I am trying to use graph.microsft.com apis for user invinting to the AD account.
I was able to invite but when try to get the token using
https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token i am getting the above error.
I am using this key along with other required keys in the header.
[{"key":"resource","value":"https://graph.microsoft.com","description":""}]
Can you please let me know what is the issue?
Complete log.
{
"error": "invalid_grant",
"error_description": "AADSTS50034: The user account Microsoft.AzureAD.Telemetry.Diagnostics.PII does not exist in the xxxxx.onmicrosoft.com directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 5537uiy4b-4473-4cfb-b45c-1281f61e2100\r\nCorrelation ID: 8121era7-8df4-47d5-8cc5-3d2f8371029b0\r\nTimestamp: 2019-02-26 11:04:46Z",
"error_codes": [
50034
],
"timestamp": "2019-02-26 11:04:46Z",
"trace_id": "5537db4b-4473-4cfb-b45c-1281f61e2100",
"correlation_id": "812138a7-8df4-47d5-8cc5-3d2f8a1029b0"
}
On my side, I ever encountered this error. For this error, you need to check the user account that you used, the user type must be member in your Azure AD tenant, cannot be guest.
Related
Here is the scenario to reproduce the error:
Take a Microsoft Education Tenant (Demo Tenant is sufficient)
Create a fresh user with valid office 365 license and usage location
Disable the account (set block sign-in) to true in Azure Portal
Create a group and add this user as member
That's the minimum scenario we need. It is also possible to have other (enabled) users within the group, but that doesn't change the behaviour. Now let's follow the documentation to create a class notebook:
POST https://www.onenote.com/api/v1.0/myOrganization/groups/{groupId}/notes/classNotebooks/?omkt=de-de
{
"name": "Class notebook of my group",
"teachers": [],
"students": [],
"studentSections": [],
"hasTeacherOnlySectionGroup": true
}
So, the unified group has just one member with an disabled account, but this specific user is NOT added into the teachers or students section of the create request. Nevertheless the following error message occurs:
System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (NotFound).
{
"error": {
"code": "30109",
"message": "The following users are invalid: Message: Der angegebene Benutzer disabled.user#mydomain.com wurde nicht gefunden., ServerErrorCode: -2146232832, ServerErrorTypeName: Microsoft.SharePoint.SPException",
"#api.url": "https://aka.ms/onenote-errors#C30109"
}
}
After getting the clarification from Marc our current procedure is as follows:
Get a list of all disabled users.
Enable all of them.
Wait one minute (cause Graph needs some time to propagate this).
Create the course notebook through OneNote API.
Disable all users from the initial list again.
With this everything works as expected.
The error message isn't clear but Teachers maps Owners and Students maps to Members. So even though you didn't specify this user in the students collection, they are a member of the Group and therefore they're considered part of the students collection.
When an 30109 error like this is encountered, the only workaround is either iterate through the Owners and Members and remove any disabled accounts, or parse the message property for the UPN (disabled.user#mydomain.com). It is less than ideal I know.
I am getting this error when trying to create a "transfer" to transfer the contents of one bucket in Google Cloud to another bucket in Google Cloud under the same owner:
To complete this transfer, you need the 'storage.buckets.setIamPolicy' permission for the source bucket. Ask the bucket's administrator to grant you the required permission and try again.
I have no idea what I'm supposed to do. I tried going to "Bucket -> Permissions -> Add Members -> myemail.com for Storage -> ...Admin" but I just keep getting "IAM policy update failed".
Please help on what to do to get this working so I can make my files publicly accessible.
I am using Node.js if that helps.
If I even try to fetch the photo and bypass it directly, I can't even do that :/
const { Storage } = require('#google-cloud/storage')
const storage = new Storage({
projectId: 'my-bucket'
})
const bucket = storage.bucket('my.bucket')
app.get('/photo/:photo.:ext', (req, res) => {
const remoteFile = bucket.file(`photo/${req.params.photo}.${req.params.ext}`)
remoteFile.createReadStream().pipe(res)
})
Can't do this either:
const opts = {
includeFiles: true
};
bucket.makePublic(opts, function(err, files) {
// `err`:
// The first error to occur, otherwise null.
//
// `files`:
// Array of files successfully made public in the bucket.
console.log(arguments)
});
Cannot get legacy ACLs for a bucket that has enabled Bucket Policy Only. Read more at https://cloud.google.com/storage/docs/bucket-policy-only.
$ gsutil iam ch allUsers:objectViewer gs://my.bucket
ServiceException: 401 Anonymous caller does not have storage.buckets.getIamPolicy access to my.bucket.
The error clearly indicates a missing permission on the Source bucket. I recommend you confirm that the Owner on the Source bucket has the Permission, storage.objects.getIamPolicy(IAM&admin --> IAM Menu --> Filter by the Owner's email address --> check the role on it). Then, you can check if the roles has that permission, storage.objects.getIamPolicy (go to IAM&admin -->Roles and then, search for specific role --> Click on it and it would show the list of assigned permission. Ensure that storage.objects.getIamPolicy is one of the permissions listed for the Role
Meanwhile, for you to be able to grant access to specific buckets, your account role must be a Storage Admin. So, if your account does not have that role, you would need someone that has that role to be able to grant access or have other control over the bucket
I expect you have found a solution to this on your own.
