Slow download speed using GRAPH api
I wanted to start a little discussion because I can't find any information about my issue with download speed of GRAPH api. So Let's start with some information that I have a python app that connect to my One drive Business. I have there two folders with pdf's one is about 70k and one is 7k. I connect to them successfully. I know that this API has some limitation with the amount it can download on one request but still I think it is not fault but my and lack of knowledge. The biggest problem is when I use some search feature in my app that requires searching a specific file(it just freeze my whole app). I make all communication inside my python code and I don't see any room to further optimization. I will just mention that this is my first time working with API and clearly don't know where to ask for any help.
Graph API : Authorization_RequestDenied Message: Insufficient privileges to complete the operation.
Hi Team, I have a Graph app and user configured with the following resourceAccess scopes: Code "resourceAccess": [ { "id": "06da0dbc-49e2-44d2-8312-53f166ab848a", "type": "Scope" }, { "id": "9c7a330d-35b3-4aa1-963d-cb2b9f927841", "type": "Scope" }, { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" }, { "id": "b340eb25-3456-403f-be2f-af7a0d370277", "type": "Scope" } ] However, when trying to pull presence data, I receive the following error in Postman: Code StatusCode: Forbidden Message: Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. Graph Explorer also fails to return presence for a specific user using: https://graph.microsoft.com/beta/users/{user-id}/presence But the endpoint for the signed-in user works fine: https://graph.microsoft.com/beta/me/presence Admin consent has been granted, and even the Global Admin cannot retrieve presence for other users. Other permissions work fine — the app can list users and connect without issue. Presence is the only operation failing. Question: How can I investigate this behavior in Azure/Entra using the request-id or client-request-id from the error response? Or what could cause this behavior? Thanks in advance!
Getting 403 Unauthorized on Graph API Mail Access (School Project with Consent Given)
Hi everyone, I'm currently working on a school project involving the Microsoft Graph API, and I'm running into an issue. I hope someone in here can help me with it. The project is called Sumday. it’s a concept app that pulls in emails daily from a user's mailbox, summarizes them using the ChatGPT API into a to-do list, and then creates tasks in Microsoft To Do. The goal is to provide users with a daily productivity summary and action plan based on their incoming mail. The issue is this: Even though another user has granted consent to my app registration (via delegated permissions), I receive a 403 Unauthorized error on every API call when trying to read their mailbox. I understand that delegated permissions require the signed-in user to match the mailbox being accessed, but since this is just a school project and not a production application, I’m wondering: Is there any workaround or sandbox approach that allows this kind of delegated access to be simulated? Is the issue caused by Microsoft 365 education/school tenant restrictions? Since I can log in and access my own mailbox just fine, is there a way I can safely test cross-user scenarios for demo purposes? Important note: I did manage to get this working using a Logic App, but that’s not the approach I want to take for this project. My goal is to integrate everything within my own app and codebase, so relying on Logic Apps is more of a temporary workaround rather than a long-term solution. I’m not trying to bypass any limitations just hoping to better understand what’s possible in this context and how I can move forward with developing and testing the core idea. If anyone has insights, experience, or advice on this, I’d really appreciate your help. Thanks in advance! Best, Chris
Grant "read" role for a DriveItem to an Entra ID app
Context My web app uses an Entra ID application to organize file transfer from Sharepoint to the local storage. For this to work, a combination of “Files.Read.All” Delegated permission and FilePicker SDK v7.2 for JavaScript is used. A user authorizes using his Microsoft work account, agrees with the consent, selects a file, and the web app reads and downloads that file. Question How to have a stable way for the Entra ID app to read any file, which was previously selected by any user, at any time? (Have a permanent “read” access) What I have tried Files.SelectedOperations.Selected Application permission. I can request a JWT token for the Entra ID app (POST /tenant_id/oauth2/v2.0/token), but a call (POST /v1.0/sites/site_Id/drives/drive_Id/items/item_Id/permissions) to grant “read” role for a DriveItem by siteId, driveId and itemId retrieved from FilePicker SDK's response returns 403 “accessDenied”. Apparently, that’s the user who must grant access to that file, but on UI he cannot share it with an Entra ID app, only with another user. Re-usage of user’s accessToken which comes from FilePicker SDK to backend to grant "read" role for the Entra ID app to the file he has just selected. This accessToken is not full and cannot be used to perform such an operation. Ultimate Goal (just for more context) Implement OneDrive file auto-synchronization service for the web app. For example, a user uploads a file to the web app. A month later he updates this file on Sharepoint in a site-collection or My Files. A background task is launched daily to update obsoleted files in the web app. The application must be able to read and download the respective DriveItem without any user interaction. Business Restrictions Excessive Application type permissions (Files.Read.All, FullControl, etc.) are not allowed. Sites.Selected is highly NOT preferred because it requires global changes for users to transfer (copies of) their content on a special site-collection the Entra ID app will have to monitor. So is actual if each customer Users should not be involved into using developer tools, like sending POST requests through Postman or Graph Explorer. Authorization flows which involve refreshing the received users' accessTokens are not allowed. I am grateful for any information and ideas!
