I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow:
Related
I am new to the Microsoft Graph PowerShell SDK.
The commands below all launch a browser tab where I am prompted to login.
I login with my Microsoft account which has these roles:
SharePoint Administrator
Global Reader
Power Platform Administrator
The account is also specified as an Admin of the global term store taxonomy.
In order to list all sites in a tenant (List sites), I try to connect with:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"
In order to export term store taxonomy (Get store), I try to connect with:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "TermStore.Read.All", "TermStore.ReadWrite.All"
In both these instance, after logging in with my admin account, I am getting the error shown below in the browser:
Need admin approval
unverified
needs permission to access resources in your organization that only an admin can grant.
Please ask an admin to grant permission to this app before you can use it
I do not get this error when connecting with the following:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"
Troubleshooting
Perhaps the research below can shed some light on an answer as to why this is happening and how to resolve it?
If I look at the docs for the Graph API endpoints I am wanting to query, I can see the Permissions are as follows:
List sites
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Not supported.
Delegated (personal Microsoft account)
Not supported.
Application
Sites.Read.All, Sites.ReadWrite.All
Get store
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
TermStore.Read.All, TermStore.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
Not supported.
How do these permissions relate to using the Graph PowerShell SDK?
Per the quote below from the official docs, I believe using the SDK as I have above is considered delegated access?
The PowerShell SDK supports two types of authentication: delegated
access, and app-only access. In this guide, you'll use delegated
access to sign in as a user, grant consent to the SDK to act on your
behalf, and call the Microsoft Graph.
So I guess my scenario is Delegated (work or school account)?
Questions
01) If so, does that mean I cannot make any request where the API docs define the Permissions as:
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Not supported.
02) If that is the case, does that mean that the Microsoft Graph PowerShell SDK is not a good tool for administering SharePoint Online (because, according to the API reference docs, many of the endpoints are 'not supported' by a Delegated (work or school account))?
Thanks for reaching out to us , this looks like you are not using your admin account, please cross check the account you are logging in PowerShell. please follow below steps .
Try to disconnect your previous account from PowerShell (use command Disconnect-MgGraph)
Then try connect with your account ,use Connect-MgGraph
You will get a pop up , select the account in which you are the admin.
Then run the command and try again
Edited :
Agree with scottwtang comments ,If you are using the correct account make sure admin consent requests are Enabled in your tenant , you can check by following the below steps and ask your Global Administrator to grant admin consent
To check the admin consent workflow and choose reviewers:
Sign in to the Azure portal with one of the roles listed in the
prerequisites.
Search for and select Azure Active Directory.
Select Enterprise applications.
Under Manage, select User settings. Under Admin consent requests,
select Yes for Users can request admin consent to apps they are
unable to consent to . Configure admin consent workflow settings
ref doc - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
Hope this help ,
Thanks
I am currently trying to implement the use of the Acumatica REST APIs in a project I am working on. I am able to successfully log in to the application.
The issue is when I try to access additional data, customers for example, I receive the following message: {"message": "You have been logged out because your account has been disabled. Please contact your system administrator."} in the form of a 403 error.
I checked my account permissions and I do have the System Admin Role on the account I am using to log in to Acumatica. Below is a screen shot of my postman.
You probably have the admin user disabled.
Some function of Acumatica impersonate the admin user in order to complete their task. Some of these functionalities include the web services, the scheduler and the integration services.
Enabling the admin user should fix the issue you are facing.
I have an office 365 account from work and it is not admin. When I try the Graph API for Planner to get all the plans, It responds with Insufficient privileges to complete the operation. I know that it requires the permission of "Group.ReadWrite.All". If I ask my boss for this permission, Is it going to be limited to my account only or is it going to make my account an admin which i will not likely get it.
If you are using Application Registration Portal to get the token:
In Application Registration Portal set the permission that you need, for example
Group.ReadWrite.All and Directory.AccessAsUser.All. Always you must use Directory.AccessAsUser.All because users need login and get the token.
When save Application Registration Portal go to Azure Portal, in Azure Active Directory --> Enterprise applications --> click in you application --> "click in consent permission for username..." --> login --> accept.
Use librarys as hellojs and get a token.
I want to get details of Azure Subscription of my client. But I do not want to ask for special permission from client.
What I need is the bare minimum things from my client so that I can login from powershell or rest api and read status of runbook jobs.
If i login from admin account of the subscription than I can easily get those details. But you understand it is not possible to have admin account credential of my client.
Please suggest some workaround.
What you need to do is create a user in Azure Active Directory and grant that user specific rights using either the Azure Portal or PowerShell\Cli\SDK.
Say read all, or read properties of desired automation account. If you would want like a super minumim, you would need to create a custom role first.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
If your client placed specific resources within a Resource Group, they may grant you permissions on just that Resource Group (including read-only permissions). This would allow you to have access to needed resources, without having access to other areas of their subscription.
we've seen this SO question already and using the O365 REST API we have a working Oauth2 workflow that authenticates an O365 user and returns an access token. Our question is: Once we have an access token for a user, how can we discover the user's SharePoint servers (and associated endpoints) without knowing the authenticated user's O365 SharePoint server URLs ahead of time?
Our application uses Oauth2 workflows to access data on behalf of users from GitHub, DropBox, Google Docs and other services, and typically once user permission has been granted and we have an access token there is a straightforward way of querying/retrieving the resources for the user via the access token.
Once we have an access token, we're calling the O365 Discovery Services. If I'm reading the docs correctly, we should be getting back ServiceInfo entries on a request to the O365 /Services endpoint with an access token, like this:
https://contoso-my.sharepoint.com/personal/alexd_contoso_com
https://contoso-my.sharepoint.com
But at present we only get back O365 File and Contact ServiceInfo entries, even though in the Azure Portal when we created our app we specified Office 365 SharePoint Online Delegated Permission ('Read List').
If there are different O365 endpoints we should be hitting once we have an access token in order to discover a user's SharePoint servers, or if we're using the Discovery Services wrong, please provide a few pointers -- We want to solve this problem in a generic fashion based on Oauth2 workflow and don't want to prompt the user for things like O365 SharePoint Server URLs.
Lastly I'd mention that we're accessing this info in a purely RESTful fashion and we have no Windows-specific dependencies (in fact we're building things on the JVM) so a workable solution for us must not depend on Windows-only APIs or platforms.