Reputation: 859
getMemberGroups “Insufficient privileges to complete the operation”
I wrote an application which should read the groups of a user. I am using Asp.net core. I created an application inside the azure portal and granted all application permissions for GraphAPI and clicked on the Grant permission button. Then I used some code similar to WebApp-GroupClaims-DotNet to retrieve the users groups:
public async Task<IEnumerable<string>> GetGroupIdsFromGraphApiAsync(string userId)
{
var groupObjectIds = new List<string>();
// Acquire the Access Token
var credential = new ClientCredential(_configHelper.ClientId, _configHelper.AppKey);
var authContext = new AuthenticationContext(_configHelper.Authority);
var result = await authContext.AcquireTokenAsync(_configHelper.GraphResourceId, credential);
var accessToken = result.AccessToken;
var requestUrl =
$"{_configHelper.GraphResourceId}/{_configHelper.Domain}/users/{userId}/getMemberGroups?api-version=1.6";
// Prepare and Make the POST request
var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Post, requestUrl);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
var content = new StringContent("{\"securityEnabledOnly\":false}");
content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
request.Content = content;
var response = await client.SendAsync(request);
// Endpoint returns JSON with an array of Group ObjectIDs
if (response.IsSuccessStatusCode)
{
var responseContent = await response.Content.ReadAsStringAsync();
var groupsResult = (Json.Decode(responseContent)).value;
foreach (string groupObjectId in groupsResult)
groupObjectIds.Add(groupObjectId);
}
else
{
var responseContent = await response.Content.ReadAsStringAsync();
throw new WebException(responseContent);
}
return groupObjectIds;
}
Unfortunately I do always get the following response:
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
Is there no way for an application to query the AD for this information?
Upvotes: 1
Views: 1001
Answers (1)
Reputation: 27528
According to your code , you are making Azure ad graph api calls , Then you need to grant permission for Windows Azure Active Directory(azure ad graph api ) .
https://graph.windows.net is the endpoint for Azure AD Graph APi , in azure portal the name is Windows Azure Active Directory . https://graph.microsoft.com is the the endpoint for Microsoft Graph api , in azure portal the name is Microsoft Graph
Upvotes: 3
Related Questions
- Microsoft graph API getMemberGroups returns 400 bad request. What could be the reason?
- Exception getting Azure AD groups via MS Graph with ASP.NET Core
- Microsoft Graph user/getMemberGroups fails despite correct Permissions
- Microsoft graph api returns 403 forbidden when calling groups/xxxx/members
- Getting 401: Unauthorized response when querying groups endpoint of Azure AD Graph API
- Microsoft graph API: getting 403 while trying to read user groups
- getMemberGroups call fails with insufficient privileges
- Azure GraphAPI getMemberGroups Bad Request error
- Authorization_RequestDenied when trying to get groups from Azure Active Directory using Graph API
- Azure Active Directory: 'Forbidden' error while fetching groupclaims using Graph API