I am trying to read sharepoint user profiles using REST Api on userprofiles.peoplemanager Service.
We defined an application in azure AD, with "Sharepoint: read user profiles" permission for both application and on behalf of a user.
When i request the service on behalf of a user (for example getpropertiesfor(#v) with any user identifier passed as parameter), everything is working fine.
When i execute the exact same request on behalf of the application, i'm getting a HTTP 500 error.
Am i doing something wrong ?
What am i supposed to be allowed to execute on behalf of an application with the Azure AD permission "Sharepoint: read user profiles" ?
Related
I am trying to access a SP site outside of my tenant using a guest account provided by the third-part company.
According to them, the access is given using Azure B2B (ExternalAzureAD).
I want to access the SP site using Power Automate to copy files to my tenant. It is a specific list, but not specific files.
I tried performing common HTTP SP Rest requests (the connector using the guest account) and HTTP using AAD, but I keep having "401 UNAUTHORIZED" as a response.
Any ideas on how to perform this call? I have very little room for requests with the third-part company, and a request to register an application user to generate a token for me is almost certain to be denied.
What could I try here?
Thanks!
I am currently trying to implement the use of the Acumatica REST APIs in a project I am working on. I am able to successfully log in to the application.
The issue is when I try to access additional data, customers for example, I receive the following message: {"message": "You have been logged out because your account has been disabled. Please contact your system administrator."} in the form of a 403 error.
I checked my account permissions and I do have the System Admin Role on the account I am using to log in to Acumatica. Below is a screen shot of my postman.
You probably have the admin user disabled.
Some function of Acumatica impersonate the admin user in order to complete their task. Some of these functionalities include the web services, the scheduler and the integration services.
Enabling the admin user should fix the issue you are facing.
I had the Exchange Server Admins create an email account for me that I could use for EWS API testing (it was not an AD account). I used EWS api with no problem (using webCredentials). This app that uses EWS API consumes information from a mailbox and does stuff with it.
Now we had a service account created that will be used for a service on a server running the application. If I use the credentials for this service account (when I entered the credentials via WebCredentials) I get a 401 UnAuthorized.
I also used the EWSEditor and the same thing happens.
Any ideas about what I should be looking for or what to ask the AD/Exchange admins to check/change, etc?
I had the Exchange Server Admins create an email account for me that I could use for EWS API testing (it was not an AD account)
So this is technically incorrect, eg there is no such thing as an email account with Exchange you have an AD Account and the administrator then creates a Mailbox that is associated with that Active Directory Account (so be careful with what the admins are telling you if they are saying there is no AD Account).
Now we had a service account created that will be used for a service on a server running the application. If I use the credentials for this service account (when I entered the credentials via WebCredentials) I get a 401 UnAuthorized.
Is the service account mail enabled ? the easiest thing to do is ask them to Mail Enable (create a Mailbox) for the service account (if they don't want it to appear in the GAL then tell them to hide it). You should then be able to logon and at least access the Mailbox of the service account as you where with you previous code or the ewsEditor. To then access the Target Mailboxes you want to access you just need to be assigned rights (Eg add-MailboxPermissions and wait 15 minutes for application).
I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow:
we've seen this SO question already and using the O365 REST API we have a working Oauth2 workflow that authenticates an O365 user and returns an access token. Our question is: Once we have an access token for a user, how can we discover the user's SharePoint servers (and associated endpoints) without knowing the authenticated user's O365 SharePoint server URLs ahead of time?
Our application uses Oauth2 workflows to access data on behalf of users from GitHub, DropBox, Google Docs and other services, and typically once user permission has been granted and we have an access token there is a straightforward way of querying/retrieving the resources for the user via the access token.
Once we have an access token, we're calling the O365 Discovery Services. If I'm reading the docs correctly, we should be getting back ServiceInfo entries on a request to the O365 /Services endpoint with an access token, like this:
https://contoso-my.sharepoint.com/personal/alexd_contoso_com
https://contoso-my.sharepoint.com
But at present we only get back O365 File and Contact ServiceInfo entries, even though in the Azure Portal when we created our app we specified Office 365 SharePoint Online Delegated Permission ('Read List').
If there are different O365 endpoints we should be hitting once we have an access token in order to discover a user's SharePoint servers, or if we're using the Discovery Services wrong, please provide a few pointers -- We want to solve this problem in a generic fashion based on Oauth2 workflow and don't want to prompt the user for things like O365 SharePoint Server URLs.
Lastly I'd mention that we're accessing this info in a purely RESTful fashion and we have no Windows-specific dependencies (in fact we're building things on the JVM) so a workable solution for us must not depend on Windows-only APIs or platforms.