App
25 Topics

Authentication issue while using Client Credential through Oauth2.0
Hi Community,

Hope you are doing well. I am unable to authenticate to our registered app in Azure. I am looking to test the get/users Graph API using Insomnia (a similar tool to Postman). During token generation we are getting a 401 error. We are providing the correct Client ID and Secret with the right scope URL. I created the app, added the necessary permissions and the client credentials.

Do I need to add a redirect URI to the app? Does the app need to be registered with account types as "accounts in any organization directory"? I am getting a 401 unauthorized error.

Can you please assist with what is missing here? I will really appreciate your help.

Thanks
Vatan

32 Views, 0 likes, 1 Comment

Error getting new token
Hi, I want to add a new member to a private channel. I follow the authentication flow as follows:

a) Starting with the URL
https://login.microsoftonline.com/#tenantid#/oauth2/v2.0/authorize?client_id=#clientid#&response_type=code&response_mode=query&redirect_uri=https://www.dashandwerk.net/dashandwerk/api/graph/webhook&scope=offline_access%20TeamMember.ReadWrite.All%20ChannelMember.ReadWrite.All%20User.Read&state=1234"

b) My redirect_uri will open and I am getting a new code.

c) This new code will be used to get a new token with this URL:
https://login.microsoftonline.com/#tenant#/oauth2/v2.0/token?client_id=#client_id#
&client_secret=#client_secret#
&scope=offline_access%20TeamMember.ReadWrite.All,ChannelMessage.Send%20User.Read%20Mail.Read%20ChannelMember.ReadWrite.All'
&code=#code#
&redirect_uri=https://www.dashandwerk.net/dashandwerk/api/graph/webhook
&grant_type=authorization_code

But when getting the new token, I am getting this error:

"{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '640a5194-77b1-40cf-b774-fc9eb9a6d128' named 'dashandwerk-teams'. Send an interactive authorization request for this user and resource. Trace ID: 34a8ea64-b664-448c-9b7c-b4c9a92e0300 Correlation ID: 77e80082-9e58-4da9-8752-2d7bc75d7262 Timestamp: 2025-03-03 11:11:08Z","error_codes":[65001],"timestamp":"2025-03-03 11:11:08Z","trace_id":"34a8ea64-b664-448c-9b7c-b4c9a92e0300","correlation_id":"77e80082-9e58-4da9-8752-2d7bc75d7262","suberror":"consent_required"}

Searching on Google shows this: Make sure you have followed the steps to grant admin consent. You can do this under Application > API permissions > Grant admin consent.

But all grants have admin consent in the office admin center for intra at the app registration. Any ideas to solve this issue?

16 Views, 0 likes, 1 Comment

Approvals Not updating
I'm having a problem when retrieving the approvals created. Until 2024-12-26 at 13:16:48 UTC, when I created an approval, either through the application or through the API, it immediately appeared when I used get in the endpoint: https://graph.microsoft.com/beta/solutions/approval/approvalItems. Now I'm only able to see the approvals from before 2024-12-26 at 13:16:48 UTC, there is no record of the new approvals.

I also noticed that, in the application, it's not showing the name of the person to whom the approval request was sent, only the name of the person who approved it, both for the new requests and for the old requests that have already been completed.

5 Views, 0 likes, 0 Comments

Approvals Not updating
I'm having a problem when retrieving the approvals created. Until 2024-12-26 at 13:16:48 UTC, when I created an approval, either through the application or through the API, it immediately appeared when I used get in the endpoint: https://graph.microsoft.com/beta/solutions/approval/approvalItems. Now I'm only able to see the approvals from before 2024-12-26 at 13:16:48 UTC, there is no record of the new approvals.

I also noticed that, in the application, it's not showing the name of the person to whom the approval request was sent, only the name of the person who approved it, both for the new requests and for the old requests that have already been completed.

19 Views, 0 likes, 0 Comments

PowerApp Graph Custom Connector without User Login
So I've been trying to create an app that will allow users to set and edit their own pronouns and then store those pronouns in Graph for use in Email Signatures and the such. I've been following this tutorial <How to add Azure AD directory extensions> in doing so, and I've basically got it down; I've made the app and it works. However, it only works for me, i.e. admins.

