Monday, September 24, 2018

Access denied when try to get Azure AD group’s unseencount through Graph API

Some time ago I faced with interesting problem: when tried to get properties of Azure AD group using app token with app permissions (without available user context) through Graph API:

https://graph.microsoft.com/v1.0/groups/{groupId}?$select=visibility,unseencount

the following error was shown:

{
     "error": {
         "code": "ErrorAccessDenied",
         "message": "Access is denied. Check credentials and try again.",
         "innerError": {
             "request-id": "…",
             "date": "…"
         }
     }
}

Here is example from Postman:

01

Investigation showed that problem was caused by unseencount property. When I tried to remove it – another selected property (visibility) was returned successfully:

https://graph.microsoft.com/v1.0/groups/{groupId}?$select=visibility

{
     "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(visibility)/$entity",
     "visibility": "Public"
}

02

What was even more stranger is that in Graph explorer it worked:

03

Communication with MS support both on forums (see Can't get group's unseenCount) and via Azure support ticket helped to figure out the reason of this problem: in Postman I used app token with app permissions, while in Graph explorer I was authenticated with my own account (see above). I.e. in Graph explorer delegated permissions were used. And there is known issue in MS Graph (see Known issues with Microsoft Graph): unseencount may be retrieved only using delegated permissions:

“Examples of group features that support only delegated permissions:

  • Group conversations, events, photo
  • External senders, accepted or rejected senders, group subscription
  • User favorites and unseen count
  • Microsoft Teams channels and chats”

Hope that this information will help someone.

No comments:

Post a Comment