One of our customers faced an issue while using our Add-in for Microsoft Office.
When we call getUserIdentityTokenAsync it fails with an error
{"value":null,"status":"failed","error":{"name":"InternalServerError","message":"The Exchange server returned an error. Please look at the diagnostics object for more information.","code":9042},"diagnostics":{"ErrorText":"The token for this extension could not be retrieved."}}
It happened on Microsoft Exchange 2016 on perm.
In dev console, I found the following API call
/owa/service.svc?action=GetClientAccessToken&EP=1&ID=-23&AC=1
with the following request header
"name": "X-OWA-ActionName",
"value": "Ext_GetUserIdentityToken"
and these headers in the response
{
"name": "X-OWA-Version",
"value": "15.1.1847.7"
},
{
"name": "X-OWA-OWSVersion",
"value": "V2017_08_18"
},
{
"name": "X-OWA-DiagnosticsInfo",
"value": "29;12;3"
},
{
"name": "X-OWA-Error",
"value": "Microsoft.Exchange.Services.Core.Types.ErrorInvalidClientAccessTokenRequestException"
},
I believe it is customer's Exchange misconfiguration but could someone help me to understand what exactly not configured on Exhcange side?
Could it be a proxy configuration or something?
There is an X-OWA-CorrelationId response header, where I can find any information with that code?
many thanks.
Related
I'm working on a Microsoft Teams tab and am planning to use some of the new RSC endpoints to retrieve members of the Team/group the app has been added to.
I have followed all steps from the RSC docs looked at the RSC sample code but still have an issue making Graph API calls to the beta rsc endpoints.
I have listed the RSC permission in the Teams manifest:
"webApplicationInfo": {
"id": "{AD_APP_CLIENT_ID}",
"resource": "https://notapplicable"
},
"showLoadingIndicator": true,
"authorization": {
"permissions": {
"orgWide": [],
"resourceSpecific": [
{
"name": "Member.Read.Group",
"type": "Application"
},
{
"name": "TeamSettings.Read.Group",
"type": "Application"
},
{
"name": "ChatSettings.Read.Chat",
"type": "Application"
},
{
"name": "ChatMember.Read.Chat",
"type": "Application"
},
{
"name": "ChannelSettings.Read.Group",
"type": "Application"
},
{
"name": "TeamMember.Read.Group",
"type": "Application"
}
]
}
}
Query Graph API like so:
GET https://graph.microsoft.com/beta/teams/{{group_id}}/channels/{{channel_id}}
Authorization: Bearer {{access_token}}
content-type: application/json
Where access_token is retrieved like so:
POST https://login.microsoftonline.com/{{ad_tenant_id}}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id={{ad_app_client_id}}&client_secret={{ad_app_client_secret}}&scope=https://graph.microsoft.com/.default
When I make the GET request to a group+channel which is in the same AAD as where the AAD Application is registered it works fine and information is returned. However, when I run the exact same code on a group+channel which is in a different AD it returns 403 Forbidden.
{
"error": {
"code": "Forbidden",
"message": "Missing role permissions on the request. API requires one of 'TeamMember.Read.All, TeamMember.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, TeamMember.Read.Group, Member.Read.Group'. Roles on the request 'Group.Selected'. Resource specific consent grants on the request ''.",
"innerError": {
"date": "2022-04-06T14:13:26",
"request-id": "ce212ed2-48dc-4a8e-a7ea-4172d0cfd4c4",
"client-request-id": "ce212ed2-48dc-4a8e-a7ea-4172d0cfd4c4"
}
}
}
The response mentions "Resource specific consent grants on the request ''." which seems to suggest it's either missing a header or another access token.
As mentioned before, this exact same code works perfectly fine when I use a group_id and channel_id from within the same AD tenant.
What other steps need to be done to get RSC calls working?
I have a Teams integration with link unfurling set up. I have the messaging endpoint pointed to a public ngrok URL and ngrok proxying a local node.js server that returns the example payload Microsoft has in it's documentation.
This is my endpoint (express.js):
app.post('/bot-test', (req, res) => {
res.send({
"composeExtension": {
"type": "result",
"attachmentLayout": "list",
"attachments": [
{
"contentType": "application/vnd.microsoft.teams.card.o365connector",
"content": {
"sections": [
{
"activityTitle": "[85069]: Create a cool app",
"activityImage": "https://placekitten.com/200/200"
},
{
"title": "Details",
"facts": [
{
"name": "Assigned to:",
"value": "[Larry Brown](mailto:larryb#example.com)"
},
{
"name": "State:",
"value": "Active"
}
]
}
]
}
}
]
}
});
});
When I post a URL in a message in Teams, I see it POST to that endpoint and it responds without errors, but nothing shows up in Teams. What's going wrong? I can't find any logs on Microsoft's side either. I would expect that Teams renders a card with the response payload.
