Getting "Application is not authorized to perform this operation" error but the application is authorized...

Question

Getting "Application is not authorized to perform this operation" error but the application is authorized...

Haibert Barfian 0

Hi there,

As you can see in the screenshot bellow, my application has all the permissions it need to run the following code. I have logged into the customer azure portal and confirmed that we do in fact have all permissions granted by an administrator.

Yet I keep getting error
"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementServiceConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All"

I always use

https://graph.microsoft.com/.default offline_access

as my scope for both when I get an authorization code, and when I exchange it for an accessToken and so on... can anyone help with this?

 let response = await client
            .api('/deviceManagement/windowsAutopilotDeviceIdentities')
            .version('v1.0')
            .get()
            .catch((error) => {
                console.error(
                    'Error getting device property keys from Intune',
                    error.error_description
                )
                throw error
            })

Answer 1

@Haibert Barfian, Thanks for posting in Q&A. Based on the error message you are receiving, it seems that the application is missing one of the required scopes for the operation you are trying to perform. The error message specifically mentions that the application must have one of the following scopes: DeviceManagementServiceConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All.

It appears that you are currently using the scope "https://graph.microsoft.com/.default offline_access" for both getting an authorization code and exchanging it for an access token. However, this scope does not include the required Device Management Service scopes mentioned in the error message.

To resolve this issue, you should update your application's scope to include the required Device Management Service scopes. You can do this by adding the appropriate permissions in the Azure app registration portal, under your application's API permissions page.

References:

403 Forbidden error when you query Intune objects in Graph Explorer

Hope the above information can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Haibert Barfian 0 Reputation points

2023-11-10T05:02:15.6466667+00:00

Yes I'm using the scope https://graph.microsoft.com/.default offline_access because I read that that means it will just ask for all the permissions that my app already has configured in azure portal.

That is not true.. In my front end I had to change the scope to the following

'DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All User.ReadWrite.All offline_access openid'

only when I specify the exact permissions I need while asking for the authentication_code, does the token I exchange that code for have the correct permissions.

It makes no sense.. if https://graph.microsoft.com/.default is supposed to already include all of this in there because its in the API permission of my app and they all had Admin Consent granted.
Crystal-MSFT 36,431 Reputation points Microsoft Vendor

2023-11-10T05:22:52.85+00:00

@Haibert Barfian, Thanks for the reply. For the scope https://graph.microsoft.com/.default offline_access. I am not sure if it can include all the permission. You can open case to see if you can get more help on this

https://learn.microsoft.com/en-us/mem/get-support

Answer 2

No that did not help. As ive stated in my original post. my application already has all those permissions needed, and they are admin consent granted so you can spare that answer as well.

strangely what fixed the issue was changing my scope from https://graph.microsoft.com/.default offline_access, to the exact permissions I need granted for my app. Like so:

'DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All User.ReadWrite.All offline_access openid'

In the documentation it says that using https://graph.microsoft.com/.default asks for all the permissions that you already have configured in your application set up in azure portal.. I guess that is not true. very weird.

Answer 3

CarlZhao-MSFT 31,896

Hi @Haibert Barfian

This depends on the authentication flow you are using. It looks like you are using a delegated authentication flow, the delegated authentication flow only supports delegated permissions, but you are granting application permissions to the calling app in the portal, so when you request the token using the .default scope, these application permissions will not be mapped to the user token.

You can try granting delegated permissions to your app in the portal, then you will be able to request an access token containing the above permissions using the .default scope. Or put dynamic permissions in the scope and consent to them when interacting with the user, as you are doing now.

Haibert Barfian 0

im not sure I understand.

here is how I get the authorization code in the front end

const codeChallenge = await generateCodeChallenge(codeVerifier)
        const clientId = encodeURIComponent(
            '06f642f2-5d14-484d-90f3-795a47887221'
        )
        const redirectUri = encodeURIComponent(
            'http://localhost:3000/integrations/azure-success'
        )
        const scope = encodeURIComponent(
            'DeviceManagementServiceConfig.Read.All DeviceManagementServiceConfig.ReadWrite.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All User.ReadWrite.All offline_access openid'
        )
        const authUrl = `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=${clientId}&response_type=code&redirect_uri=${redirectUri}&response_mode=query&scope=${scope}&state=12345&code_challenge=${codeChallenge}&code_challenge_method=S256`

Ideally my scope would be just .default..

Then in the back end I exchange it for a token like so


        const url = new URL(
            `https://login.microsoftonline.com/common/oauth2/v2.0/token/`
        )

        const params = new URLSearchParams()
        params.append('client_id', INVA_AZURE_CLIENT_ID)
        params.append('scope', scope)
        params.append('code', authorizationCode)
        params.append('redirect_uri', AZURE_REDIRECT_URI)
        params.append('grant_type', 'authorization_code')
        params.append('client_secret', AZURE_CLIENT_SECRET_ID)
        params.append('code_verifier', codeVerifier)

        const response = await axios.post(url.toString(), params, {
            headers: {
                'Content-Type': 'application/x-www-form-urlencoded',
            },
        })

and when I need to use the refresh token to get a new access token I do it like so

export const getNewAccessTokenWithRefreshToken = async (
    refreshToken: string
) => {
    const tokenUrl = `https://login.microsoftonline.com/common/oauth2/v2.0/token`
    const params = new URLSearchParams()
    params.append('client_id', INVA_AZURE_CLIENT_ID)
    params.append('scope', 'https://graph.microsoft.com/.default')
    params.append('refresh_token', refreshToken)
    params.append('grant_type', 'refresh_token')
    params.append('client_secret', AZURE_CLIENT_SECRET_ID)

    try {
        const response = await axios.post(tokenUrl, params.toString(), {
            headers: {
                'Content-Type': 'application/x-www-form-urlencoded',
            },
        })

        return response.data.access_token
    } catch (error: any) {
        console.error(
            'Error refreshing token: ',
            error?.response?.data || error?.message
        )
        throw error
    }
}

Im doing something wrong here?

CarlZhao-MSFT 31,896 Reputation points

2023-11-10T07:09:53.32+00:00

Your code snippet looks great. Does it report any errors while running?
Haibert Barfian 0 Reputation points

2023-11-10T19:17:02.09+00:00

No no errors.

its just the scope... it should work with .default but I guess it doesnt. I even though my application is configured 100% correctly and permissions are granted... I still cannot use .default scope. I have to mention each permission in the request.
CarlZhao-MSFT 31,896 Reputation points

2023-11-13T06:37:19.96+00:00

Hi @Haibert Barfian

As I said in the answer, you need one of the DeviceManagementServiceConfiguration.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfiguration.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All delegated permissions, but what you granted in the azure portal are application permissions, which do not map to the delegated token.

If you want to use the .default scope to request a token that contains the above permissions, then you should grant the corresponding delegated permissions to the calling app in the azure portal.
CarlZhao-MSFT 31,896 Reputation points

2023-11-15T02:03:04.8433333+00:00

Hi @Haibert Barfian

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily. Thank you very much!

Getting "Application is not authorized to perform this operation" error but the application is authorized...

3 answers

Activity