Necessary permissions to query /users/{user}/manager?

Question

Hi there!

I've got an Entra ID app with permissions on User.Read and User.Read.All, and want to fetch the supervisor (/users/{user}/manager) of a given user on command.

I've got the OAuth2.0 workflow running and am receiving a valid tokens for the Entra ID app client ID and secret in question, but my requests to /users/{user}/manager in particular are coming back with 403 Forbidden - Insufficient Permissions.

As I said, the app has permissions for User.Read and User.Read.All. Are there any other permissions necessary for /manager that I need, or other issues that I might've overlooked?

Answer 1

Hi @Louise Seale

I have tested your problem, the test was successful, and I did not encounter the problem, so I will share with you the process of my test and the places that need to be paid attention to, you can refer to the comparison to find the problem where you have a 403 error.

First of all, the app we created in the Entra ID needs to grant the delegated permission of user.read.all, and it needs the consent of the administrator, as shown in the image below.

Next, we need to obtain the token through the auth code flow, which is how we can parse the token we obtained through the jwt.ms, and make sure that the token has the user.read.all permission, as shown in the following figure.

Finally, post my test results.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.