Reputation: 151
I really hope someone can help me out with some permission issues I don't get on with. I'm currently developing a web application with Azure Active Directory access. Everything is working fine so far. Then I tried to implement a conversion from groups to roles, which was working fine for a few tests. But now - without changing anything in permissions - I always receive:
":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"
Sometimes this is with requestId and date, sometimes it's not.
The code triggering this permission issue is:
var adClient = Instance.GetADClient(tenantID, signedInUserID, userObjectID);
var pagedCollection = await adClient.Users.GetByObjectId(userObjectID).MemberOf.ExecuteAsync();
The same happens if I try to use GetMemberGroupsAsync().
So it seems to be a permission issue with retrieving members, no matter what kind.
Anyone got an idea of what I am missing or how I could debug this further?
Thanks very, very much for any idea!
Tom
Upvotes: 0
Views: 1611
Reputation: 151
Thanks to Shawn Tabrizi I found the error source. Beware, if you have issues like these, that you click on "Grant Permissions" after modifying your Azure AD app permissions. Probably something many like me just overlook.
Here's the image Shawn has provided:
Thanks again Shawn for your help!
Upvotes: 1
Reputation: 12434
This error implies that you have not requested or consented to permissions which grant your application access to those APIs.
When you register your application, you must define the permissions your app wants to the API it is calling. In this case, if you are calling the AAD Graph API, you must request certain scopes, which you can find here.
Once you have selected the appropriate scopes for the API you need to call, you need to make sure to consent to your application, which ultimately allows your app to actually do the things it is requesting access for.
Note that some scopes specifically require an Admin of the tenant to consent.
If you are looking to debug issues related to permissions, a good place to start would be decoding your access token and looking at the scp claims, which contain the scopes that have been granted to your application. I normally use this site to decode the access token.
If you see the right scope in your token for the API call you are trying to make, then you should be good to go! Let me know if this helps.
Upvotes: 1
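Added example, not part of the answer above: a local version of the token check the answer describes, decoding the access token's payload on your own machine and comparing its `scp` claim with what the call needs. It also reads the `roles` claim, where Azure AD places application permissions, which goes beyond the answer; the sample token is constructed and the required scope `Directory.Read.All` is an assumption.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature (debug only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims: dict) -> set:
    """Delegated scopes (scp, space-separated) plus application permissions (roles)."""
    scp = claims.get("scp", "")
    granted = set(scp.split()) if isinstance(scp, str) else set(scp)
    granted.update(claims.get("roles", []))
    return granted


def missing_permissions(token: str, required: set) -> set:
    """Permissions the call needs that the token does not carry."""
    return set(required) - granted_permissions(decode_claims(token))


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (not a real token)."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "sig"])


# Constructed sample: the permission was added to the app registration but
# consent was never granted, so the token still carries only the sign-in scope.
SAMPLE = make_sample_token({"aud": "https://graph.windows.net", "scp": "User.Read"})
# Assumed requirement for the group-membership call; check the API's permission
# reference for the call you actually make.
REQUIRED = {"Directory.Read.All"}

if __name__ == "__main__":
    print("granted:", sorted(granted_permissions(decode_claims(SAMPLE))))
    print("missing:", sorted(missing_permissions(SAMPLE, REQUIRED)))
```

A non-empty "missing" set after changing the app's permissions points at consent not having been granted yet; request a fresh token after granting, since an already issued token keeps its old claims.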