So I got a hotmail mailbox, which I read from 'https://outlook.live.com/mail/0/', which is part of my personal microsoft account. Basically I just want to read my mails from php, and assign a category to some emails. As it is not possible with imap, I started to search any solution with Azure portal.
I logged in in https://portal.azure.com/ with my Microsoft accound mail adress and passowrd, created an app, gave it some permissions (User.ReadAll, Mail.ReadWrite), get client id, tenant id, and secret, and used this script to open my mailbox : https://github.com/CoasterKaty/PHPGraphMailer/blob/main/graph_mailer.php
I get a token with success, but I have this error code in my webpage : "NoPermissionsInAccessToken The token contains no permissions, or permissions can not be understood". This seems to be, because my app doesn't have grant permission. Searching on Google, seems I have to do that : log in as global administrator and go to Azure > Enterprise applications, and grant permission. As I am the only person using this mail adress, I thought I would be admin, obviously, but it seems not. In any case, the "Enterprise applications" page is running a loading icon endlessly and in the mean time Azure portal display a notification which says "Détails : AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application 'blablablabla' (Azure Portal) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account."
On docs microsoft, they say this error would be linked to "This error message can occur if you have a subscription that is recently expired, inactive, or orphaned. To resolve this, you will either need to claim a new Azure subscription or transfer the subscription to a new account" or "That message can happen if you have a personal "Microsoft" account using the same email address as your O365 "Work or School" account. To resolve this, go to microsoft.com/accounts using an incognito browser so that no credentials carry over, and choose the Microsoft account when logging in".
This is really confusing, is Azure only working when you have 365 ? No need to use it with only Microsoft personal account ?
Many thanks for your support !
Détails : AADSTS50020: User account '{EmailHidden}' from identity
provider 'live.com' does not exist in tenant 'Microsoft Services' and
cannot access the application 'blablablabla' (Azure Portal) in that
tenant. The account needs to be added as an external user in the
tenant first. Sign out and sign in again with a different Azure Active
Directory user account."
We have tried to add the User who has personal outlook account and trying to access it through Graph api its throwing the below error:
If we trying to access one user who is associate and user type = Member with our tenant we can able to see the mails from graph API
This error message can occur if you have a subscription that is
recently expired, inactive, or orphaned. To resolve this, you will
either need to claim a new Azure subscription or transfer the
subscription to a new account" or "That message can happen if you have
a personal "Microsoft" account using the same email address as your
O365 "Work or School" account. To resolve this, go to
microsoft.com/accounts using an incognito browser so that no
credentials carry over, and choose the Microsoft account when logging
in".
This error might occurs If you are using azure free trial , and if your subscription expired you need to get a new azure free trial or convert the free trail to PAy-As-You-Go .Another thing is that even if you are creating azure subscription using your personal mail account ,the users gets stored in the format as shown in below image :
Related
I have created my service account, following the Google documentation as best I can. I created a JSON Key File and have used it successfully to create and refresh my access token, but when I try to call the Google Ads API using that access token I get a 401 with the message "User in the cookie is not a valid Ads user."
I am using a PHP cURL request, not the Google Client library.
My suspicion is that I have something set up incorrectly somewhere between the Master Ad account, the service account and the project in the Google Cloud Console, but I am finding the documentation confusing and unhelpful.
I submitted a question to the Google Ads API google group, and the support person said that my setup looked OK, but also admitted that he cannot see all of it from his end.
I have created the following pieces of the puzzle:
Google Ads Master Account
Developer Token
Project in Google Cloud Console
Service Account in Project
Private Key for Service Account
Set email of Master Ads Account to role of Owner of Service Account
Enabled Domain-Wide Delegation for the Service Account with scope "https://www.googleapis.com/auth/adwords"
Requested and received Access Token with the private key in the JSON file
Please let me know what extra details I should provide to get my issue resolved. Thanks in advance.
My error was that when I created my Access Token, I passed the Gmail account that owns the Google Ads Manager Account to the parameter $sub, but to access Google Ads API the Service Account must impersonate a user in the domain that is registered with the Google Workspace. This point is made in the documentation, but is rather understated.
To fix the issue I granted access to the Google Ads Manager Account to an email account in the Workspace domain, and passed that email address to $sub; now I have made a successful test call to the Google Ads API.
I attach an anonymized summary of my configuration in case it helps anyone who might be reading this in the future.
I have problem using Service Account to authenticate:
putenv('GOOGLE_APPLICATION_CREDENTIALS='/path/to/google.json');
$client = new \Google_Client();
$client->addScope(\Google_Service_Drive::DRIVE);
$client->useApplicationDefaultCredentials();
$client->setAccessType('offline');
$client->setSubject('xxx#xxx.com');
But it display error like this:
{
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method."
}
When I removed
$client->setSubject('xxx#xxx.com');
It works(I have access), but there is other problem, I can't see any files created through application in my google drive(using UI). From what I heard it's just because I use Service Account and it's creating files on his own space where I can have access only through API. I need to have access to files from API and from google drive application too.
