Reputation: 7142
I want to have an extra claim, say "mygroupsrmm", in my JWT token, which I want to view after decoding the token. I am trying to add custom claims to my JWT token, which I will receive after authentication using the OAuth2 flow. I've already modified the application manifest file for the registered AAD app with
"acceptMappedClaims": true
and followed the steps below:
Step 1: created a custom claims mapping policy

```powershell
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema":[{"Source":"user","ID":"extensionattribute2","SamlClaimType":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rmmgname","JwtClaimType":"mygroupsrmm"}]}}') -DisplayName "MyGroupsRMMExtraClaims" -Type "ClaimsMappingPolicy"
```
Step 2: assigned the policy to my AAD registered app

```powershell
$appID = <>
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
$policyId = <>
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policyId
```
Both steps above succeeded, so I went ahead with the authentication calls.
Step 3: GET /authorize API call

```
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=my-application-id-registered-in-AAD&redirect_uri=http://localhost:3000/callback&scope=openid%20profile%20email%20offline_access%20User.Read%20Files.Read
```
From this step an authorization code is received, which is passed on to the /token API call.
Step 4: POST /token call

```http
POST https://login.microsoftonline.com/common/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&client_id=<<my-application-id-registered-in-AAD>>
&client_secret=<<client-secret-value-here>>
&code=<<code-received-from-step3>>
&redirect_uri=http://localhost:3000/callback
```
The above call executes successfully and returns both access_token and id_token, but after decoding the token I'm unable to view my added custom claim, i.e. "mygroupsrmm" (I viewed the decoded token through jwt.io).
On checking my user details from Graph Explorer, "extensionattribute2" is null, so I tried updating the value of this field using
Step 5: navigate to Microsoft Graph Explorer and execute the call

```http
PATCH https://graph.microsoft.com/beta/me
```

body

```json
{
  "onPremisesExtensionAttributes": {
    "extensionAttribute2": "myrmm-g2"
  }
}
```
The above call throws
"Forbidden - 403 - 492ms. You need to consent to the permissions on the Modify permissions (Preview) tab"
while on viewing "Modify permissions (Preview)", all the required permissions, i.e. User.ManageIdentities.All, User.ReadWrite.All, User.ReadWrite, Directory.ReadWrite.All and Directory.AccessAsUser.All, are already granted (consented).
Response:

```json
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2021-02-23T12:08:05",
      "request-id": "06ddd00b-db0f-4a7c-ae03-471763139939",
      "client-request-id": "c07843cf-89d4-10a7-89fa-f3b71445bc1f"
    }
  }
}
```
The authorization token used for the above request contains the following consented permissions/scopes:

```json
"scp": "Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All OnlineMeetings.ReadWrite openid profile User.ManageIdentities.All User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All email"
```
Since the above request failed, I tried modifying another user object key, i.e. jobTitle, to check the user update response:

```http
PATCH https://graph.microsoft.com/beta/me

{ "jobTitle" : "sr.mts" }
```
This call too throws a 403 error with code Authorization_RequestDenied.
I would like to know what specific permission is required to set values for the above keys, i.e. jobTitle or extensionAttribute2, so that I can view the custom claim key-value in the decoded JWT token. Any sort of assistance will be greatly appreciated.
Upvotes: 0
Views: 279
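The question checks for the mapped claim by pasting the token into jwt.io. The following is an added example, not code from the question or from Microsoft, that does the same inspection offline: it base64url-decodes the header and payload of a compact JWT without verifying the signature (inspection only, exactly what jwt.io shows), reports whether the "mygroupsrmm" claim from the ClaimsMappingPolicy is present, and lists the delegated scopes in "scp". The tokens it inspects are constructed inline with a placeholder signature; the claim name and the scp string are taken from the question, everything else (aud value, claim value) is assumed sample data.

```python
import base64
import json

MAPPED_CLAIM = "mygroupsrmm"  # JwtClaimType from the claims mapping policy in the question


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Split a compact JWT and decode header and payload WITHOUT checking the
    signature. This is for inspection only, never for making trust decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return {"header": header, "payload": payload}


def inspect_token(token: str, claim: str = MAPPED_CLAIM) -> dict:
    """Report whether the mapped claim is present and which delegated scopes the token carries.
    A user-write scope is necessary for PATCH /me, but a delegated token can never do more
    than the signed-in user is allowed to do in the directory."""
    payload = decode_jwt_unverified(token)["payload"]
    scopes = payload.get("scp", "").split()
    return {
        "claim_present": claim in payload,
        "claim_value": payload.get(claim),
        "scopes": scopes,
        "has_user_write_scope": any(
            s in scopes for s in ("User.ReadWrite", "User.ReadWrite.All", "Directory.ReadWrite.All")
        ),
    }


def make_sample_token(payload: dict) -> str:
    """Build a CONSTRUCTED sample token for offline testing. The signature
    segment is a placeholder, not a real RS256 signature."""
    header = {"alg": "RS256", "typ": "JWT"}

    def seg(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    return f"{seg(header)}.{seg(payload)}.{b64url_encode(b'placeholder-signature')}"


# Constructed sample payloads; the scp string is the one shown in the question.
SCP = ("Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All "
       "OnlineMeetings.ReadWrite openid profile User.ManageIdentities.All "
       "User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All email")
TOKEN_WITHOUT_CLAIM = make_sample_token({"aud": "my-application-id", "scp": SCP})
TOKEN_WITH_CLAIM = make_sample_token({"aud": "my-application-id", "scp": SCP, MAPPED_CLAIM: "myrmm-g2"})

if __name__ == "__main__":
    for t in (TOKEN_WITHOUT_CLAIM, TOKEN_WITH_CLAIM):
        print(json.dumps(inspect_token(t), indent=2))
```

Run it against a real access token by replacing the constructed token strings; "claim_present" stays False as long as the source attribute (extensionattribute2) is empty for the user, because a mapped claim is only emitted when the attribute has a value.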
Reputation: 9539
You must be an administrator to modify this attribute. I have tested it just now.
Update: after assigning the Directory writer role to the AAD user, the above issue is fixed. See here for the successful calls.
Upvotes: 1