MS Graph API: OneDrive resource not found

I'm building a Windows service that connects to OneDrive for Business via the Graph API using this method:
https://graph.microsoft.io/en-us/docs/authorization/app_only
I've successfully authenticated my application and have a token for making calls to Graph API. I have given my Azure AD application permissions to both Windows Azure Active Directory and Microsoft Graph (all application and delegated permissions have been selected for both).
My goal is to get the contents of a folder that resides in a specific user's OneDrive. I need to make the following Graph API call:
//graph.microsoft.com/v1.0/users('user-guid')/drive/items/long-item-id-here/children
I can execute this request successfully using Microsoft Graph Explorer (logged in with my Office 365 credentials). When I try to make the same call as an application (using the auth token received above), I get an "itemNotFound" code with the message "The resource could not be found." (request-id: 5e814dce-c4c2-4615-90e6-ea8ab90cbc49). However, I am able to query the root and the "folder.childCount" property shows the correct number of children in the root:
//graph.microsoft.com/v1.0/users('user-guid')/drive/root
I've set the folder's sharing to "All Authenticated Users" and I still receive "The resource could not be found" from the API call.
Any ideas on what I'm missing here?

The marked answer is no longer the case. You can now access OneDrive and SharePoint resources using a Client Credentials grant (aka "App Only").
The applicable scopes are Files.Read.All, Files.ReadWrite.All, Sites.Read.All, Sites.ReadWrite.All
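As an added diagnostic (not code from the original post): before chasing "itemNotFound", inspect the access token the service actually holds. An app-only (client credentials) token carries its application permissions in the `roles` claim and has no `scp` claim; a delegated token is the other way round. The check below decodes the payload without verifying the signature (it inspects a token you already have, it does not validate one) and reports whether one of the Files/Sites application permissions listed above is present. The sample tokens are constructed inline for the demo; the Graph audience values are the well-known ones.

```python
import base64
import json

# Application permissions the answer above names for app-only access.
FILES_APP_ROLES = {"Files.Read.All", "Files.ReadWrite.All",
                   "Sites.Read.All", "Sites.ReadWrite.All"}
# Well-known audience values of a Microsoft Graph access token.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def _b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT
    checked: this inspects a token you already hold, it never trusts one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_files_access(token: str) -> dict:
    """Explain why a Graph token can or cannot reach OneDrive content."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    flow = "delegated" if scopes else "app-only"
    if flow == "app-only":
        files_ok = bool(FILES_APP_ROLES & roles)
    else:
        files_ok = any(s.startswith(("Files.", "Sites.")) for s in scopes)
    return {"flow": flow,
            "graph_audience": claims.get("aud") in GRAPH_AUDIENCES,
            "files_access": files_ok,
            "granted": sorted(roles | scopes)}

def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed for this example only)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

# Constructed sample tokens, not real credentials.
APP_TOKEN_NO_FILES = _constructed_token(
    {"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
APP_TOKEN_WITH_FILES = _constructed_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Files.Read.All"]})
DELEGATED_TOKEN = _constructed_token(
    {"aud": "https://graph.microsoft.com", "scp": "Files.Read User.Read"})
```

An app-only token whose `roles` list lacks every Files/Sites permission is the usual cause of the symptom in the question: the root still answers, but item lookups fail.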

The application is using App-only authorization which is currently not supported for accessing OneDrive for Business through Microsoft Graph API. Please use delegated flow, which is used by Graph Explorer.

Related

Access mailbox via Graph (MSAL.NET/Azure AD 2.0) from daemon service: administrator access should be limited to single mailboxes

When you access a mailbox of a specific user via a background service using MS Graph, the token will expire after 90 days since MSGraph (MSAL.NET/Azure AD 2.0) does not return a refresh token (see here).
Using administrator consent should resolve this issue, but the only choice is to get access to ALL mailboxes of the organization. This is way too great a security risk for this task.
Does anybody know a middle ground for this?
Is there a way to get the refresh token when using user consent, or limit admin consent to 1 mailbox?
Is this an issue that Microsoft should resolve?
Microsoft Graph documentation has provided a method to accomplish this requirement.
Just use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control.
New-ApplicationAccessPolicy -AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b -PolicyScopeGroupId EvenUsers@contoso.com -AccessRight RestrictAccess -Description "Restrict this app to members of distribution group EvenUsers."
See details from Scoping application permissions to specific Exchange Online mailboxes.

Connecting within ArcGIS application with resource

I have the following dilemma:
Using ArcGIS Enterprise 10.8, I have added a new item – Application – to a user's content.
This generates an Application item, with an App ID and APP Secret, along with App type and redirect URIs defined.
These can be used to generate an access token via the OAUTH2 token endpoint:
https:///sharing/rest/oauth2/token
using the parameters:
client_id=APPID&
client_secret=APPSECRET&
grant_type=client_credentials
ESRI States in their documentation:
“Successful authentication directly returns a JSON response containing the access token that allows the application to work with resources that are accessible to the application (that is, have been shared with the application). Use of the client_secret as previously described is mandatory.”
Question is: how do we share resources with the application?
The overall goal is to grant an external application (unknown user) access to portal resources (i.e. a layer item) via OAUTH2 app login.
Do you have any suggestions?
This is certainly confusing documentation, but I have found it useful to review this page: Limitations of App Login.
Specifically:
Applications cannot create, update, share, modify, or delete items
(layers, files, services, maps) in ArcGIS Online or ArcGIS Enterprise.
... If you want to access private content within an organization or
content that has been shared with a user, you must use the named user
login pattern for authentication.
For what you want to do, you'll most likely want to create a non-expiring refresh token based on a specific user, and store that in with your external application.

Permission to execute Mulesoft Anypoint Access Management APIs

I am using internal Mulesoft APIs from the Anypoint Access Management API Reference. I have successfully set up my Postman to get the security token after login, and even executed successfully the /api/users/me and several other APIs such as API creation, Portal creation, etc. However, regardless of the access provided to the connection/login user, I can't get the full list of users (/api/users) or the full list of organizations (/api/organizations), receiving a 401 Not Authorized error. What special permission does the connection user require to execute these 2 APIs?
Thanks in advance!
Had the same issue but figured it out.
Instead of calling: /api/users, you should be calling https://anypoint.mulesoft.com/accounts/api/organizations/{orgId}/members to get a list of users.

Is it possible to access Office 365 SharePoint/OneDrive APIs with App-Only credentials for a Multi-Tenant Azure App?

We currently have a web service which is accessing the EWS APIs for Mail, Calendar, and Contacts. For those, we used the "App-Only"/Client Credential flow to have app-to-app auth.
Now we'd like to extend our web service to access the SharePoint/OneDrive APIs. It looks like the preferred way to access these APIs is by making a request to the Discovery service; however, it seems that the Discovery service doesn't work with App-Only auth (see: Access Office 365 Discover Service with "app-only" token).
Another approach we've tried is to simply hard-code the SharePoint endpoint URLs.
* Connection #0 to host devunit1-my.sharepoint.com left intact
{
"@odata.context": "https://devunit1-my.sharepoint.com/_api/v2.0/$metadata#me",
"@odata.type": "#microsoft.coreServices.currentUserRequestContext",
"@odata.id": "https://devunit1-my.sharepoint.com/_api/v2.0/me",
"@odata.editLink": "me",
"id": null
}
We can hit the server, but trying to access /files gives us an error:
{
"error": {
"code": "-1, Microsoft.Office.Server.UserProfiles.UserNotFoundException",
"message": "User 'i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint' doesn't exist in UPA by UPN or SID, and user with this SID was not found in AD."
}
}
The third way we've tried is by using the Office365 Unified API using /users/<OMITTED User.objectId>/drive which fails giving:
{"odata.error"=>{"code"=>"Request_ResourceNotFound", "message"=>{"lang"=>"en", "value"=>"Resource 'drive' does not exist or one of its queried reference-property objects are not present."}}}
Is there something that we're doing wrong? Is it possible to access SharePoint/OneDrive data (either through the Files API or some other API) with App-Only credentials? If not, is there some work around we can use or do we have to create an entirely separate auth flow just to use the Discovery service?
When working with SharePoint Designer Workflow on SharePoint Online (Office 365) and trying to access the User Profile Service (UPS), make sure you follow the instructions in the following post, giving the Workflow App the necessary permission to the UPS, but make sure you don't run the REST call in an App Step. This cost me a lot of troubleshooting time, as I was getting the error mentioned above: "...app@sharepoint doesn't exist in UPA by UPN or SID, and user with this SID was not found in AD."
http://sharepoint-community.net/profiles/blogs/retrieving-user-profile-properties-in-a-sharepoint-2013-workflow
I hope it helps you too. Have fun.

"Could not update the configuration for app" error message when adding Office365 Unified Application permissions

I want to get started with the Office365 Unified API, so I decided to register a new web app in our Azure directory.
In the section "permissions to other applications", I select Office365 unified API (preview).
I can only set delegated permissions (I don't have all admin powers in our tenant), so I choose the ones I need (user profiles, sign-in; the exact number does not matter).
When I save the configuration I get the message
Could not update the configuration for app ""
Information tells me:
Unauthorized. You do not have sufficient permissions to access this resource.
The strange thing is that when I log out and return to the application in the Azure Portal, I do see those modifications in the configuration?!
Finally when I try to call the REST endpoint (with valid Accesstoken etc..) I get this message:
{"error":"invalid_grant","error_description":"AADSTS65001: No permission to access user information is configured for 'f1299649-ea20-4cf6-9cd6-afb69d9b5760' application, or it is expired or revoked.\r\nTrace ID: 69ab1a6c-eeda-4351-8e1e-2b774c19a5a0\r\nCorrelation ID: 968a962e-d851-48bb-ad6f-3f05ea7b8efe\r\nTimestamp: 2015-06-18 20:12:15Z","error_codes":[65001],"timestamp":"2015-06-18 20:12:15Z","trace_id":"69ab1a6c-eeda-4351-8e1e-2b774c19a5a0","correlation_id":"968a962e-d851-48bb-ad6f-3f05ea7b8efe","submit_url":null,"context":null}
So maybe the Azure Portal UI is right the first time and those permissions were never stored with the app?
The application details in https://portal.office.com/myapps tell me this:
Permissions
This app works with data in your documents. It will be able to:
Read directory data
Sign you in and read your profile
Read all users' basic profiles
Access the directory as you
Read directory data
Sign-in as you and read your profile
What would be the next step to take to get this to work?
What is your app trying to do (in terms of access to users, groups etc)?
Access the directory as you is a permission that requires admin consent. The portal unfortunately has a bug that it appears as though you have the permission, but that's not true. That's because there are 2 elements here - configuring the permissions your app needs which drives the consent experience AND the consent grant. The portal (under the covers) tries to consent the app for the permissions it requires within the developer tenant. A non-admin in this case has permissions to update the app configuration, but not to consent for those permissions in their tenant.
Hope this helps,
It is impossible to set permissions to Office 365 Unified API for your application even if you are tenant administrator due to error. I have tried it. Remember that whole Unified API is in Preview mode so there will definitely be other errors.