This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 31%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Hello, I have created App on Azure and added to my app one user. I added required permissions. For me all api requests work well, but for other user don't work. I log in with that user and make request. Request:
GET /v1.0/users HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub...... { "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": { "date": "2021-03-01T09:04:03", "request-id": "d062cc41-7e91-4e50-a71b-c206f4346fb6", "client-request-id": "d062cc41-7e91-4e50-a71b-c206f4346fb6" } } }
This is decoded token: "scp": "Calendars.ReadWrite Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All OnlineMeetings.Read OnlineMeetings.ReadWrite User.Read User.Read.All User.ReadBasic.All User.ReadWrite.All profile openid email"
POST https://graph.microsoft.com/v1.0/me/events
{"error":{"code":"NoPermissionsInAccessToken","message":"The token contains no permissions, or permissions can not be
understood.","innerError":{"oAuthEventOperationId":"9f590106-a3c2-47d0-8e70-d79196213d4a","oAuthEventcV":"HKqZWfjNykC7JrgpoVj3iw.1.1.1","errorUrl":"https://aka.ms/autherrors#error-InvalidGrant","requestId":"4081c9ec-9d4e-492b-9034-f408dcaf908f","date":"2021-03-01T09:26:29"}}}
Which endpoint are you calling and did you consent to said permissions as admin (most of them require admin consent). You also seem to be using the EWS impersonate permissions, is your app based on the Graph API or EWS?
My app based on the Graph API. Permissions are consented.
I added user using POST https://graph.microsoft.com/v1.0/invitations
It seems that there are constraints for guest user. So then I have created user via POST https://graph.microsoft.com/v1.0/users, for this user works fine.
So how to give guest user all required permissions?
Guests indeed have limited permissions as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions#compare-member-and-guest-default-permissions
And here on how to change the permissions: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions
Thank you, I have changed permission on https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions , then it works fine!)
It works for create, get, delete USER. But still doesn't work for api GET, POST https://graph.microsoft.com/v1.0/me/calendar/events
Response:
{"error":{"code":"NoPermissionsInAccessToken","message":"The token contains no permissions, or permissions can not be
understood.","innerError":{"oAuthEventOperationId":"24644fd6-b13a-4707-aeb9-c5be029af47c","oAuthEventcV":"CqeSMPwQw0Gth7U1tBxI5w.1.1.1","errorUrl":"https://aka.ms/autherrors#error-InvalidGrant","requestId":"83383f44-dfee-41f6-a2e3-1e0282b0151a","date":"2021-03-02T11:35:14"}}}