Solved: Re: Unauthorized: Graph API - Create Planner Plan

FabianAckeret · ‎10-15-2019

Dear community

I'd like to create a Planner plan with Flow and found this article. I went ahead and configured Azure accordingly (which I know it works since I can create a team the same way with Flow). In this video, he explains how to create a plan with the Graph Explorer. This works perfectly - I can create a Planner plan with the Graph Explorer, but I can't get it to work with the HTTP action in Flow. I assume it's because the Graph Explorer runs the code in the user context and the HTTP action does not. How can I run it with the tenant id/client id/client secret?

This is how my Flow looks like:

And I get this error message whenever I run it:

401 - Unauthorized: Access is denied due to invalid credentials.

** Edit **

Can you even do that with Flow? Since it only supports delegated api calls?

Please click Accept as Solution if my post answered your question. Like my answer? Consider giving it a Thumbs Up. Others seeking the same answers will be happy you did.

FabianAckeret · ‎10-17-2019

Hi

That post is from back in the days when Planner plans came along with SharePoint sites. However, since no Planner plan will be provisioned whenever a SharePoint site is being created, this blog post doesn't cover the most important part.

Anyway, I've figured it out. I hope this helps some people 🙂

Configure Azure AD App Permissions with Delegated Group.ReadWrite.All (see MS doc)

Since the "application" permission-type is not supported, you'd need to run it with a user-context. You can do that by creating an HTTP action and use that Authorization token according to the screenshot below. I'm adding a service account to the group since you can only create a plan when you're also part of it.
You can copy the "Parse JSON - get access token" action-Schema here:

{
    "type": "object",
    "properties": {
        "token_type": {
            "type": "string"
        },
        "expires_in": {
            "type": "string"
        },
        "ext_expires_in": {
            "type": "string"
        },
        "expires_on": {
            "type": "string"
        },
        "not_before": {
            "type": "string"
        },
        "resource": {
            "type": "string"
        },
        "access_token": {
            "type": "string"
        }
    }
}

Cheers

Please click Accept as Solution if my post answered your question. Like my answer? Consider giving it a Thumbs Up. Others seeking the same answers will be happy you did.

View solution in original post

v-bacao-msft · ‎10-15-2019

Hi @FabianAckeret ,

Please check this article and see if it helps:

https://daytodaydynamics365.com/creating-a-planner-plan-from-a-d365-psa-project-with-flow/

Best Regards,

Community Support Team _ Barry
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

FabianAckeret · ‎10-17-2019

Hi

That post is from back in the days when Planner plans came along with SharePoint sites. However, since no Planner plan will be provisioned whenever a SharePoint site is being created, this blog post doesn't cover the most important part.

Anyway, I've figured it out. I hope this helps some people 🙂

Configure Azure AD App Permissions with Delegated Group.ReadWrite.All (see MS doc)

Since the "application" permission-type is not supported, you'd need to run it with a user-context. You can do that by creating an HTTP action and use that Authorization token according to the screenshot below. I'm adding a service account to the group since you can only create a plan when you're also part of it.
You can copy the "Parse JSON - get access token" action-Schema here:

{
    "type": "object",
    "properties": {
        "token_type": {
            "type": "string"
        },
        "expires_in": {
            "type": "string"
        },
        "ext_expires_in": {
            "type": "string"
        },
        "expires_on": {
            "type": "string"
        },
        "not_before": {
            "type": "string"
        },
        "resource": {
            "type": "string"
        },
        "access_token": {
            "type": "string"
        }
    }
}

Cheers

Please click Accept as Solution if my post answered your question. Like my answer? Consider giving it a Thumbs Up. Others seeking the same answers will be happy you did.

KhurramJamshed · ‎03-19-2020

Hi isabasu,

i have been stuck with this issue for a whole day now.

i have registered an app in azure and have all the neccessary token values. and using the same app i am able create a group successfully that is required prior to create a plan.

however while trying create a plan in next step using a group id from previous step, i am getting a same error as you have mentioned.

following your reply i am able to get an authorization token but i am stuck with additional step you have performed of adding a SERVICE USER to an AZURE group.

i assume with service user you are referring to an APP we have registered earlier?

but which azure group you have added that user to? isnt the group id required is of an O365 group?

i would appriciated you help becuase i dont see many people have blogged/explained issues related to creating a plan using graph api.

many thanks.

FabianAckeret · ‎03-24-2020

@KhurramJamshed

Sure thing.

With a service user, I just meant a normal user account dedicated to tasks like this. You can call him donald.duck@domain.com if you like. For testing purposes, I have assigned global admin permissions to that service user.

In Planner, you can't create a plan if you are not part of that O365 group you'd like to create it for. That is why, before Flow is trying to create the plan, you'd need to add the user to that O365 group.

You mentioned that you were able to create an O365 group, right? Everything after that is actually quite simple.

Just use the flow Azure AD action "Add user to group". Since you have the id of the group as well as the one from the user, that shouldn't be a problem.

Once you have that, you can call the HTTP Web Service to create a planner plan according to my screenshot in the previous post.

Please click Accept as Solution if my post answered your question. Like my answer? Consider giving it a Thumbs Up. Others seeking the same answers will be happy you did.

KhurramJamshed · ‎03-30-2020

thanks for replying @FabianAckeret - in that case, i dont see what is missing at my end. except for the way you did a few things i.e. adding a user to a group using AD action. which i did while creating a group

i will give another try by adding user using AD group action and let you know.

PURNA429 · ‎08-21-2020

Hi,

I am using PowerShell to create planner by calling Graph API. As mentioned in this article registered the app with all required Delegated permissions including admin consent.

Running the script with a service account. Able to get the auth token . But at the command

$planner = New-PlannerPlan -PlanName $plannerTitle -visibility $plannerVisibility

it is giving below error :

Get-PlannerAuthToken : Authorization Access Token is null, please re-run authentication...

And sometimes its creating group but throwing below error while creating the plan with group id

Request to https://graph.microsoft.com/beta/planner/plans failed with HTTP Status Forbidden Forbidden

Can someone help in understanding what could be the cause..?

Also, can a service account ( which has SharePoint, Teams, Exchange admin roles along with a Group Creation permission ) create the plan by connecting to planner with regular credentials without auth token/app registration path in azure?

Thank you,

Purna

BastienB · ‎10-12-2020

Hello

Thanks @FabianAckeret I use your topic to create the connection to Graph Api

But I have two call one for create a Plan a second to get the groups URL. This task works fine but sometimes without explain I have authorization Error

For the Get Groups Url I have the error randomly "access denied"

For the Create Plan, the error "You do not have the required permissions to access this item, or the item may not exist."

If I use this task in 2 different flow, its work fine, in the same flow I have randomly this error and I dont understand why ?

FabianAckeret · ‎10-12-2020

Hi @BastienB

I would even do it entirely different than in my previous post nowadays.

This post explains how I would do it. Create an app registration, get the client id & client secret, and add it to the OAuth fields.

I hope this helps.

Please click Accept as Solution if my post answered your question. Like my answer? Consider giving it a Thumbs Up. Others seeking the same answers will be happy you did.

Unauthorized: Graph API - Create Planner Plan

Helpful resources

Power Automate News & Announcements

Community Calls Conversations

Power Automate Community Blog

Help make Flow Design easier