Liquid

Reputation: 648

Insufficient privileges to complete the operation: Add new user using Azure Active Directory Graph Client API

I am trying to add a new user to my AD but getting the error "insufficient privileges to complete the operation". I am not able to understand which permission is required for the Azure Active Directory Graph API so that this issue does not occur. Below is my code snippet which is making the API call to AD Graph:

using Microsoft.Azure.ActiveDirectory.GraphClient;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Threading.Tasks;
using System.Web;


namespace AuthenticationPortal
{
    public class ActiveDirectoryClientModel
    {


        // These are the credentials the application will present during authentication
        // and were retrieved from the Azure Management Portal.
        // *** Don't even try to use these - they have been deleted.
        static string clientID = ConfigurationManager.AppSettings["ida:ClientId"];
        static string clientSecret = ConfigurationManager.AppSettings["ida:ClientSecret"];
        static string tenantId = ConfigurationManager.AppSettings["ida:TenantId"];
        static string domain = ConfigurationManager.AppSettings["ida:Domain"];
        // The Azure AD Graph API is the "resource" we're going to request access to.
        static string resAzureGraphAPI = "https://graph.windows.net";

        // This is the URL the application will authenticate at.
        static string authString = "https://login.microsoft.com/" + tenantId;

        // The Azure AD Graph API for my directory is available at this URL.
        static string serviceRootURL = "https://graph.windows.net/" + domain;

        private ActiveDirectoryClient GetAADClient()
        {
            try
            {
                Uri serviceroot = new Uri(serviceRootURL);
                ActiveDirectoryClient adClient = new ActiveDirectoryClient(serviceroot, async () => await GetAppTokenAsync());
                return adClient;
            }
            catch (Exception ex)
            {
                // Do not hand back a null client: the caller would fail later with a
                // NullReferenceException that hides the real cause (e.g. a bad service root URL).
                System.Diagnostics.Trace.TraceError("Creating ActiveDirectoryClient failed: {0}", ex);
                throw;
            }

        }

        private static async Task<string> GetAppTokenAsync()
        {
            try
            {
                // Instantiate an AuthenticationContext for my directory (see authString above).
                AuthenticationContext authenticationContext = new AuthenticationContext(authString, false);

                // Create a ClientCredential that will be used for authentication.
                // This is where the Client ID and Key/Secret from the Azure Management Portal is used.
                ClientCredential clientCred = new ClientCredential(clientID, clientSecret);

                // Acquire an access token from Azure AD to access the Azure AD Graph (the resource)
                // using the Client ID and Key/Secret as credentials.
                AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(resAzureGraphAPI, clientCred);
                // Return the access token.
                return authenticationResult.AccessToken;
            }
            catch (Exception ex)
            {
                // Returning null here would make the client send an empty bearer token and
                // report a misleading authorization error; surface the ADAL failure instead.
                System.Diagnostics.Trace.TraceError("Token acquisition failed: {0}", ex);
                throw;
            }

        }


        public async Task CreateUser()
        {
            var adClient = GetAADClient();

            var newUser = new User()
            {
                // Required settings
                DisplayName = "Atul Gandhale",
                UserPrincipalName = "atulm@"+ domain,
                PasswordProfile = new PasswordProfile()
                {
                    Password = "Asdf1234!",
                    ForceChangePasswordNextLogin = true
                },
                MailNickname = "atulg",
                AccountEnabled = true,

                // Some (not all) optional settings
                GivenName = "Atul",
                Surname = "Gandhale",
                JobTitle = "Programmer",
                Department = "Development",
                City = "Pune",
                State = "MH",
                Mobile = "1234567890",
            };
            try
            {
                // Add the user to the directory. Await the call instead of blocking with .Wait():
                // blocking on a Task inside an async method can deadlock under ASP.NET and wraps
                // the real error in an AggregateException.
                await adClient.Users.AddUserAsync(newUser);
            }
            catch (Exception ex)
            {
                // Do not swallow the exception: the Graph error message (here
                // "Insufficient privileges to complete the operation") is what you need to see.
                System.Diagnostics.Trace.TraceError("AddUserAsync failed: {0}", ex);
                throw;
            }
        }

    }

}

Please help me out; I have already spent a couple of hours but am not able to get the solution for this.

Upvotes: 1

Views: 454

Answers (1)

Md Farid Uddin Kiron

Reputation: 22447

You need the following permission to create a new user in the Azure portal from your application:

Permission Type: Delegated permissions

Permission Name: Directory.ReadWrite.All

You could see the official docs.

Step 1: [screenshot]

Step 2: [screenshot]

Point To Remember:

Once you have successfully added your permission, you must afterwards add Grant consent as shown in step 2.

Postman Test: [screenshot]

Azure Portal: [screenshot]

Note: But my suggestion is to use the Microsoft Graph API, which is mostly recommended now. For Microsoft Graph you could refer to these docs.

Upvotes: 2
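A quick way to confirm whether the permission and consent from the answer actually reached your application is to inspect the access token that AcquireTokenAsync returned before calling Graph. In an Azure AD v1 token, application permissions (what a client-credential flow like the question's code gets) are listed in the roles claim, while delegated permissions appear as a space-separated scp string; a token with neither usually means the permission was never consented, or the token was cached from before the permission was added and must be re-acquired. The following Python script is an added example, not code from the question or the answer; the tokens it decodes are constructed locally so it runs offline, and the claim names and the audience value https://graph.windows.net are taken from the page and from the documented v1 token format.

```python
import base64
import json

GRAPH_RESOURCE = "https://graph.windows.net"   # Azure AD Graph audience, as in the question's code
REQUIRED_ROLE = "Directory.ReadWrite.All"       # the permission named in the answer


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_fake_token(payload: dict) -> str:
    """Build a CONSTRUCTED token for offline demonstration only.
    Real tokens come from AcquireTokenAsync; this exists so the example runs without a tenant."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.constructed-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Suitable for inspecting a token your own app just received, never for trusting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> dict:
    """Application permissions (client-credential flow) appear in 'roles';
    delegated permissions (user sign-in flows) appear as a space-separated 'scp' string."""
    scp = claims.get("scp", "")
    return {
        "application": set(claims.get("roles", [])),
        "delegated": set(scp.split()) if scp else set(),
    }


def diagnose_create_user(token: str) -> str:
    """Explain whether a token can create users via Azure AD Graph, or why it likely cannot."""
    claims = decode_claims(token)
    if claims.get("aud") != GRAPH_RESOURCE:
        return f"wrong audience: token is for {claims.get('aud')!r}, not {GRAPH_RESOURCE}"
    perms = granted_permissions(claims)
    if REQUIRED_ROLE in perms["application"]:
        return "ok: application permission granted and consented"
    if REQUIRED_ROLE in perms["delegated"]:
        return "ok: delegated permission present (token obtained on behalf of a signed-in user)"
    if not perms["application"] and not perms["delegated"]:
        return ("no permissions in token: permission not granted, admin consent not given, "
                "or the token was cached before the permission was added (re-acquire it)")
    return (f"missing {REQUIRED_ROLE}; token carries "
            f"roles={sorted(perms['application'])} scp={sorted(perms['delegated'])}")


# Constructed sample payloads mirroring the shape of v1 client-credential and delegated tokens.
CONSENTED_APP_TOKEN = make_fake_token({
    "aud": GRAPH_RESOURCE, "tid": "<tenant-id>", "appid": "<client-id>",
    "roles": ["Directory.ReadWrite.All"],
})
UNCONSENTED_APP_TOKEN = make_fake_token({
    "aud": GRAPH_RESOURCE, "tid": "<tenant-id>", "appid": "<client-id>",
})
DELEGATED_TOKEN = make_fake_token({
    "aud": GRAPH_RESOURCE, "tid": "<tenant-id>", "scp": "User.Read Directory.ReadWrite.All",
})

if __name__ == "__main__":
    for name, tok in [("consented app", CONSENTED_APP_TOKEN),
                      ("unconsented app", UNCONSENTED_APP_TOKEN),
                      ("delegated", DELEGATED_TOKEN)]:
        print(f"{name:16} -> {diagnose_create_user(tok)}")
```

In practice you would paste the AccessToken string from the debugger in place of the constructed tokens. If roles is empty for a client-credential token even though the portal shows the permission, grant admin consent as the answer describes and clear the ADAL token cache or restart the app so a new token is issued.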
