Accessing MS Teams via Graph API using unlicensed admin - microsoft-teams

We're trying to access MS Teams (apps : https://graph.microsoft.com/v1.0/teams/_teams_guid_/installedApps?$expand=teamsAppusing) using unlicensed admin and getting next error :
"Admin Login. Teams is disabled in user licenses". What does this error means (googling didn't provide too much info) ? is this means that admin need to be licensed ? or it's something else ?
Thanks

Related

Microsoft Teams Manifest: can contentBotId be of different tenant

I am trying to use contentBotId (Azure bot ID) in my MS Teams manifest file.
https://learn.microsoft.com/en-us/microsoftteams/platform/resources/schema/manifest-schema-dev-preview
When it is from same tenant that of MS teams domain (xyz.com) then its working and loading the data
But when its from different tenant, then MS Teams is not loading anything
{errorCode: 0, message: "<BadArgument>Unknown bot"}
Is there any restriction on this?
Before creating the MS bot, using ML Studio, create multi-tenant bot for perfect App registration.
Follow the procedure to create the bot and register the application.
By mentioning all the required. Check the manifest file for the required ContentBotId. Test the URL after app registration into multi-Tenant.
If still the error occurs. We need to setup the connection settings under configurations.
By adding Oauth connection settings we will get some kind of authentication for different clients for the same authentication URL (website URL).
Able to resolve the issue.
Yes it can be from different tenant.
when we use existing AAD instead of creating from Azure bot template, this issue occurs. Seems like MS Teams is not able to find this AAD/ or Bot Handle.
Root Cause (Might be): Manually created AAD have email address of user who have created this in Owners section (screenshot 1), while AAD created from Azure bot template have "Bot Framework Dev Portal" user (Screenshot 2).
And I am unable to add this user by searching.
Screnshot 1
Screenshot2

Power Automate (MS Flow) Error: "Something went wrong. The requested approval is not accessible to the caller." How do I fix this?

My user tries to access Microsoft Power Automate (Flow) approvals via email notifications that the Flow sends to them. When clicking on the approval, they get an error "Something went wrong. The requested approval is not accessible to the caller." When directly accessing their approvals at us.flow.microsoft.com > Action items > Approvals, they only see approvals up to January. The same approvals are working for other users. How do I fix approval access?
I tried having the user login via an incognito tab. I also checked whether the user still has MS PA licenses assigned to them, and they seem to be correct (the user has MS 365 E1, MS 365 Business Premium, and MS Power Automate Free).
Figured out the what was causing the issue for our user. The user had a duplicate enterprise microsoft account, so both were being sent the email notification about the approvals, but only the duplicate account was being given access to them. Removing the duplicate account fixed the issue.
If we had had two users with the same name & neither can be deleted, another solution would've been to change how the approvals are routed (ie. by email instead of name.)

GetMaxPrivilegeDepthForUser Error when using the CRM Dynamics API

I am trying to integrate CRM Dynamics with Adobe Campaign, but I am getting an error.
Can anyone help me understand the meaning of this error:
'SecLib::GetMaxPrivilegeDepthForUser failed. Returned hr= -2147209463, User: a37d4ef0-7684-e511-8129-c4346bacefdc'
Give the service account user that you're using to authenticate with CRM's System Administrator role and make sure that user is also assigned to the most top-level business unit; if it doesn't work after that I would try creating a new administrator account from scratch.
Our team was using the wrong company id or better to say organisation id for the CRM account. Using the correct value fixed our problem.

Google Classroom - Getting Started

I am just getting started with the google classroom api. I signed up for the developer test accounts and have 1 teacher account and 2 student accounts. I created a couple of classes and enrolled the 2 students in the classes. I want to use the api either via .NEt or Javascript. The prerequisuites state that I need a Google Apps for EDU account with Google Classroom enabled. How do I get this? Also, I assume without having the Google Apps for EDU account I cannot perform the first step:
"a) Use this wizard to create or select a project in the Google Developers Console and automatically turn on the API. Click Continue, then Go to credentials."
When I perform this step when logged in under the teacher account I get an error:
Error
"Developers Console has not been activated for your account. Your account may be suspended or disabled. If you are a Google Apps user, ask your domain administrator to enable Apphosting Admin on your account."
To obtain a Google Apps for Education account, you have to register your domain (or buy one), and fill up this form.
When filling the form, you will get information about the requirements needed to get the account.
To create a project in the Developer Console, you can do it even from your gmail account. After you created the project, you can enable the Classroom API so you application can access it.
When you run the code, you will have to login with a valid account (teacher or student). If you try to access the API with an invalid account you will get an error.
You can also use the Classroom API methods in the documentation. For example the resource curses.list has a "try it" section, where you can try the API before creating any project. There you can see how it works.

Access user accounts in a domain without administrator rights

I am making a very simple marketplace app using the new SDK (Oauth 2.0). One of the steps would be to automatically invite team members for a closed group so I would need access to team members (users in same domain) from the user that is starting the process going through the default "navigator icon in google navigation menu".
This is working fine, however it is only working for administrators (tried with both Directory API and Profiles data API).Is there a way to simply "read" the email from users without needing to have administrator rights? It seems quite an overkill to ask a user to be administrator just for the purpose of being able to invite his team members.
These email addresses are in the user contact list for example, when writing an email they are automatically there so it shoulnt be much of permission problem I guess. can anyone help a bit on how I can accomplish this? Maybe a different API that I have not found?
Very much appreciated,
Best regards,
Joao Garin
You can use "Service Accounts" to access the Directory API on behalf of the Administrator when any user accesses the App.
The Drive API has a really good set of samples here - https://developers.google.com/drive/delegation
This same technique will work with Admin SDK. The end result is the auth is not made on behalf of the user at the keyboard but as an authorized Service Account. This Service Account is authorized by the admin at the time of install.

Resources