question

JaspreetBakshi-6612 avatar image
1 Vote"
JaspreetBakshi-6612 asked BKyle-0576 edited

Unable to retrieve photos from the Graph API

Our app uses the following link to obtain photos from the Graph API.

https://graph.microsoft.com/beta/users/USER_ID/photo/$value

and this was working well until recently. 3-4 days ago we noticed that guest users in our Azure AD no longer have access to any profile images in the system, and get the following error:

 {
     "error": {
         "code": "UnknownError",
         "message": "{\r\n  \"errorCode\": \"ErrorAccessDeniedForUser\",\r\n  \"message\": \"Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileUnauthorizedException' was thrown.\",\r\n  \"target\": null,\r\n  \"details\": null,\r\n  \"innerError\": null,\r\n  \"instanceAnnotations\": []\r\n}",
         "innerError": {
             "date": "2021-12-21T14:25:36",
             "request-id": "9684bb8a-c2d9-4ecc-a97c-e2ea683038d6",
             "client-request-id": "9684bb8a-c2d9-4ecc-a97c-e2ea683038d6"
         }
     }
 }

"Regular" users are still able to access the profile images, it is just the guest users who cannot.

We also tried the same with the new, non-beta endpoint

https://graph.microsoft.com/v1.0/users/USER_ID/photo/$value

But we get the same result. We know that this was working until recently but no longer does.



microsoft-graph-users
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

CarlZhao-MSFT avatar image
0 Votes"
CarlZhao-MSFT answered BKyle-0576 edited

Hi @JaspreetBakshi-6612

It should be that the default access permissions of the guest user are restricted. You can log in to the Azure portal as a global administrator, then find User settings>External collaboration settings, and then choose Guest users have the same access as members (most inclusive).
1.
159799-401.png
2.
159922-image.png
Another method is to grant guest users the role of user administrator.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.





400.png (54.5 KiB)
401.png (63.1 KiB)
image.png (28.4 KiB)
· 13
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

JaspreetBakshi-6612 avatar image JaspreetBakshi-6612 ·

Thanks for your answer Carl.

The issue we are seeing is that guest users cannot see any photos (for any person in the tenant). So it is not a matter of the guest users setting up their photos. It is that they cannot see photos of members or guest in the tenant. Inhouse users (non-guests) can see all photos.

0 Votes 0 ·
CarlZhao-MSFT avatar image CarlZhao-MSFT JaspreetBakshi-6612 ·

Hi @JaspreetBakshi-6612 Oh, that's it, I changed the answer.

0 Votes 0 ·
CarlZhao-MSFT avatar image CarlZhao-MSFT JaspreetBakshi-6612 ·

Hi dear @JaspreetBakshi-6612 Would you please provide us with an update on the status of your issue?

0 Votes 0 ·
JaspreetBakshi-6612 avatar image JaspreetBakshi-6612 JaspreetBakshi-6612 ·

Hi Carl,

Thanks for your answer. I did try it but it doesn't seem to address the issue. I still see these "401, Unauthorized" responses for photo fetches, when making the request as a guest.

These are our current access settings, set as per your instructions:


160982-image.png

But still we get the 401 message response:


160946-image.png


0 Votes 0 ·
image.png (165.8 KiB)
image.png (123.3 KiB)
CarlZhao-MSFT avatar image CarlZhao-MSFT JaspreetBakshi-6612 ·

Hi @JaspreetBakshi-6612 I need to check your access token, can you use https://jwt.ms/ to parse your token and share screenshots?

0 Votes 0 ·
JaspreetBakshi-6612 avatar image JaspreetBakshi-6612 JaspreetBakshi-6612 ·

Hi Carl, I have the token information. Would it be possible for me to email this to you instead of sharing it here?

0 Votes 0 ·
CarlZhao-MSFT avatar image CarlZhao-MSFT JaspreetBakshi-6612 ·

Very sorry @JaspreetBakshi-6612 , but we have been told that it is not allowed to contact customers by private email. Can you share a screenshot of your token here? Only the privacy information needs to be hidden.

0 Votes 0 ·
JaspreetBakshi-6612 avatar image JaspreetBakshi-6612 JaspreetBakshi-6612 ·

Carl, here is info about the token:

161409-image.png

I hope I have not gone overboard with the information hiding. Please let me know if you need the value of any specific field.


0 Votes 0 ·
image.png (261.7 KiB)
CarlZhao-MSFT avatar image CarlZhao-MSFT JaspreetBakshi-6612 ·

Hi @JaspreetBakshi-6612 I have reproduced your problem using a guest user. I think this is an unknown error and I need to discuss it with the team.

3 Votes 3 ·
Show more comments