cah1r

Reputation: 1999

Microsoft graph - Insufficient privileges when trying to get user info

I'm trying to get user information from Active Directory (email, phone number and assigned groups) using Microsoft Graph and the implicit flow in an Angular + ASP.NET Web API application after the user logs into the system.

Now we've set up some privileges for the application registered in Azure AD, and all the code seems to be working fine using the setup below.

[screenshot: API permissions currently granted to the app registration]

The problem is that those permissions seem too high just for reading the profile info and groups of a single user.

According to the Microsoft documentation, delegated User.Read should be enough (link), but after changing to the setup below and removing User.Read.All for the application

[screenshot: revised API permissions]

the error below is thrown:

    {
        "StatusCode": 500,
        "Message": "Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.
    Inner error: AdditionalData: date: x request-id: x client-request-id: x ClientRequestId: x "
    }

The error is thrown when calling Users from graphClient:

    using System.Threading.Tasks;
    using Microsoft.Graph;
    using Microsoft.Graph.Auth;        // ClientCredentialProvider
    using Microsoft.Identity.Client;   // MSAL.NET: ConfidentialClientApplicationBuilder

    public async Task<User> GetUserAsync(string userObjectId)
    {
        GraphServiceClient graphClient = GetClient();

        // GET https://graph.microsoft.com/v1.0/users/{userObjectId}
        return await graphClient.Users[userObjectId].Request()
            .GetAsync();
    }

    private GraphServiceClient GetClient()
    {
        // Client-credentials flow: the token is issued to the application itself
        // (there is no signed-in user in it), so Graph evaluates Application
        // permissions only.
        IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
                    .Create(ADClientId)
                    .WithTenantId(TenantId)
                    .WithClientSecret(ApplicationSecret)
                    .Build();

        ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);

        GraphServiceClient graphClient = new GraphServiceClient(authProvider);

        return graphClient;
    }

Now I'm not sure how to limit those privileges: whether there is something incorrect with the flow, the C# code, or maybe the privileges themselves.

Any help would be greatly appreciated.

Regards.

Upvotes: 0

Views: 1536

Answers (1)

Allen Wu

Reputation: 16498

The User.Read Delegated permission allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

So you can only get https://graph.microsoft.com/v1.0/me or https://graph.microsoft.com/v1.0/users/{userObjectId of the signed-in user} with this permission.

If you want to get other user's information, please use User.ReadBasic.All or User.Read.All Delegated permission (based on your needs). Please note you need to add Delegated permission rather than Application permission.

[screenshot: adding a Delegated permission in the Azure portal]

Reference here.

Upvotes: 1
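Read together, the question and the answer point at the flow rather than at the permission list: GetClient() in the question builds a ClientCredentialProvider, i.e. the client-credentials flow, which yields an app-only token, while the Delegated User.Read the answer recommends is only evaluated for a token that carries a signed-in user. The block below is an added example, not code from the question, the answer or the Microsoft SDKs' documentation, showing how an ASP.NET Web API can use Delegated User.Read by exchanging the bearer token it received from the Angular client for a Graph token with the on-behalf-of (OBO) flow in MSAL.NET. It assumes the same ADClientId, TenantId and ApplicationSecret settings as the question, that the incoming token was issued for this API's own app registration (its audience is the API, not Graph), and that Delegated User.Read has been granted and consented; the class, method and parameter names are mine.

```csharp
// Added example: delegated Graph access from a Web API via the on-behalf-of flow.
// Assumed settings (same names as in the question): ADClientId, TenantId, ApplicationSecret.
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

public class GraphOnBehalfOfService
{
    private readonly IConfidentialClientApplication _app;

    // Scope string that maps to the Delegated User.Read permission on Microsoft Graph.
    private static readonly string[] GraphScopes = { "https://graph.microsoft.com/User.Read" };

    public GraphOnBehalfOfService(string clientId, string tenantId, string clientSecret)
    {
        // Same confidential client as in the question; only the token acquisition differs.
        _app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantId)
            .WithClientSecret(clientSecret)
            .Build();
    }

    // incomingAccessToken: the raw JWT the Web API received in its Authorization header
    // from the SPA ("Bearer " prefix already stripped). Assumption: its audience is this API.
    public async Task<User> GetSignedInUserAsync(string incomingAccessToken)
    {
        // On-behalf-of: exchange the user's token for a Graph token issued for the same
        // user. The resulting token carries an "scp" claim (delegated scopes) rather than
        // the "roles" claim of an app-only token, so Graph now honours Delegated User.Read.
        AuthenticationResult result = await _app
            .AcquireTokenOnBehalfOf(GraphScopes, new UserAssertion(incomingAccessToken))
            .ExecuteAsync();

        // Attach the OBO token to every Graph request. DelegateAuthenticationProvider is
        // part of the Graph SDK, so Microsoft.Graph.Auth is not needed for this path.
        GraphServiceClient graphClient = new GraphServiceClient(
            new DelegateAuthenticationProvider(request =>
            {
                request.Headers.Authorization =
                    new AuthenticationHeaderValue("Bearer", result.AccessToken);
                return Task.CompletedTask;
            }));

        // /me resolves to the user the token was issued for. With User.Read this is the
        // only user the app may read, which is the least privilege the question asks for.
        // Select only the fields actually needed rather than the whole user object.
        return await graphClient.Me.Request()
            .Select("id,displayName,mail,mobilePhone,businessPhones")
            .GetAsync();
    }
}
```

Two practical checks when this still returns Authorization_RequestDenied: decode the token the Graph client is actually sending (for example at jwt.ms) and confirm it has an scp claim containing User.Read, because a token with only a roles claim is app-only and no Delegated grant will ever apply to it; and confirm the token the SPA sends to the API has the API as its audience, since AcquireTokenOnBehalfOf rejects a token that was issued directly for Graph. Group membership is a separate question: /me/memberOf is governed by its own permission table and needs more than User.Read, so check that endpoint's documented least-privileged Delegated permission before adding anything broader.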
