How to set correct privileges to use Python Azure SDK for Graph?

I am trying to add a reply_url programmatically to an Azure app registration, but I receive a GraphErrorException: Insufficient privileges to complete the operation.

Problem is I don't understand which privileges my app registration needs.

Basically I am using the credentials of the app registration to change its own reply_urls.

The privileges set are User.Read and Application.ReadWrite.OwnedBy. Both granted.

Which one am I missing? And how can I find out?

This is the SDK I am using: azure-graphrbac==0.61.1

My code looks like this:

from typing import List

from azure.graphrbac import GraphRbacManagementClient
from azure.graphrbac.models import ApplicationUpdateParameters
from msrestazure.azure_active_directory import ServicePrincipalCredentials


class GraphClient:
    def __init__(self, client_id, client_secret, tenant_id, object_id):
        # The resource decides which API the token is issued for:
        # https://graph.windows.net is Azure AD Graph, the API azure-graphrbac talks to.
        self._credentials = ServicePrincipalCredentials(
            client_id=client_id,
            secret=client_secret,
            tenant=tenant_id,
            resource="https://graph.windows.net"
        )
        self._graph_client = GraphRbacManagementClient(
            credentials=self._credentials,
            tenant_id=tenant_id
        )
        # applications.get() takes the registration's *object* ID, not its app (client) ID.
        self._application = self._graph_client.applications.get(object_id)

    def get_reply_urls(self) -> List[str]:
        return self._application.reply_urls or []

    def add_reply_url(self, reply_url: str) -> None:
        reply_urls: List[str] = self.get_reply_urls()
        if reply_url in reply_urls:
            return  # already registered; do not add a duplicate entry
        # applications.patch() also expects the object ID (application_object_id);
        # passing app_id here would address the wrong identifier.
        self._graph_client.applications.patch(
            self._application.object_id,
            ApplicationUpdateParameters(
                reply_urls=[*reply_urls, reply_url]
            )
        )
        # Refresh the cached registration so later reads see the new URL.
        self._application = self._graph_client.applications.get(
            self._application.object_id
        )

EDIT: Added permissions screenshot.

Upvotes: 1

Views: 486

Answers (1)

Hury Shen

Reputation: 15754

If you use Microsoft Graph, the resource should be: https://graph.microsoft.com

If you use Azure AD Graph, the resource should be: https://graph.windows.net

According to your code, the resource is https://graph.windows.net, so it requests the Azure AD Graph API in the backend. So we need to add the permissions of Azure AD Graph, not Microsoft Graph.

The screenshot you provided shows you added the permission Application.ReadWrite.OwnedBy of Microsoft Graph but not Azure AD Graph. So please remove it and add the same permission which belongs to Azure AD Graph.


Then don't forget to grant admin consent for it.


Hope it helps~

Upvotes: 1
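The answer's point is that the token's audience, fixed by the resource URL, decides which API's permission grant counts. The question also asks "how can I find out?"; the quickest check is to decode the access token you actually received and look at its aud and roles claims. The following is an added example, not code from the question or the answer: the sample tokens are constructed (unsigned, JWT-shaped strings, not real Azure AD tokens), and the audience table assumes the well-known application IDs Azure AD uses for the two APIs.

```python
import base64
import json
from typing import Dict, List

# Resource URIs and the well-known application IDs that Azure AD may put in the
# "aud" claim for each API (assumed values for the two Graph endpoints).
AAD_GRAPH = "https://graph.windows.net"
MS_GRAPH = "https://graph.microsoft.com"
AUDIENCES = {
    AAD_GRAPH: {"https://graph.windows.net", "00000002-0000-0000-c000-000000000000"},
    MS_GRAPH: {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"},
}


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a JWT without verifying its signature.

    Acceptable only for inspecting a token you just obtained from Azure AD
    yourself; never use this to trust a token presented by someone else.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, resource: str, required_role: str) -> List[str]:
    """List the reasons an access token will not satisfy an app-only call.

    An empty list means the token was issued for `resource` and carries
    `required_role` in its `roles` claim. Application permissions granted with
    admin consent appear in `roles`; delegated scopes would appear in `scp`.
    """
    claims = decode_claims(token)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in AUDIENCES.get(resource, {resource}):
        problems.append(f"token audience {aud!r} is not {resource}; "
                        "the permission must be granted on this API")
    roles = claims.get("roles", [])
    if required_role not in roles:
        problems.append(f"roles claim {roles} lacks {required_role}; "
                        "grant it on the API named in aud and admin-consent it")
    return problems


# --- constructed sample tokens (not real Azure AD tokens) --------------------
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: Dict) -> str:
    """Build an unsigned JWT-shaped string so the checker can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


# Token as the question's code would receive it: issued for Azure AD Graph, but
# the role was granted on Microsoft Graph, so no roles claim is present.
TOKEN_WRONG_API = make_sample_token({"aud": "https://graph.windows.net/",
                                     "appid": "11111111-2222-3333-4444-555555555555"})
# Token after the fix: same audience, role granted on Azure AD Graph and consented.
TOKEN_FIXED = make_sample_token({"aud": "https://graph.windows.net/",
                                 "appid": "11111111-2222-3333-4444-555555555555",
                                 "roles": ["Application.ReadWrite.OwnedBy"]})

if __name__ == "__main__":
    for name, tok in (("wrong api", TOKEN_WRONG_API), ("fixed", TOKEN_FIXED)):
        print(name, check_token(tok, AAD_GRAPH, "Application.ReadWrite.OwnedBy") or "OK")
```

With the question's code, the real token to feed into check_token is the one msrestazure stores on the credential object after it authenticates (self._credentials.token["access_token"]); the resource argument is whatever was passed as resource=, and the role is the permission you expect to have granted. An audience mismatch means the grant sits on the other Graph API, exactly the situation in the answer; a missing roles claim with the right audience means the permission is not granted on that API or admin consent has not been given.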
