We have a web page using Microsoft single sign-on. When we redirect the user to log in to our application, we send them to:
https://login.microsoftonline.com/common/oauth2/authorize?scope=user.read&response_type=code&client_id=a5342222-a222-222d-87c3-222222222222&redirect_uri=${ourappurl}/office365handler
We want to be able to access the user's proxyAddresses (their alias emails), as users often do not use their UPN to receive emails. When the user logs in, we are unable to call
https://graph.microsoft.com/v1.0/me?$select=proxyAddresses
as we get Access Denied.
Do we need to redirect the user to login.microsoftonline.com with additional scopes? If so, which scope do we need? We've gone over the docs but can't find anything relevant.
Thanks!
As you are encountering the ‘Access denied’ Status code 400 message after running the query in Microsoft Graph Explorer while retrieving the proxy addresses of the signed-in users, you have not provided appropriate permissions to the Microsoft Graph API for accessing and reading the users' data in your tenant. To do so, please provide the below permissions to the Microsoft Graph API and the Graph Explorer application, and ensure that admin consent is allowed for each permission requested below:
Go to Azure AD in your tenant --> Enterprise Applications --> Graph Explorer --> Permissions. There, search for the below permissions and select them under the ‘admin consent’ tab:
Directory.AccessAsUser.All, Directory.ReadWrite.All, User.Read, User.ReadBasic.All, User.ReadWrite, User.ReadWrite.All (these permissions are required at least to read users' data in Azure AD).
Once these permissions are granted, you will be able to run the Graph query and get the output correctly. Also, please find below the Graph query to read any user's proxy addresses through Graph Explorer:
https://graph.microsoft.com/v1.0/users/user#domain.com?$select=proxyaddresses
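When Graph refuses a call like the one in this thread, it helps to see which permissions the access token actually carries before widening the app registration. The following is an added example, not code from the original posts: it reads the scp (delegated scopes) and roles (application permissions) claims from a token. The function names and the sample token are constructed for illustration.

```python
import base64
import json


def token_permissions(access_token):
    """Return (aud, delegated scopes, app roles) named in a JWT access token.

    The signature is NOT verified: use this to troubleshoot your own sign-in
    flow, never to make an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    scopes = set(claims.get("scp", "").split())  # scp is a space-separated string
    roles = set(claims.get("roles", []))         # roles is a list of strings
    return claims.get("aud"), scopes, roles


def missing_scopes(access_token, required):
    """Scopes from `required` that the token lacks.

    Compared case-insensitively (a choice made for this example), because the
    sign-in request in the question spells the scope as user.read.
    """
    _, scopes, _ = token_permissions(access_token)
    granted = {s.lower() for s in scopes}
    return sorted(s for s in required if s.lower() not in granted)


def make_sample_token(claims):
    """Build an unsigned token for the demo below (constructed, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"


if __name__ == "__main__":
    sample = make_sample_token(
        {"aud": "https://graph.microsoft.com", "scp": "User.Read profile openid"}
    )
    print(token_permissions(sample))
    # Permission names taken from the answer above; which ones a call needs
    # is for the caller to supply.
    print(missing_scopes(sample, ["User.Read", "User.ReadBasic.All"]))
```

An empty result from missing_scopes with the error still occurring points away from the scope list and toward consent or the token's audience (aud).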
HTTP PATCH requests for marking the email as read and for locking the message in the mailbox are not working with only the ROPC grant.
Other Mail write operations like Delete message are not working with only the ROPC grant.
With other grants like Authorization Code grant, they are working.
It was working since last week and it suddenly stopped working.
Mail.ReadWrite and Mail.ReadWrite.Shared API permissions are given to our Azure client and also granted admin consent as well. Please find the API permissions screenshot attached: API Permissions screenshot for our Azure application.
Could you please check this at your earliest time possible?
--
Thanks
Prasanth
My end goal is to register my API to receive notifications of leads generated by LinkedIn for my business's Company Page. The docs here say I need to register at https://api.linkedin.com/v2/leadNotificationUrls using the r_ads_ge_automation permission. I'm trying to acquire this type of access token by using a web browser to hit https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=client_id_for_my_application&redirect_uri=https://my.company.net/api/oauth/linkedin&state=Testing12345&scope=r_ads_leadgen_automation, then logging in as a user that is an admin for the respective company page, then acquiring authentication code, and finally requesting an access token.
The problem is that when I try to hit https://www.linkedin.com/oauth/v2/authorization (with the query params above), I get an error response stating "r_ads_leadgen is not authorized for your application". I can't find any kind of application configuration that is supposed to give this permission to my application.
Can anyone help? Thank you
Permissions are offered to select Partners only. Have you applied to a Partner Program https://business.linkedin.com/marketing-solutions/marketing-partners/become-a-partner?
Asking the question here as the LinkedIn help forum directed me to post things related to the API on Stack Overflow.
I am developing a feature on our org website to show the top 5 company page feeds set up in LinkedIn. I've already set up the required access in developer.linkedin and the whole flow works in the developer.linkedin REST console to fetch the feed.
I am currently receiving this error when I try from my machine to fetch the auth token with a valid client id and secret created.
https://www.linkedin.com/oauth/v2/accessToken?grant_type=client_credentials&client_id=OMITTED&client_secret=OMITTED
{
  "error": "access_denied",
  "error_description": "This application is not allowed to create application tokens"
}
The documentation also mentions that this flow isn't available by default and the users will need to contact linkedin.
https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow
"By default, your application will not have the ability to use LinkedIn's client credentials flow. Contact us to have your application granted permission to use this flow."
What would be the next steps in requesting access to this flow for my org?
As outlined here:
By default, your application will not have the ability to use LinkedIn's client credentials flow. Contact us to have your application granted permission to use this flow.
The next step would be to contact them directly or apply to become a Partner, and if accepted you'll be granted access to additional data outside of the scope of the user authentication flow (which basically means you'll be able to make calls directly from your application to access certain information).
I think the answer is well explained by API-University, since the creation of an application in order to get the access_token will solve the communication issue.
Link to the explanation: https://api-university.com/blog/api-usage/how-to-use-the-linkedin-api-and-oauth/
I created a Microsoft Account using my work mail.
Using this account, with 50$ credit, I tried to register my bot (already published using Visual Studio 2017). The problem is that when I tried to obtain the credentials for my bot, I'm getting an error that says I don't have enough privileges (even though I'm supposed to be the administrator of the account).
Button I clicked to get credentials
Error image
Please log into http://aad.portal.azure.com and go to Users and Groups -> User Settings and check if Users Can Register Applications is set to Yes.
We use the LinkedIn API to list companies that a user admins.
We have our App set to get r_fullprofile and rw_company_admin when the user grants permission.
We're trying to list all of the companies the user has admin access to via:
http://api.linkedin.com/v1/companies:(id,name,square-logo-url)?is-company-admin=true
<error>
<status>403</status>
<timestamp>1432323149224</timestamp>
<request-id>XXXXXXXXXX</request-id>
<error-code>0</error-code>
<message>Member [user id] does not have permission to get companies as admin.</message>
</error>
According to the Manage Company Pages docs, as long as we have the rw_company_admin scope, we should be able to call this endpoint.
I've read through the Developer Program Transition docs (https://developer.linkedin.com/support/developer-program-transition) but it doesn't seem to affect this usage of the API.
ETA: This has been flagged as a possible duplicate of LinkedIn API unable to view _any_ company profile
That question is about fetching details for a single company (which the user may or may not administrate). My question is about listing companies that the user specifically does administrate.
According to the new API changes, the user should be an administrator of the target company. Read this.
All calls to Companies API endpoints will require the authenticated user to be flagged as an administrator of the LinkedIn Company Page that is the target of the API call. You become the administrator of a page when you create it. If the page already exists, you will have to contact the existing administrator to grant admin access to other LinkedIn members.
I faced the same problem and the problem was with the initial authorization code. You should mention the scope=rw_company_admin while doing the initial redirect URL call. Something like this -
https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=your_client_id&redirect_uri=https%3A%2F%2Fwww.google.com/&state=12345&scope=rw_company_admin%20r_emailaddress%20w_share%20r_basicprofile
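The authorization redirect from the answer above, as an added example that is not part of the original posts: it builds the URL with all scopes requested up front and replaces the fixed state value (12345) with a random one that is checked when the provider redirects back. The client id, redirect URI and function names are placeholders chosen for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://www.linkedin.com/oauth/v2/authorization"  # from the post


def build_authorization_url(client_id, redirect_uri, scopes):
    """Return (url, state); keep state in the user's server-side session."""
    state = secrets.token_urlsafe(32)  # unguessable, new for every login attempt
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(scopes),  # every scope the later API calls depend on
    }
    # quote with safe="" encodes spaces as %20 and ':' '/' in the redirect URI
    query = urlencode(params, quote_via=quote, safe="")
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def handle_callback(callback_url, expected_state):
    """Return the authorization code, or raise ValueError if unusable."""
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means this response does not belong
    # to a login that this session started.
    if not expected_state or not hmac.compare_digest(
        returned.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch")
    if "error" in query:  # e.g. a scope the application is not approved for
        raise ValueError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or duplicated code parameter")
    return codes[0]


if __name__ == "__main__":
    url, state = build_authorization_url(
        "your_client_id", "https://example.com/callback",  # constructed values
        ["rw_company_admin", "r_basicprofile"],
    )
    print(url)
    print(handle_callback(f"https://example.com/callback?code=abc&state={state}", state))
```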