Reputation: 754
Insufficient privileges to list group members in Graph API
I'm building an API which is called by a SPA (angular). The user is authenticated using Azure AD and the API uses AzureAdBearer for its authentication.
I need the backend to call graph api on behalf of the user to list members of an AD Group.
According to this documentation, I need one of these permissions:
User.ReadBasic.All, User.Read.All, Group.Read.All, Directory.Read.All
So I have added User.ReadBasic.All to my api permissions list in the app registration of my backend.
I used an IAuthenticationProvider to handle the authentication using this code:
var app = ConfidentialClientApplicationBuilder.Create("{my client id}")
.WithAuthority("https://login.microsoftonline.com/{my tenant id}")
.WithClientSecret({my backend secret})
.WithLogging(Log, Microsoft.Identity.Client.LogLevel.Info, true)
.Build();
var token = await _httpContextAccessor.HttpContext.GetTokenAsync("access_token");
var userAssertion = new UserAssertion(token);
var result = await app.AcquireTokenOnBehalfOf(new[] { "https://graph.microsoft.com/.default" }, userAssertion)
.ExecuteAsync();
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
The result is successful, when I check my token using jwt.ms everything seems correct, here is an extract of it:
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/{my tenant id}/",
[...]
"app_displayname": "My app",
"appid": "{my client id}",
[...]
"scp": "User.ReadBasic.All profile openid email",
[...]
However on this call using the GraphApiClient:
var client = new GraphServiceClient(authProvider);
var users = await client.Groups["group guid"].Members.Request().GetAsync();
I get this error:
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
Upvotes: 0
Views: 476
Answers (1)
Reputation: 153
This call var users = await client.Groups["group guid"].Members.Request().GetAsync(); requires a group permission (i.e.Group.Read.All).
You only have user permissions right now (i.e.User.ReadBasic.All).
Upvotes: 3
Related Questions
- Add users as group members with Microsoft Graph Api in Net Core
- Getting Authorization error when trying to retrieve all members of an AD Group using Microsoft.Graph
- Microsoft Graph API / C# SDK can't find Security Group by Display Name
- 'Insufficient privileges to complete the operation' when trying to create group via Microsoft Graph
- Permissions to add member to group via Graph API
- Microsoft graph api returns 403 forbidden when calling groups/xxxx/members
- Microsoft graph API: getting 403 while trying to read user groups
- getMemberGroups “Insufficient privileges to complete the operation”
- MS Graph API GET Group members only get users
- Exception when querying the members of group in Microsoft.Graph Client