Reputation: 1
We are configuring an Azure app registration through a service account and believe that we have the correct permissions for the service account, yet when the logic app is run an error is thrown when pulling groups from O365 for not having the correct permissions.
enterprise service account access
error within the logic app designer
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
These are the current app registration API permissions we have, and all are consented by the administrator.
We have also ensured that this service account has:
- app registration owner role
- administrator roles
- subscription owner
- the only conditional access policy is no logons after 8pm, which we believe shouldn't have affected this
Upvotes: 0
Views: 1753
Reputation: 15484
The "Insufficient privileges to complete the operation" error occurs if the token doesn't have the required permissions to perform the action.
I created an Azure AD Application and granted API permissions like below:
I generated access token via Postman like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
When I tried to fetch the groups, I was able to do it successfully like below:
Azure App Registration Not giving New Refresh Token or Scope because of Permission Error
To get the refresh token, make sure to grant the offline_access API permission like below:
After assigning the API permission, refresh token got generated successfully like below:
If still the issue persists, check the below:
Reference:
Getting a bearer token from AAD using Logic Apps
Upvotes: 0
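As an added illustration (not the answerer's code): the same token exchange the answer shows in Postman, plus a check of which Graph permissions the returned access token actually carries, since a token missing the needed permission is what produces Authorization_RequestDenied. The tenant, client and code values are placeholders, and Group.Read.All is assumed here to be the permission the group call needs; the sample tokens are constructed locally and never verified, so this is a diagnostic aid only.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant, client_id, client_secret, code, redirect_uri):
    """Return (url, form body) for the authorization_code exchange from the answer.
    scope .default requests every Graph permission consented on the app registration;
    offline_access must be consented too for a refresh token to be issued."""
    form = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "scope": "https://graph.microsoft.com/.default",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_secret": client_secret,
    }
    return TOKEN_URL.format(tenant=tenant), urlencode(form)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise the checks below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying it (inspection only, like jwt.ms)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_graph_permissions(claims: dict, required) -> list:
    """Permissions in `required` the token lacks. Delegated permissions appear in the
    space-separated `scp` claim, application permissions in the `roles` list."""
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    return sorted(p for p in required if p not in granted)


if __name__ == "__main__":
    token = make_sample_token({"scp": "User.Read"})  # constructed: consent never granted
    print(missing_graph_permissions(jwt_claims(token), ["Group.Read.All"]))
```

Paste the real access token into jwt.ms (or jwt_claims above) and look at scp/roles; if the group permission is absent there, the token, not the Logic App, is what needs fixing.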