Authorization_RequestDenied:Insufficient privileges to complete the operation.

Durjan Hussain 155

Hi there,

I am experiencing issues with Graph API permissions, even though I've granted all the necessary permissions and consents.

Interestingly,the same app works in some tenants and but not in others.

This is an old app that's why it's Windows Active Directory Permissions

Please see the screenshots.

@Tay Jorge

User's image

2 answers

CarlZhao-MSFT 38,356 Reputation points

2024-05-16T02:02:06.1733333+00:00

Hi @Durjan Hussain

Permissions for Azure AD Graph API cannot be applied to MS Graph API, you must grant the corresponding permissions for the calling app under MS Graph API.

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Please sign in to rate this answer.
durjan hussain 5 Reputation points

2024-05-16T08:03:12.5466667+00:00

Hi @CarIZhao-MFT,

It's been working for the last 4 years, and it also works for other tenants to which we applied admin consent years ago. Recently we granted admin consent to our tenant and then it broke.

Kind regards,

Durjan

CarlZhao-MSFT 38,356 Reputation points

2024-05-16T08:37:06.31+00:00

Hi @Durjan Hussain

Try decoding your access token using jwt.ms and share the screenshot.

Durjan Hussain 155 Reputation points

2024-05-16T09:59:46.03+00:00

Hi @CarlZhao-MSFT,

Here is the token decode screenshot.

Durjan Hussain 155 Reputation points

2024-05-16T10:02:02.4+00:00

Hi @CarlZhao-MSFT,

Here is the token decode screenshot.

CarlZhao-MSFT 38,356 Reputation points

2024-05-17T02:15:57.7666667+00:00

Hi @Durjan Hussain

Checking the token roles claim, you can see that the token is missing the permissions for the /getMemberGroups endpoint. Like I said in my answer, permissions for Azure AD Graph API cannot be applied to MS Graph API, you need to grant corresponding permissions under MS Graph API.

Durjan Hussain 155 Reputation points

2024-05-17T10:39:36.21+00:00

Hi @CarlZhao-MSFT,

I do understand, but how is it possible that this JWT token works when it was generated using a different tenant?

CarlZhao-MSFT 38,356 Reputation points

2024-05-17T10:47:59.1533333+00:00

The multi-tenant app may have corresponding permissions in other tenants. Go to the target tenant and see if it has the corresponding permissions under MS Graph API.

Durjan Hussain 155 Reputation points

2024-05-17T10:51:33.0466667+00:00

Hi @CarlZhao-MSFT,

All same permissions as you can see from the screenshots.

Thanks

Durjan Hussain 155 Reputation points

2024-05-20T15:44:18.45+00:00

Hi @CarlZhao-MSFT,

It was "wids" value which you can see above in both JTW tokens are different.

Assigning a "Directory Reader" role to the app resolve the issue.

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#directory-readers

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/manage-roles-portal#assign-a-role

It's all been sorted now.

Thank you very much for you help.
Sign in to comment
Durjan Hussain 155 Reputation points

2024-05-21T08:03:45.2666667+00:00

Hi @CarlZhao-MSFT,

It was "wids" value which you can see above in both JTW tokens are different.

Assigning a "Directory Reader" role to the app resolve the issue.

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#directory-readers

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/manage-roles-portal#assign-a-role

It's all been sorted now.

Thank you very much for you help.
Please sign in to rate this answer.
CarlZhao-MSFT 38,356 Reputation points

2024-05-21T08:23:00.9266667+00:00

Hi @Durjan Hussain

Glad to know your issue has been resolved. It looks like the "Directory Reader" role is the key to fixing the error :)
Sign in to comment

Share via

Authorization_RequestDenied:Insufficient privileges to complete the operation.

2 answers