"Insufficient privileges to complete the operation" while using Graph API

Anonymous

The access token I get from the following curl request
curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
does not have the permission to list or create user.

Request:
GET /v1.0/users HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub......

Response
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-12-14T17:27:10",
"request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce",
"client-request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce"
}
}
}

Curl request I made was from App service. I have enabled managed identity, and also added it as contributor in access control from subscription.
What am I doing wrong?

My goal is to get an access token from an App-Service as shown above and use it to create a user in azure ad.
If there is any alternative way it will be good.

Shiva Keshav Varma 411 Reputation points

2020-12-14T17:51:47.807+00:00

You don't have proper permission in your token like User.Read.All. Please put your token in https://jwt.ms and see if you have any permissions.
Anonymous

2020-12-15T06:50:47.313+00:00

Yes, my token doesn't have the permission so what can I do to add scope or permissions while granting a access_token.
Ram Fattah 1 Reputation point

2022-12-20T04:36:19.067+00:00

Thanks for this tip @Shiva Keshav Varma
Hugo BERNERON 20 Reputation points

2023-06-22T09:20:30.6666667+00:00

Hello, I have the same error : "resulted in a 403 Forbidden response: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."" when I want to update a user with the request "PATCH https://graph.microsoft.com/v1.0/users/{userId}".

Whereas I have this rights in my application "OAUTH_SCOPES='openid profile offline_access User.Read.All User.ReadWrite.All Directory.Read.All Directory.ReadWrite.All User.ManageIdentities.All'".

My others request like "GET https://graph.microsoft.com/v1.0/me?$select=displayName,mail,mailboxSettings/userPrincipalName" work correctly and I can connect to my app with this, so the error is not from the OAUTH_APP_ID or OAUTH_APP_SECRET in my .env.

Can you help me please ?
Harris K 46 Reputation points

2023-10-22T10:56:22.79+00:00

I've managed to fix this issue by adding a "User administrator" assignment to my app.

Head over to Microsoft Entra ID> Roles and administrators > Click on 'User administrator' > click on '+ Add assignment' to add your app registration (searching by either name or ID).
Ger Groot 0 Reputation points

2024-03-27T12:58:22.9333333+00:00

Thanks Harris, this seems to be the solution
Rav Panchalingam 0 Reputation points

2024-05-16T04:29:36.67+00:00

make sure GroupMember.Read.All and User.Read.All are Application permissions (not delegated)
Ayoub Salhi 0 Reputation points

2024-08-06T14:58:47.4+00:00

Harris, you deserve a medal! I spent 2 days trying to figure out.

9 answers

AmanpreetSingh-MSFT 56,646 Reputation points

2020-12-15T08:15:48.563+00:00

Hi anonymous user · Thank you for reaching out.

To add required permissions in the token, you need to first copy the Client ID (aka App ID) that you are using in your request to get the Access Token and then navigate to:

Azure Portal > Azure Active Directory > App Registration > All Applications > Search with the ClientID/AppID copied earlier.

In that application Navigate to:

Api Permissions > Add a permission > Microsoft Graph > Delegated permissions > Expand User > Select required permissions as shown below. Once the permissions are added, click on Grant Admin Consent for your_tenant button.

Note: Delegated permissions are used when token is acquired under user context. If you are acquiring token under the context of Service Principal, you need to select Application permissions under Microsoft Graph while adding permissions.

After adding the permissions, you need to request for a new token and make sure the token includes the required permissions by decoding it at https://jwt.ms or https://jwt.io

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

12 people found this answer helpful.
Anonymous

2020-12-15T11:48:25.47+00:00

I can't see my App service ClientId in all applications.

AmanpreetSingh-MSFT 56,646 Reputation points

2020-12-16T13:45:01.06+00:00

Hi anonymous user · To find the clientID, you need to check the request being sent to https://login.microsoftonline.com for authentication. Client ID is sent as a parameter in the request url as highlighted in below sample request:

https://login.microsoftonline.com/xxxxxx.onmicrosoft.com/oauth2/v2.0/authorize?**client_id=d736a5a0-xxxx-xxxx-xxxx-d192b45e4aa7**&response_type=code&redirect_uri=https://jwt.ms&state=1234&response_mode=query&scope=openid

Todd Albers 1 Reputation point

2023-01-14T00:29:09.8633333+00:00

This was very helpful.

But, I don't like the security concerns regarding the very last step.

After adding the permissions, you need to request for a new token and make sure the token includes the required permissions by decoding it at https://jwt.ms or https://jwt.io

Posting your secret token to one of these URLs just seems like a bad idea. You are giving away your token to these sites. What assurance is there that these are associated with Microsoft? What assurance is there that these sites aren't used to collect app tokens for malicious reasons? I recommend avoiding the very last step above without further clarification and verification. Even with that, it's still a bad idea. Keep your secret token secret.

