Graph Explorer - Add Guest to Team - microsoft-graph-teams

i have a problem to add guests to a team. I receive an 403 forbidden when i'm not the owner of a team.
i found similar issues with that like Add Team Member via Graph API. Response: 403
So here what i did:
Graph Explorer has the Permission: TeamMeber.ReadWrite.All [delegated]
My User has the role Team Administrator
I have tested it with an global administrator as well
Request Uri: https://graph.microsoft.com/v1.0/teams/63b29ab5-6c63-4df1-b3fd-xxxx/members
Request Method: POST
Request Body:
{
"#odata.type": "#microsoft.graph.aadUserConversationMember",
"roles": ["member"],
"user#odata.bind": "https://graph.microsoft.com/v1.0/users('e4f6524f-4764-40a5-b5a3-xxxxxx')"
}
Is there something what i missed?
Thanks for any help.

Related

Unable to GET or POST Teams Tabs in Power Automate using the Office 365 HTTP connector

Trying to GET or POST Teams tabs.
I get the same error when trying to delete Planner plans.
ALL of these operations works with the EXACT same URI in Graph Explorer.
As you can see below getting Teams Tab works in one tenant (where I have no particular admin roles)
In the tenant where it is not working I am Global Admin and owner of the teams & planners in questions.
I have contacted MS support but don't have high expectations they will find a solution.
So:
Working with Graph Explorer
Working in one tenant but not another
Working with the premium HTTP connector.
What could this be about. I have matched the licenses between the two different tenants.
Any permissions deep in Azure missing? I am out of ideas, and this is quite important as I am building a project where they expect be to automate Tab creation and Planner removal.
My query:
Error (To the left is one tenant, to the rioght another where it is working.:
Full error:
{
"error": {
"code": "NotFound",
"message": "Not Found",
"innerError": {
"date": "2021-10-14T19:54:08",
"request-id": "xxx",
"client-request-id": "xxx"
}
}
}
Using Power Automate, tried to get list of tabs in Teams Channel using HTTP connector (Instead of using O365 HTTP connector as its giving "NotFound" error) and got success code 200.Got success code using Graph Explorer and Postman as well
Used the tenant where I am Global Admin and owner of the teams.
Steps followed:
Result:

Microsoft Graph API - sendMail API error - "The requested user 'foobar#private.com' is invalid."

I am trying to understand how to send mail using Microsoft Graph sendMail API after creating an Azure AD app with 'Application permissions' for Microsoft Graph 'Mail.Send' and 'User.Read'. I am successfully using the client_id, tenant_id and client_secret to obtain an apparently valid token and subsequently submitting a POST to the api like this (R code):
from_address <- "foobar#private.com"
url <- paste0("https://graph.microsoft.com/v1.0/users/", from_address, "/sendMail")
resp <- POST(url,
add_headers(.headers = c(content_type = "application/json",
Authorization = paste("Bearer", token))),
body = upload_file("mail.json"))
The content of "mail.json" is:
{
"message": {
"subject": "Meet for lunch?",
"body": {
"contentType": "Text",
"content": "The new cafeteria is open."
},
"toRecipients": [
{
"emailAddress": {
"address": "someone#somewhere.com"
}
}
]
}
}
However, I get this 404 response:
"{\"error\":{\"code\":\"ErrorInvalidUser\",\"message\":\"The requested user 'foobar#private.com' is invalid.\"}}"
The Microsoft account I am using is private and the address represented above with foobar#private.com is the main 'signin' mail address for the account. I'm not sure if this user needs some special permissions or if it has to be a "corporate account". The plan is to use this within a corporate Microsoft account to send mails but I am currently testing with a private account to determine how it works.
The syntax for the call is
POST /users/{id | userPrincipalName}/sendMail
The tricky part is, as far as I can tell, personal Microsoft accounts don't have a userPrincipalName. Your "foobar#private.com" is an email address, but it isn't used as an identifier within Azure Active Directory or Graph.
Instead, you have to use your ID. You can get this with
GET /me
and the ID is the id field in the response.
Note that you may run into a separate problem with using an email address in the call, when it comes to work & school accounts. Commonly, people will have an address like "firstname.lastname#company.com", but this is only an alias for convenience; their userPrincipalName might be something more cryptic like "id123456#companytenantname.com". For this reason, it's best to stick to IDs throughout.
The description of how to POST to the Microsoft Graph SendMail api are correct in the question. The problem was only in the configuration of the application in Microsoft Azure portal Active directory. The administrator of the tenant created an app with two permissions with 'Admin consent'. The first is a Delegated permission, Microsoft Graph: 'Sign in and read user profile' the second is an Application permission, Microsoft Graph: 'Send mail as any user'. The first is used to get a token that is valid for 1 hour and the second is used in the code you see in the question to send the mail itself with the aquired token. I have been told that there is a restriction in place that only makes it possible to send mail from one specific 'no-reply' address at the organization so you can't use the api to impersonate someone else. It is not clear to me how that restriction works just that is does.

