
2 Votes
$$ANON_USER$$ asked, saldana-msft edited

"Insufficient privileges to complete the operation" while using Graph API

The access token I get from the following curl request
curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01" -H "secret: $IDENTITY_HEADER"
does not have permission to list or create users.

Request:
GET /v1.0/users HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub......


Response:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-12-14T17:27:10",
"request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce",
"client-request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce"
}
}
}


The curl request I made was from an App Service. I have enabled managed identity and also added it as Contributor in access control on the subscription.
What am I doing wrong?


My goal is to get an access token from an App Service as shown above and use it to create a user in Azure AD.
If there is an alternative way, that would be good too.

Tags: azure-ad-graph, azure-rbac

You don't have the proper permissions in your token, such as User.Read.All. Please paste your token into https://jwt.ms and check whether it has any permissions.

0 Votes
$$ANON_USER$$ · ShivaKeshavVarma-2446

Yes, my token doesn't have the permission, so what can I do to add scopes or permissions when obtaining an access_token?

0 Votes
2 Votes
ShivaKeshavVarma-2446 answered, RadhakrishnaGuntur-9216 commented

You don't have the proper permissions in your token, such as User.Read.All. Please paste your token into https://jwt.ms and check whether it has any permissions. Please make sure to add any permissions specified here.

(If the reply was helpful please don't forget to upvote or accept as answer, thank you)

6 Votes
amanpreetsingh-msft answered, amanpreetsingh-msft commented

Hi anonymous user, thank you for reaching out.

To add the required permissions to the token, you first need to copy the Client ID (aka App ID) that you are using in your request to get the access token, and then navigate to:

Azure Portal > Azure Active Directory > App Registration > All Applications > search with the Client ID/App ID copied earlier.

In that application, navigate to:

API Permissions > Add a permission > Microsoft Graph > Delegated permissions > expand User > select the required permissions as shown below. Once the permissions are added, click the Grant admin consent for your_tenant button.

[image attachment: 48332-image.png]

Note: Delegated permissions are used when the token is acquired under a user context. If you are acquiring the token under the context of a service principal, you need to select Application permissions under Microsoft Graph while adding permissions.

After adding the permissions, you need to request a new token and make sure it includes the required permissions by decoding it at https://jwt.ms or https://jwt.io.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.





I can't see my App service ClientId in all applications.

0 Votes

Hi anonymous user, to find the client ID, you need to check the request being sent to https://login.microsoftonline.com for authentication. The client ID is sent as a parameter in the request URL, as highlighted in the sample request below:

https://login.microsoftonline.com/xxxxxx.onmicrosoft.com/oauth2/v2.0/authorize?client_id=d736a5a0-xxxx-xxxx-xxxx-d192b45e4aa7&response_type=code&redirect_uri=https://jwt.ms&state=1234&response_mode=query&scope=openid

0 Votes
0 Votes
YogendraKapoor-3057 answered, DanielWachtel-6897 published
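Since the token comes from the managed identity endpoint, the Graph permissions it carries are application permissions assigned to the App Service's service principal and appear in the token's roles claim (delegated permissions would appear in scp); an Azure RBAC role such as Contributor on the subscription puts nothing there. The script below is an added example, not code from this thread, that decodes the token the way jwt.ms does and reports which required Graph permissions are missing; the token it inspects is a constructed sample and the function names are my own.

```python
import base64
import json

GRAPH_AUD = "https://graph.microsoft.com"
# Microsoft Graph's well-known application id; some tokens carry it as 'aud'
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    This mirrors what jwt.ms shows and is for inspection only, never for
    authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Application permissions (app/managed identity tokens) live in 'roles';
    delegated permissions (user tokens) live in the space-separated 'scp' claim."""
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def check_token(token: str, required: set) -> dict:
    """Report whether the token targets Graph, which required permissions it
    lacks, and whether it is an application or delegated token."""
    claims = decode_claims(token)
    kind = "application" if "roles" in claims else ("delegated" if "scp" in claims else "none")
    return {
        "audience_ok": claims.get("aud") in (GRAPH_AUD, GRAPH_APP_ID),
        "missing": sorted(required - granted_permissions(claims)),
        "kind": kind,
    }


def make_sample_token(payload: dict) -> str:
    """Build a constructed demo token (not a real Azure AD token; dummy signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(payload)}.dummysig"


if __name__ == "__main__":
    # Constructed sample: a managed identity token that only has User.Read.All
    tok = make_sample_token({"aud": GRAPH_AUD, "roles": ["User.Read.All"]})
    print(check_token(tok, {"User.ReadWrite.All"}))
```

For a real token, pass the access_token string returned by the identity endpoint; a 403 Authorization_RequestDenied on POST /v1.0/users while "missing" is non-empty means the permission was never granted to the service principal, not that the call is malformed.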

@amanpreetsingh-msft I have all the required permissions in my app registration, but it still shows me 403 when I try to create a user through Postman or the Java SDK.

[image attachment: 197931-screen-shot-2022-04-30-at-33939-pm.png]

The error message that I got is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2022-04-30T14:37:36",
"request-id": "3d704d5d-4243-467c-9da8-a34aa0c85acb",
"client-request-id": "3d704d5d-4243-467c-9da8-a34aa0c85acb"
}
}
}

403 response status code.



How did you solve it after all? Are you able to create user?

0 Votes

I'm having the same issue accessing Graph API. I have set all the privileges needed for the application but I keep getting insufficient privileges as a response.

0 Votes

Me as well.
Did you manage to find the problem?

0 Votes
1 Vote
Sankar-4878 answered, AmarAgnihotri-6676 commented

Hi, please add:

UserAuthenticationMethod.Read.All
UserAuthenticationMethod.ReadWrite.All

I added the above API permissions and I got the response.


Thanks @Sankar-4878

0 Votes