"Insufficient privileges to complete the operation" while using Graph API

Anonymous
2020-12-14T17:46:54.273+00:00

The access token I get from the following curl request
curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
does not have the permission to list or create user.

Request:
GET /v1.0/users HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub......

Response
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-12-14T17:27:10",
"request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce",
"client-request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce"
}
}
}

Curl request I made was from App service. I have enabled managed identity, and also added it as contributor in access control from subscription.
What am I doing wrong?

My goal is to get an access token from an App-Service as shown above and use it to create a user in azure ad.
If there is any alternative way it will be good.

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
830 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,117 questions
{count} votes

9 answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,646 Reputation points
    2020-12-15T08:15:48.563+00:00

    Hi anonymous user · Thank you for reaching out.

    To add required permissions in the token, you need to first copy the Client ID (aka App ID) that you are using in your request to get the Access Token and then navigate to:

    Azure Portal > Azure Active Directory > App Registration > All Applications > Search with the ClientID/AppID copied earlier.

    In that application Navigate to:

    Api Permissions > Add a permission > Microsoft Graph > Delegated permissions > Expand User > Select required permissions as shown below. Once the permissions are added, click on Grant Admin Consent for your_tenant button.

    48332-image.png

    Note: Delegated permissions are used when token is acquired under user context. If you are acquiring token under the context of Service Principal, you need to select Application permissions under Microsoft Graph while adding permissions.

    After adding the permissions, you need to request for a new token and make sure the token includes the required permissions by decoding it at https://jwt.ms or https://jwt.io

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    12 people found this answer helpful.

  2. Shiva Keshav Varma 411 Reputation points
    2020-12-14T17:54:34.713+00:00

    You don't have proper permission in your token like User.Read.All. Please put your token in https://jwt.ms and see if you have any permissions. Please make sure to add any permissions specified here.

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)

    2 people found this answer helpful.

  3. Sankar 11 Reputation points
    2022-06-29T12:02:54.467+00:00

    Hi Please add,

    UserAuthendicationMethod.Read.All
    UserAuthendicationMethod.ReadWrite.All

    I added the above API permission and I got the response.

    2 people found this answer helpful.

  4. Chu Xu 6 Reputation points
    2022-11-24T00:01:18.27+00:00

    I'm getting this dreaded error too when calling Get-AzADGroup. What microsoft.graph permission is necessary? I am so frustrated.
    I have had Application.Read.All, Directory.Read.All. What am I missing?

    1 person found this answer helpful.
    0 comments No comments

  5. Yogendra Kapoor 1 Reputation point
    2022-04-30T14:41:48.553+00:00

    @AmanpreetSingh-MSFT I have all the required permission in my app registeration but still it show me 403 when i try to create user through postman or java sdk.

    197931-screen-shot-2022-04-30-at-33939-pm.png

    The error message that i got is
    {
    "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
    "date": "2022-04-30T14:37:36",
    "request-id": "3d704d5d-4243-467c-9da8-a34aa0c85acb",
    "client-request-id": "3d704d5d-4243-467c-9da8-a34aa0c85acb"
    }
    }
    }

    403 response status code.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.