Reputation: 8849
I'm trying to get information about Azure Active Directory groups using the Graph API, but I keep getting an "Authorization_RequestDenied" response.
This question is similar to Insufficient privileges error when trying to fetch signed in user's group membership using Azure AD Graph API, but that question's answer didn't work for me.
Here's what I've done:
[email protected]
examplehotmail247.onmicrosoft.com
[email protected]
The authentication part works fine. After the user logs on, I can see all the information I expect (name, ID, etc.), along with claims containing the IDs of all the groups the user belongs to.
So far, so good.
Now, I want to translate those group IDs to human-readable group names. For this, I'm using the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package, which provides a GetObjectsByObjectIdsAsync method. This method seems to be a wrapper for the getObjectsByObjectIds REST method.
To try and get this working, I've done the following:
What I see: When I log in to my ASP.NET application using my Microsoft account, everything works. However, when I log in using the AAD account I created ([email protected]), it fails with the following error:
[DataServiceClientException: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"1234e0bb-3144-4494-a5fb-12a937147bcf","date":"2016-12-06T18:39:13"}}] System.Data.Services.Client.BaseAsyncResult.EndExecute(Object source, String method, IAsyncResult asyncResult) +919 System.Data.Services.Client.QueryResult.EndExecuteQuery(Object source, String method, IAsyncResult asyncResult) +116
Trying the equivalent query using the REST api directly (i.e. taking ASP.NET out of the picture) gives the same result.
So what am I missing here?
Update: I also granted the application the following delegated permissions (to Windows Azure Active Directory): Sign in and read user profile, Read directory data, Access the directory as the signed-in user. However, it didn't make any difference.
Update #2: I even made the [email protected] a Global Administrator for the AAD instance, and it still didn't help.
Update #3: Ok, so first, some clarification. After a user logs on, my ASP.NET app gets an authorization code from the OpenID Connect flow. Once I get the code, I'm exchanging it for an access token using AcquireTokenByAuthorizationCodeAsync. The access token is tied to the user, and so I want to rely on delegated permissions, not application permissions.
Upvotes: 3
Views: 6528
The problem was that although the proper delegated permissions were granted to my ASP.NET app in the Azure portal, the user never had an opportunity to consent to them.
I started over by creating a completely new app registration in Azure for my ASP.NET app, and here's what I found: When a user logs on for the first time, they are asked for consent to whatever delegated permissions are required. However, if I change which delegated permissions are required after they've logged on for the first time, the user is not asked for consent (for the newly-required permissions) the next time he logs on.
This is definitely not what I expected, so I'm going to open a new question about this.
Upvotes: 3
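The check a practitioner wants here, for both the question (Authorization_RequestDenied on a delegated Azure AD Graph call even as Global Administrator) and the answer (permissions granted in the portal but never consented to), is to look at what the access token actually carries. With delegated permissions, the user's directory role alone does not widen the token: the token's scp claim lists the Azure AD Graph scopes the user has consented to, and a directory query fails if the needed scope is not in that list. The following is an added example, not code from the original post or from the Graph client library. It decodes the scp claim from a token (without signature verification, as a diagnostic on your own token only), reports which of the three permissions named in the question are missing, and builds the Azure AD v1 authorize URL with prompt=consent, which forces the consent page even when the user consented before the required permissions changed. The sample token is constructed inline and unsigned; the portal-label to scope-name mapping, the tenant, client ID and redirect URI are assumptions for illustration.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed mapping from the portal labels named in the question to the scope
# values Azure AD Graph puts into the token's "scp" claim.
PORTAL_LABEL_TO_SCOPE = {
    "Sign in and read user profile": "User.Read",
    "Read directory data": "Directory.Read.All",
    "Access the directory as the signed-in user": "Directory.AccessAsUser.All",
}

# Resource identifier for Azure AD Graph (the API the question calls).
AAD_GRAPH_RESOURCE = "https://graph.windows.net"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample input only: an UNSIGNED token with the given claims.
    Never accept alg=none tokens in a real application."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    Diagnostic use only: we are inspecting a token we already hold,
    not deciding whether to trust one presented to us."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def delegated_scopes(token: str) -> set:
    """Delegated scopes the user actually consented to (space-separated "scp").
    An app-only token has no "scp" (it carries "roles"), so this returns empty."""
    scp = token_claims(token).get("scp", "")
    return set(scp.split()) if scp else set()


def missing_scopes(token: str, required: set) -> set:
    """Required scopes that are absent from the token: these are the ones the
    portal may show as granted but the user has never consented to."""
    return set(required) - delegated_scopes(token)


def reconsent_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Azure AD v1 authorize URL that forces the consent screen via prompt=consent,
    so newly added delegated permissions are shown to a user who consented earlier."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": AAD_GRAPH_RESOURCE,
        "prompt": "consent",
        "state": state,
    }
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?" + urlencode(params)


if __name__ == "__main__":
    # Constructed token: the user consented only to User.Read at first sign-in,
    # then "Read directory data" was added in the portal afterwards.
    token = make_unsigned_jwt({"aud": AAD_GRAPH_RESOURCE, "scp": "User.Read",
                               "upn": "user@example.onmicrosoft.com"})
    required = {PORTAL_LABEL_TO_SCOPE["Sign in and read user profile"],
                PORTAL_LABEL_TO_SCOPE["Read directory data"]}
    missing = missing_scopes(token, required)
    print("consented:", sorted(delegated_scopes(token)))
    print("missing:  ", sorted(missing))
    if missing:
        # Assumed tenant, client ID and redirect URI for illustration.
        print(reconsent_url("example.onmicrosoft.com",
                            "00000000-0000-0000-0000-000000000000",
                            "https://localhost:44300/", "reconsent"))
```

If scp is missing altogether, the token was obtained with application credentials rather than through the authorization-code exchange described in Update #3, and delegated calls will be denied regardless of consent; if scp is present but lacks Directory.Read.All or Directory.AccessAsUser.All, send the user through the prompt=consent URL once and the getObjectsByObjectIds call should succeed on the next token.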