This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 18%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Hi There,
I have been learning MS Graph API for the past few weeks to provision MS Teams Shifts using Powershell in my organization.
I have made a script to list all all Teams a user is a member of using their UPN and it worked fine.
But when it comes to the Script to List all Shift schedules in a Team, I always get a 403 Forbidden request. I am not sure how to resolve this issue as my Azure App Reg has all the required permissions. Also when I tested it on MS Graph Explorer it works fine but while on Powershell I have been facing the same error.
I have attached bellow a copy of my code along with the permissions that I have set for the API
Permissions Applied to the API following MS Graph Documentation
Updated API Permissions
Microsoft Graph>Delegated>email
Microsoft Graph>Delegated>Group.ReadWrite.All
Microsoft Graph>Delegated>profile
Microsoft Graph>Delegated>User.Read.All
Microsoft Graph>Delegated>WorkforceIntegration.ReadWrite.All
Microsoft Graph>Delegated>Schedule.ReadWrite.All
Microsoft Graph>Application>Schedule.ReadWrite.All
Microsoft Graph>Application>User.Read.All
Microsoft Graph>Application>Group.ReadWrite.All
Code Snippet
Import-Module Microsoft.Graph.Teams -ErrorAction SilentlyContinue
Import-Module Microsoft.Graph.Authentication -ErrorAction SilentlyContinue
# App Registration details
$clientId = "REDACTED"
$clientSecret = "REDACTED"
$tenantId = "REDACTED"
$teamId = "REDACTED"
# Set Microsoft Graph API URL and token endpoint
$graphAPIURL = "https://graph.microsoft.com/beta/teams/$teamId/schedule/shifts"
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
# Set the scope for accessing Microsoft Graph
$scope = "https://graph.microsoft.com/.default"
# Create a token request
$tokenRequestBody = @{
grant_type = "client_credentials"
client_id = $clientId
client_secret = $clientSecret
scope = $scope
}
# Get the access token
$tokenResponse = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $tokenRequestBody -ContentType "application/x-www-form-urlencoded"
# Call the Microsoft Graph API to list all shifts in the specified team
$headers = @{
"Authorization" = "Bearer $($tokenResponse.access_token)"
}
try {
$response = Invoke-RestMethod -Uri $graphAPIURL -Method Get -Headers $headers -ContentType "application/json"
# Display the shifts
$response.value
}
catch {
Write-Host "StatusCode: $($_.Exception.Response.StatusCode.Value__)"
Write-Host "StatusDescription: $($_.Exception.Response.StatusDescription)"
}
Hi @Karim Saleh
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Hi @Karim Saleh
This is a known issue.
When you call this API endpoint in the application context, you need to add the MS-APP-ACTS-AS request header:
$headers = @{
"Authorization" = "Bearer $($tokenResponse.access_token)"
"MS-APP-ACTS-AS" = $userId
}
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Hi @Karim Saleh
Hope things are going well. I am writing to see if the above suggestions help. If there's anything else we can help, feel free to let us know.
Hi @CarlZhao-MSFT I have attempted the proposed solution but ended up getting this as the output
Hi @Karim Saleh
This is because you have not instantiated the $userId object, try assigning a value to the $userId object:
$userId = "{user object id}"
$headers = @{
"Authorization" = "Bearer $($tokenResponse.access_token)"
"MS-APP-ACTS-AS" = $userId
}
Hope this helps.
If it helps you, don't forget to click "Accept Answer".
Thanks,
Carl
Faced with a 401 error, I was hoping to have the PS Script self authenticate using Client ID and Secret
Please share your error message. You must provide the above headers when calling this endpoint in the application context.
Here is a snippet of my code
Import-Module Microsoft.Graph.Teams -ErrorAction SilentlyContinue
Import-Module Microsoft.Graph.Authentication -ErrorAction SilentlyContinue
# App Registration details
$clientId = "REDACTED"
$clientSecret = "REDACTED"
$tenantId = "REDACTED"
$teamId = "REDACTED"
# Set Microsoft Graph API URL and token endpoint
$graphAPIURL = "https://graph.microsoft.com/v1.0/teams/$teamId/schedule/shifts"
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
# Set the scope for accessing Microsoft Graph
$scope = "https://graph.microsoft.com/.default"
# Create a token request
$tokenRequestBody = @{
grant_type = "client_credentials"
client_id = $clientId
client_secret = $clientSecret
scope = $scope
}
# Get the access token
$tokenResponse = Invoke-RestMethod -Uri $tokenEndpoint -Method Get -Body $tokenRequestBody -ContentType "application/x-www-form-urlencoded"
Write-Host $tokenResponse.access_token
$userId = "REDACTED"
# Call the Microsoft Graph API to list all shifts in the specified team
$headers = @{
"Authorization" = "Bearer $($tokenResponse.access_token)"
"MS-APP-ACTS-AS" = $userId
}
Write-Host $tokenResponse.access_token
Write-Host $graphAPIURL
Write-Host $headers | Format-List
try {
$response = Invoke-RestMethod -Uri $graphAPIURL -Method Get -Headers $headers -ContentType "application/json"
# Display the shifts
$response.value
}
catch {
Write-Host "StatusCode: $($_.Exception.Response.StatusCode.Value__)"
Write-Host "StatusDescription: $($_.Exception.Response.StatusDescription)"
Write-Host "Error Message: $($_.Exception.Message)"
Write-Host "Error Details:" $_.Exception | Format-List -Force
}
Here is return result
https://graph.microsoft.com/v1.0/teams/REDACTED/schedule/shifts
System.Collections.DictionaryEntry System.Collections.DictionaryEntry
StatusCode: 401
StatusDescription: Unauthorized
Error Message: The remote server returned an error: (401) Unauthorized.
Error Details: System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
Requesting an access token should be a Post request not a Get request, and that's what's causing the issue.
I am sorry once again I got a 404 error
StatusCode: 404
StatusDescription: Not Found
Error Message: The remote server returned an error: (404) Not Found.
Error Details: System.Net.WebException: The remote server returned an error: (404) Not Found.
at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
Have you created shift instances for the users in the request header?
There are shifts in the Team that I have created manually. I have attampted to use the Graph API to create shift instances and got the same 404 error
Is the shift instance created using the user in the request header?
Yes. the Shifts are created by the user in the requested header.
Ok, please try to use Postman to call the api endpoint for testing and see if the result reports an error.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 49%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Hello together,
it is really nice that you provided a solution (thanks for that!), but is there any information on why the MS-APP-ACTS-AS header is needed and if it will change in the future?
For me, this seems like a bug and not a feature: If one is using the app-only access (which I'm clearly doing here) there should be no need for a MS-APP-ACTS-AS header (since the App is not acting as someone else but should authenticate by its own).
This is still an issue for me since my customer is really unhappy that we need a user id in a header of an app only access prozess (since this is not really security comliant).
Has anyone more information on this?
Thanks!
Simon
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 24%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
For those who're still struggling with this problem, my test result is that the required uid is one of the members in the Team (you looking for the Shifts in this Team).
(Sorry) In Python:
url = 'https://graph.microsoft.com/v1.0/users/<UPN of a Team member user>'
r = requests.get(url=url, headers=headers).json()
uid = r['id']
headers = {
'Authorization': f'Bearer {access_token}',
'Content-Type': 'application/json',
'MS-APP-ACTS-AS': f'{uid}'
}
The query result if the uid is not a Team member:
{'error': {'code': 'NotFound', 'message': '{"error":{"code":"NotFound","message":"Sorry, the user was not found and may have been deleted","details":[],"innererror":{"code":" ...