Hari Durairaj

Reputation: 25

Graph API Access denied error

We have been using the Graph API’s calendar endpoints for reading the current calendar events of all conference rooms at our organization (as needed in our application).

Our AAD application had the required permissions set up for cert-based delegated access.

AAD permissioning setup

We were able to read the events, but starting last Friday we noticed that all our calls are failing with the access denied error message when we try to hit the endpoint.

Delegated permissions setup

Sample Errors:

{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "4e86b67f-c790-4622-8c52-5560ada18809",
      "date": "2017-12-20T00:59:42"
    }
  }
}

{
  "error": {
    "code": "ErrorAccessDenied",
    "message": "Access is denied. Check credentials and try again.",
    "innerError": {
      "request-id": "43986eec-2b2a-4e0c-b2e6-d5cacfd9e583",
      "date": "2017-12-20T01:15:04"
    }
  }
}

Additional info: Token payload data:

{
  "aud": "https://graph.microsoft.com/",
  "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
  "iat": 1513731142,
  "nbf": 1513731142,
  "exp": 1513735042,
  "aio": "<removed>",
  "app_displayname": "<removed>",
  "appid": "17e23349-efa0-4b31-b04f-c8e16754bcb8",
  "appidacr": "2",
  "e_exp": 262800,
  "idp": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
  "oid": "028bc190-3171-4699-90ad-65a0b6cc9d21",
  "sub": "028bc190-3171-4699-90ad-65a0b6cc9d21",
  "tid": "72f988bf-86f1-41af-91ab-2d7cd011db47",
  "uti": "nTP0r5PyPUqQoNS3WmUKAA",
  "ver": "1.0"
}

I did notice the token payload is missing any scope, but given that it was working earlier and no known changes were made to our AAD instance, I doubt whether that is the real issue. Let me know if I am missing something there.

I tried switching the AAD application to another one which also has the admin consented permissions setup but that resulted in the same error as above.

Upvotes: 1

Views: 5972

Answers (1)

juunas

Reputation: 58723

Since there are no scopes/roles in the token, the problem is probably that the permissions have not been granted.

You can grant the permissions in your tenant by clicking the Grant permissions button there.

You can also find some information about how grants work and how you can debug this kind of problem in my blog: https://joonasw.net/view/the-grant-requires-admin-permission

Upvotes: 1
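The check the answer describes (look at the token before blaming the API) can be scripted. The following is an added example, not code from the question or the answer: it decodes the payload of a v1.0 Azure AD access token and reports whether it carries an `scp` claim (delegated permissions, space-separated) or a `roles` claim (application permissions, a list), which permissions are missing against a required set, and how the client authenticated (`appidacr` of "2" is certificate-based client authentication). The two sample tokens are constructed here: the first reproduces the claims from the question's payload, the second adds a `roles` claim to show what a granted application permission looks like. The signature segment is a placeholder and is not verified; this is a diagnostic helper only, never an authorization check.

```python
import base64
import json

# Claim names Azure AD v1.0 access tokens use for consented Graph permissions.
DELEGATED_CLAIM = "scp"      # e.g. "Calendars.Read Calendars.Read.Shared"
APPLICATION_CLAIM = "roles"  # e.g. ["Calendars.Read"]

# appidacr values documented for Azure AD: how the client application authenticated.
CLIENT_AUTH = {"0": "public client", "1": "client secret", "2": "certificate"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying the signature.

    Fine for diagnosing a token you obtained yourself; never use unverified
    claims to make an access decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def diagnose_permissions(token: str, required: set) -> dict:
    """Summarise what permissions a Graph access token actually carries."""
    claims = decode_payload(token)
    delegated = set(claims.get(DELEGATED_CLAIM, "").split())
    application = set(claims.get(APPLICATION_CLAIM, []))
    granted = delegated | application
    if delegated:
        permission_type = "delegated"
    elif application:
        permission_type = "application"
    else:
        permission_type = "none"  # nothing consented: expect ErrorAccessDenied
    return {
        "audience": claims.get("aud"),
        "tenant": claims.get("tid"),
        "client_auth": CLIENT_AUTH.get(claims.get("appidacr"), "unknown"),
        "permission_type": permission_type,
        "granted": sorted(granted),
        "missing": sorted(required - granted),
    }


def make_unsigned_token(payload: dict) -> str:
    """Build a token with a placeholder signature (constructed test data only)."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


# Constructed sample: the claims visible in the question (no scp, no roles).
BROKEN_PAYLOAD = {
    "aud": "https://graph.microsoft.com/",
    "iss": "https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/",
    "iat": 1513731142, "nbf": 1513731142, "exp": 1513735042,
    "appid": "17e23349-efa0-4b31-b04f-c8e16754bcb8",
    "appidacr": "2",
    "oid": "028bc190-3171-4699-90ad-65a0b6cc9d21",
    "sub": "028bc190-3171-4699-90ad-65a0b6cc9d21",
    "tid": "72f988bf-86f1-41af-91ab-2d7cd011db47",
    "ver": "1.0",
}
BROKEN_TOKEN = make_unsigned_token(BROKEN_PAYLOAD)

# Constructed sample: same client after an admin granted Calendars.Read as an
# application permission, so the token now carries a roles claim.
GRANTED_TOKEN = make_unsigned_token({**BROKEN_PAYLOAD, "roles": ["Calendars.Read"]})

if __name__ == "__main__":
    for name, tok in (("question's token", BROKEN_TOKEN), ("after grant", GRANTED_TOKEN)):
        print(name, json.dumps(diagnose_permissions(tok, {"Calendars.Read"}), indent=2))
```

Run against a real token, paste the middle segment of the bearer token you send to Graph; a result of `"permission_type": "none"` with a non-empty `missing` list means the call will fail regardless of how the client authenticated, and the fix is the consent grant the answer points to rather than the certificate or the request.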
