Programatically resetting redemption status for external access from within a logic app HTTP action

Question

Programatically resetting redemption status for external access from within a logic app HTTP action

Kumara Raghuramaiah-JHG 60

Hi Team, We are trying resetting redemption status for external access as per https://learn.microsoft.com/en-us/entra/external-id/reset-redemption-status#use-microsoft-graph-api-to-reset-redemption-status. We have an issue with the App ********-8ff9a not having access for resetRedemption. App does have User.Invite.All role set. Normal Invite via graphAPI works fine, the issue is just with reset-redemption. Microsoft documentation doesn't clearly specify if Application level permissions should work for reset redemption.

URI -

https://graph.microsoft.com/v1.0/invitations

{
  "error": {
    "code": "Unauthorized",
    "message": "Insufficient privileges to perform requested operation by the application '00000003-0000-0000-c000-000000000000'. ControllerName=MSGraphInviteAPI, ActionName=CreateInvite, URL absolute path=/api/****e719/invites",
    "innerError": {
      "request-id": "37325c19-cb09-43f4-80fb-891b8e8d74b8",
      "date": "2026-04-23T05:49:10",
      "client-request-id": "****74b8"
    }
  }
}

Kumara Raghuramaiah-JHG 60

I am using HTTP action and ActiveDirectoryOAuth authentication via LogicApp,

{
  "type": "Http",
  "inputs": {
    "uri": "@{concat(variables('constants')['graph_endpoint'], '/v1.0/invitations')}",
    "method": "POST",
    "headers": {
      "Content-Type": "application/json"
    },
    "body": {
      "inviteRedirectUrl": "@{triggerBody()['AppUrl']}",
      "invitedUserEmailAddress": "@{triggerBody()['Email']}",
      "sendInvitationMessage": "@not(equals(body('Get_invite_status')?['value']?[0]?['externalUserState'], 'Accepted'))",
      "invitedUserMessageInfo": {
        "messageLanguage": "en-AU",
        "customizedMessageBody": "@{triggerBody()?['Message']}"
      },
      "invitedUser": {
        "id": "@{triggerBody()?['UserId']}"
      },
      "resetRedemption": true
    },
    "authentication": {
      "type": "ActiveDirectoryOAuth",
       "tenant": "****ce719",
      "audience": "https://graph.microsoft.com",
      "clientId": "@body('Get_Client_Id')?['value']",
      "secret": "@body('Get_Client_Secret')?['value']"
    }
  },
  "runAfter": {
    "Get_invite_status": [
      "Succeeded"
    ]
  }
}

Rukmini 40,485 Reputation points Microsoft External Staff Moderator

2026-04-24T05:35:17.9466667+00:00

Hello Kumara Raghuramaiah-JHG

Can you please grant User.ReadWrite.All along with User.Invite.All API permission to the Microsoft Entra ID application and regenerate the access token and call the API?
Rukmini 40,485 Reputation points Microsoft External Staff Moderator

2026-04-27T04:16:36.2766667+00:00

Hello Kumara Raghuramaiah-JHG

Following up to see if the above provided information was helpful. If you have any further queries do let us know.

Otherwise we can connect offline!

Answer accepted by question author

0 additional answers

Your answer

Kumara Raghuramaiah-JHG 60 Reputation points

2026-04-24T05:33:37.5133333+00:00

I am using HTTP action and ActiveDirectoryOAuth authentication via LogicApp,

{ "type": "Http", "inputs": { "uri": "@{concat(variables('constants')['graph_endpoint'], '/v1.0/invitations')}", "method": "POST", "headers": { "Content-Type": "application/json" }, "body": { "inviteRedirectUrl": "@{triggerBody()['AppUrl']}", "invitedUserEmailAddress": "@{triggerBody()['Email']}", "sendInvitationMessage": "@not(equals(body('Get_invite_status')?['value']?[0]?['externalUserState'], 'Accepted'))", "invitedUserMessageInfo": { "messageLanguage": "en-AU", "customizedMessageBody": "@{triggerBody()?['Message']}" }, "invitedUser": { "id": "@{triggerBody()?['UserId']}" }, "resetRedemption": true }, "authentication": { "type": "ActiveDirectoryOAuth", "tenant": "****ce719", "audience": "https://graph.microsoft.com", "clientId": "@body('Get_Client_Id')?['value']", "secret": "@body('Get_Client_Secret')?['value']" } }, "runAfter": { "Get_invite_status": [ "Succeeded" ] } }
Rukmini 40,485 Reputation points Microsoft External Staff Moderator

2026-04-24T05:35:17.9466667+00:00

Hello Kumara Raghuramaiah-JHG

Can you please grant User.ReadWrite.All along with User.Invite.All API permission to the Microsoft Entra ID application and regenerate the access token and call the API?
Rukmini 40,485 Reputation points Microsoft External Staff Moderator

2026-04-27T04:16:36.2766667+00:00

Hello Kumara Raghuramaiah-JHG

Following up to see if the above provided information was helpful. If you have any further queries do let us know.

Otherwise we can connect offline!

Answer 1

Rukmini 40,485 Microsoft External Staff Moderator

Hello Kumara Raghuramaiah-JHG

Can you please share the details on how you are generating the token and also can you decode the token in jwt.ms and share the screenshot?

Based on this Microsoft Document, For app-only calls, the redemption status can't be reset if there are any roles assigned to the target user account.

Hence, grant User.ReadWrite.All along with User.Invite.All API permission to the Microsoft Entra ID application and regenerate the access token and call the API
And the call fails if if there are any roles assigned to the target user account.

Let me know if any further queries - feel free to reach out!

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Kumara Raghuramaiah-JHG 60 Reputation points

2026-04-27T04:56:06.1133333+00:00

Hello Rukmini, User.ReadWrite.All seems to be working fine. Thanks
Rukmini 40,485 Reputation points Microsoft External Staff Moderator

2026-04-28T01:50:26.39+00:00

Hello Kumara Raghuramaiah-JHG If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Programatically resetting redemption status for external access from within a logic app HTTP action

0 additional answers

Your answer