Mit Out 0 Reputation points

2023-06-07T18:39:29.0633333+00:00

I got to Api Permissions > Add a permission > Microsoft Graph > Delegated permissions but I don't know what "Expand User" means. The phrase does not exist, nor is there any User link to expand. Under Openid permissions is only offline_access and openid appear.

Duncan Gates 0 Reputation points

2024-09-06T18:49:03.1233333+00:00

Last part here helped me, I had made client before granting permissions, order matters here apparently.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Shiva Keshav Varma 411 Reputation points

2020-12-14T17:54:34.713+00:00

You don't have proper permission in your token like User.Read.All. Please put your token in https://jwt.ms and see if you have any permissions. Please make sure to add any permissions specified here.

(If the reply was helpful please don't forget to upvote or accept as answer, thank you)
Please sign in to rate this answer.

2 people found this answer helpful.
Radhakrishna Guntur 1 Reputation point

2022-01-28T09:58:31.537+00:00

824c81eb-e3f8-4ee6-8f6d-de7f50d565b7
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Sankar 11 Reputation points

2022-06-29T12:02:54.467+00:00

Hi Please add,

UserAuthendicationMethod.Read.All
UserAuthendicationMethod.ReadWrite.All

I added the above API permission and I got the response.
Please sign in to rate this answer.

2 people found this answer helpful.
Amar Agnihotri 921 Reputation points

2022-08-03T08:00:46+00:00

Thanks @Sankar

Anonymous

2022-09-06T15:13:39.137+00:00

I added all possible permissions but it didn't work for me. Is there a solution to this problem? ![238313-%D0%B7%D0%BD%D1%96%D0%BC%D0%BE%D0%BA-%D0%B5%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2022-09-06-%D0%BE-180654.png][1]![238314-%D0%B7%D0%BD%D1%96%D0%BC%D0%BE%D0%BA-%D0%B5%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2022-09-06-%D0%BE-180639.png][2]![238321-%D0%B7%D0%BD%D1%96%D0%BC%D0%BE%D0%BA-%D0%B5%D0%BA%D1%80%D0%B0%D0%BD%D0%B0-2022-09-06-%D0%BE-180757.png][3] [1]: /api/attachments/238313-знімок-екрана-2022-09-06-о-180654.png?platform=QnA [2]: /api/attachments/238314-знімок-екрана-2022-09-06-о-180639.png?platform=QnA [3]: /api/attachments/238321-знімок-екрана-2022-09-06-о-180757.png?platform=QnA
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Chu Xu 6 Reputation points

2022-11-24T00:01:18.27+00:00

I'm getting this dreaded error too when calling Get-AzADGroup. What microsoft.graph permission is necessary? I am so frustrated.
I have had Application.Read.All, Directory.Read.All. What am I missing?
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Yogendra Kapoor 1 Reputation point

2022-04-30T14:41:48.553+00:00

@AmanpreetSingh-MSFT I have all the required permission in my app registeration but still it show me 403 when i try to create user through postman or java sdk.

The error message that i got is
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2022-04-30T14:37:36",
"request-id": "3d704d5d-4243-467c-9da8-a34aa0c85acb",
"client-request-id": "3d704d5d-4243-467c-9da8-a34aa0c85acb"
}
}
}

403 response status code.
Please sign in to rate this answer.
Anonymous

2022-06-02T13:55:57.277+00:00

How did you solve it after all? Are you able to create user?

Ismael Ibuan 136 Reputation points

2022-06-08T14:31:27.37+00:00

I'm having the same issue accessing Graph API. I have set all the privileges needed for the application but I keep getting insufficient privileges as a response.

Daniel Wachtel 1 Reputation point

2022-07-06T07:10:12.387+00:00

Me as well.
Did you manage to find the problem?

Todd Albers 1 Reputation point

2023-01-14T00:47:07.3533333+00:00

I am still getting this error also even though permissions granted like you have. It says to make sure it generates a new token. Not sure how to do that. But, I suspect that is the issue.

De La Cruz, Brendan 15 Reputation points

2023-09-14T19:50:28.05+00:00

Has anyone been able to find a solution for this? I have added all the permissions and I am still getting the same error. Not sure what else needs to be done.

sanjay 0 Reputation points

2024-07-09T07:32:20.5533333+00:00

Has anyone found a solution for this problem?

sanjay 0 Reputation points

2024-07-09T07:59:22.12+00:00

i found the solution

Regitze 0 Reputation points

2024-08-21T10:48:31.6233333+00:00

What was the solution?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.