But for anyone getting the same error message i got this when trying to set up a transfer from the cloud console. I had done a transfer before between these two storage buckets and not changed the name of the transfer, so the second time trying this the suggested name was the same as the previous. I changed the transfer name to a unique one and that solved the issue for me.
No idea why i kept getting this error message as permissions was not part of the problem.
I am currently trying to catch an edge case when a user removes my app as a third party app without having us aware of the event. I currently don't know of any way that google would let me know if a token has been revoked until I get a google.auth.exceptions.RefreshError: ('invalid_grant: Token has been expired or revoked.', '{\n "error": "invalid_grant",\n "error_description": "Token has been expired or revoked."\n}')
I've tried manually 'pinging' the google client before I auth the user, but it seems a bit slower than just catching and handling the error when it occurs. I've also tried directly importing the auth error. import google.auth.exceptions.RefreshError as AuthError
Retrieving credentials:
storage = Storage(GCalUser, 'gcal_user', request.user, 'credentials')
user_credentials = storage.get()
Actual call:
try:
calendar_service = googleapiclient.discovery.build('calendar', 'v3', credentials=user_credentials)
print("Error 2: " + str(calendar_service))
except calendar_service:
pass
Looking for way to direct the user to a different page if there is an error on auth. Currently it just fails with the google.auth.exceptions.RefreshError: ('invalid_grant: Token has been expired or revoked.', '{\n "error": "invalid_grant",\n "error_description": "Token has been expired or revoked."\n}')
Fixed with explicitly fully importing the error from the module from google.auth.exceptions import RefreshError. As it turns out, the error wasn't thrown on building with the user credentials but was thrown on executing using the api.
try:
calendar_list = calendar_service.calendarList().list(pageToken=page_token, minAccessRole="writer").execute()
except RefreshError:
print("Hello debugging!")
I started with Facebook Marketing API today.
I am simply trying to read the campaigns from my Facebook Business account. I have an Ad account and a Campaign created there.
I suppose my issue is with generating the Token.
I am simply generating the token from here: https://developers.facebook.com/tools/explorer?classic=0
And the error I get is:
{ error:
{ message: 'Unsupported get request. Object with ID \'10xxxxxxxx\' does not exist, cannot be loaded due to missing permissions, or does not support this operation. Please read the Graph API documentation at https://developers.facebook.com/docs/graph-api',
type: 'GraphMethodException',
code: 100,
error_subcode: 33,
fbtrace_id: 'E5CAU6UvHwF' } }
My Node.js code is:
const readCampaign = async (program) => {
const accessToken = TOKEN
const api = adsSdk.FacebookAdsApi.init(accessToken)
const account = new AdAccount('act_' + program.accountid)
console.log('act_' + account.id) // fields can be accessed as properties
let result
account.read([AdAccount.Fields.name])
.then((account) => {
return account.getCampaigns([Campaign.Fields.name], { limit: 10 }) // fields array and params
})
.then((result) => {
campaigns = result
campaigns.forEach((campaign) => console.log(campaign.name))
}).catch(console.error);
console.log(result)
}
To generate the Token I am choosing the App I created, "Get User Access Token" and then selected all possible permissions there - just to test this.
What am I doing wrong? Thanks
I suspecting this is due to a permission error.
First I would check that your app has access to the account you are trying to access.
Then I would suggest creating a system user through your business manager (can be found under business settings ), assigning it access to ad accounts, and utilizing the the system user's token when initializing the library.
One big advantage is that the system users's token does not have such a short expiration time.
Facebook system user doc
For creating a group, a user and assigning the user to that group, I referred this link Add permission profile through API.
Using REST APIs I am able to do that but permission for user is not getting set.
When I check in DocuSign, group is having correct permission set but same is not set for a user. Please let me know if I am missing anything.
Additional Information: This is the request I am sending
{
"newUsers":[{
"email":"'.$email.'",
"userName":"'.$userName.'",
"password":"'.$password.'",
"groupList": [{
"groupId": "'.$groupId.'",
"groupName": "'.$groupName.'",
"permissionProfileId": "'.$permissionId.'"
}]
}]
}
Also, when a user is added to a group, permissions set at group level will be applied to the users. Is there something missing?
When you create a permission profile you use this endpoint:
POST {vx}/accounts/{accountid}/permission_profiles
the response body for that endpoint should contain this info ( I omitted some details from the response)
{
"permissionProfileId": "sample string 1",
"permissionProfileName": "sample string 2",
...
}
Once you have the permissionProfileId and permissionProfileName you should be able to assign that permission profile to a user using this endpoint:
PUT {vx}/accounts/{accountid}/users/{userid}
and using the permissionProfileId and permissionProfileName in your request (I used dummy values here):
{
"permissionProfileId": "12345",
"permissionProfileName": "SomeName"
}
I hope that helps!
-Yadriel