0

Having installed the AzureGraph package in R, I am trying to use it to run a query that will return Microsoft Teams usage data for my organisation. By investigating the Microsoft Graph documentation, I can see that a query exists that should allow me to obtain the data. IT within my organisation have also given me permission for Reports.Read.All to allow me to run the example query that is specified in the documentation.

Within R, having specified my tenant, my username and my password, I created a login by using the the following code:

gr <- create_graph_login(tenant = my_tenant, username = my_username, password = my_password)

I know the login works, as the following code returns my user details:

call_graph_endpoint(gr$token, operation = "me", api_version="v1.0")

I then tried the following (example query from documentation), however this time I was given an error.

call_graph_endpoint(gr$token,
                    operation = "reports/getTeamsUserActivityUserDetail(period='D7')",
                    api_version="v1.0")

The error was as follows:

Error in process_response(res, match.arg(http_status_handler), simplify) : Forbidden (HTTP 403). Failed to complete operation. Message: {"error":{"code":"S2SUnauthorized","message":"Invalid permission."}}.

From another post regarding the AzureGraph package, I have deduced that the error is being generated as I don't have the required Microsoft Graph API permissions, but if I log onto the Microsoft Graph Explorer, I can see that an admin account has consented for me to have permission to Reports.Read.All.

Does anyone know where I'm going wrong? I am very new to using the Microsoft Graph API and the AzureGraph package so any help at all would be greatly appreciated!

LouUniSP
  • 1
  • 2
  • Has your admin added you as a member of an Azure AD limited administrator role? Reading report data is sensitive so you not only need the necessary permission but also a limited administrator role as the documentation on that API states – Fiona Matu Mar 31 '21 at 10:58
  • No, I don't think I have been added as limited administrator role. When I log into the Azure Portal and navigate to 'Roles and administrators', by selecting 'Your Role' I can see I am a Message centre reader, Reports reader and a Security reader. Should I request for my admin to assign me the limited administrator role by following this documentation? https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal – LouUniSP Mar 31 '21 at 13:58
  • Refer the [report permissions for Microsoft Graph API](https://learn.microsoft.com/en-us/graph/permissions-reference#reports-permissions), and make sure you have the necessary permissions/roles to access them. – Dev Apr 01 '21 at 03:54

1 Answers1

0

AzureGraph author here. To authenticate properly, run

create_graph_login(tenant = my_tenant)

ie, without the username and password arguments. See the authentication scenarios vignette in the latest release of the AzureAuth package for more information. You'll know it works when R opens your browser to show the Azure login page.

(Short explanation: by passing both username and password, you're using what's called the resource owner authentication flow, rather than the standard flow that goes through your browser. Resource owner isn't really meant for interactive use, and it's possible that the Graph API doesn't support it fully.)

2 other points:

  • The Reports.ReadAll permission has to be assigned to the app registration you use to authenticate with. You'll also need to specify the app ID in the create_graph_login call above.

  • You can try using the Microsoft365R package to talk to Teams. It doesn't have report querying (yet) as a built-in feature, but it should handle all the lower-level details like authentication and response parsing.

Hong Ooi
  • 56,353
  • 13
  • 134
  • 187