Insufficient privileges error when trying to access Azure Graph APIs


Solution 1

Privileges are missing for your application, which is barring Azure AD from reading the details of the users present in your custom AD. Here is what you need to do:

Go to your custom AD on the Windows Azure management portal -> click the Applications tab -> click the name of your AD application to go to its details view. On the details view, go to the Configure tab.

Now scroll down to the bottom of the page to reach the "permissions to other applications" section. There you will see all permissions currently assigned to the "Windows Azure Active Directory" application in the delegated permissions multi-select list box, as shown below:

[Screenshot: Application access rights for Azure AD]

Check the boxes against "Access your organization's directory" and "Read directory data". Click Save in the bottom toolbar to save the changes. The Save button appears automatically as soon as you make any changes on the page; it is not visible in the screenshot above because I had already saved the changes when I took the screenshot.

Now try accessing your AD user details through the Graph API again. It should not give the "Insufficient privileges" error any more. Hope this helps!
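Solution 1 fixes the error by granting the delegated permission in the portal; the way to confirm the grant actually reached your application is to inspect the access token you send to graph.windows.net. The script below is an added example, not code from the answer or from the original poster: it decodes the token payload without verifying the signature (so it is a diagnostic, never an authorization check) and lists why the Graph API would refuse the token. It assumes, as stated in its comments, that delegated permissions appear space-separated in the "scp" claim, application permissions as a list in the "roles" claim, that "Read directory data" shows up as Directory.Read (Directory.Read.All in later tenants), and that the audience must be https://graph.windows.net. The sample tokens are constructed, unsigned, and not real Azure AD tokens.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Assumptions, not facts from the original answer: Azure AD Graph delegated
# permissions are space-separated in the "scp" claim, application permissions
# are a list in the "roles" claim, and "Read directory data" appears as
# Directory.Read (Directory.Read.All in later tenants).
GRAPH_RESOURCE = "https://graph.windows.net"
DIRECTORY_READ_PERMISSIONS = {"Directory.Read", "Directory.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Diagnostic only: this shows what the token claims, not whether it is
    genuine, so never use it to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_directory_access(token: str, now: Optional[float] = None) -> List[str]:
    """List the reasons graph.windows.net would reject this token.

    An empty list means the audience, expiry and a directory-read permission
    (delegated via "scp" or application via "roles") all look right.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []

    aud = claims.get("aud")
    if aud != GRAPH_RESOURCE:
        problems.append("aud is %r, expected %r" % (aud, GRAPH_RESOURCE))

    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token has expired or carries no exp claim")

    delegated = set(claims.get("scp", "").split())
    app_roles = set(claims.get("roles", []))
    if not (delegated | app_roles) & DIRECTORY_READ_PERMISSIONS:
        problems.append(
            "no directory-read permission granted: scp=%s roles=%s"
            % (sorted(delegated), sorted(app_roles))
        )
    return problems


def make_unsigned_token(claims: Dict) -> str:
    """Build an alg=none JWT with an empty signature, for offline tests only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed sample tokens; these are not real Azure AD tokens and the
# scope names in them are illustrative.
FIXED_NOW = 1_700_000_000
TOKEN_BEFORE_FIX = make_unsigned_token(
    {"aud": GRAPH_RESOURCE, "exp": FIXED_NOW + 3600, "scp": "UserProfile.Read"}
)
TOKEN_AFTER_FIX = make_unsigned_token(
    {"aud": GRAPH_RESOURCE, "exp": FIXED_NOW + 3600,
     "scp": "UserProfile.Read Directory.Read"}
)
TOKEN_WRONG_RESOURCE = make_unsigned_token(
    {"aud": "https://management.core.windows.net/", "exp": FIXED_NOW + 3600,
     "scp": "Directory.Read"}
)

if __name__ == "__main__":
    for name, tok in [("before fix", TOKEN_BEFORE_FIX),
                      ("after fix", TOKEN_AFTER_FIX),
                      ("wrong resource", TOKEN_WRONG_RESOURCE)]:
        print(name, "->", diagnose_directory_access(tok, now=FIXED_NOW) or "OK")
```

Paste a real bearer token into diagnose_directory_access to see which of the three conditions fails; a token that passes all three but still gets Authorization_RequestDenied points at a problem on the resource side rather than at the grant.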

Solution 2

In my case, I had to delete the Azure AD App Registrations that I created in the New Portal and re-create them in the Classic Portal. After doing this, the "insufficient privileges" error went away and everything worked fine.

As a prerequisite, make sure you are added as a co-admin to your subscription from the classic portal as well, otherwise Azure won't even let you into the Classic Portal anymore.

Seems like Microsoft still has some issues to hammer out with the New Portal...



Author: Matt Hintzke

Software Engineer @ SkyKick in Seattle, WA. Building modern microservice applications in the Azure Cloud using a .NET, Node and Angular stack

Updated on September 16, 2022

Comments

  • Matt Hintzke (over 1 year)

    I have set up an Azure AD application that I want to use with my web application. I have obtained an OAuth token using the following steps:

    First I requested my authorization code:

    https://login.windows.net/common/oauth2/authorize?redirect_uri={REDIRECT_URI}&client_id={CLIENT_ID}&response_type=code&state=o365&prompt=admin_consent
    

    This takes the user to the login.windows.net page, where they must accept the permissions that my application is going to use on their AD.

    After that I get the OAuth token from the endpoint https://login.windows.net/common/oauth2/token with this payload, using C#:

    using System.Collections.Generic;
    using System.Net.Http;

    // Form fields for the token request; the {...} values are placeholders
    var payload = new Dictionary<string, string>
    {
        {"code", "{AUTH_CODE}"},
        {"state", "{STATE}"},
        {"grant_type", "authorization_code"},
        {"redirect_uri", "{REDIRECT_URI}"},
        {"client_id", "1ff78c4b-414f-44c7-834b-09bdae96f440"},
        {"client_secret", "{CLIENT_SECRET}"},
        {"resource", "https://graph.windows.net"}
    };
    var content = new FormUrlEncodedContent(payload);
    

    Everything comes back just fine and I get my OAuth token. However, when I try to curl the Graph API using the token, I get this error:

    curl "https://graph.windows.net/{tenant}/users?api-version=1.5" -H "Authorization: Bearer [AUTH_TOKEN]"
    
    {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
    

    I have tried the actual domain for {tenant}, the "me" alias and the "myorganization" alias, and none of them work. The "me" alias returns an error saying the 'users' resource doesn't exist. I am confused about what the problem is here.

  • Vladimir (over 8 years)
    Hi Basik, I don't have the "Enable sign-on and read users' profiles" option in my AAD: i.imgur.com/zDtpMHt.png. Could you advise why that can be so?
  • Muhammad Murad Haider (over 7 years)
    @Vladimir did you get any solution for your comment above?
  • Alexander (over 7 years)
    @Vladimir The screenshot shows the Application permissions, the missing permission would be found under Delegated permissions. Are you sure you looked for it in the right place?