I want my app to be able to edit all events for which user is admin. It appears that the app can only update events that were created by the app. I've tested this a few different ways and it always comes the same. It returns error 200, permissions error.
Is this by design or is it a bug? Is there anyway to grant permission to the app to allow updating events not created by the app?
Events that were initially created by the app can be updated by the app.
This appears to be by design. The app must be designated as admin of the event. It can only be assigned as admin if the app creates the event. There is no way to find all admins of an event, either.
Related
I've created an application in https://apps.dev.microsoft.com (Platforms: Web)
This app needs the admin consent for certain permissions. I remember, in the past, accessing https://login.microsoftonline.com/{tenant name}/adminconsent?client_id={application id}&state={some state data}&redirect_uri={redirect uri} with an admin account in order to give permission to access resources in our organization that only an admin can grant. From there, users needed to give user-level consent in order to use the application.
Now, I can successfully login with an admin account and the app works as expected BUT I still get a prompt, for users, with the following message:
You can't access this application
APP NAME needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
Have an admin account? Sign in with that account
Return to the application without granting consent
The error message is: AADSTS90094: The grant requires admin permission. which doesn't seem to be documented anywhere..
If I click on the Have an admin account? Sign in with that account and sign in with an admin account, it works but trying again with a regular user account I get the above message again.
EDIT:
So I stripped permissions down to a bare minimum.
Scopes in my application are now: openid, profile, user.read
And Microsoft Graph Permissions are now, for Delegated Permissions: Mail.Send, User.Read. Nothing in Application Permissions and I STILL get the above message for regular users!
Anybody from Microsoft have some info on the AADSTS90094 error code?
OK, so I ended up contacting Microsoft support for this since, as of this date, there is no information on this error message.
To put it briefly, Microsoft has made some recent changes with regards to permissions. In the past, if your app required any of the openid, profile or offline_access, you could just place them in your app as scopes, they weren't available on https://apps.dev.microsoft.com. An admin would've given consent and your app would function properly.
What you should now do is mirror your app's scopes with the permissions you have on https://apps.dev.microsoft.com or else you'll keep on getting that error message so make sure you have the same thing on both sides now, especially if you're used to the old behavior.
Those three scopes/permissions (openid, profile and offline_access) can now be selected for your app on the dev portal.
The admin consent endpoint doesn't help in dynamic scope and dynamic consent scenario .
Using the admin consent endpoint will grant the permissions registered in the app registration portal . You can locate Microsoft Graph Permissions section, and then add the permissions that your app requires. After doing admin consent by using the admin consent endpoint , your app can gather permissions for all users in a tenant, including admin-restricted scopes .
I am using MSAL and the 2.0 endpoint (login.microsoft...), I am developing a Multi-Tenant Application.
My Organization has 2 Tenants
One of them is essentially our Dev instance (and I have global admin rights). I registered my app in the Tenant that I don't have Admin Rights on and performed Admin Consent for said app in the Tenant where I can perform the Consent myself. My users can Login Successfully and have consent to the resources they need.
However, when I created the App Registration (all Converged Apps on apps.dev.mic) from the account where I have global admin rights, the login for my users gets the AADSTS90094 Error.
The only way I've come to "resolve" this error is,
On Initial Login to the application the scope would be openid the user then consents to that, when that is completed I have to do another login with the scope defined for the application and everything works. Obviously that UX is wonky to say the least.
i try to develop a web-service which displays some user information from an Office 365 instance using the Microsoft Graph.
I'm able to query groups, user details and so on, but i'm not able to get the user profile picture as described here http://graph.microsoft.io/docs/api-reference/v1.0/api/profilephoto_get. It always return a 403, even when my service had all rights (for testing purpose).
The webservice is a deamon as described here: http://graph.microsoft.io/docs/authorization/app_only, so no actual user is logged in. Could that be an issue? Is it possible to query the photo information using a deamon?
As mentioned above, the problem could be solved by two things:
Use app permissions istead of delegated
If implementation reuses the Auth-Token, restart the apache (or other webserver) running the app after changing permissions for the app. The cached token doesn't seem to get updated rights.
Okay so I am building a website in laravel it consists of users which has one to many relationship with orders. What I want to know is if its possible to implement a messaging system with web socket for each particular order. So essentially user to user, with the exception of admin being able to chat via admin panel. Any advice on this matter will be great.
I'm currently working on adding Facebook integration into a website of mine via the PHP SDK. I'm requesting and planning to use the offline_access permission so I'm storing the access_token in a database. However, I'm giving the user the option to remove the integration with Facebook after they add it and therefore then removing this access_token from the database. This is where the issue comes in:
The first time they add the integration, my app redirects to Facebook correctly and asks for the permissions, etc. Then, however, if they remove the integration and then re-add it, it doesn't ask for the permissions again (which makes sense since those permissions are still technically given to my app on that user's profile unless they went into Facebook and manually deleted them).
My question is if theres a way to tell Facebook to remove my app and its permissions from that user's Facebook profile so that if they go to re-add the integration, they are once again prompted to accept the permissions.
Perhaps something like $facebook->expireAllAppPermissions() I guess.
You can issue an HTTP DELETE request to /PROFILE_ID/permissions to revoke authorization for an app.
this is because you are just deleting access token from your data base , it will not remove your app from user profile. user is still authenticated with your app. he has to remove the app manually.
I've created a simple Facebook app that doesn't need any data/info from users. When I try to view the app on Facebook, it's requesting permission to access my personal info.
I want the app to display without this request, for both logged in and not logged in users.
What's the code to do this?
Edit with more info:
I have a working Facebook app which I want to leave alone, I've duplicated the apps code and created a new app through the Facebook dev area. I've changed the relevant App ID, API ID and Secrets throughout the code. The original app works without any permission needed, but my duplicated version for some reason requests permission.
Simple solution is to create the app in the developers area, do all the settings to an iframe and create the application path to your website. Now in your website remove all the PHP code related to FACEBOOK GRAPH API and let it be a simple website that is independent of facebook. This will make what you want.