Authentication issue while using Client Credential through Oauth2.0
Hi Community Hope you are doing well. I am unable to authenticate to our registered app in azure. I am looking to test the get/users graph api using insomnia (similar tool as postman). During Token generation we are getting 401 error. we are provide correct Client ID and Secret with right scope url. I created the app, added the necessary permissions and the client credentials. Do I need to add a redirect uri to the app? Does the app need to be registered account types as "accounts in any organization directory"? I am getting a 401 unauthorized error Can you please assist what I'm what is missing here? I will really do appreciate your help. Thanks VatanError getting new token
Hi, i want to add a new member to a private channel. I follow the authentication flow as follows: a) starting with url https://login.microsoftonline.com/#tenantid#/oauth2/v2.0/authorize?client_id=#clientid#&response_type=code&response_mode=query&redirect_uri=https://www.dashandwerk.net/dashandwerk/api/graph/webhook&scope=offline_access%20TeamMember.ReadWrite.All%20ChannelMember.ReadWrite.All%20User.Read&state=1234" b) my redirect_uri will open and i am getting a new code c) this new code will be used to get a new token with this url https://login.microsoftonline.com/#tenant#/oauth2/v2.0/token?client_id=#client_id# &client_secret=#client_secret# &scope=offline_access%20TeamMember.ReadWrite.All,ChannelMessage.Send%20User.Read%20Mail.Read%20ChannelMember.ReadWrite.All' &code=#code# &redirect_uri=https://www.dashandwerk.net/dashandwerk/api/graph/webhook &grant_type=authorization_code But when getting the new token, i am getting this error: "{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '640a5194-77b1-40cf-b774-fc9eb9a6d128' named 'dashandwerk-teams'. Send an interactive authorization request for this user and resource. Trace ID: 34a8ea64-b664-448c-9b7c-b4c9a92e0300 Correlation ID: 77e80082-9e58-4da9-8752-2d7bc75d7262 Timestamp: 2025-03-03 11:11:08Z","error_codes":[65001],"timestamp":"2025-03-03 11:11:08Z","trace_id":"34a8ea64-b664-448c-9b7c-b4c9a92e0300","correlation_id":"77e80082-9e58-4da9-8752-2d7bc75d7262","suberror":"consent_required"} Searching on google shows this: Make sure you have followed the steps to https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent#construct-the-url-for-granting-tenant-wide-admin-consent. You can do this under Application > API permissions > Grant admin consent. But all grants have admin consent in the office admin center for intra at the app registration. Any ideas to solve this issue ?
Approvals Not updating
I'm having a problem when retrieving the approvals created. Until 2024-12-26 at 13:16:48 UTC, when I created an approval, either through the application or through the API, it immediately appeared when I used get in the endpoint: https://graph.microsoft.com/beta/solutions/approval/approvalItems. Now I'm only able to see the approvals from before 2024-12-26 at 13:16:48 UTC, there is no record of the new approvals. I also noticed that, in the application, it's not showing the name of the person to whom the approval request was sent, only the name of the person who approved it, both for the new requests and for the old requests that have already been completed.Approvals Not updating
I'm having a problem when retrieving the approvals created. Until 2024-12-26 at 13:16:48 UTC, when I created an approval, either through the application or through the API, it immediately appeared when I used get in the endpoint: https://graph.microsoft.com/beta/solutions/approval/approvalItems. Now I'm only able to see the approvals from before 2024-12-26 at 13:16:48 UTC, there is no record of the new approvals. I also noticed that, in the application, it's not showing the name of the person to whom the approval request was sent, only the name of the person who approved it, both for the new requests and for the old requests that have already been completed.PowerApp Graph Custom Connector without User Login
So I've been trying to create an app that will allow users to set and edit their own pronouns and then store those pronouns in Graph for use in Email Signatures and the such. I've been following this tutorial <https://www.m365princess.com/blogs/azure-ad-directory-extensions/> in doing so, and I've basically got it down I've made the app and it works. However, it only works for me, i.e. admins. Whenever another user logs in and they are able to view their pronouns, i.e. GET graph.microsoft.com/me, but can't update their pronouns, PATCH graph.microsoft.com/me?$select=pronouns They get this error: My question is what can I do to get this app to be able to make the changes to this one specific item in graph, or allow for users to be able to edit this for themselves, or something that would make this work. Or perhaps I'm going about it the wrong way. Any help is appreciated, KamalaIntune Discovered Apps
Hello All, In the process of trying to use Graph to pull out the apps installed on user devices from Intune for a database being created in PowerApps for our IT Admin to ensure that licenses are removed from a device after it is returned by the user. Our process of licensing apps is less than streamlined, so if a user is licensed for something like Adobe or Navisworks, they are manually installing these themselves. As a result they arent visible in detectedApps, only in the Discovered Apps list. Have had a solid dig through the available resources and through various discussion boards but havent found a way that the Discovered Apps list can be pulled through Graph. Has anyone found a way to get this data out or is this a feature yet to be made available? Thanks in advance.
