I’ve been doing a lot of SPFx, .NET Core and Office 365 related development and I have several stories to share.
During the implementation of one of the features in a custom API application, I had to create a schema extension in Microsoft Graph for a Group object, for the purposes of classification. As I stumbled upon a non-intuitive behaviour of the API in Graph Explorer, I hope to save you a couple of hours if you have to do the same.
I went to the extensive Graph documentation to see how to perform such a call to MS Graph. It didn’t seem particularly difficult, just a POST with JSON data on the schemaExtensions endpoint.
In the Graph Explorer application that I was using, I kept getting “Request denied due to insufficient permissions”. I double and triple-checked that my Graph Explorer indeed had the needed permissions (Directory.AccessAsUser.All). No matter what I did, I kept getting the same error.
In the end, it seemed to be a limitation of the Graph Explorer client. To overcome it, Microsoft added a workaround:
- Register another Web / API application in Azure Active Directory
- Add the required permissions to create schema extension to that application
- In Graph Explorer, prepare a POST request to the schemaExtensions endpoint
- Add the “owner” property in the JSON payload, with the value of the authorized application App ID
- Voilà! The schema extension is created.
My schema creation request JSON payload was like this:
```json
{
  "id": "classificationGroup",
  "owner": "937451d2-b057-4d16-8ea0-fd50b9531fef",
  "description": "Custom group classification",
  "targetTypes": [
    "Group"
  ],
  "properties": [
    {
      "name": "classificationValue",
      "type": "String"
    }
  ]
}
```
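A pre-flight check for this kind of request, as an added example that is not part of the original post: it verifies that the payload carries an "owner" App ID and only property types Microsoft Graph accepts for schema extensions, then builds the POST without sending it. The function names, the `access_token` parameter and the v1.0 URL are assumptions of this example.

```python
import json
import re
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/schemaExtensions"
# Property types Microsoft Graph accepts in a schema extension definition.
ALLOWED_TYPES = {"Binary", "Boolean", "DateTime", "Integer", "String"}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Payload from the post above.
PAYLOAD = {
    "id": "classificationGroup",
    "owner": "937451d2-b057-4d16-8ea0-fd50b9531fef",
    "description": "Custom group classification",
    "targetTypes": ["Group"],
    "properties": [{"name": "classificationValue", "type": "String"}],
}


def validate_schema_extension(payload):
    """Return a list of problems; an empty list means ready to send."""
    problems = []
    if not payload.get("id"):
        problems.append("id is required")
    owner = payload.get("owner")
    if owner is None:
        problems.append("owner is missing (App ID of the authorized app)")
    elif not GUID_RE.match(str(owner)):
        problems.append("owner is not a GUID-formatted App ID")
    if not payload.get("targetTypes"):
        problems.append("targetTypes must list at least one resource type")
    props = payload.get("properties") or []
    if not props:
        problems.append("properties must define at least one property")
    for prop in props:
        if not prop.get("name") or prop.get("type") not in ALLOWED_TYPES:
            problems.append(f"bad property definition: {prop!r}")
    return problems


def build_request(payload, access_token):
    """Build (not send) the POST; raise ValueError if validation fails."""
    problems = validate_schema_extension(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        GRAPH_URL, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
```

Passing the result of `build_request` to `urllib.request.urlopen` sends it; the token must belong to a session that holds the permission mentioned above.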