Get notification when user updated on Azure AD using MS Graph - c#

I am trying to get a notification when a user is updated in MS Azure AD using MS Graph and a webhook. I have tried microsoftgraph/msgraph-training-changenotifications but face the following:
Status Code: Unauthorized
Microsoft.Graph.ServiceException: Code: ExtensionError
Message: Operation: Create; Exception: [Status Code: Unauthorized; Reason: ]
I have also explored notifications for changes in user data (this code), but it is for the "Mail.Read" permission and I want the "User.Read" permission.
My case/issue is like Not receiving a request on our MS Graph Webhook for deleting a User in AAD but something different. I need a notification on user update in my ASP.NET Core project.
Please help me. I have been struggling with this for the last 3 days but have not found a proper solution.

I was missing a permission in Azure AD:
User.ReadWrite.All
I watched this video, Change notifications with Microsoft Graph, and used this code, msgraph-training-changenotifications. Now I get notifications from Azure AD.
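The flow the answer relies on, as an added example that is not part of the original post or the Microsoft training sample: an ASP.NET Core minimal API that creates a Graph subscription for updated users and answers the webhook, including the validationToken handshake and the clientState check that stops forged notifications. It assumes Microsoft.Graph SDK v4, a GraphServiceClient registered in DI with User.ReadWrite.All, and the placeholder URL and secret shown.

```csharp
// Added example (not from the original post): an ASP.NET Core minimal API that
// subscribes to Microsoft Graph change notifications for updated users and handles
// the webhook callback. Assumes Microsoft.Graph SDK v4 (Subscriptions.Request().AddAsync)
// and a GraphServiceClient registered in DI with the User.ReadWrite.All permission.
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Graph;

// Assumed: a random per-subscription secret kept server-side. Graph echoes it in every
// notification, so the endpoint can reject POSTs that did not originate from Graph.
const string ClientState = "replace-with-random-secret";
const string NotificationUrl = "https://example.invalid/api/notifications"; // placeholder
var app = WebApplication.CreateBuilder(args).Build();

app.MapPost("/api/notifications", async (HttpRequest req) =>
{
    // Subscription handshake: Graph POSTs ?validationToken=... and expects the decoded
    // token back as text/plain within 10 seconds, otherwise the subscription is refused.
    if (req.Query.TryGetValue("validationToken", out var token))
        return Results.Text(token.ToString(), "text/plain");

    // Real notifications: acknowledge with 202 quickly and do the work elsewhere.
    using var doc = await JsonDocument.ParseAsync(req.Body);
    foreach (var n in doc.RootElement.GetProperty("value").EnumerateArray())
    {
        // A clientState mismatch means the POST is not from our subscription; drop it.
        if (n.GetProperty("clientState").GetString() != ClientState) continue;
        // For the "users" resource the payload carries only the resource path
        // ("Users/{id}"), not user data; read the current state with your own token.
        Console.WriteLine($"{n.GetProperty("changeType")} {n.GetProperty("resource")}");
    }
    return Results.StatusCode(202);
});

// Creates the subscription. Directory resources allow only short lifetimes, so a
// production app renews it (PATCH expirationDateTime) before it expires.
app.MapPost("/api/subscribe", (GraphServiceClient graph) =>
    graph.Subscriptions.Request().AddAsync(new Subscription
    {
        ChangeType = "updated",
        NotificationUrl = NotificationUrl,
        Resource = "users",
        ExpirationDateTime = DateTimeOffset.UtcNow.AddHours(1),
        ClientState = ClientState,
    }));

app.Run();
```

The notification endpoint must be reachable over HTTPS from Graph; if the validation response is late or not text/plain, the subscription request fails with an error like the one in the question.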

Related

Operation returned an invalid status code 'Unauthorized' +PowerBI + AddGroupUserWithHttpMessagesAsync

When I'm trying to assign a user to a workspace programmatically using the API method AddGroupUserWithHttpMessagesAsync, I am facing the issue Operation returned an invalid status code 'Unauthorized'. I have given all the API permissions as shown in the image below. Please suggest.
First, just granting permissions to the Azure AD app is not enough. You need to enable the Service Principal option in the Power BI Admin portal, and then add it to the Power BI workspace.
Please follow this document to embed Power BI content using a service principal with an app secret, or with a certificate.

Permission issue in Linkedin API

I am using the C# language and the ASP.NET framework for LinkedIn integration.
During authorization I passed r_liteprofile,r_emailaddress in the scope, and when I try to get the user's data I face the following issues:
When trying to get the user's data using API v1 (https://api.linkedin.com/v1/people/~:(id,firstName,lastName,picture-url,email-address)?oauth2_access_token={accessToken}&format=json) I am getting the 410 (Gone) error. (It was working previously.)
When I try to get the user's data using API v2 (https://api.linkedin.com/v2/me?oauth2_access_token={accesstoken}&format=json) I am getting the 403 (Forbidden) error.
For authorization:
Previously I was using (https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id={apiKey}&redirect_uri={redirectURL}&state={uniquestringkey}&scope=r_basicprofile,r_emailaddress)
I also tried using the following authorization (https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id={apiKey}&redirect_uri={redirectURL}&state={uniquestringkey}&scope=r_liteprofile,r_emailaddress)
Can anyone please suggest?

Receiving 403 error when accessing Azure function app locked down by Azure AD B2C

We are using AD B2C for authentication on our web app. Last week we started receiving a 403.76 when calling our APIs that are hosted in Azure and locked down by Active Directory using our AD B2C tenant.
We haven't changed any config settings in AD since the change occurred. We rolled back all of our code, which didn't help. We verified that our token is valid in jwt.io. We confirmed that our audience is correct and permissions were set properly in app registrations. We can see the easy auth error 403.76 when going into the "Diagnose and solve problems" section of the function app and drilling into 4xx errors.
The function app just does a GetAsync against Cosmos to get your user profile on sign in. However we aren't getting that far, as we are receiving a 403.76 when verifying our token with AD.
We should be able to do a GET against our API and receive data as we were before. Instead we get HTTP status 403 with a sub status of 76.
The error in "Diagnose and solve problems" section:
EasyAuth:AuthorizationCheckFailed. For more details, refer to HTTP Status Codes by EasyAuth Module
We banged our heads against a wall for five days, so I wanted to make sure this was posted on Stack Overflow for anyone else facing this issue, especially since it affected customers.
After working with Microsoft 24/7 for the last three days, we finally received word that this was due to an issue on their end with EasyAuth. The workaround was to add this to the Configuration of the function app:
WEBSITE_AUTH_AAD_BYPASS_SINGLE_TENANCY_CHECK = true

Azure AD Graph call for User creation failing with some obscure error

I have been told to raise a question about the Azure AD Graph API here instead of raising it as an issue on the corresponding GitHub sample repository. I hope the Azure Graph API team monitors SO and can help us with this GitHub sample issue.
Some extra context for the problem:
We are using the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package to create and manage users in our Azure AD test tenant. Following this sample application,
we can create and update users in Azure AD via the Graph API. That was fine until some moment about 2-3 days ago (not sure about the exact moment; we discovered the problem on Tuesday morning AU time, and the last successful run was on Friday last week). It was 100% working code, and to confirm that it's not our code, I ran through the sample application again; it's broken now too. I've tested it with the latest GraphClient v2.1.0 and the original one from the sample app, which is v2.0.6.
To simplify testing of the problem I've made a LINQ-based sample with some secrets redacted (you need to follow the console app sample guide to put in your values if you want to run it, instead of the original sample app).
Also here are the Fiddler captures (redacted) of:
Authentication request-response (client-request-id: 88b2bbbd-94cd-498d-a147-caad05e16eb7)
User creation failing attempt
A few things to note in the Fiddler captures: the Azure AD Graph API doesn't return a refresh token along with the access token:
{"expires_in":"3599","token_type":"Bearer","scope":"UserProfile.Read",
"expires_on":"1441183928","not_before":"1441180028","resource":"https://graph.windows.net",
"access_token":"TOKEN WAS HERE"}
I can see the issue with the scope string here, but we are not setting any explicit scope in GraphClient when calling for a token, as per the sample app (and this code was fine before, as I mentioned earlier).
The user creation response is clear in terms of what happens and why it happens:
{"odata.error":
{"code":"Authorization_RequestDenied","message":
{"lang":"en","value":"Insufficient privileges to complete the operation."}
}
}
But it's not clear how to ask for extra permission scopes through any of these AuthenticationContext.AcquireToken method overloads.
Also it's strange that the very same code was fully functional before and is broken now, after some mysterious change.
So I have a few questions:
How do I add extra scope permissions in the GraphClient library to get a Graph API token with user modification enabled? This is probably a band-aid fix for the problem.
It looks like Azure AD tries to manage permissions for client apps in the portal, but there are no extra permissions for the Native Client type of application. How can I explicitly update app permissions so the existing code can work again? Is it possible at all?
Can anyone recommend other libraries to interact with the Graph API which allow the consumer to explicitly specify the scope for the requested token?
================Update================
Yes, I saw that consent flow documentation. Chasing the issue, I've created a new Azure AD tenant, added a brand new application and added all possible rights, including all available application and delegation ones:
now it looks like this. I also
I can get a token with a long list of scopes, e.g.
Directory.AccessAsUser.All
Directory.Read
Directory.Write
User.Read
User.ReadWrite
User.Read.All
User.ReadBasic.All
User.ReadWrite.All
user_impersonation
UserProfile.Read
--cut unrelated scopes--
But it still gives me 403:
{"odata.error":
{"code":"Authorization_RequestDenied","message":
{"lang":"en","value":"Insufficient privileges to complete the operation."}
}
}
One thing worth noting: in the scope list there is no Directory.ReadWrite.All.
But the docs here say:
Directory.ReadWrite.All : Read and write directory data
================Update================
PS: Some technical request info for Azure AD engineers:
The authentication request-response has client-request-id: 88b2bbbd-94cd-498d-a147-caad05e16eb7.
The failed Graph call has client-request-id: 882f3918-0ddd-40fe-a558-866997e32b46 in the response only.
The issue here is that you have not properly configured your application to request the correct permissions to the Graph API.
To do this, you must go into the Azure Management Portal and configure your 'permissions to other applications' to include the scopes your app needs to be able to read/write to the directory.
We have some documentation here which should help you:
https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx (Describes the consent flow)
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/graph-api-permission-scopes (describes the specific permissions that the Graph API exposes and that your application will need to request)
I hope this helps!

Office 365 REST API - Outlook User Photo

I'm attempting to retrieve other users' Outlook photos using the Office 365 REST API (Preview). The documentation is on this page: https://msdn.microsoft.com/en-us/office/office365/api/photo-rest-operations.
I'm able to successfully retrieve my own photo using an access token by making the following REST call:
GET https://outlook.office365.com/api/beta/me/userphoto/$value
However, when attempting to retrieve the photos of other people in my organization by using this REST call:
GET https://outlook.office365.com/api/beta/Users('{user_id}')/userphotos('{size}')/$value
I get the following error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
This error isn't listed anywhere in the documentation as far as I can tell. I suspect this has something to do with the permissions in Azure, but that's only a guess. Maybe it isn't supported in the preview API? Does anyone have any ideas?
nkorai, you are right; the current permission set does not allow you to see others' photos. We are adding a new OAuth permission to the Exchange Online application endpoint which will allow you to do this. We are in the process of getting this permission enabled, hopefully in a few weeks.