Develop Reference

403 Forbidden on Microsoft Teams RSC graph api calls, except on own tenant

I'm working on a Microsoft Teams tab and am planning to use some of the new RSC endpoints to retrieve members of the Team/group the app has been added to.
I have followed all steps from the RSC docs looked at the RSC sample code but still have an issue making Graph API calls to the beta rsc endpoints.
I have listed the RSC permission in the Teams manifest:
"webApplicationInfo": {
"id": "{AD_APP_CLIENT_ID}",
"resource": "https://notapplicable"
},
"showLoadingIndicator": true,
"authorization": {
"permissions": {
"orgWide": [],
"resourceSpecific": [
{
"name": "Member.Read.Group",
"type": "Application"
},
{
"name": "TeamSettings.Read.Group",
"type": "Application"
},
{
"name": "ChatSettings.Read.Chat",
"type": "Application"
},
{
"name": "ChatMember.Read.Chat",
"type": "Application"
},
{
"name": "ChannelSettings.Read.Group",
"type": "Application"
},
{
"name": "TeamMember.Read.Group",
"type": "Application"
}
]
}
}
Query Graph API like so:
GET https://graph.microsoft.com/beta/teams/{{group_id}}/channels/{{channel_id}}
Authorization: Bearer {{access_token}}
content-type: application/json
Where access_token is retrieved like so:
POST https://login.microsoftonline.com/{{ad_tenant_id}}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id={{ad_app_client_id}}&client_secret={{ad_app_client_secret}}&scope=https://graph.microsoft.com/.default
When I make the GET request to a group+channel which is in the same AAD as where the AAD Application is registered it works fine and information is returned. However, when I run the exact same code on a group+channel which is in a different AD it returns 403 Forbidden.
{
"error": {
"code": "Forbidden",
"message": "Missing role permissions on the request. API requires one of 'TeamMember.Read.All, TeamMember.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, TeamMember.Read.Group, Member.Read.Group'. Roles on the request 'Group.Selected'. Resource specific consent grants on the request ''.",
"innerError": {
"date": "2022-04-06T14:13:26",
"request-id": "ce212ed2-48dc-4a8e-a7ea-4172d0cfd4c4",
"client-request-id": "ce212ed2-48dc-4a8e-a7ea-4172d0cfd4c4"
}
}
}
The response mentions "Resource specific consent grants on the request ''." which seems to suggest it's either missing a header or another access token.
As mentioned before, this exact same code works perfectly fine when I use a group_id and channel_id from within the same AD tenant.
What other steps need to be done to get RSC calls working?

How do you subscribe to push notifications in microsoft graph?

I have been trying to figure out how to use the beta notifications resource to send push notifications to users in Teams, but I cannot get past step 1.
User signs in to your application, which creates a subscription with the Microsoft Graph notification service.
I am not using a language with Microsoft library support so I cannot use their SDKs. Instead, I am manually sending http requests. I have tried many, but I can't even nail down what the "resource" is supposed to be in the subscription type. Here are some of the things I have tried and the results:
Sending this message:
{
"changeType": "created",
"notificationUrl": "https://(...)/notifications",
"resource": "me/notifications",
"expirationDateTime": "2020-11-04T18:23:45.9356913Z"
}
Results in:
{
"error": {
"code": "InvalidRequest",
"message": "Subscription for resource 'me/notifications' is not supported.",
"innerError": {
"date": "2020-11-04T17:12:24",
"request-id": "66172d3c-298d-47d4-babb-52d96ef42179",
"client-request-id": "1c20849c-fcda-0b07-56e3-5bed08bb28e4"
}
}
}
The above message also correctly calls my server's /notifications route with this param:
Validation: Testing client application reachability for subscription Request-Id: 2f3cc3b8-b2c2-5922-451c-433add43bc74
Sending this one:
{
"changeType": "created",
"notificationUrl": "https://(...)/notifications",
"resource": "notification",
"expirationDateTime": "2020-11-04T18:23:45.9356913Z"
}
Results in:
{
"error": {
"code": "BadRequest",
"message": "Resource not found for the segment 'notification'.",
"innerError": {
"date": "2020-11-04T17:21:15",
"request-id": "d894c93b-9dac-4051-a3af-cb6039f1394b",
"client-request-id": "84d18ec7-2c67-8240-b576-03641b3b5a59"
}
}
}
I have also tried "notifications", "users/me/notifications", and a few others to no avail. What's the deal, Microsoft? This resource isn't even listed under the possible subscription types in the beta docs, so is it supported or not?

At this point I'm pretty sure this functionality just doesn't work/exist.

office 365 outlook Graph api custom email message header

In order to organize emails into single thread GMail requires custom headers to be set within incoming message. Is there any way to set custom headers when sending Office O365 Outlook message through the Graph API? The documentation states about custom headers option through the InternetMessageHeaders property, however it is required to start header name with 'x-' appendix, which makes it not usable. For example, this message is supposed to set some custom headers, however, due to the 'x-' prefix limitation, this can't be used for organizing GMail messages:
POST https://graph.microsoft.com/v1.0/me/sendMail
Content-type: application/json
{
"message": {
"subject": "9/9/2018: concert",
"body": {
"contentType": "HTML",
"content": "The group represents Nevada."
},
"toRecipients": [
{
"emailAddress": {
"address": "AlexW#contoso.OnMicrosoft.com"
}
}
],
"internetMessageHeaders":[
{
"name":"x-custom-header-group-name",
"value":"Nevada"
},
{
"name":"x-custom-header-group-id",
"value":"NV001"
}
]
}
}
https://learn.microsoft.com/en-us/graph/api/user-sendmail?view=graph-rest-1.0&tabs=http
Is there any way to specify custom headers: 'References', 'In-Reply-To' without the prefix 'x-'?
https://gsuiteupdates.googleblog.com/2019/03/threading-changes-in-gmail-conversation-view.html
When trying to set custom email headers without 'x-' prefix, the Graph API returns following error message:
{
"error": {
"code": "InvalidInternetMessageHeader",
"message": "The internet message header name 'References' should start with 'x-' or 'X-'.",
"innerError": {
"request-id": "441e21b7-d4ca-47d3-957a-a72bcc854a67",
"date": "2019-12-10T14:28:35"
}
}
}