Also I need to have access to my google drive without login to my google account(without redirecting user to google login page).
If you could help me with this problem and show some examples I would be very thankful.
You need to remember that a service account is not you. A service account is a dummy user it has its own google drive account. There will be no files on the service acccounts google drive account until you upload them.
There is no web view for a service account.
You can share a folder on your personal google drive account with the service account like you would any other user using the email address. Just make sure to have the serivce account update the permissions or you will have files on your drive account you dont have access to.
the service account can create a folder on its google drive account and share it with you. You should then be able to see it in the web view of your google drive account.
Storage limit of a service account is linked to the owner of the service account not the account it is uploading to.
Service accounts is used to act on behalf a user. You can set the user to be your account. This way, the service account is acting on your behalf and you can see everything (using the UI) got created via you app.
To avoid the error you are facing, ensure that the following is done:
Create Service account using the instructions in the link below. Please note that step number 6 is an important step and don't ignore it. https://support.google.com/a/answer/7378726?hl=en
Once a service account is created, you need to grant that account permissions using G-suite.
Copy the client_id. You can find it in the json file (service account credential file) or Using the Api Console, by going to Credentials > Manage Service Account then 'View Client ID'. Copy the client_id to clipboard
Launch the G-Suite Admin Console
Go to Security>Advanced Settings>Mange API client access.
Paste the client_id in the Client Name field, add the following API scopes and click Authorize:
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/calendar.readonly,
https://www.googleapis.com/auth/drive
Note: If step 3 is not done, you will get the error you are getting
References:
https://support.google.com/a/answer/7378726?hl=en
https://github.com/sazaamout/gDrive
I am trying to create a website where a user will sign up with a master user name and password, along with their Google analytics. When they log in with the master account they will automatically be logged in to view their GA data ( as well as data from other APIs).
I am currently trying to run HelloAnalytics.php I have created a service account and generated the client secret file. The file is read but I get the following error
"Uncaught exception 'Google_Service_Exception' with message 'Error calling GET https://www.googleapis.com/analytics/v3/management/accounts: (403) User does not have any Google Analytics account
I have read that to fix this you must add the service account email to the GA account you wish to view. I am confused on if this is true and how the service account works as there is only a 1 page guide online. Will all the users who wish to use my website have to add the service account email to their GA accounts? Or am I missing something? Any help will be appreciated.
The point of the service account is that it is not for a person, but for an serverside application (the service).
Your users would authenticate against your service (with whatever authentication scheme you provide yourself), and the service would authenticate against Google Analytics using the credentials from the service account.
The service account needs to be added to all accounts that your service wants to draw data from, as the service account is the "user" for which access is granted.
However it seems you do not need a service account at all; if the users trust you with their data they can provide any email/password combo that is added to their accounts, and you can use that to log in.
I am using Google Web master tools API v3 for Search Analytics. I am using Service Account to retrieve the analytics. I received following message.
(403) User does not have sufficient permission for site 'http://www.1800medexpress.com/'. See also: https://support.google.com/webmasters/answer/2451999.'
I added Service Account Email address also to the Web Master tools as owner. But still received same error.
I used PHP API Library.
I haven't tried but this should work.
In Webmaster tools for the website in question. upper right hand corner there is a cogwheel click on it go to Users and Property Owners click add a new user button add your service account email address.
Then try and run your code.
Service accounts need to be granted access to the data just like you would any other user by default they don't have access to your data.
Update:
By checking the documentation we can see that it is in fact possible to use a Service account with webmaster tools api it just needs to be set up properly. It may be an issue with your code or how you have set it up. Clod should probably be simlar to this. Service account with Google Calendar
A service account is used in an application that calls APIs on behalf
of an application that does not access user information. This type of
application needs to prove its own identity, but it does not need a
user to authorize requests. The Google Accounts documentation contains
more details about service accounts.
I understand that to use the Admin SDK only works with OAuth2.0 protocol, which requires that the logged on to Google and use the credentials that are created in developer console. My situation is that I'm implementing a process to enlist employees in our application and create an account in google, but not all our users have admin permission to enlist google accounts.
I made my user functionality and working properly (because my user is admin) but when upload it to production, another user could not create the user accounts when creating an employee, send the error that had no permissions to use the resource / API, obviously this person did not have administrator permissions.
So how do I send the credentials of an administrator account from server-side so that they can create user accounts on google?
not what I mean?
translated with Google Translate
There are two options available:
1) Store an admin's credentials.
In this method, you have an admin account go through a special authorization flow, and store their access_token and refresh_token in your database. Whenever you need to make a request that requires admin privileges, use the admin's stored credentials instead of the user's credentials.
2) Use a service account to impersonate an admin.
Service accounts can be granted domain-wide authority, allowing them to impersonate any user in the domain. When you need to make a request that requires admin privileges, use the service account to impersonate a domain administrator.
Option #1 is much simpler to code against, but requires a special admin flow in your application.
Open Google Console and select your project. You will find permission menu. When you will add a member at the time you have to give permissions there.