user989988

Reputation: 3736

Insufficient privileges to add Azure AD user

I created a console application to create an Azure AD user as follows (doc referenced: https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http):

        // ClientCredential and HttpRequestMessageAuthenticationProvider come from
        // the OP's own auth helper (see the second answer), not from the Graph SDK.
        static async Task Main(string[] args)
        {
            var credential = new ClientCredential("<client-id>", "<client-secret>");
            var authProvider = new HttpRequestMessageAuthenticationProvider(
                                                        credential,
                                                        "https://login.windows.net/<tenant-id>",
                                                        "https://graph.microsoft.com/");

            GraphServiceClient graphClient = new GraphServiceClient(authProvider);

            var user = new User
            {
                AccountEnabled = true,
                DisplayName = "Test User",
                MailNickname = "testuser",
                UserPrincipalName = "[email protected] ",   // note the trailing space
                // PasswordProfile is an object, not a string
                PasswordProfile = new PasswordProfile
                {
                    Password = "xxxxxxxxxxxx"
                },
                OnPremisesImmutableId = "id"
            };

            await graphClient.Users
                .Request()
                .AddAsync(user);
        }

API permissions added to app are Group.ReadWrite.All and User.ReadWrite.All.

On running this code, I see the following error:

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

What am I missing?

Upvotes: 1

Views: 634

Answers (2)

Marcus Hanikat

Reputation: 67

I had the same issue and managed to solve it.

I used the Directory.ReadWrite.All permission but still experienced the problem with setting the OnPremisesImmutableId attribute for our users.

After a bit of investigation, it turned out that I had to assign the roles "Group Administrator" and "User Administrator" to my application in the Azure AD Portal (Azure AD > Roles and administrators > Click each group > Add Assignments). After both these roles had been applied to my application, the problem disappeared.

Upvotes: 0

Hury Shen

Reputation: 15724

For this problem, I summarize the points below which you need to check:

1. It seems your code uses client_credentials as the grant flow to do the job, so please check that you have added "Application" permissions, not "Delegated" ones. And don't forget to grant admin consent.


2. If it still shows the Authorization_RequestDenied message, please remove the permission Group.ReadWrite.All because this permission is unnecessary. And in my past tests, the Group permission may affect other permissions.

3. It seems you developed the specific code in the class HttpRequestMessageAuthenticationProvider; actually, there is an off-the-shelf SDK available for us to use. I provide my code below for your reference; the code works fine to create a user.

using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;
using System;
using System.Threading.Tasks;

namespace ConsoleApp23
{
    class Program
    {
        static async Task Main(string[] args)
        {
            Console.WriteLine("Hello World!");

            IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
                .Create("<client_id>")
                .WithTenantId("<tenant_id>")
                .WithClientSecret("<client_secret>")
                .Build();

            ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);

            GraphServiceClient graphClient = new GraphServiceClient(authProvider);

            var user = new User
            {
                AccountEnabled = true,
                DisplayName = "huryAdd",
                MailNickname = "huryAdd",
                UserPrincipalName = "[email protected]",
                PasswordProfile = new PasswordProfile
                {
                    ForceChangePasswordNextSignIn = true,
                    Password = "Password0123"
                },
                OnPremisesImmutableId = "testOnPre"
            };

            await graphClient.Users.Request().AddAsync(user);

            Console.WriteLine("====success====");
        }
    }
}

I also provide the packages installed in my project.


Install-Package Microsoft.Identity.Client -Version 4.16.1
Install-Package Microsoft.Graph
Install-Package Microsoft.Graph.Auth -IncludePrerelease

4. By the way, there is a blank space at the end of your UserPrincipalName. Please remove it, otherwise it will report an invalid principal name.

Hope it helps~

Upvotes: 1
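An added diagnostic, not from the question or either answer, that inspects the claims of a client-credentials access token before it is sent to Graph: an app-only token carries the granted Application permissions in the `roles` claim, whereas Delegated permissions appear in `scp`, which is the mismatch behind many Authorization_RequestDenied responses. Python, with constructed unsigned sample tokens; `check_graph_token` and the other helper names are assumptions.

```python
import base64
import json

# Microsoft Graph tokens carry either the resource URI or Graph's well-known
# application id as the audience.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (signature is NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, required_roles: set) -> list:
    """Return findings that explain why an app-only Graph call would be denied.
    An empty list means the token looks right for the requested operation."""
    claims = decode_claims(token)
    findings = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        findings.append(f"audience {aud!r} is not Microsoft Graph")
    if "scp" in claims:
        # Delegated scopes mean the app was granted Delegated, not Application, permissions.
        findings.append("token has 'scp' (Delegated scopes); app-only calls need Application permissions")
    missing = set(required_roles) - set(claims.get("roles", []))
    if missing:
        findings.append(f"missing Application roles: {sorted(missing)}")
    return findings


def make_sample_token(payload: dict) -> str:
    """Build an unsigned, constructed JWT for local testing only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    need = {"User.ReadWrite.All"}
    ok = make_sample_token({"aud": "https://graph.microsoft.com", "roles": ["User.ReadWrite.All"]})
    delegated = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "User.ReadWrite.All"})
    print("app-only token:", check_graph_token(ok, need))          # []
    print("delegated token:", check_graph_token(delegated, need))  # two findings
```

In practice, paste a real token's payload into `decode_claims` only on a trusted machine and never log the full token; the `roles` claim should list every permission the code path needs after admin consent.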
