I am using connected system with Oauth2.0 to connect to office365 and get the calendars i m able to authorize using connected system however when testing the base url I get the below error
Invalid credentials
Appian was not able to authenticate with the access token you provided. This request requires Bearer authentication. HTTP/1.1 401 Unauthorized Next Steps
When i run the authorization its executes successfully. Has any one seen this issue before or can someone share the Oauth2.0 configuration related to outlook ( For outlook defining a scope is mandatory)
Discussion posts and replies are publicly visible
Is it difficult to integrate outlook in appian?
It depends, you need appian and Outlook/Azure team to collaborate to integrate it.
Here is the configured permission in Azure AD.
What type of connection mechanism are you using to connect to graph API, is it client credentials grant type or authorization code grant flow? I have it working as a client credentials grant type based on the inputs received from Steven Miccile check the post above for steps. If you are using client credential grant type then you need 2 integration objects one will get the token using POST method and store it in a constant and second will perform a GET request and use the stored token to get data from Azure connected system.
I'm using the 1st approach. I've followed the above steps to generate the token using POST method and also i was able to successfully ping "https://graph.microsoft.com/v1.0".
I'm getting the error when i try to access my user profile or my calendar such as like below.
https://graph.microsoft.com/v1.0/users/<my-email>/calendarview?startdatetime=<start time>&enddatetime=<end time>
Try this
https://graph.microsoft.com/v1.0/users/email@address/calendarview?startDateTime=2020-06-30T03:00:00&endDateTime=2022-11-08T17:00:00&$select=Subject,Start,ENd,Location&$top=1048
Don't try to pull in too much of data it does error out if calendars of more than 2.5 years are requested.
Based on this screenshot, your Azure setup is for "Delegated" permissions which is on behalf of the logged in user you would need an OAuth Authorization Code connected system in Appian (NOT client credentials). Even so, the permissions are not enough since the /users API requires a minimum of User.ReadBasic.All which has not been granted based on the picture.
If you want to use OAuth Client Credentials grant type for a service account type integration, the Azure permissions must be "Application" and not "Delegated".
Steven Miccile Thank you for your help. Per your instruction I've changed the Azure permissions from "Delegated" to "Application" and i was able to access the graph API. Thank you.
Awesome!
Hi Steven Miccile, Ankur VI'm trying to integrate outlook calendar with Appian and followed the above steps with 2 integration objects. I'm able to retrieve the token using first Integration object, but when i invoke the second integration object with the token I'm getting below error. I had stored the Bearer token in ri and passing the same in header.
Permissions defined in Azure portal.
You can always throw the token into https://jwt.io/ to see if it actually has the permissions you think it does.
Hi Steve / Simon,
This is very useful source, i'm on the same steps now.
I've configured my Appian app on Azure AD using app registration and its integrated with SAML authentication for SSO, would like to call Graph API from Appian process model to create a user thru Appian application.
I'm trying to confirm the steps on Appian side of configurations. It will be helpful if someone can correct / confirm the approach below.
1. Create a HTTP connected system object. As its more on application level since Graph API will be called with application permission using service account, I assume preferred authentication method will be "Oauth2.0: Client Credentials Grant"?
Not sure, what we need to enter on "Scope" and "Token Request Endpoint" where to find and get this data(Azure?)
Rest of the steps include creating the service account and Integration object? It will be helpful if you can share the steps what other Appian objects to be created to call/test Graph API from Appian(Any KB / Appian doc link), please...
My previous comment lists out the most likely token endpoint (https://login.microsoftonline.com/<INSERT_ORG_SPECIFIC_URL>/oauth2/v2.0/token) and scope (https://graph.microsoft.com/.default):
https://community.appian.com/discussions/f/integrations/13751/outlook-integration-error/62458#62458
It has been a few years, but last time I tried, I could not get the Appian "Oauth2.0: Client Credentials Grant" feature working with Graph, which typically means they are not following the OAuth spec exactly. Instead, you can set authentication to "none" in the Connected System, then use one Appian integration object to get the token then pass that token to another Appian integration object that calls the resource. That is what I outlined in my previous comment.
The rest of the setup is specific to the Graph API you are calling for which you will need to look at Microsoft documentation. A good first step is to set up the calls in Postman to take Appian out of the equation before setting up your Appian integration objects.
Thanks Steve, Yes, I've tested Azure AD Graph API functions using Postman outside Appian, it's successful.
Created the HTTP connected system object with inputs ClientID, Client Secret and Token Request Endpoint - Authentication: OAuth 2.0 client credentials Grant. - Tested using "Authorize" button. "Authorization Successful".
However, when testing Integration Object using above HTTP connected system object, getting an below error. Any suggestions pls? Thanks.
HTTP Request:
GET /v1.0/users HTTP/1.1 Authorization: Bearer ****** Host: graph.microsoft.com Connection: Keep-Alive User-Agent: Appian Accept-Encoding: gzip,deflate
HTTP Response:
HTTP/1.1 401 Unauthorized Date: Sun, 04 Jul 2021 05:36:22 GMT Content-Type: application/json Transfer-Encoding: chunked Vary: Accept-Encoding WWW-Authenticate: Bearer realm="", authorization_uri="">login.microsoftonline.com/.../authorize", client_id="00000003-0000-0000-c000-000000000000" Strict-Transport-Security: max-age=31536000 request-id: ef4ec847-5229-4ff6-b9c7-fc8586a7bba9 client-request-id: ef4ec847-5229-4ff6-b9c7-fc8586a7bba9 x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"UK South","Slice":"E","Ring":"3","ScaleUnit":"000","RoleInstance":"LN2PEPF00003306"}}
{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2021-07-04T05:36:23","request-id":"ef4ec847-5229-4ff6-b9c7-fc8586a7bba9","client-request-id":"ef4ec847-5229-4ff6-b9c7-fc8586a7bba9"}}}
Hi Steve,
Alternatively, I've tried the suggested approaches on the above chain. i.e. Integration 1 and Integration 2.
Integration 1 is successful. However, Integration 2 displaying an below error as shown below. Not sure what needs to be followed here... Could you please suggest on this? - Thanks.
Authentication is required
This request requires Bearer authentication, but no access token was provided HTTP/1.1 401 Unauthorized Next Steps
{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2021-07-06T15:54:46","request-id":"10a8a3ad-dummy-41d0-a396-e51d854a83be","client-request-id":"10a8xyz123-2b17-41d0-a396-e51d854a83be"}}}
This has been fixed by adding the parameter "resource=https://graph.microsoft.com" on the request body.
However, still wondering why its not possible to achieve using HTTP connected system object.
Update:
Thanks Tim / Steve,
Connected System object Graph integration issue has been fixed with the parameters Scope https://graph.microsoft.com/.default and “OAuth 2.0 token endpoint (v2). (In case of Azure AD personal a/c).