Graph API - Insufficient privileges to complete the operation


Solution 1

Please refer to below steps :

  1. From your screenshot, it seems you granted the Read and write directory data application permission for Windows Azure Active Directory (Azure AD Graph API). Since you are using Microsoft Graph (https://graph.microsoft.com/), you need to grant the application permission for Microsoft Graph instead.

  2. Since you are an admin in your AAD, you can grant the permission for users in the organization by clicking the Grant permissions button shown in the screenshot above.

  3. Then you can use your code (client credential flow to get the token) and query user information. If you check the claims in the access token issued by Azure AD, you can find the Directory.Read.All permission in the roles claim.

Solution 2

Grant permission: make sure to click "Grant Permissions" and then Yes for all user accounts.

Solution 3

For me the key to solving this problem was this hint:

To use the Graph API with your B2C tenant, you will need to register a dedicated application by using the generic App Registrations menu (All Services and there it is by default not Favourite starred) in the Azure Portal, NOT Azure AD B2C's Applications menu. You can't reuse the already-existing B2C applications that you registered in the Azure AD B2C's Applications menu.

Find more on the page AD B2C API access demo.

Solution 4

In my case, deleting a user was not working. I took the steps below and it started working for me.

Go to Azure Active Directory > Roles and administrators > click 'User administrator' > click '+ Add assignment' to add your app (i.e. the console app using the AAD Graph REST API to interact with Azure Active Directory).

Hope it helps someone.

Solution 5

In some cases the actual issue happens because we use "Application permissions" instead of "Delegated permissions". In my application, I tried to list all the users with application permissions and it wasn't working. When I switched to delegated permissions, it worked.

So, some quick check would be like this:

  1. Check if you are using Microsoft Graph API or something else
  2. Use Delegated permissions
  3. Click the Grant permissions button to propagate the permissions :)

Hopefully, this would help someone.
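The two checks the answers above rely on (Solution 1's "look for Directory.Read.All in the roles claim" and Solution 5's application-versus-delegated distinction) can be done offline by decoding the access token your code receives, before the Graph call is made. The script below is an added example, not code from the question or from any of the answers; the tokens it builds are constructed, unsigned stand-ins for real Azure AD tokens, and it reads claims without verifying the signature, because the question is what was granted, not whether the token is trustworthy.

```python
"""Added diagnostic (not from the original question or answers): decode an
Azure AD access token WITHOUT verifying it and report why Microsoft Graph
would answer Authorization_RequestDenied."""
import base64
import json
import time

# The 'aud' claim may carry either the resource URL or its application ID.
MICROSOFT_GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "https://graph.microsoft.com/",
    "00000003-0000-0000-c000-000000000000",
}
AZURE_AD_GRAPH_AUDIENCES = {
    "https://graph.windows.net",
    "https://graph.windows.net/",
    "00000002-0000-0000-c000-000000000000",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT so the example runs offline.
    Real Azure AD tokens are RS256-signed; never accept alg=none in production."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims. The signature is NOT checked: this is a
    diagnostic for a token you just obtained, not an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, required_permission: str = "Directory.Read.All",
             now=None) -> dict:
    """Explain, from the claims alone, whether a Graph call with this token
    can succeed. `required_permission` is what the call needs (listing users
    needs e.g. User.Read.All or Directory.Read.All)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []

    aud = claims.get("aud", "")
    if aud in AZURE_AD_GRAPH_AUDIENCES:
        findings.append("audience is Azure AD Graph (graph.windows.net); "
                        "grant the permission on Microsoft Graph instead")
    elif aud not in MICROSOFT_GRAPH_AUDIENCES:
        findings.append(f"audience {aud!r} is not Microsoft Graph")

    if "exp" in claims and claims["exp"] < now:
        findings.append("token is expired")

    roles = list(claims.get("roles", []))   # application permissions
    scopes = claims.get("scp", "").split()  # delegated permissions (space-separated)
    if roles:
        flow = "application"
    elif scopes:
        flow = "delegated"
    else:
        flow = "none"
        findings.append("token carries neither 'roles' nor 'scp': no permission "
                        "was granted, or admin consent ('Grant permissions') "
                        "was never given")

    has_required = required_permission in roles or required_permission in scopes
    if flow != "none" and not has_required:
        findings.append(f"{required_permission} is missing; token only has "
                        f"{roles or scopes}")

    return {"audience": aud, "flow": flow, "roles": roles, "scopes": scopes,
            "has_required": has_required, "ok": not findings,
            "findings": findings}


# Constructed sample tokens (not real) for the situations in the answers.
FAR_FUTURE = 4102444800  # 2100-01-01 UTC, so the samples never expire
SAMPLE_APP_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Directory.Read.All"],
     "exp": FAR_FUTURE})
SAMPLE_WRONG_API_TOKEN = make_unsigned_token(
    {"aud": "https://graph.windows.net", "roles": ["Directory.ReadWrite.All"],
     "exp": FAR_FUTURE})
SAMPLE_UNCONSENTED_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "exp": FAR_FUTURE})

if __name__ == "__main__":
    for name, tok in [("app", SAMPLE_APP_TOKEN),
                      ("wrong-api", SAMPLE_WRONG_API_TOKEN),
                      ("unconsented", SAMPLE_UNCONSENTED_TOKEN)]:
        print(name, json.dumps(diagnose(tok), indent=2))
```

Paste a real token into diagnose(). An aud of graph.windows.net means the permission was granted to the wrong API (Solution 1); empty roles and scp means nothing was consented (Solutions 1 and 2); a delegated token's scp is additionally bounded by the signed-in user's own directory rights, which is the trade-off behind Solution 5.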

Author: j9070749
C# Software Engineer.

Updated on July 28, 2022

Comments

  • j9070749
    j9070749 almost 2 years

    When trying to access the Graph Service Client I am receiving the error:

    Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.

    After researching this error the most common solution was to set the permissions for the API. This had already been done and has permissions to read basic/full profiles.

    I've deleted and re-added the APIs.

    Below is the code in my AzureAuthenticationProvider class which inherits from IAuthenticationProvider:

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Microsoft.Graph;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    public class AzureAuthenticationProvider : IAuthenticationProvider
    {
        private string _azureDomain = "myDevDom.onmicrosoft.com";

        // Attaches an app-only (client credential) bearer token for Microsoft Graph
        // to every request the GraphServiceClient sends.
        public async Task AuthenticateRequestAsync(HttpRequestMessage request)
        {
            string clientId = "2b823c67-1b0d-4a10-a9e1-737142516f5q";
            string clientSecret = "xxxxxx"; // redacted; keep real secrets out of source

            AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/" + _azureDomain + "/oauth2/token");

            ClientCredential credentials = new ClientCredential(clientId, clientSecret);

            // The resource is Microsoft Graph, not Azure AD Graph (https://graph.windows.net/),
            // so the application permission must be granted on Microsoft Graph.
            AuthenticationResult authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", credentials);

            // Do not swallow token-acquisition failures here: a silent catch sends the
            // request out with no Authorization header and hides the real error.
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
        }
    }
    

    I've tried changing the client secret to an invalid Id and it threw an error, so the client key is correct. I've also tried to verify that the access token is valid by altering the access token; this also returns an error.

    The above code seems to work fine.

    Below is the code where I'm trying to access Azure AD:

    public async Task<IGraphServiceUsersCollectionPage> GetUsersByLastName(string lastname)
    {
        GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());
        // OData string literals escape a quote as ''; without this a surname containing
        // an apostrophe (O'Brien) breaks the filter or lets the caller rewrite it.
        string filter = String.Format("startswith(surname, '{0}')", lastname.Replace("'", "''"));
        IGraphServiceUsersCollectionPage users = await graphClient.Users.Request().Filter(filter).GetAsync(); // Fails on this line with Authorization_RequestDenied
        return users;
    }
    

    Any help is much appreciated, and thanks in advance.

  • j9070749
    j9070749 almost 7 years
    The Access Token is not null, and looks valid. If I change the access token at run time I get a different error, suggesting that the access token the method is returning is correct. I've added a screenshot to my OP. Thanks
  • j9070749
    j9070749 almost 7 years
    Thank you for your help. Sorry for the confusion with the screenshot, but I have actually granted permissions for Microsoft Graph too. I think the problem might be that I'm not an admin, and although I have selected the permissions for the application, I am not able to grant permissions (I get an error stating 'failed to grant permissions for application'). I'm currently in the process of testing this where I'm an admin on Azure AD. Thanks again for the suggestion.
  • LeeM
    LeeM over 3 years
    You don't want to do this - it's using a sledgehammer to drive a nail if you give it Global Admin rights just to read the users.
  • whites11
    whites11 over 2 years
    While I agree with @LeeM this is actually the only way to make it work. And not mentioned anywhere I could find in Microsoft docs. Thanks Langy
  • LeeM
    LeeM over 2 years
    This is just FYI for later readers, but it's important to identify what exactly seems to need Global Admin. You may need GA to initially grant the application identity the appropriate rights to the users. After that, to simply read user properties, the app should not need GA. Even granting User Administrator is better, but that should be part of trying to troubleshoot the issue if the app isn't doing writes. GA is not needed for nearly all per-user management tasks. Certainly for none that I manage, including user/mailbox/group creation, MFA/SSPR etc.