GRAPH API does not work for Schedule/Shifts 403 Error

Question

GRAPH API does not work for Schedule/Shifts 403 Error

Darwin Ranzone 20

I am triying to retrieve shifts using the graph API

I have created a test channel and created test schedules and shifts

But i am getting 403 error when i try to retrieve it, i have checked the documentation and it seems i have done as described but when i try to retrieve Schgedules or Shifts i get an error 403

https://learn.microsoft.com/en-us/graph/api/schedule-get?view=graph-rest-1.0&tabs=http

https://learn.microsoft.com/en-us/graph/api/schedule-list-shifts?view=graph-rest-1.0&tabs=http

I added the permissions described in the documentation to my app registration, i am using application permissions in this case:

Modified

Below is my sample code

I am able to run a request agaiinst "https://graph.microsoft.com/v1.0/teams/$($TeamGUID)" without any issues but i cannot run a request against the other 2 URIs

# Azure AD App Credentials
$ApplicationClientID = 'aaaaaaaaa'
$TenantID = 'bbbbbbbbbbbbbbbbbbbbb'
$ClientSecret = 'cccccccccccccccccccccc'
$TeamGUID = 'ddddddddddddddddddddddddd'

# Function to acquire access token
function Get-GraphAccessToken {
    $tokenEndpoint = "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token"
    $body = @{
        grant_type    = "client_credentials"
        scope         = "https://graph.microsoft.com/.default"
        client_id     = $ApplicationClientID
        client_secret = $ClientSecret
    }
    
    $response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body
    return $response.access_token
}

# Acquire the access token
$token = Get-GraphAccessToken

# Function to make a GET request to the Graph API
function Invoke-GraphApiRequest {
    param (
        [string]$RequestUrl
    )

    $headers = @{
        Authorization = "Bearer $token"
        "Content-Type" = "application/json"
    }

    try {
        $response = Invoke-RestMethod -Headers $headers -Uri $RequestUrl -Method Get
        return $response
    }
    catch {
        Write-Error "Error: $_"
    }
}

# Prompt for the Graph API URL
#$graphApiUrl = Read-Host -Prompt "Enter the Graph API URL"

$graphApiUrl = "https://graph.microsoft.com/v1.0/teams/$($TeamGUID)"
#$graphApiUrl = "https://graph.microsoft.com/v1.0/teams/$($TeamGUID)/schedule"
#$graphApiUrl = "https://graph.microsoft.com/v1.0/teams/$($TeamGUID)/schedule/shifts"


# Make the Graph API request
$response = Invoke-GraphApiRequest -RequestUrl $graphApiUrl

# Output the response
$response | ConvertTo-Json | Write-Output

Is this a bug?

Usama Asghar 0 Reputation points

2023-11-12T13:17:14.6933333+00:00

Receiving a 403 error in this context typically indicates a permissions issue. Given that you're able to successfully execute requests against one endpoint but not others, it suggests your application has some permissions, but not all the required ones for accessing schedules and shifts in Microsoft Graph.

Here are a few expert-level steps and considerations to troubleshoot and resolve this issue:

1. Review Required Permissions: Double-check the permissions required for the specific endpoints you're trying to access. The Schedule and Shifts APIs might require different or additional permissions compared to the Teams API.

Permissions like Schedule.Read.All, Schedule.ReadWrite.All, Group.Read.All, or Group.ReadWrite.All could be necessary.

2. Consent to Permissions: Ensure that admin consent has been granted for the required permissions in Azure AD. This is a common oversight. Even if permissions are listed in your app registration, they might not be effective until an admin has consented to them, especially for application permissions.

3. Token Scope: Verify that the token you're acquiring includes the necessary scopes. Since you're using client credentials flow, the scope is set to .default, which should include all the permissions granted to the application. You can decode the access token using a tool like jwt.io to confirm the scopes present in it.

4. Endpoint URLs: Confirm that the endpoint URLs you're using are correct. In your script, it appears you have commented out the specific endpoints for schedules and shifts. Make sure you're using the right format as per the documentation.

4. Team's Availability for Graph API: Ensure that the team whose GUID you're using is indeed available for Graph API operations related to schedules and shifts. Sometimes, features or data might not be fully integrated or accessible via the API, depending on various factors like how the team is set up or its settings.

5. Error Details: When you catch the error, try to output the entire error response. This often includes more detailed information about why the request was forbidden, which can be critical for troubleshooting.

6. Application Registration Settings: Revisit your application registration in Azure AD to ensure all configurations are correct. This includes checking the manifest file for any anomalies.

7. Microsoft Documentation and Support: Since you've followed the documentation but are still encountering issues, consider reaching out to Microsoft Support or checking Microsoft forums for similar issues. Sometimes, there could be ongoing issues or updates that affect API functionality.

8. Test with Graph Explorer: As a final check, try to perform the same operations using the Microsoft Graph Explorer. This can help determine if the issue is with your code or with the permissions/setup in Azure AD.

If you've gone through all these steps and the issue persists, it might be worth considering if there's a temporary bug or service issue on Microsoft's end, though this is less likely if other endpoints are working fine.

For more check this documentation:

https://learn.microsoft.com/en-us/graph/resolve-auth-errors/describing-word

Answer 1

CarlZhao-MSFT 31,736

Hi @Darwin Ranzone

When you call the above API using an application-only token, you need to provide the MS-APP-ACTS-AS request header.

User's image

Test:

User's image

By the way, the user you provide in the request header must be a member of the current team.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

CarlZhao-MSFT 31,736 Reputation points

2023-11-15T02:00:30.9666667+00:00

Hi @Darwin Ranzone

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily. Thank you very much!
Darwin Ranzone 20 Reputation points

2023-11-19T02:49:18.55+00:00
Hi Carl
Yes that did resolve the issue

I added a static variable in the first section of the script with the guid for the user and added the user as a member of all teams i had to fetch schedule and shifts
Ex:
$UserId = "4af7c4e1-ab8e-4a40-980a-946cdc9878ac"

then i just added it to the header like this:

$headers = @{ Authorization = "Bearer $token" "Content-Type" = "application/json" "MS-APP-ACTS-AS" = $UserId # Adding the MS-APP-ACTS-AS header}

GRAPH API does not work for Schedule/Shifts 403 Error

0 additional answers

Activity