Reputation: 945
When trying to access the Graph Service Client using I am receiving the error:
    Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.
After researching this error, the most common solution was to set the permissions for the API. This had already been done, and it has permissions to read basic/full profiles.
I've deleted and re-added the APIs.
Below is the code in my AzureAuthenticationProvider class, which inherits from IAuthenticationProvider:
    using System;
    using System.Net.Http;
    using System.Threading.Tasks;
    using Microsoft.Graph;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    public class AzureAuthenticationProvider : IAuthenticationProvider
    {
        private string _azureDomain = "myDevDom.onmicrosoft.com";

        public async Task AuthenticateRequestAsync(HttpRequestMessage request)
        {
            try
            {
                string clientId = "2b823c67-1b0d-4a10-a9e1-737142516f5q";
                string clientSecret = "xxxxxx";
                // Client credentials flow (app-only token) against the tenant's v1 endpoint
                AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/" + _azureDomain + "/oauth2/token");
                ClientCredential credentials = new ClientCredential(clientId, clientSecret);
                // The resource is Microsoft Graph, so the token only carries Microsoft Graph permissions
                AuthenticationResult authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", credentials);
                request.Headers.Add("Authorization", "Bearer " + authResult.AccessToken);
            }
            catch (Exception)
            {
                // Rethrow rather than swallow: a token failure must not surface later as an unauthenticated Graph call
                throw;
            }
        }
    }
I've tried changing the client secret to an invalid Id and it threw an error, so the client key is correct. I've also tried to verify that the access token is valid by altering the access token; this also returns an error.
The above code seems to work fine.
Below is the code where I'm trying to access Azure AD:
    public async Task<IGraphServiceUsersCollectionPage> GetUsersByLastName(string lastname)
    {
        GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());
        string filter = String.Format("startswith(surname, '{0}')", lastname);
        IGraphServiceUsersCollectionPage users = await graphClient.Users.Request().Filter(filter).GetAsync(); // Fails on this line
        return users;
    }
Upvotes: 61
Views: 165222
Reputation: 6159
You need to add a permission, e.g. User.Read.All, for the request to work.
And don't forget to grant the permission, which is found next to "+ Add a permission".
Upvotes: 1
Reputation: 3629
This answer is for those who are directly trying to use the API.
You will have to regenerate the access token once you have added the required permissions. I added the following permissions (might be more than we actually require, but it works now).
After adding the permissions, I generated a new access token using:
    curl -X POST "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "client_id=535fb089-9ff3-47b6-9bfb-4f1264799865" \
      -d "scope=https%3A%2F%2Fgraph.microsoft.com%2F.default" \
      -d "client_secret=<your-client-secret>" \
      -d "grant_type=client_credentials"
And used it in the API like below:
    curl -X GET "https://graph.microsoft.com/v1.0/users" \
      -H "Authorization: Bearer {access-token}"
Upvotes: 3
Reputation: 1122
Go to Azure Portal -> Active Directory -> App registrations -> Select Your Application -> API permissions
Now click on Add a permission, choose Microsoft Graph, select Application Permission and search for User.Read.All.
Add these permissions to your application and it should work.
Upvotes: 2
Reputation: 380
You should give the Directory.Read role to the service principal in the AD page, not the app registration page.
By the way, I am using the Python SDK azure-graphrbac with a service principal:
    from azure.graphrbac import GraphRbacManagementClient
    from msrestazure.azure_active_directory import ServicePrincipalCredentials

    # azure-graphrbac talks to Azure AD Graph, so the token resource is graph.windows.net, not graph.microsoft.com
    credential = ServicePrincipalCredentials(ServicePrincipal_APP_ID, ServicePrincipal_SECRET_VALUE,
                                             tenant=ServicePrincipal_TENANT_ID,
                                             resource="https://graph.windows.net/")
    self.client = GraphRbacManagementClient(credential, TENANT_ID, base_url)
Upvotes: 0
Reputation: 1
I had to add all "groups" (ID, Access, SAML) into the token. This can be configured in the Azure Active Directory Token Configuration and checked via https://jwt.io/.
Upvotes: 0
Reputation: 785
I am using the Credentials flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
and my problem was setting Delegated Permissions instead of Application Permissions.
I could not get a user because I wasn't using User.Read.All from Application Permissions:
https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
Application: User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
Upvotes: 1
Reputation: 389
In my case, delete user was not working. I took the below steps and it started working for me.
Go to Azure Active Directory > Roles and administrators > click on 'User administrator' > click on '+ Add assignment' to add your app (i.e. a console app using the AAD Graph REST API to interact with Azure Active Directory).
Hope it helps someone.
Upvotes: 16
Reputation: 1242
For me the key to solving this problem was this hint:
To use the Graph API with your B2C tenant, you will need to register a dedicated application by using the generic App Registrations menu (All Services and there it is by default not Favourite starred) in the Azure Portal, NOT Azure AD B2C's Applications menu. You can't reuse the already-existing B2C applications that you registered in the Azure AD B2C's Applications menu.
Find more on the page AD B2C API access demo.
Upvotes: 9
Reputation: 335
Granting permissions by ticking 'Directory.Read.All/ Write' is not enough.
I ran into the same issue and solved it by adding the service principal to an administrator role.
If your application was created recently, this can be done with Azure AD PowerShell.
    $principal = Get-AzureADServicePrincipal | Where-Object {$_.DisplayName -eq 'yourappname'}
    # Get-AzureADDirectoryRole only lists roles that have already been activated in the tenant
    $role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Company Administrator'}
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $principal.ObjectId
For detail, see https://learn.microsoft.com/en-us/powershell/module/Azuread/Add-AzureADDirectoryRoleMember?view=azureadps-2.0
If your application was created a long time ago, you will need to use MSOnline. See: https://learn.microsoft.com/en-us/powershell/module/msonline/Add-MsolRoleMember?view=azureadps-1.0
Upvotes: 1
Reputation: 2407
In some cases the actual issue happens because we use "Application permissions" instead of "Delegated permissions". In my application, I tried to list all the users with application permissions and it wasn't working. When I switched to delegated permissions, it worked.
So, a quick check would be like this:
Hopefully, this would help someone.
Upvotes: 3
Reputation: 379
Make sure to click "Grant Permissions" and then Yes for all user accounts.
Upvotes: 16
Reputation: 79
Suppose you want to create a group in Azure Active Directory; I had to perform the following steps to solve this problem
Upvotes: 2
Reputation: 27588
Please refer to the below steps:
From your screenshot, it seems you granted the Read and write directory data application permission for Windows Azure Active Directory (Azure AD Graph API). Since you are using Microsoft Graph (https://graph.microsoft.com/), you need to grant application permission for Microsoft Graph:
Since you are admin in your AAD, you could grant permission for users in the organization by clicking the Grant permission button shown in the above screenshot.
Then you could use your code (client credential flow to get the token) and query user information. If you check the claims in the access token issued by Azure AD, you will find the Directory.Read.All permission in the roles claim.
Upvotes: 25
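An added diagnostic (example code, not from any answer above) for the Application-vs-Delegated confusion several answers describe and the roles-claim check in the last answer: it decodes the access token's payload the way jwt.io does, reports which permission flow the token carries and whether one of the permissions listed in the quoted docs row is present, and suggests the matching fix. The tokens, tenant id and app ids are constructed placeholders; the signature is never verified, so this is for troubleshooting setup only.

```python
import base64
import json

# Audience of a Microsoft Graph token: the resource URI or Graph's well-known app id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "https://graph.microsoft.com/",
                   "00000003-0000-0000-c000-000000000000"}
# Any one of these satisfies GET /users (the docs row quoted in the answer above).
USER_GET_PERMISSIONS = ("User.Read.All", "User.ReadWrite.All",
                        "Directory.Read.All", "Directory.ReadWrite.All")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Payload claims of a compact JWT, read WITHOUT verifying the signature: a
    diagnostic like jwt.io, never a basis for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_graph_token(token: str, acceptable=USER_GET_PERMISSIONS) -> dict:
    """Explain an Authorization_RequestDenied from the token's claims. Application
    permissions (client credentials flow) arrive in 'roles', delegated ones in 'scp'."""
    claims = decode_claims(token)
    flow = "delegated" if "scp" in claims else "application"
    granted = claims["scp"].split() if flow == "delegated" else claims.get("roles", [])
    audience_ok = claims.get("aud") in GRAPH_AUDIENCES
    has_permission = any(p in granted for p in acceptable)
    if not audience_ok:
        hint = "token is for another resource (e.g. Azure AD Graph); request scope https://graph.microsoft.com/.default"
    elif flow == "application" and not granted:
        hint = "app-only token has no roles claim: grant Application (not Delegated) permissions, click Grant admin consent, then acquire a new token"
    elif not has_permission:
        hint = "none of %s among the %s permissions; add one and re-consent" % (list(acceptable), flow)
    else:
        hint = "permissions look sufficient; look elsewhere (B2C app registration, directory role for deletes)"
    return {"flow": flow, "granted": granted, "audience_ok": audience_ok,
            "has_permission": has_permission, "hint": hint}

def sample_token(claims: dict) -> str:
    # Constructed, unsigned sample for this example only: decodes for inspection, Graph would reject it
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

# Sample 1 (constructed): client-credentials token from an app with only Delegated permissions ticked, so no roles claim
NO_ROLES = sample_token({"aud": "https://graph.microsoft.com", "tid": "TENANT-ID-PLACEHOLDER"})
# Sample 2 (constructed): same app after User.Read.All was added as an Application permission and consented
WITH_ROLE = sample_token({"aud": "https://graph.microsoft.com", "tid": "TENANT-ID-PLACEHOLDER", "roles": ["User.Read.All"]})
```

Run `check_graph_token` on a real token copied from the Authorization header (after trimming `Bearer `) to see the same report for your own app.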