prinkpan

Reputation: 2245

Logic app managed identity with Microsoft Graph API gives error "Insufficient privileges to complete the operation"

I want to call Microsoft Graph API from my logic app using managed identity but am getting the error

Insufficient privileges to complete the operation.

I have taken all the required steps mentioned in this document: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-app?tabs=azure-powershell

I am sure I am using the correct permissions because the same thing works when I use an app registration secret and OAuth.

Kindly answer the following two questions:

  1. Please let me know if I am missing anything.
  2. Is there a way I can verify the auto-generated token?

Here is the screenshot of the managed identity setting in my logic app: [screenshot]

Here is the screenshot of the permissions in the service principal created by the PowerShell script: [screenshot]

Here is how I am using it in the logic app: [screenshot]

Update:

Using the GUID for MS Graph, 00000003-0000-0000-c000-000000000000, as the Audience value in the logic app makes it work as expected. Which is strange!

Upvotes: 0

Views: 1685

Answers (1)

Kartik Bhiwapurkar

Reputation: 5159

Thank you @Priyank Panchal for the solution that worked for you, which you mentioned in your comment. I am reposting the same solution with more elaboration so that other SO community members might benefit from it.

When you want to call the Microsoft Graph API from a logic app with system-assigned managed identity enabled, you must grant the following permissions to the system managed identity, which is created as an enterprise application in your tenant's Azure AD. Also, to grant specific Microsoft Graph API permissions to this enterprise application of the system managed identity, you first have to ensure that you have the privilege of assigning roles to any identity created in your tenant/directory.

• To get the privilege of assigning role-based control to any identity, you should have the built-in Azure AD role of 'Privileged Role Administrator', as it has the permissions 'microsoft.directory/roleAssignments/allProperties/allTasks' and 'microsoft.directory/roleDefinitions/allProperties/allTasks', which authorize it to assign the required roles to any identity in that tenant.

The following are the permissions that the managed identity's enterprise application needs to be assigned on the Microsoft Graph API for the above purpose:

You will need to assign application permissions on the Microsoft Graph API, because the MS Graph API, being an orchestrator application, will execute the trigger-based tasks defined in the logic app workflow using the privileges acquired through the permissions assigned to the managed identity's enterprise application. Thus, the permissions required are only 'Application.ReadWrite.All, Directory.Read.All, User.Read.All, Policy.Read.All' to carry out the tasks through the logic app created.

• Once the logic app and its workflow are created successfully with the configuration shown below, change the audience for Microsoft Graph to '00000003-0000-0000-c000-000000000000' in the 'Authentication' section, as this is the required value to be entered there. Hence, when the configuration required for the logic app is set up as stated until now, the logic app workflow will work as expected.

Logic app trigger configuration

Upvotes: 1
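The two steps the answer describes (granting Microsoft Graph application permissions to the managed identity's service principal, and checking the token the identity ends up with, which is what the question's second point asks about) can be done from PowerShell. The script below is an added example and is not code from the question, the answer or the linked Microsoft document; it uses the Microsoft Graph PowerShell SDK rather than the AzureAD module the linked document uses. The logic app name `my-graph-logic-app` is hypothetical (a system-assigned identity's service principal carries the logic app's display name), and `$token` is assumed to have been obtained separately for the same identity, since the logic app does not expose the token it acquires. The GUID `00000003-0000-0000-c000-000000000000` is the well-known application ID of the Microsoft Graph service principal, which is why it is accepted as an audience.

```powershell
# Added example, not from the question or answer above. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the caller holds a directory role allowed to grant
# app roles (e.g. Privileged Role Administrator). Names marked hypothetical are not
# from the original page.
#Requires -Modules Microsoft.Graph.Applications

$GraphAppId    = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph application ID
$LogicAppName  = 'my-graph-logic-app'                      # hypothetical logic app / managed identity name
$RequiredRoles = @('Application.ReadWrite.All', 'Directory.Read.All', 'User.Read.All', 'Policy.Read.All')

function Grant-GraphAppRolesToManagedIdentity {
    param(
        [Parameter(Mandatory)] [string]   $ManagedIdentityName,
        [Parameter(Mandatory)] [string[]] $RoleValues
    )
    Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All' | Out-Null

    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $miSp    = Get-MgServicePrincipal -Filter "displayName eq '$ManagedIdentityName'"
    if (-not $miSp) { throw "No service principal named '$ManagedIdentityName'; is the system-assigned identity enabled?" }

    # Existing assignments, so the function is safe to re-run.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id

    foreach ($value in $RoleValues) {
        # A managed identity has no signed-in user, so only *application* permissions
        # (AllowedMemberTypes contains 'Application') can be granted to it.
        $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $value -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $role) { throw "Microsoft Graph exposes no application permission named '$value'" }

        if ($existing | Where-Object { $_.AppRoleId -eq $role.Id }) {
            Write-Host "already granted: $value"
            continue
        }
        # PrincipalId = the identity receiving the role, ResourceId = the API that defines it.
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id -PrincipalId $miSp.Id `
            -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
        Write-Host "granted: $value"
    }
}

# Decode a JWT payload WITHOUT verifying the signature: enough to inspect the
# 'aud' and 'roles' claims, not a substitute for validation by the API.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)] [string] $Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'not a compact JWT' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-GraphAppToken {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [string[]] $ExpectedRoles = $RequiredRoles
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    # Both forms identify the Graph resource; the token's 'aud' is whichever was requested.
    $audOk   = $claims.aud -in @($GraphAppId, 'https://graph.microsoft.com')
    # App-only tokens carry granted application permissions in 'roles';
    # delegated (user) tokens carry scopes in 'scp' instead.
    $missing = $ExpectedRoles | Where-Object { $_ -notin @($claims.roles) }
    [pscustomobject]@{
        Audience     = $claims.aud
        AudienceOk   = $audOk
        Roles        = @($claims.roles)
        MissingRoles = @($missing)
        IsAppOnly    = -not $claims.PSObject.Properties['scp']
    }
}

Grant-GraphAppRolesToManagedIdentity -ManagedIdentityName $LogicAppName -RoleValues $RequiredRoles
# $token = ...   # assumed: a token acquired for the same identity, e.g. from IMDS on a VM that shares it
# Test-GraphAppToken -Token $token | Format-List
```

Two practical points: a newly created app role assignment can take a few minutes to show up in freshly issued tokens, so a token acquired immediately after `Grant-GraphAppRolesToManagedIdentity` may still lack the role and produce the same "Insufficient privileges" error; and `Test-GraphAppToken` only reads claims, so an empty `Roles` list with a non-empty `scp` means a delegated token was issued where an app-only one was expected.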
