"Insufficient privileges to complete the operation" while using Graph API

Anonymous

The access token I get from the following curl request
curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
does not have the permission to list or create user.

Request:
GET /v1.0/users HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub......

Response
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-12-14T17:27:10",
"request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce",
"client-request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce"
}
}
}

Curl request I made was from App service. I have enabled managed identity, and also added it as contributor in access control from subscription.
What am I doing wrong?

My goal is to get an access token from an App-Service as shown above and use it to create a user in azure ad.
If there is any alternative way it will be good.

Shiva Keshav Varma 401 Reputation points

2020-12-14T17:51:47.807+00:00

You don't have proper permission in your token like User.Read.All. Please put your token in https://jwt.ms and see if you have any permissions.
Anonymous

2020-12-15T06:50:47.313+00:00

Yes, my token doesn't have the permission so what can I do to add scope or permissions while granting a access_token.
Ram Fattah 1 Reputation point

2022-12-20T04:36:19.067+00:00

Thanks for this tip @Shiva Keshav Varma
Hugo BERNERON 20 Reputation points

2023-06-22T09:20:30.6666667+00:00

Hello, I have the same error : "resulted in a 403 Forbidden response: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."" when I want to update a user with the request "PATCH https://graph.microsoft.com/v1.0/users/{userId}".

Whereas I have this rights in my application "OAUTH_SCOPES='openid profile offline_access User.Read.All User.ReadWrite.All Directory.Read.All Directory.ReadWrite.All User.ManageIdentities.All'".

My others request like "GET https://graph.microsoft.com/v1.0/me?$select=displayName,mail,mailboxSettings/userPrincipalName" work correctly and I can connect to my app with this, so the error is not from the OAUTH_APP_ID or OAUTH_APP_SECRET in my .env.

Can you help me please ?
Harris K 41 Reputation points

2023-10-22T10:56:22.79+00:00

I've managed to fix this issue by adding a "User administrator" assignment to my app.

Head over to Microsoft Entra ID> Roles and administrators > Click on 'User administrator' > click on '+ Add assignment' to add your app registration (searching by either name or ID).
Ger Groot 0 Reputation points

2024-03-27T12:58:22.9333333+00:00

Thanks Harris, this seems to be the solution
Rav Panchalingam 0 Reputation points

2024-05-16T04:29:36.67+00:00

make sure GroupMember.Read.All and User.Read.All are Application permissions (not delegated)

7 answers

Sagar Ambesange 0 Reputation points

2023-06-08T07:25:53.0333333+00:00

I have gone through the various queries related to this topic, and may be mine is a duplicate.

But I am kind of stuck with this now, kindly advice the solution to this.

I have been using the Application authorisation to get users [https://graph.microsoft.com/v1.0/me] via graph API in postman.
For this I have followed the comments and decoded the access token from https://jwt.ms

I am seeing roles as in attached image in the decoded token:

Kindly suggest, what needs to be done to fix this.
Please sign in to rate this answer.
Hugo BERNERON 20 Reputation points

2023-06-22T09:19:12.14+00:00

Hello, I have the same error : "resulted in a 403 Forbidden response: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."" when I want to update a user with the request "PATCH https://graph.microsoft.com/v1.0/users/{userId}".

Whereas I have this rights in my application "OAUTH_SCOPES='openid profile offline_access User.Read.All User.ReadWrite.All Directory.Read.All Directory.ReadWrite.All User.ManageIdentities.All'".

My others request like "GET https://graph.microsoft.com/v1.0/me?$select=displayName,mail,mailboxSettings/userPrincipalName" work correctly and I can connect to my app with this, so the error is not from the OAUTH_APP_ID or OAUTH_APP_SECRET in my .env.

Can you help me please ?
Sign in to comment
Mieszko Bugajski 0 Reputation points

2023-01-20T12:14:01.8533333+00:00
In the beginning thanks for previous posts it gave a lot of inspiration according topic. Problem occurred in our case at automated bicep mechanism that is supposed to add API permissions for Microsoft Graph.

Error: Authorization_RequestDenied

Solution:

We needed to give Enterprise Application running mechanism Microsoft Graph (not Azure Active Directory Graph it will be deprecated) Application permissions:

Application.ReadWrite.All

AppRoleAssignment.ReadWrite.All

Directory.ReadWrite.All
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Chu Xu 6 Reputation points

2022-11-24T00:01:18.27+00:00

I'm getting this dreaded error too when calling Get-AzADGroup. What microsoft.graph permission is necessary? I am so frustrated.
I have had Application.Read.All, Directory.Read.All. What am I missing?
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment
Sankar 11 Reputation points

2022-06-29T12:02:54.467+00:00

Hi Please add,

UserAuthendicationMethod.Read.All
UserAuthendicationMethod.ReadWrite.All

I added the above API permission and I got the response.
Please sign in to rate this answer.

2 people found this answer helpful.
Amar Agnihotri 916 Reputation points

2022-08-03T08:00:46+00:00

Thanks @Sankar

Anonymous

2022-09-06T15:13:39.137+00:00

I added all possible permissions but it didn't work for me. Is there a solution to this problem? ![238313-%D0%B7%D0%BD%D1%96%D0%BC%D0%BE%D0%BA-%D0%B5%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2022-09-06-%D0%BE-180654.png][1]![238314-%D0%B7%D0%BD%D1%96%D0%BC%D0%BE%D0%BA-%D0%B5%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2022-09-06-%D0%BE-180639.png][2]![238321-%D0%B7%D0%BD%D1%96%D0%BC%D0%BE%D0%BA-%D0%B5%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2022-09-06-%D0%BE-180757.png][3] [1]: /api/attachments/238313-знімок-екрана-2022-09-06-о-180654.png?platform=QnA [2]: /api/attachments/238314-знімок-екрана-2022-09-06-о-180639.png?platform=QnA [3]: /api/attachments/238321-знімок-екрана-2022-09-06-о-180757.png?platform=QnA
Sign in to comment
Yogendra Kapoor 1 Reputation point

2022-04-30T14:41:48.553+00:00

@AmanpreetSingh-MSFT I have all the required permission in my app registeration but still it show me 403 when i try to create user through postman or java sdk.

The error message that i got is
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2022-04-30T14:37:36",
"request-id": "3d704d5d-4243-467c-9da8-a34aa0c85acb",
"client-request-id": "3d704d5d-4243-467c-9da8-a34aa0c85acb"
}
}
}

403 response status code.
Please sign in to rate this answer.
Anonymous

2022-06-02T13:55:57.277+00:00

How did you solve it after all? Are you able to create user?

Ismael Ibuan 136 Reputation points

2022-06-08T14:31:27.37+00:00

I'm having the same issue accessing Graph API. I have set all the privileges needed for the application but I keep getting insufficient privileges as a response.

Daniel Wachtel 1 Reputation point

2022-07-06T07:10:12.387+00:00

Me as well.
Did you manage to find the problem?

Todd Albers 1 Reputation point

2023-01-14T00:47:07.3533333+00:00

I am still getting this error also even though permissions granted like you have. It says to make sure it generates a new token. Not sure how to do that. But, I suspect that is the issue.

De La Cruz, Brendan 15 Reputation points

2023-09-14T19:50:28.05+00:00

Has anyone been able to find a solution for this? I have added all the permissions and I am still getting the same error. Not sure what else needs to be done.
Sign in to comment