Reputation: 958
I work on a task that should invite users and add them to my Azure Active Directory list. Before being able to access my app, the invited user should verify through email. This is the code I use:
```csharp
// Requires: using Microsoft.Graph; using Microsoft.Graph.Auth; using Microsoft.Identity.Client;

// App-only (client credentials) authentication: no signed-in user is involved.
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(_config["AzureAd:ClientId"])
    .WithTenantId(_config["AzureAd:TenantId"])
    .WithClientSecret(_config["AzureAd:ClientSecret"])
    .Build();

ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
GraphServiceClient graphClient = new GraphServiceClient(authProvider);

var invitation = new Invitation
{
    InvitedUserEmailAddress = "[email protected]",
    InviteRedirectUrl = "https://url.com/",
    SendInvitationMessage = true
};

// Creates the invitation through Microsoft Graph.
await graphClient.Invitations
    .Request()
    .AddAsync(invitation);
```
I found this snippet somewhere on the internet and judging by the comments, it seems to work. However, when I run my app and call this functionality, I get an error that says
Code: Unauthorized Message: Insufficient privileges to perform requested operation by the application '00000003-0000-0000-c000-000000000000'. ControllerName=MSGraphInviteAPI, ActionName=CreateInvite, URL absolute path=/...
In API permissions, I have a User.Invite.All permission under Microsoft Graph. Besides this I have User.Read as well, but I don't think it's relevant for this at the moment. Have any of you stumbled upon an error like this and managed to successfully solve it? If so, would you be so kind as to share the solution?
Upvotes: 0
Views: 3727
Reputation: 11315
You are using the client_credentials flow, which means it is not a user who is performing this task, but rather service credentials. You would need to provide Application permissions, rather than what you have set: Delegated permissions.
If you don't see Application Permissions, it's because you created an Azure AD B2C Application Registration. Rather, create the App Reg with the first option, Accounts in this organizational directory only (Contoso only - Single tenant).
These are the docs you need:
This is the correct method for AAD and AAD B2C tenant today.
Upvotes: 1
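One way to confirm the diagnosis in the answer above, as an added example that is not part of the original posts: an app-only token issued by the client credentials flow carries application permissions in its `roles` claim, so decoding the token shows whether User.Invite.All was actually granted as an Application permission. The helper names (`MakeToken`, `B64Url`, `DecodePayload`, `Diagnose`) and both sample payloads are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

// Constructed sample payloads (not real tokens). A real token would come from MSAL.NET:
//   (await confidentialClientApplication.AcquireTokenForClient(
//       new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync()).AccessToken
string delegatedOnlyApp = MakeToken("{\"aud\":\"https://graph.microsoft.com\",\"appid\":\"<client-id>\"}");
string appPermissionApp = MakeToken(
    "{\"aud\":\"https://graph.microsoft.com\",\"appid\":\"<client-id>\",\"roles\":[\"User.Invite.All\"]}");

Console.WriteLine(Diagnose(delegatedOnlyApp, "User.Invite.All")); // Missing: ...
Console.WriteLine(Diagnose(appPermissionApp, "User.Invite.All")); // OK: ...

// Hypothetical helper: builds an unsigned, JWT-shaped string for this demo only.
static string MakeToken(string payloadJson) =>
    B64Url("{\"alg\":\"none\"}") + "." + B64Url(payloadJson) + ".constructed-signature";

static string B64Url(string s) =>
    Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

// Hypothetical helper: decodes the claims for troubleshooting. It does NOT validate
// the signature, so never use it to make an authorization decision.
static JsonElement DecodePayload(string jwt)
{
    string[] parts = jwt.Split('.');
    if (parts.Length != 3) throw new FormatException("Expected three dot-separated segments.");
    string b64 = parts[1].Replace('-', '+').Replace('_', '/');
    b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
    using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    return doc.RootElement.Clone();
}

static string Diagnose(string jwt, string required)
{
    JsonElement claims = DecodePayload(jwt);
    bool inRoles = claims.TryGetProperty("roles", out JsonElement roles)
        && roles.ValueKind == JsonValueKind.Array
        && roles.EnumerateArray().Any(r => r.ValueKind == JsonValueKind.String && r.GetString() == required);
    if (inRoles) return "OK: '" + required + "' is present as an application permission (roles claim).";
    if (claims.TryGetProperty("scp", out _))
        return "Delegated token (scp claim): not what the client credentials flow issues.";
    return "Missing: no roles claim with '" + required
        + "'. Add it as an Application permission and grant admin consent.";
}
```

After changing the permission type in the portal, acquire a fresh token before re-checking, since a cached token still reflects the old grants.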