Reputation: 5223
I am trying to get a simple ADAL sample up for getting groups that a user belongs to in AAD. I have added all permissions for AAD and Office Graph: Permissions
I keep getting the following error:
"Insufficient privileges to complete the operation."
I can see in other threads people having the same error, but because they didn't set Graph permissions.
Code:
    using System;
    using System.Threading.Tasks;
    using Microsoft.Azure.ActiveDirectory.GraphClient;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // Members of the calling class; TokenForApplication and Constants are defined elsewhere.
    public static async Task<string> AcquireTokenAsync()
    {
        if (TokenForApplication == null)
        {
            Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext authenticationContext =
                new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(
                    "https://login.microsoftonline.com/thomaseg.onmicrosoft.com", false);
            // Client-credentials grant: requests an app-only token for the Azure AD Graph API.
            ClientCredential clientCred = new ClientCredential(Constants.ClientId,
                Constants.AppKey);
            AuthenticationResult authenticationResult =
                await authenticationContext.AcquireTokenAsync("https://graph.windows.net",
                    clientCred);
            // Cache the access token for later calls.
            TokenForApplication = authenticationResult.AccessToken;
        }
        return TokenForApplication;
    }

    /// <summary>
    /// Get Active Directory Client for Application.
    /// </summary>
    /// <returns>ActiveDirectoryClient for Application.</returns>
    public static ActiveDirectoryClient GetActiveDirectoryClient()
    {
        Uri baseServiceUri = new Uri("https://graph.windows.net/thomaseg.onmicrosoft.com");
        // The client calls the delegate to obtain a bearer token for its requests.
        ActiveDirectoryClient activeDirectoryClient =
            new ActiveDirectoryClient(baseServiceUri,
                async () => await AcquireTokenAsync());
        return activeDirectoryClient;
    }
Upvotes: 0
Views: 237
Reputation: 914
You need to add this parameter, prompt=admin_consent, when you request users to log in.
See this article: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent
Here is a sample in Startup.Auth.cs:

    RedirectToIdentityProvider = context =>
    {
        context.ProtocolMessage.Prompt = "admin_consent";
        return Task.FromResult(0);
    },
Upvotes: 1
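A diagnostic for the "Insufficient privileges" error discussed in this thread, as an added example (not code from the question or the answer): it decodes the access token and lists the application permissions in its `roles` claim, which is where an app-only Azure AD token carries the permissions that have been granted. The class `TokenClaimsCheck`, its helpers and the sample payloads are constructed for illustration; the token is decoded without signature validation, for inspection only.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

// Hypothetical helper for illustration; not part of ADAL or the Graph client.
public static class TokenClaimsCheck
{
    // Decode the JWT payload for inspection only; the signature is NOT validated.
    public static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected header.payload.signature");
        // base64url -> base64, then restore the stripped '=' padding.
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using (JsonDocument doc = JsonDocument.Parse(json))
            return doc.RootElement.Clone();
    }

    // Application permissions granted to an app-only token appear in "roles".
    public static string[] GrantedRoles(JsonElement payload)
    {
        if (!payload.TryGetProperty("roles", out JsonElement roles)
            || roles.ValueKind != JsonValueKind.Array)
            return Array.Empty<string>();
        return roles.EnumerateArray().Select(r => r.GetString()).ToArray();
    }

    // Build an unsigned, constructed sample token around a JSON payload.
    static string Sample(string payloadJson)
    {
        Func<string, string> enc = s => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return enc("{\"alg\":\"none\"}") + "." + enc(payloadJson) + ".sig";
    }

    public static void Main()
    {
        // Constructed payloads; in practice pass the string from AcquireTokenAsync().
        foreach (string p in new[] { "{\"roles\":[\"Directory.Read.All\"]}", "{\"appid\":\"placeholder\"}" })
        {
            string[] roles = GrantedRoles(DecodePayload(Sample(p)));
            Console.WriteLine(roles.Length == 0 ? "No application permissions in token"
                : "Application permissions: " + string.Join(", ", roles));
        }
    }
}
```

An empty result for a token obtained with client credentials means no application permission has been granted to the app in that tenant, which matches the error in the question.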