Getting "Application is not authorized to perform this operation" error but the application is authorized...

Haibert Barfian 0 Reputation points
2023-11-09T20:40:30.2366667+00:00

Hi there,

As you can see in the screenshot below, my application has all the permissions it needs to run the following code. I have logged into the customer Azure portal and confirmed that we do in fact have all permissions granted by an administrator.

Yet I keep getting the error
"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementServiceConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All"

I always use

https://graph.microsoft.com/.default offline_access

as my scope both when I get an authorization code and when I exchange it for an access token and so on... can anyone help with this?

const { Client } = require('@microsoft/microsoft-graph-client')

// accessToken holds the token obtained by exchanging the authorization code
const client = Client.init({
    authProvider: (done) => done(null, accessToken)
})

// Read Autopilot device identities from Intune; requires one of the
// DeviceManagementServiceConfig* scopes listed in the error above
let response = await client
    .api('/deviceManagement/windowsAutopilotDeviceIdentities')
    .version('v1.0')
    .get()
    .catch((error) => {
        console.error(
            'Error getting device property keys from Intune',
            error.error_description
        )
        throw error
    })

3 answers

  1. Crystal-MSFT 50,591 Reputation points Microsoft Vendor
    2023-11-10T03:56:43.1433333+00:00

    @Haibert Barfian, Thanks for posting in Q&A. Based on the error message you are receiving, it seems that the application is missing one of the required scopes for the operation you are trying to perform. The error message specifically mentions that the application must have one of the following scopes: DeviceManagementServiceConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All.

    It appears that you are currently using the scope "https://graph.microsoft.com/.default offline_access" for both getting an authorization code and exchanging it for an access token. However, this scope does not include the required Device Management Service scopes mentioned in the error message.

    To resolve this issue, you should update your application's scope to include the required Device Management Service scopes. You can do this by adding the appropriate permissions in the Azure app registration portal, under your application's API permissions page.

    References:

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Haibert Barfian 0 Reputation points
    2023-11-10T05:06:39.5233333+00:00

    No, that did not help. As I've stated in my original post, my application already has all those permissions needed, and they are admin consent granted, so you can spare that answer as well.

    Strangely, what fixed the issue was changing my scope from https://graph.microsoft.com/.default offline_access to the exact permissions I need granted for my app. Like so:

    'DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All User.ReadWrite.All offline_access openid'
    

    In the documentation it says that using https://graph.microsoft.com/.default asks for all the permissions that you already have configured in your application set up in the Azure portal. I guess that is not true. Very weird.


  3. CarlZhao-MSFT 43,411 Reputation points
    2023-11-10T06:25:10.8966667+00:00

    Hi @Haibert Barfian

    This depends on the authentication flow you are using. It looks like you are using a delegated authentication flow; the delegated authentication flow only supports delegated permissions, but you are granting application permissions to the calling app in the portal, so when you request the token using the .default scope, these application permissions will not be mapped to the user token.

    You can try granting delegated permissions to your app in the portal, then you will be able to request an access token containing the above permissions using the .default scope. Or put dynamic permissions in the scope and consent to them when interacting with the user, as you are doing now.
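As an added diagnostic example (not code from this thread or from the Graph SDK), this Node.js snippet decodes a Graph access token's payload and reports whether the scopes named in the error are present in the delegated "scp" claim or the application "roles" claim, which makes the delegated-versus-application mismatch described above visible before the API call fails. The tokens are constructed samples with a fake signature, not real credentials.

```javascript
// Added example (not from the thread): inspect a Graph access token's permission
// claims before calling /deviceManagement/windowsAutopilotDeviceIdentities.
// Delegated tokens carry permissions in "scp" (space-separated string);
// application tokens carry them in "roles" (array). The error in the question
// lists the scopes of which at least one must appear in one of those claims.

const REQUIRED_ANY_OF = [
  'DeviceManagementServiceConfiguration.Read.All',
  'DeviceManagementServiceConfig.Read.All',
  'DeviceManagementServiceConfiguration.ReadWrite.All',
  'DeviceManagementServiceConfig.ReadWrite.All',
];

// Decode the JWT payload only; the signature is not verified here because this
// is a local diagnostic of what the token claims, not an authorization decision.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

function checkDeviceManagementScopes(jwt) {
  const claims = decodePayload(jwt);
  const delegated = typeof claims.scp === 'string' ? claims.scp.split(' ') : [];
  const application = Array.isArray(claims.roles) ? claims.roles : [];
  const granted = delegated.concat(application);
  const flow = delegated.length ? 'delegated' : application.length ? 'application' : 'none';
  return { flow, satisfied: REQUIRED_ANY_OF.some((s) => granted.includes(s)), granted };
}

// Constructed sample tokens (alg "none", literal "sig" as signature): never real credentials.
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

// What a delegated-flow .default token looks like when only application
// permissions were granted in the portal: no device management scopes in scp.
const defaultScopeToken = sampleToken({ aud: 'https://graph.microsoft.com', scp: 'User.Read offline_access' });
// After requesting the scopes explicitly (as in the original poster's fix).
const explicitScopeToken = sampleToken({ aud: 'https://graph.microsoft.com',
  scp: 'DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All offline_access openid' });
// Client-credentials (application) token: permissions arrive in roles instead.
const applicationToken = sampleToken({ aud: 'https://graph.microsoft.com',
  roles: ['DeviceManagementServiceConfig.Read.All'] });

for (const [name, tok] of Object.entries({ defaultScopeToken, explicitScopeToken, applicationToken })) {
  console.log(name, checkDeviceManagementScopes(tok));
}
```

Running it against the token your app actually receives (pasted in place of a sample) tells you in one line whether to fix the portal grant type or the requested scope string.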