Whenever another user logs in, they are able to view their pronouns, i.e. GET graph.microsoft.com/me, but can't update their pronouns, PATCH graph.microsoft.com/me?$select=pronouns. They get this error:

My question is what can I do to get this app to be able to make the changes to this one specific item in Graph, or allow for users to be able to edit this for themselves, or something that would make this work. Or perhaps I'm going about it the wrong way.

Any help is appreciated,
Kamala

33 Views, 0 likes, 1 Comment

Intune Discovered Apps
Hello All,

In the process of trying to use Graph to pull out the apps installed on user devices from Intune for a database being created in PowerApps for our IT Admin to ensure that licenses are removed from a device after it is returned by the user.

Our process of licensing apps is less than streamlined, so if a user is licensed for something like Adobe or Navisworks, they are manually installing these themselves. As a result they aren't visible in detectedApps, only in the Discovered Apps list.

Have had a solid dig through the available resources and through various discussion boards but haven't found a way that the Discovered Apps list can be pulled through Graph. Has anyone found a way to get this data out or is this a feature yet to be made available?

Thanks in advance.

204 Views, 0 likes, 0 Comments

unable to provide consent
Hi All,

I am facing an issue with API permissions. I have an Azure App Registration with the following Microsoft Graph API permissions. Let's say the App Registration name is TESTAPP and the Client ID is xxxx-xxxx-xxxxx-xxxxx.

I have a SharePoint site, let's say mysite1, and I am trying to provide permissions in the following way:

I obtained the site ID using the following URL: https://mydomain.sharepoint.com/sites/mysite1/_api/site/id. Let's say the site ID I got is 11111-111-1111-11221.

I have logged into https://developer.microsoft.com/en-us/graph/graph-explorer/

Post-->v1.0-->https://grapsh.microsoft.com/v1.0/sites/{11111-111-1111-11221}/permissions

Request headers: Key:application/json

Request Body:

{
  "roles": [ "write" ],
  "grantedToIdentities": [
    {
      "application": {
        "id": "xxxx-xxxx-xxxxx-xxxxx", # This is my app registration id
        "displayName": "TESTAPP"
      }
    }
  ]
}

When I click modify permissions and search for sites permissions, I am unable to provide consent, it's grayed out. I am a global admin and I have full access on the SharePoint site. Please guide me.

381 Views, 0 likes, 0 Comments

Mailtips - deliveryRestriction returns incorrect result with acceptedSenders having nested lists
Hello Graph Community,

I'm in the process of developing a Graph solution where I can check if a mailbox or from address has permission to send to a Distribution list when that list has acceptedSenders, meaning only members added to "Specified Senders" in Exchange can send to that list. If they are not a member they generally will receive a tooltip and an NDR if they hit send.

GOAL – We want to be able to determine if a user has access to send to a restricted Distribution List (DL) before sending via our product.

DLs have a property – acceptedSenders – which can be individual addresses or other DLs. Members belonging to this list have permission to send to the DL. In the Exchange Admin Center (EAC) this can be set by going to...

Recipients -> Groups -> Distribution List -> <select a list> -> Settings -> Delivery management -> add specified senders -> Save

This can also be viewed in the PowerShell Exchange Online module:

$(Get-DistributionGroup "<DL HERE>") | select GroupType, alias, AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers, AcceptMessagesOnlyFromSendersOrMembers

When a user is NOT a member of this list, they will receive a MailTip in Outlook that states they cannot use this list. They can still send but they will receive an NDR if they do so.

PROBLEM – When a DL that is part of the acceptedSenders list has a NESTED DL, the response from the API will ALWAYS return false. The MailTip also does not appear in Outlook. The NDR does still function.

This behavior is noted in the documentation here -- Restricted Recipient
https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips

A tech unknowingly may add a nested DL to a DL that is used for deliveryRestriction, and break the expected behavior.
ATTEMPTED SOLUTION #1 – Mailtips
https://learn.microsoft.com/en-us/graph/api/user-getmailtips?view=graph-rest-1.0&tabs=http

GET - https://graph.microsoft.com/v1.0/users/<email>/getMailTips

Scopes – Delegated/Application - Mail.Read

Body

{
  "EmailAddresses": [ <list of DLs/Recipients> ],
  "MailTipsOptions": "deliveryRestriction"
}

Response

deliveryRestricted : True
emailAddress : @{name=; address=lockedDL@@contoso.org}

TEST CASE

Assuming I want to use my email and I am NOT a member of the acceptedSenders list:

If acceptedSenders has just a few approved senders -> deliveryRestricted = TRUE
If acceptedSenders has just a DL -> deliveryRestricted = TRUE
If acceptedSenders has just a DL and a few approved senders -> deliveryRestricted = TRUE
If acceptedSenders has just a DL (with NESTED DL) and a few approved senders -> deliveryRestricted = FALSE

All cases above --> NDR will be received if the message is sent

This is a huge problem because a tech may add a nested DL to a deliveryRestricted list by mistake and now the list appears available to EVERYONE. OWA/Outlook will successfully send to the restricted list, only to be blocked at the Exchange level via NDR.

ATTEMPTED SOLUTION #2 – beta/groups/<id>/acceptedSenders

Option 2 – beta – groups/<id>/acceptedSenders

Alternatively, there appears to be an effort in the Graph Beta to allow /beta/groups/<id>/acceptedSenders but this still has not been implemented nor appears functional when I try it.
https://learn.microsoft.com/en-us/graph/api/group-list-acceptedsenders?view=graph-rest-1.0&tabs=http

Thanks,
Cameron

494 Views, 0 likes, 3 Comments

Issue with Graph Permission API for folders
Hello Community,

I am currently working on an application that utilizes Graph APIs to synchronize local changes with Microsoft OneDrive folders. This functionality extends to both folders within my drive and those shared with me. Specifically, I utilize the Permissions Graph API to retrieve information regarding the user's access level, whether it be read or write permissions.

The documentation says, the permissions collection includes potentially sensitive information and may not be available for every caller.

For the owner of the item, all sharing permissions will be returned. This includes co-owners.
For a non-owner caller, only the sharing permissions that apply to the caller are returned.
Sharing permission properties that contain secrets (e.g. shareId and webUrl) are only returned for callers that are able to create the sharing permission.

Documentation: Access to sharing permissions

Now, despite the above points, I've encountered an inconsistency. When I attempt to fetch permissions for a folder shared with me with read permission, I do not receive the permissions granted to me. This seems to contradict the second point mentioned earlier.
Below is a sample response I receive as a read-only recipient of the folder:

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users('user id removed for privacy reasons')/drives('drive id removed for privacy reasons')/items('item id removed for privacy reasons')/permissions",
  "value": [
    {
      "id": "permission id removed for privacy reasons",
      "roles": [ "owner" ],
      "shareId": "shared permission id removed for privacy reasons",
      "grantedToV2": {
        "user": {
          "@odata.type": "#microsoft.graph.sharePointIdentity",
          "displayName": "Test user",
          "email": "email address removed for privacy reasons",
          "id": "user id removed for privacy reasons"
        },
        "siteUser": {
          "displayName": "Test user",
          "email": "email address removed for privacy reasons",
          "id": "3",
          "loginName": "i:0#.f|membership|email address removed for privacy reasons"
        }
      },
      "grantedTo": {
        "user": {
          "displayName": "Test user",
          "email": "email address removed for privacy reasons",
          "id": "user id removed for privacy reasons"
        }
      }
    }
  ]
}

I've been relying on this API for over a year to carry out operations successfully. However, I've recently observed a disruption in its functionality within the past week or so. Have there been any updates implemented? Has the response format been modified in any way?

354 Views, 0 likes, 0 Comments

How to limit getSchedule access to list of calendars
Hi,

I'm currently working on a feature that utilizes the /users/{id|userPrincipalName}/calendar/getSchedule resource of the Graph API. We let our clients enter the SMTP addresses of resources so that we can display their availability and do some recommendations.

The worry is that, although we ask only for the Calendars.Read authorization on the Azure app registration, this gives us too broad access to their users' calendars. I have searched around for some solution that would allow our clients to limit the reach of the access they give us.

At first, I found that we could set up an ApplicationAccessPolicy. But after testing, we found that it only limited the {id|userPrincipalName} we passed into the request URL; we could still put any address in the body and get the calendars of other users.

I also tried to limit the app to a single (fake) user with the ApplicationAccessPolicy and limit this user to a group of addresses with MailboxFolderPermission, but this also had no impact after testing.

Are you aware of a solution that would guarantee our clients that we had only the access we needed?

349 Views, 0 likes, 0 Comments