pcghose

Reputation: 179

Getting Authorization error when trying to retrieve all members of an AD Group using Microsoft.Graph

I'm using Microsoft Graph to retrieve all members of a Group. But I am getting the below authorization error message. I am not able to figure it out as I started to learn it from today. I also went through some blogs regarding this but couldn't find out the root cause.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. Inner error: AdditionalData: date: 2021-09-24T11:25:11 request-id: ef3e82a6-f1df-4018-bccb-2eea075a934f client-request-id: ef3e82a6-f1df-4018-bccb-2eea075a934f ClientRequestId: ef3e82a6-f1df-4018-bccb-2eea075a934f

Following is my code:

using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using Microsoft.Graph;
using Microsoft.Identity.Client;

private static string appId = ConfigurationManager.AppSettings["ida:AppId"];
private static string appSecret = ConfigurationManager.AppSettings["ida:AppSecret"];
private static string redirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
// Space-separated list of the delegated permissions requested for the Graph token
private static List<string> graphScopes =
      new List<string>(ConfigurationManager.AppSettings["ida:AppScopes"].Split(' '));

// Group members are returned as DirectoryObject instances (users, groups, service principals, ...)
public static async Task<IEnumerable<DirectoryObject>> GetGroupMembersAsync()
{
      var graphClient = GetAuthenticatedClient();

      var members = await graphClient.Groups["00000000-0000-0000-0000-000000000000"].Members.Request().GetAsync();

      // Only the first page is returned here; see NextPageRequest for larger groups
      return members.CurrentPage;
}

private static GraphServiceClient GetAuthenticatedClient()
{
      return new GraphServiceClient(
          new DelegateAuthenticationProvider(
              async (requestMessage) =>
              {
                  var idClient = ConfidentialClientApplicationBuilder.Create(appId)
                      .WithRedirectUri(redirectUri)
                      .WithClientSecret(appSecret)
                      .Build();

                  // SessionTokenStore (from the Graph ASP.NET tutorial) binds the MSAL cache to the ASP.NET session
                  var tokenStore = new SessionTokenStore(idClient.UserTokenCache,
                          HttpContext.Current, ClaimsPrincipal.Current);

                  var accounts = await idClient.GetAccountsAsync();

                  // Silent acquisition only works for a user who already signed in and consented to graphScopes
                  var result = await idClient.AcquireTokenSilent(graphScopes, accounts.FirstOrDefault())
                            .ExecuteAsync();

                  requestMessage.Headers.Authorization =
                      new AuthenticationHeaderValue("Bearer", result.AccessToken);
              }));
}

AppSettings:

<appSettings>
    <add key="ida:AppId" value="[App Id]" />
    <add key="ida:AppSecret" value="[App Secret]" />
    <add key="ida:RedirectUri" value="https://localhost:44359/" />
    <add key="ida:AppScopes" value="User.Read.All Calendars.Read" />
</appSettings>

I am assuming that I may need to adjust the AppScopes values in the appSettings but am not sure. Can anyone provide me some hints to solve this?

Thanks in advance.

Upvotes: 1

Views: 109

Answers (1)

user2250152

Reputation: 20725

To get a list of a group's members you need the following permissions:

[screenshot: permissions table from the List members reference]

In your app settings you specified a different set of permissions: User.Read.All Calendars.Read

Check the permissions for your application in the Azure Portal:

[screenshot: API permissions blade of the app registration in the Azure Portal]

Resource:

List members

Upvotes: 1
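As an added illustration, not code from the question or the answer: once the app registration has been granted a group-membership permission, the call should also page through the result (Members returns one page at a time) and should handle the Authorization_RequestDenied code from the question instead of letting it surface as an unhandled exception. The group id and the GraphServiceClient are assumed to come from the question's helper; the permission names are the ones listed in the Microsoft Graph "List members" reference linked in the answer (GroupMember.Read.All, Group.Read.All or Directory.Read.All).

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Graph;

public static class GroupMembers
{
    // Delegated permissions that allow GET /groups/{id}/members, per the Graph "List members" reference
    public static readonly string[] RequiredAnyOf =
        { "GroupMember.Read.All", "Group.Read.All", "Directory.Read.All" };

    // True when at least one of the permissions above is among the scopes the app requests (ida:AppScopes).
    // Requesting a scope is not enough on its own: it must also be granted in the app registration.
    public static bool ScopesAllowListingMembers(IEnumerable<string> requestedScopes)
    {
        var set = new HashSet<string>(requestedScopes, StringComparer.OrdinalIgnoreCase);
        return Array.Exists(RequiredAnyOf, set.Contains);
    }

    // Collects every member of the group, following NextPageRequest until no further page exists.
    public static async Task<List<DirectoryObject>> GetAllMembersAsync(GraphServiceClient graphClient, string groupId)
    {
        var all = new List<DirectoryObject>();
        try
        {
            var page = await graphClient.Groups[groupId].Members.Request().GetAsync();
            while (page != null)
            {
                all.AddRange(page.CurrentPage);
                page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
            }
        }
        catch (ServiceException ex) when (ex.Error?.Code == "Authorization_RequestDenied")
        {
            // The error code from the question: the token carries none of the permissions in RequiredAnyOf
            throw new InvalidOperationException(
                "Graph denied the request. Grant one of: " + string.Join(", ", RequiredAnyOf) +
                " on the app registration, add it to ida:AppScopes, and have the user consent again.", ex);
        }
        return all;
    }
}
```

Calling ScopesAllowListingMembers with the question's scopes ("User.Read.All Calendars.Read") returns false, which matches why the request in the question is denied.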