One workaround might be to use the Extended properties to set those values eg the In-Reply-to https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/pidtaginreplytoid-canonical-property should look something like
"singleValueExtendedProperties": [
{
"id":"String 0x1042",
"value":"342342343234#domain.com"
}
]

GoCardless API using Classic ASP

I'm creating the following request in vbscript and sending to the gocardless sandbox:
url="https://api-sandbox.gocardless.com/"
typ="GET"
Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP")
xml.Open typ, url, False
xml.setRequestHeader "Authorization", "Bearer " & GCAccessToken
xml.SetRequestHeader "GoCardless-Version", "2015-07-06"
xml.SetRequestHeader "Accept","application/json"
xml.SetRequestHeader "Content-Type", "application/json"
xml.Send
GetGC = xml.responseText
Set xml = Nothing
The response I always get despite any tweaks I do is:
{"error":{"message":"not found","errors":[{"reason":"not_found","message":"not found"}],"documentation_url":"https://developer.gocardless.com/api-reference#not_found","type":"invalid_api_usage","request_id":"0AA4000DECCD_AC121CEB1F90_5BE18701_19AD0009","code":404}}
Any help would be appreciated. Have successfully done similar for Stripe but now need to use GC.

If you read the response from the API
{
"error": {
"message": "not found",
"errors": [{
"reason": "not_found",
"message": "not found"
}
],
"documentation_url": "https://developer.gocardless.com/api-reference#not_found",
"type": "invalid_api_usage",
"request_id": "0AA4000DECCD_AC121CEB1F90_5BE18701_19AD0009",
"code": 404
}
}
The error appears to be a HTTP status code (as is common with RESTful APIs) - 404 Not Foundlooking at the documentation link provided in the response;
404
Not Found. The requested resource was not found or the authenticated user cannot access the resource. The response body will explain which resource was not found.
So the issue could be;
You have failed to authenticate using the token in the code provided.
You authenticated but don't have permission to access the resource.
The resource you are looking for does not exist.
In this particular instance, I would suggest it is because the resource doesn't exist as the code doesn't specify a resource, only the base URL of the API which won't constitute an API endpoint you can interact with.
Looking at the documentation it's clear you need to provide a valid endpoint in the URL, at the time of writing there are 15 core endpoints to interact with along with 2 helper endpoints.
For example, a create payment request/response would look like;
POST https://api.gocardless.com/payments HTTP/1.1
{
"payments": {
"amount": 100,
"currency": "GBP",
"charge_date": "2014-05-19",
"reference": "WINEBOX001",
"metadata": {
"order_dispatch_date": "2014-05-22"
},
"links": {
"mandate": "MD123"
}
}
}
HTTP/1.1 201 (Created)
Location: /payments/PM123
{
"payments": {
"id": "PM123",
"created_at": "2014-05-08T17:01:06.000Z",
"charge_date": "2014-05-21",
"amount": 100,
"description": null,
"currency": "GBP",
"status": "pending_submission",
"reference": "WINEBOX001",
"metadata": {
"order_dispatch_date": "2014-05-22"
},
"amount_refunded": 0,
"links": {
"mandate": "MD123",
"creditor": "CR123"
}
}
}
Unfortunately, the code sample provided in the question doesn't really do anything so it's difficult to suggest what you are trying to do. In conclusion, I would suggest re-visiting the documentation for the API and look through the samples provided.

Microsoft Graph - Can't read/write the calendar of other users

I have a web app registered on Azure with the goal of being able to read and write the calendars of other users. To do so, I set these permissions for this app on Azure.
However, when I try to, for example, create a new event for a given user, I get an error message. Here's what I'm using:
Endpoint
https://graph.microsoft.com/v1.0/users/${requester}/calendar/events
HTTP Header
Content-Type application/json
Request Body
{
"subject": "${subject}",
"body": {
"contentType": "HTML",
"content": "${remarks}"
},
"start": {
"dateTime": "${startTime}",
"timeZone": "${timezone}"
},
"end": {
"dateTime": "${endTime}",
"timeZone": "${timezone}"
},
"location": {
"displayName": "${spaceName}",
"locationEmailAddress": "${spaceEmail}"
},
"attendees": [
{
"emailAddress": {
"address": "${spaceEmail}",
"name": "${spaceName}"
},
"type": "resource"
}
]
}
Error message
{
"error": {
"code": "ErrorItemNotFound",
"message": "The specified object was not found in the store.",
"innerError": {
"request-id": "XXXXXXXXXXXXXXXX",
"date": "2018-07-11T09:16:19"
}
}
}
Is there something I'm missing? Thanks in advance for any help!
Solution update
I managed to solve the problem by following the steps described in this link:
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service

From your screenshot it's visible that you used application permission (although it'd be nice to include this information in your question):
Depending on kind of the permission you have given, you need to use proper flow to obtain access token (on behalf of a user or as a service. For application permissions you have to use flow for service, not on behalf of a user.
You can also check your token using jwt.io and make sure it's payload contains appropriate role. If it doesn't, it's very likely you used incorrect flow.
Regarding the expiration time of it, you may have found the information about refresh token (for example here). Keep in mind that it applies only to rights granted on behalf of a user. For access without a user you should make sure that you know when your token is going to expire and request a new one accordingly.