r_1st_connections_size permission trouble

We make a GET request in Postman to get the number of 1st-degree connections of an authenticated member's network, strictly following the instructions described here:
GET https://api.linkedin.com/v2/connections/urn:li:person:{Person ID}
And the result is this:
{
"serviceErrorCode":100,
"message":"Not enough permissions to access: GET-viewer /connections",
"status":403
}
We already have this set of permission scopes approved and listed in the Auth area of our App:
r_1st_connections_size
r_liteprofile
since we have been accepted in LinkedIn's Marketing Developer Programs.
So, what's wrong?
Thanks in advance

Fetching drafts forbidden in Wordpress rest api

I am using the wpapi npm module to interface with the WP rest api in a node app. I am authenticated and my user created some draft posts. When I go to the dashboard with the same credentials, I can see/edit the draft posts as well.
I am using this method to list the drafts:
wp.posts().auth().param( 'context', 'edit' ).param( 'status', 'draft' )
But I keep getting this error:
{ code: 'rest_invalid_param',
message: 'Invalid parameter(s): status',
data: { status: 400, params: { status: 'Status is forbidden.' } } }
Here's where I've commented on the issue and some helpful context.
The curl response to http://localhost:8000/wp-json/wp/v2/posts?status=draft is the same error message so I don't believe the issue is with the node module.
I'm the author of the wpapi module, this issue ended up on our issues list https://github.com/WP-API/node-wpapi/issues/325 and represented a bug that we've fixed in the latest release.
Authentication is required when querying for drafts, and not providing authentication can result in this 400 error; however, as noted in the linked issue above, authentication was working for one-off requests. Why the 400? What was happening was that inside wpapi requests we did not properly forward authentication credentials when paging through a collection, so the request to the first page of results would return a 200, then the second page would return a 400 because the second request lacked authentication. We've resolved this bug by always passing on the authentication credentials when paging through collections, and hopefully this doesn't trip anyone else up.
General troubleshooting if you do encounter a 400:
Are you sure you're authenticated? (try hitting /users/me)
Does your user have the capabilities required to view draft posts?
And we welcome issues if you do find bugs like this!

Internal Server Error in OAuth for Google

EDIT: I was able to resolve the original error here when I realized my ROOT URL was set to my IP address rather than my domain. However, I now have a new issue. My client ID is the same as the original post below. This works fine in the local app, but in production, the popup flashes for a second and then the login box displays "Internal Server Error". I can't see any other messages that would explain it.
I am using the service-configuration package to load the settings, as follows:
ServiceConfiguration.configurations.upsert(
{ service: "google" },
{
$set: {
clientId: "************",
loginStyle: "popup",
secret: "***********"
}
}
);
If I add ?close to the end of my Authorized redirect URI, the Google popup comes up with a redirect_uri_mismatch error, showing the URI without ?close. I think there was an issue resolved here but it at least shows me that my project in Google is being recognized.
ORIGINAL POST
I am setting up an OAuth 2.0 client ID for accounts-google in Meteor and am seeing the following error:
400. That’s an error.
Error: invalid_request
Invalid parameter value for redirect_uri: Raw IP addresses not allowed:
http://***.***.***.***/_oauth/google
My Client ID in Google:
Authorized Javascript Origins
http://localhost:3000
http://myApp.com
Authorized redirect URIs
http://localhost:3000/_oauth/google
http://myApp.com/_oauth/google
I understand I must not be properly pointing the domain to the IP address. I have already set up an A record and the site works fine in other regards though, so not sure what step I missed.

Resources