Getting "Application is not authorized to perform this operation" error but the application is authorized...

Haibert Barfian 0 Reputation points
2023-11-09T20:40:30.2366667+00:00

Hi there,

As you can see in the screenshot below, my application has all the permissions it needs to run the following code. I have logged into the customer Azure portal and confirmed that we do in fact have all permissions granted by an administrator.

Yet I keep getting the error
"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementServiceConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All"

I always use

https://graph.microsoft.com/.default offline_access

as my scope both when I get an authorization code and when I exchange it for an access token, and so on. Can anyone help with this?

// client: assumed to be a Microsoft Graph JavaScript SDK Client initialised with the delegated token
let response = await client
    .api('/deviceManagement/windowsAutopilotDeviceIdentities')
    .version('v1.0')
    .get()
    .catch((error) => {
        console.error(
            'Error getting device property keys from Intune',
            error.error_description
        )
        throw error
    })
Microsoft Security | Intune | Other
Microsoft Security | Microsoft Graph

2 answers

  1. Crystal-MSFT 53,991 Reputation points Microsoft External Staff
    2023-11-10T03:56:43.1433333+00:00

    @Haibert Barfian, Thanks for posting in Q&A. Based on the error message you are receiving, it seems that the application is missing one of the required scopes for the operation you are trying to perform. The error message specifically mentions that the application must have one of the following scopes: DeviceManagementServiceConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All.

    It appears that you are currently using the scope "https://graph.microsoft.com/.default offline_access" for both getting an authorization code and exchanging it for an access token. However, this scope does not include the required Device Management Service scopes mentioned in the error message.

    To resolve this issue, you should update your application's scope to include the required Device Management Service scopes. You can do this by adding the appropriate permissions in the Azure app registration portal, under your application's API permissions page.

    References:

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. CarlZhao-MSFT 46,376 Reputation points
    2023-11-10T06:25:10.8966667+00:00

    Hi @Haibert Barfian

    This depends on the authentication flow you are using. It looks like you are using a delegated authentication flow. The delegated authentication flow only supports delegated permissions, but you are granting application permissions to the calling app in the portal, so when you request the token using the .default scope, these application permissions will not be mapped to the user token.

    You can try granting delegated permissions to your app in the portal; then you will be able to request an access token containing the above permissions using the .default scope. Or put dynamic permissions in the scope and consent to them when interacting with the user, as you are doing now.
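To see for yourself why a portal grant does not show up in the token, here is an added diagnostic (not code from this thread or from the Graph SDK) that decodes a Graph access token and reports whether a required permission is present in the delegated scp claim or the application roles claim. It assumes Node.js 16+ for base64url support; the sample tokens are constructed and unsigned, and no signature verification is performed since this only reads claims for troubleshooting.

```javascript
// Added example: inspect which Graph permissions an access token really carries
// before calling /deviceManagement/windowsAutopilotDeviceIdentities.
// Delegated permissions arrive in the "scp" claim, application permissions in
// "roles". A token from a delegated (auth-code) flow never carries "roles", so
// application permissions granted in the portal do not satisfy the API check.
// Assumption: Node.js 16+ (Buffer 'base64url'). Claims are read, not verified.
const REQUIRED_SCOPES = [
  'DeviceManagementServiceConfiguration.Read.All',
  'DeviceManagementServiceConfig.Read.All',
  'DeviceManagementServiceConfiguration.ReadWrite.All',
  'DeviceManagementServiceConfig.ReadWrite.All',
];

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

function checkGraphToken(jwt, required = REQUIRED_SCOPES) {
  const claims = decodeJwtPayload(jwt);
  const scp = typeof claims.scp === 'string' ? claims.scp.split(' ') : [];
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  // Presence of "scp" marks a delegated (user) token; its absence an app-only token.
  const flow = claims.scp !== undefined ? 'delegated' : 'application';
  const granted = required.filter((p) => scp.includes(p) || roles.includes(p));
  return { flow, scp, roles, granted, satisfied: granted.length > 0 };
}

// Constructed, unsigned sample tokens for illustration only (alg "none").
function sampleToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(payload)}.`;
}

// The asker's situation: delegated flow with .default; the app permission was
// granted in the portal, but only delegated scopes (scp) end up in the token.
const DELEGATED_TOKEN = sampleToken({
  aud: 'https://graph.microsoft.com', scp: 'offline_access User.Read',
});
// Client-credentials flow: application permissions appear as app roles.
const APP_TOKEN = sampleToken({
  aud: 'https://graph.microsoft.com', roles: ['DeviceManagementServiceConfig.Read.All'],
});

console.log(checkGraphToken(DELEGATED_TOKEN)); // satisfied: false, flow: 'delegated'
console.log(checkGraphToken(APP_TOKEN));       // satisfied: true, flow: 'application'
```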