Office 365 Connector cards are not supported for link unfurls ("Message extension previews" in MS parlance). Changing the response to a supported card type worked. Unfortunately, MS doesn't surface this problem anywhere and it just silently discards the response. I was able to find a somewhat useful error description by inspecting the network request that went out from the Teams web client, however.
See this for supported card types: https://learn.microsoft.com/en-us/microsoftteams/platform/task-modules-and-cards/cards/cards-reference
I have a problem with creating teams using the Microsoft Graph Api. I can get/create groups but when I try to get/create teams I get an error. I'm using postman and the group has owners and members, just as the documentation of MS, also has the permissitions it asks for groups. If somebody can help me, cause I look everywhere for a same error but no found it.
PUT https://graph.microsoft.com/v1.0/groups/{id}/team
Headers: Authorization: bearer token and content-type: json
Body is
{
"memberSettings": {
"allowCreateUpdateChannels": true
},
"messagingSettings": {
"allowUserEditMessages": true,
"allowUserDeleteMessages": true
},
"funSettings": {
"allowGiphy": true,
"giphyContentRating": "strict"
}
}
I always get the same error
{
"error": {
"code": "BadGateway",
"message": "Failed to execute backend request.",
"innerError": {
"request-id": "45eeba8a-9d35-45e8-b42e-c60da7a47dde",
"date": "2020-01-23T21:55:44"
}
}
}
According to the Graph API docs for this, you're not calling the correct endpoint to create a new Team. It should be
POST https://graph.microsoft.com/beta/teams
and a payload similar to
Content-Type: application/json
{
"template#odata.bind": "https://graph.microsoft.com/beta/teamsTemplates('standard')",
"displayName": "My Sample Team",
"description": "My Sample Team’s Description",
"owners#odata.bind": [
"https://graph.microsoft.com/beta/users('userId')"
]
}
Note that it's slightly different, as per the docs, whether you're using delegated versus application permissons.
I have a web app registered on Azure with the goal of being able to read and write the calendars of other users. To do so, I set these permissions for this app on Azure.
However, when I try to, for example, create a new event for a given user, I get an error message. Here's what I'm using:
Endpoint
https://graph.microsoft.com/v1.0/users/${requester}/calendar/events
HTTP Header
Content-Type application/json
Request Body
{
"subject": "${subject}",
"body": {
"contentType": "HTML",
"content": "${remarks}"
},
"start": {
"dateTime": "${startTime}",
"timeZone": "${timezone}"
},
"end": {
"dateTime": "${endTime}",
"timeZone": "${timezone}"
},
"location": {
"displayName": "${spaceName}",
"locationEmailAddress": "${spaceEmail}"
},
"attendees": [
{
"emailAddress": {
"address": "${spaceEmail}",
"name": "${spaceName}"
},
"type": "resource"
}
]
}
Error message
{
"error": {
"code": "ErrorItemNotFound",
"message": "The specified object was not found in the store.",
"innerError": {
"request-id": "XXXXXXXXXXXXXXXX",
"date": "2018-07-11T09:16:19"
}
}
}
Is there something I'm missing? Thanks in advance for any help!
Solution update
I managed to solve the problem by following the steps described in this link:
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
From your screenshot it's visible that you used application permission (although it'd be nice to include this information in your question):
Depending on kind of the permission you have given, you need to use proper flow to obtain access token (on behalf of a user or as a service. For application permissions you have to use flow for service, not on behalf of a user.
You can also check your token using jwt.io and make sure it's payload contains appropriate role. If it doesn't, it's very likely you used incorrect flow.
Regarding the expiration time of it, you may have found the information about refresh token (for example here). Keep in mind that it applies only to rights granted on behalf of a user. For access without a user you should make sure that you know when your token is going to expire and request a new one accordingly.
I've found the following documentation on how to send email using Office 365 rest API.
This is the example given on the doucmentation:
POST https://outlook.office.com/api/v2.0/me/sendmail
{
"Message": {
"Subject": "Meet for lunch?",
"Body": {
"ContentType": "Text",
"Content": "The new cafeteria is open."
},
"ToRecipients": [
{
"EmailAddress": {
"Address": "garthf#a830edad9050849NDA1.onmicrosoft.com"
}
}
],
"Attachments": [
{
"#odata.type": "#Microsoft.OutlookServices.FileAttachment",
"Name": "menu.txt",
"ContentBytes": "bWFjIGFuZCBjaGVlc2UgdG9kYXk="
}
]
},
"SaveToSentItems": "false"
}
This works fine if the user authorizes the application to act on it's behalf. However, I am using client crednetial to build a daemon application that acts on behalf of all users in the given tenant hence "POST https://outlook.office.com/api/v2.0/me/sendmail" couldn't work because its is referencing the "me" and can't tell which user is sending the email.
I would appericiate if you can help with sample example. FYI: I am using Java but your answer doesn't have to be in Java.
Replace the /me bit of the URL with /users/<userid>. You can not use /me for any API call with a token from client credentials.