1
votes

We are trying to fetch a list of rooms in the organization via user_findrooms on the beta API.

I am using the php-connect-sample and was directed here after creating an issue there.

Our application is registered and has the required permissions. The user is logged in and redirected correctly. I can successfully get the /me endpoint.

When I try to get the /me/findRooms endpoint like this:

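use Microsoft\Graph\Graph;
use Microsoft\Graph\Model;

// Client for the beta endpoint, authenticated with the signed-in user's token
$graph = new Graph();
$graph->setApiVersion('beta');
$graph->setAccessToken($_SESSION['access_token']);

// Request the room list and map each entry to an EmailAddress model
$rooms = $graph->createRequest("get", "/me/findRooms")
               ->setReturnType(Model\EmailAddress::class)
               ->execute();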

Then I get the following error:

Client error: GET https://graph.microsoft.com/beta/me/findRooms resulted in a 403 Forbidden response: { "error": { "code": "ErrorAccessDenied", "message": "Access is denied. Check credentials and try again.", (truncated...)

So it seems to be a permissions error.

We have the following Graph permissions for our app:

Delegated Permissions: User.ReadBasic.All and User.Read.All

Application Permissions: Calendars.ReadWrite and User.Read.All

Which additional permissions are required to access /me/findRooms?

1
If you're only running this in the presence of a user, you don't need to specify app permissions. It looks like the delegated permissions you defined are sufficient to query for rooms on the beta endpoint, but there is some other auth issue going on. For additional context: are you using AAD V2 auth? Also, if you decode your token, what do you see in the 'scp' collection? - Dmitry Pimenov
Thanks for the reply @DmitryPimenov. Yes, I am using the Azure AD v2.0 endpoint to get the OAuth token. When I decode the token it contains the following under scp: "Calendars.ReadWrite User.Read" - karel

1 Answer

1
votes

In your auth flow, you will need to specify User.Read.All instead of User.Read in your scopes since this API requires reading all users in your directory to find conference room availabilities. Here is more information about how to request such scopes during the /authorize and /token requests.
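
The check suggested in the comments, as an added example that is not part of the original thread: decode the access token's payload and report which required scopes are missing from scp. The function names and the sample token are constructed for illustration, and the payload is read without verifying the signature, so this is a debugging aid only.

```php
<?php
/** Decode the payload (second segment) of a JWT into an associative array. */
function decodeJwtPayload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Not a three-part JWT');
    }
    // JWT segments are unpadded base64url; convert to padded standard base64.
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    if ($json === false) {
        throw new InvalidArgumentException('Payload is not valid base64url');
    }
    $claims = json_decode($json, true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('Payload is not a JSON object');
    }
    return $claims;
}

/** Return the scopes in $required that are absent from the token's scp claim. */
function missingScopes(string $jwt, array $required): array
{
    $claims = decodeJwtPayload($jwt);
    $scp = $claims['scp'] ?? '';
    if (!is_string($scp)) {
        $scp = '';
    }
    // scp holds the delegated scopes as one space-separated string.
    $granted = preg_split('/\s+/', trim($scp), -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_diff($required, $granted));
}

/** Helper used only to build the constructed sample token below. */
function b64url(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Constructed sample token (placeholder signature) carrying the scp value from the question.
$sample = b64url('{"alg":"none","typ":"JWT"}') . '.'
        . b64url(json_encode(['scp' => 'Calendars.ReadWrite User.Read'])) . '.'
        . 'constructed-signature';

// List the scopes the answer asks for that this token does not carry.
print_r(missingScopes($sample, ['User.Read.All']));
```

Running the same check on the real token after changing the scopes in the /authorize and /token requests confirms whether the new scope was actually granted.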