Showing "Forbidden" message when creating meetings MS Teams - api

I am trying to integrate ms teams API to my project. I have created an app in the Azure portal.I have added permissions User.ReadWriteAll and Meetings.ReadWriteAll.I can create a user through API but I am not able to create a meeting. Is there anything else I need to do for creating a meeting using API.
UPDATE
I gave delegated permission for creating the meeting,but unable to create the meeting.
Error Message
{code:"Forbidden",message:"Forbidden",innerError:{"request-id":"e1abb815-09d3-4b78-5063-39b0236c0968","Date":"2020-06-09T04:14:39"}}
Permissions
Screenshot of permission

You should check what kind of permissions are added for your app. To be able to create a meeting, only delegated permission OnlineMeetings.ReadWrite is supported - https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings?view=graph-rest-1.0&tabs=http#permissions
If you have added an application permission, then the request for creating meetings won't work.
Update:
In the beta version of the MS Graph API, there is an OnlineMeetings.ReadWrite.All application permission which doesn't seem to be implemented yet. There is a note on the documentation page (https://learn.microsoft.com/en-us/graph/api/application-post-onlinemeetings?view=graph-rest-beta&tabs=http#permissions) that supports this.
Creating an online meeting with an application token will be supported
in the near future.

It depends on whether there is user interaction.
If you are get access on behalf of a userhere,follow this way app-user,just add delegated permission OnlineMeetings.ReadWrite.please check
If you get access without a userhere,follow this way app-only,just add application permission OnlineMeetings.ReadWrite.All.(Please note that this method can only use beta version https://graph.microsot.com/beta).please check beta version
Update:

Related

Azure ad graph api

I'm testing Azure Graph API.
and I'm trying to find an API that allows me to retrieve only users that are assigned to a specific app I created.
In app registration page, I gave a user.read.all permission, but the get user API gives me all users that are in the AD and not only that are assigned to the app I created. Should I change the permissions? or to access an another API?
Does anybody know what to do?
Thanks
Additionally, This object id should be based on service principal and not the application registration here.
You can retrieve the object Id from Azure AD->Enterprise Applications->Your app->object ID.
You need to have at least Application.Read.All and Directory.AccessAsUser.All for delegated permissions or Application.Read.All for application permission based on user or application context.
For specific details, you can add $select parameter to show only the displayName of the users assigned to the app.
https://graph.microsoft.com/v1.0/servicePrincipals/{object Id}/appRoleAssignedTo?$select=principalDisplayName
As a workaround you can use the below graph API to get the list of users.
https://graph.microsoft.com/v1.0/servicePrincipals/{ObjectID}/appRoleAssignedTo
Note: The above graph API gives the Object Types User and Service
Principle as well
As discussed in the MS Q &A Platform This endpoint currently does not support filters based on appRoleId. In fact, except that the id parameter can be filtered, the three parameters appRoleId, principalId, and resourceId do not support filtering. Similar issues have been raised before.

Azure AD and Authorization on self Developed Applications

I have read the documentation on Microsoft.com and have only got answers about giving Applications authorization to talk to eachother but not how to implement a permission system on each different application that I have.
I basically want to know what the best practices are to implement Authorization on my .Net API and Angular Client.
I would use Azure AD to redirect external and internal users to the Microsoft Sign-In Page, I am missing a fine grained Permission system to authorise users to access different Resources on the API or on the Angular Web Application.
Wo I have to set up a DB for my API with permissions?
How do I add new users to my DB after registering them to my AD?
Im really confused here, so my questions arenĀ“t really as clear as I wish I could write them.
Compiling comments to a proper answer:
Per-user permissions are limited to appRoles, roles that you can give in Azure AD to users. You can also use security groups to achieve a similar thing if you want. But anything finer-grained has to be implemented on the app side.
For identifying users you can use one of two claims in the user Id token / access token. oid or sub. The oid is the unique immutable object id in Azure AD. The sub claim is a unique immutable id within your app. So every app gets the same oid, but a different sub for the same user. The oid claim is also used when calling e.g. MS Graph API to identify the user.

How to avoid script authorization prompt when G-Suite user is accessing G-Suite trusted app script?

