read users' calendar
(Contacts) – Have full access to users’ contacts and Read users' contacts
(Mail) - Send mail as a user, Read and write access to users' mail, and Read users' mail
(Users and Groups) – Enable sign-on and read users’ profiles.
The permissions are set correctly:
How can I solve this problem?
You are missing the Send permission under the Mail API.
I fixed the problem...I was logging with the developers account without an assigned license. You have to create a new user and ensure that it has the Microsoft Office 365 Developer set as Assigned license.
If not this error would occur:
When making a request as an account that does not have a mailbox, you must specify the mailbox primary SMTP address for any distinguished folder Ids.
I want to get started with the Office365 Unified API , so I decided to register a new web app to our azure directory.
In the section: "permissions to other applications" , I select Office365 unified API(preview)
I only get set delegated permission (I don't have all admin powers in our tenant), so I choose the ones I need (user profiles, sign-in , the exact number does not matter).
When I save the configuration I get the message
Could not update the configuration for app ""
Information tells me:
Unauthorized. You do not have sufficient permissions to access this resource.
The strange is , that when I log out and return to the application in the Azure Portal, I do see those modification in the configuration ?!
Finally when I try to call the REST endpoint (with valid Accesstoken etc..) I get this message:
{"error":"invalid_grant","error_description":"AADSTS65001: No permission to access user information is configured for 'f1299649-ea20-4cf6-9cd6-afb69d9b5760' application, or it is expired or revoked.\r\nTrace ID: 69ab1a6c-eeda-4351-8e1e-2b774c19a5a0\r\nCorrelation ID: 968a962e-d851-48bb-ad6f-3f05ea7b8efe\r\nTimestamp: 2015-06-18 20:12:15Z","error_codes":[65001],"timestamp":"2015-06-18 20:12:15Z","trace_id":"69ab1a6c-eeda-4351-8e1e-2b774c19a5a0","correlation_id":"968a962e-d851-48bb-ad6f-3f05ea7b8efe","submit_url":null,"context":null}
So maybe the Azure Portal UI is right the first time and those permissions where never stored with the app ?
the application details in https://portal.office.com/myapps tell me this:
Permissions
This app works with data in your documents. It will be able to:
Read directory data
Sign you in and read your profile
Read all users'basic profiles
Access the directory as you
Read directory data
Sign-in as you and read your profile
What would be the next step to take to get this to work ?
What is your app trying to do (in terms of access to users, groups etc)?
Access the directory as you is a permission that requires admin consent. The portal unfortunately has a bug that it appears as though you have the permission, but that's not true. That's because there are 2 elements here - configuring the permissions your app needs which drives the consent experience AND the consent grant. The portal (under the covers) tries to consent the app for the permissions it requires within the developer tenant. A non-admin in this case has permissions to update the app configuration, but not to consent for those permissions in their tenant.
Hope this helps,
It is impossible to set permissions to Office 365 Unified API for your application even if you are tenant administrator due to error. I have tried it. Remember that whole Unified API is in Preview mode so there will definitely be other errors.