I am running into an issue with Microsoft Flow to create appointments on another calendar that my account as Send As permission to. I am able to create appointments in the UI for this second account. However in Flow, it is asking for a CalendarID. The drop down only shows calendars directly related to the account in the connection. When I manually enter the CalendarID to the second account, I receive this error: "The specified object was not found in the store."
Any help / tutorials will be greatly appreciated.
"The specified object was not found in the store."
This is an EWS permissions error so whatever you doing isn't going to work with SendAS rights. You will need to assign full access permission to the Mailbox (or at least rights to the calendar folder via Add-MailboxFolderPermission) for this to work with EWS. SendAs permission by definition only gives a user rights to SendAS another user not access folders in their Mailbox. You can test all this with the EWSEditor https://ewseditor.codeplex.com/ which is going to be making the same calls. If it works in the EWSEditor with the same creds as flow but not in your other code then you know the rights are good but whatever you doing in Flow is the issue.
Related
Using Exchange 2016 on premises, I'm trying to logon to another users mailbox from my admin account using the RDOSession.LogonExchangeMailbox method. The admin account has impersonation access to all other mailboxes so should have rights to do this. After running the logon method the RDOSession object shows ExchangeConnectionMode as olCachedConnectedFull, but the RDOSession.CurrentUser.name shows as UNKNOWN. If I try to access the inbox using GetDefaultFolder I get a MAPI_E_LOGON_FAILED message. Can you suggest what I might be doing wrong, or haven't done to allow this ?
LogonExchangeMailbox always uses the identity of the current user to connect to the mailbox in the RPC mode (no longer supported by Exchange 2016). To open another mailbox, you can call RDOSession.GetSharedMailBox / GetSharedMailBoxEx.
You can also use LogonHostedExchangeMailbox - it takes explicit credentials instead of connecting as the current local user.
Reviewing this, but not clear. Not looking to do this for just my user and can run with elevated application rights with access to all calendars.
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/calendar_list_events
Yes you just need to make sure you give your application the following permission
Calendars.Read.Shared Read user and shared calendars Allows the app to read events in all calendars that the user can access, including delegate and shared calendars.
ref https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
So as long as the calling account then has access to the Room Mailbox (eg via Delegation so they can access the same thing in Outlook etc) you just use the following endpoint
https://graph.microsoft.com/v1.0/users('room#domain.com')/calendar/events
I'm making an application that requires access to the shared/room-resource calendars in an Office 365 instance, using non-admin accounts. I've registered an app (in the Microsoft Application Registration Portal) using the V2 endpoint and Auth Code Grant. This successfully allows me to log in, and gives me a functional token with the Calendars.ReadWrite.Shared scope. With this token, I can retrieve my own calendars, and calendars that have been explicitly shared with me (and therefore added to my list of calendars). All of this is doable with just the normal Calendars.ReadWrite scope.
However, I get errors when requesting access to any other shared calendars, like the room calendars. Here's an example. If I make a GET call to https://graph.microsoft.com/beta/users/my-own-email#business.com/calendars it successfully returns a list of my calendars. If I make a GET call to https://graph.microsoft.com/beta/users/meetingroom1.4#business.com/calendars I get a 404 (Not Found) Error. The same error occurs for any other user, not just meeting rooms. Note that I can see these calendars when I'm logged into Office 365 online with the same account.
A different error occurs if I ask for events not calendars. If I make a GET call to https://graph.microsoft.com/beta/users/meetingroom1.4#business.com/events, I get a 500 (Internal Server) Error.
I've checked all the other threads I can find on the issue, and this one from November How to access shared calendars from Office REST API? says there's some kind of blocking issue on Microsoft's end. It's using the Office REST API rather than Graph, but on the back-end the APIs call the same stuff. Is this issue still about? Alternatively, am I missing some further permissions? I tried adding quite a few different permissions on top of Calendars.ReadWrite.Shared, but none of them fixed it. Is there a correct combination?
Thanks so much for any help, and let me know if any other info would be useful for diagnosis.
So if anyone else happens to be interested in this, I figured out a way to access room resource calendars without using the Calendars.ReadWrite.Shared permission. This allows you to use just the Calendars.ReadWrite permission to access the room resources, by moving them into the list of calendars of the email you're authenticating with. However, it will only work for specific accounts that you share the calendars with, so won't be usable in apps that have to work for any account. This is good enough for my use-case, but may not be for yours.
First, find or make an account that is a delegate to, and has full access to, the room resource calendar you want to use. On that account click 'Open another mailbox' in the dropdown list under your profile image.
Open another mailbox location
In the pop-up that follows, put in the email address of the room resource calendar that you want to use.
Then, on the new page that opens (which should be the Office account of the room resource calendar):
Navigate to the calendar page
Click 'Share'
Share the default calendar with the account you plan to authenticate with.
Then log into that 'authentication' account, check its email for the notification of the shared calendar, and click 'accept'. What this will do is move the calendar into the authenticated account's list of calendars, meaning you can access it with just a call to the https://graph.microsoft.com/v1.0/me/calendars endpoint. You'll have to repeat it for every calendar you want to be able to access, sadly.
I have a service account that I want to be able to access another users calendar through the ews api in such a way that it can create appointments, update appointments they have created and delete appointments they have created but NOT be able to read all items on the users calendar.
This appears to be possible in office 365 (see screenshot) but is it possible with Exchange 2010? If so how?
Sure the image you have posted is just the Folder permissions from Outlook these permission are the same from Exchange 2007 to Office365. The two ways you can set permission pro-grammatically like you have shown is first use one of the Mailbox Access API's like Mapi or EWS and set the Folder permission eg https://msdn.microsoft.com/en-us/library/office/dn641962(v=exchg.150).aspx
Or you can use the Exchange Management Shell and Add-MailboxFolderPermissions https://blogs.technet.microsoft.com/ilvancri/2009/11/24/exchange-2010-and-then-there-is-the-long-awaited-cmdlet-add-mailboxfolderpermission/ this can be a better approach as it just requires delegated admin rights via an RBAC role where setting the folder permission via EWS because it uses a User API would require the account setting those permissions to be the Mailbox owner, have been delegate Full Access rights on the Mailbox (eg add-mailboxpermission) or use Impersonation.
I am making a very simple marketplace app using the new SDK (Oauth 2.0). One of the steps would be to automatically invite team members for a closed group so I would need access to team members (users in same domain) from the user that is starting the process going through the default "navigator icon in google navigation menu".
This is working fine, however it is only working for administrators (tried with both Directory API and Profiles data API).Is there a way to simply "read" the email from users without needing to have administrator rights? It seems quite an overkill to ask a user to be administrator just for the purpose of being able to invite his team members.
These email addresses are in the user contact list for example, when writing an email they are automatically there so it shoulnt be much of permission problem I guess. can anyone help a bit on how I can accomplish this? Maybe a different API that I have not found?
Very much appreciated,
Best regards,
Joao Garin
You can use "Service Accounts" to access the Directory API on behalf of the Administrator when any user accesses the App.
The Drive API has a really good set of samples here - https://developers.google.com/drive/delegation
This same technique will work with Admin SDK. The end result is the auth is not made on behalf of the user at the keyboard but as an authorized Service Account. This Service Account is authorized by the admin at the time of install.