I wrote an app script which provides a web UI for data entry into a team calendar. I published it using G-Suite super admin account and added it as Trusted App under Security/API Permissions. "Trust domain owned apps" is checked under "Internal App Settings".
When a G-Suite user in our organization tries to access the app, he sees
"The developer of ShiftSchedulingApp, admin#_our_organization_.org, needs your permission to access your data on Google."
Those brave enough to click "Review Permissions" are taken to the next message:
"ShiftSchedulingApp wants to access your Google Account. See, edit, share, and permanently delete all the calendars you can access using Google Calendar"
Of course nobody wants to risk losing all the calendars on their Google Account and this is where it ends.
How do I get rid of this misleading message? It's not Google account, it's their organization account on G-Suite. It's not all their calendars, it's the shared team calendar only. It's adding data, not permanently deleting calendars. It's published by their administrator in their G-Suite, not an unknown 3rd party.
I spent days trying to make this message go away but no luck. App must be executed as an accessing user and not as publishing user because their user ID determines what shifts they can fill on a calendar.
I'd appreciate any hints pointing me the right direction.
I experimented with variations of the two-app approach as suggested.
The app which provides the UI needs to read the calendar to display available shifts - so I can't get away from the user authorization prompt.
Another variation I tried was having one app do everything and run as me, and another do nothing but return Session.getActiveUser(). I tried calling the 2nd one from the 1st one on the client side via XMLHttpRequest. It would be ideal for my needs - but I hit CORS error as apps URL is script.google.com but it actually gets redirected to script.googleusercontent.com. There doesn't seem to be a way to set CORS in Google App Script.
Although I was not able to find a way to avoid prompting users for authorization when executing the app as accessing user, it turns out my reasons for doing that were based on a false premise.
I chose to publish app as accessing user because I thought that's the only way to get accessing user Id - which is true for non-G Suite accounts.
However, when app is published by a G Suite account, the app can get accessing user ids within the same G Suite domain even when it's set to execute as publishing user.
Thanks Niek and TheMaster for your help!
If you just need user ID, why do you ask for all those permissions?
Possible Solutions:
2 web-apps- One running as you and another as user accessing (with only profile) permission. The second one will be the actual web interface and POST necessary information to the first one with privileges. OR
Implement your own web-app Google-sign in1
Use the least permissive2 scope3

How to get current user permissions using JIRA SOAP API?

I'm developing a JIRA Client using the SOAP API and I want to check in advance what features the user will have available.
For example I don't want to show a button to comment on an issue if the user doesn't have Add Comments RemotePermission.
I tried with getAllPermissions method, but it seems it gets all permissions int the application, not the ones that the user has.
Not easy. There is a method for checking comment permission in 4.4 but not for all permissions in general, IIRC.
http://docs.atlassian.com/rpc-jira-plugin/4.4/com/atlassian/jira/rpc/soap/JiraSoapService.html#hasPermissionToEditComment(java.lang.String, com.atlassian.jira.rpc.soap.beans.RemoteComment)
Better to go with REST if you can.

Using generic open graph objects and actions, and the publish_actions permission?

I'm trying to use the beta open graph API to publish about a user playing songs in my app. Besides the "normal" Open Graph docs, I found these:
https://developers.facebook.com/docs/opengraph/music/
Unfortunately I am not able to add generic actions like 'music.listens' or generic objects like 'music.song' to my app in the dev app. In order to get the publish_actions permission, however, I seem to be obliged to add at least an action, an object and a preview aggregation. If I don't, the auth dialog won't ask for the publish_actions permission.
When I do all this, I am able to get the publish_actions permission, but still I cannot publish a user listening to a song.
I get a 500 error 'OAuth "Facebook Platform" "unknown_error" "An unknown error has occurred."' when I try to publish by POSTing a request to this url:
https://graph.facebook.com/me/music.listens?song=http://open.spotify.com/track/34uKquOrQLgzBsUbFTkMTc&access_token=[...]
Is the publish_action permission bound to actions and objects that I have created within the namespace of my app? If so, how should I go about when I want to perform generic actions on generic objects? Or could this just be that I cannot use the spotify song for testing?
Hope someone can help.
Erwin
The built in music actions and objects are currently only available to the music launch partners.
In the meantime, please create your own custom song objects and listen actions.
publish_actions is the permissions used for all publishing of actions, custom and built-in.