"Insufficient privileges to complete the operation" while using Graph API

Anonymous

The access token I get from the following curl request
curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
does not have the permission to list or create user.

Request:
GET /v1.0/users HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub......

Response
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-12-14T17:27:10",
"request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce",
"client-request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce"
}
}
}

Curl request I made was from App service. I have enabled managed identity, and also added it as contributor in access control from subscription.
What am I doing wrong?

My goal is to get an access token from an App-Service as shown above and use it to create a user in azure ad.
If there is any alternative way it will be good.

Shiva Keshav Varma 411 Reputation points

2020-12-14T17:51:47.807+00:00

You don't have proper permission in your token like User.Read.All. Please put your token in https://jwt.ms and see if you have any permissions.
Anonymous

2020-12-15T06:50:47.313+00:00

Yes, my token doesn't have the permission so what can I do to add scope or permissions while granting a access_token.
Ram Fattah 1 Reputation point

2022-12-20T04:36:19.067+00:00

Thanks for this tip @Shiva Keshav Varma
Hugo BERNERON 20 Reputation points

2023-06-22T09:20:30.6666667+00:00

Hello, I have the same error : "resulted in a 403 Forbidden response: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."" when I want to update a user with the request "PATCH https://graph.microsoft.com/v1.0/users/{userId}".

Whereas I have this rights in my application "OAUTH_SCOPES='openid profile offline_access User.Read.All User.ReadWrite.All Directory.Read.All Directory.ReadWrite.All User.ManageIdentities.All'".

My others request like "GET https://graph.microsoft.com/v1.0/me?$select=displayName,mail,mailboxSettings/userPrincipalName" work correctly and I can connect to my app with this, so the error is not from the OAUTH_APP_ID or OAUTH_APP_SECRET in my .env.

Can you help me please ?
Harris K 46 Reputation points

2023-10-22T10:56:22.79+00:00

I've managed to fix this issue by adding a "User administrator" assignment to my app.

Head over to Microsoft Entra ID> Roles and administrators > Click on 'User administrator' > click on '+ Add assignment' to add your app registration (searching by either name or ID).
Ger Groot 0 Reputation points

2024-03-27T12:58:22.9333333+00:00

Thanks Harris, this seems to be the solution
Rav Panchalingam 0 Reputation points

2024-05-16T04:29:36.67+00:00

make sure GroupMember.Read.All and User.Read.All are Application permissions (not delegated)
Ayoub Salhi 0 Reputation points

2024-08-06T14:58:47.4+00:00

Harris, you deserve a medal! I spent 2 days trying to figure out.

9 answers

Mieszko Bugajski 0 Reputation points

2023-01-20T12:14:01.8533333+00:00
In the beginning thanks for previous posts it gave a lot of inspiration according topic. Problem occurred in our case at automated bicep mechanism that is supposed to add API permissions for Microsoft Graph.

Error: Authorization_RequestDenied

Solution:

We needed to give Enterprise Application running mechanism Microsoft Graph (not Azure Active Directory Graph it will be deprecated) Application permissions:

Application.ReadWrite.All

AppRoleAssignment.ReadWrite.All

Directory.ReadWrite.All
Please sign in to rate this answer.
Moitra, Suprateem 0 Reputation points

2024-06-06T15:54:59.83+00:00

Pls go to Entara ID ( Active Directory ) in Azure for your tenant. Under User and Adminstration, select App administrator, this will move the page to Role Assignments, either add you AD ID there or the SPN ID. if there is an SPN through which you are raising for the connection between ADO and Azure Tenant, then SPN should be added as application administrator. Also SPN should have the following API permissions User.ReadBasic.All, User.Read.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All, Application.ReadWrite.All Directory.AccessAsUser.All
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Sagar Ambesange 0 Reputation points

2023-06-08T07:25:53.0333333+00:00

I have gone through the various queries related to this topic, and may be mine is a duplicate.

But I am kind of stuck with this now, kindly advice the solution to this.

I have been using the Application authorisation to get users [https://graph.microsoft.com/v1.0/me] via graph API in postman.
For this I have followed the comments and decoded the access token from https://jwt.ms

I am seeing roles as in attached image in the decoded token:

Kindly suggest, what needs to be done to fix this.
Please sign in to rate this answer.
Hugo BERNERON 20 Reputation points

2023-06-22T09:19:12.14+00:00

Hello, I have the same error : "resulted in a 403 Forbidden response: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."" when I want to update a user with the request "PATCH https://graph.microsoft.com/v1.0/users/{userId}".

Whereas I have this rights in my application "OAUTH_SCOPES='openid profile offline_access User.Read.All User.ReadWrite.All Directory.Read.All Directory.ReadWrite.All User.ManageIdentities.All'".

My others request like "GET https://graph.microsoft.com/v1.0/me?$select=displayName,mail,mailboxSettings/userPrincipalName" work correctly and I can connect to my app with this, so the error is not from the OAUTH_APP_ID or OAUTH_APP_SECRET in my .env.

Can you help me please ?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Ezaldden 0 Reputation points

2024-08-04T13:59:45.8+00:00

If anyone still have problem, I solved it by going to the app registration -> api management -> Choose Microsoft Graph that appears in the top and select needed permissions. For me, User.Read wasn't enough and I have to add User.ReadAll
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Krunal Parmar 0 Reputation points

2024-08-26T10:24:35.64+00:00

Here is my code.
I've resolved the problem with upgrading the user password.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

"Insufficient privileges to complete the operation" while using Graph API

9 answers

Your answer