This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 51%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Hi there,
I am experiencing issues with Graph API permissions, even though I've granted all the necessary permissions and consents.
Interestingly,the same app works in some tenants and but not in others.
This is an old app that's why it's Windows Active Directory Permissions
Please see the screenshots.
@Tay Jorge
Hi @Durjan Hussain
Permissions for Azure AD Graph API cannot be applied to MS Graph API, you must grant the corresponding permissions for the calling app under MS Graph API.
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Hi @CarIZhao-MFT,
It's been working for the last 4 years, and it also works for other tenants to which we applied admin consent years ago. Recently we granted admin consent to our tenant and then it broke.
Kind regards,
Durjan
Hi @Durjan Hussain
Try decoding your access token using jwt.ms and share the screenshot.
Hi @CarlZhao-MSFT,
Here is the token decode screenshot.
Hi @CarlZhao-MSFT,
Here is the token decode screenshot.
Hi @Durjan Hussain
Checking the token roles claim, you can see that the token is missing the permissions for the /getMemberGroups endpoint. Like I said in my answer, permissions for Azure AD Graph API cannot be applied to MS Graph API, you need to grant corresponding permissions under MS Graph API.
Hi @CarlZhao-MSFT,
I do understand, but how is it possible that this JWT token works when it was generated using a different tenant?
The multi-tenant app may have corresponding permissions in other tenants. Go to the target tenant and see if it has the corresponding permissions under MS Graph API.
Hi @CarlZhao-MSFT,
All same permissions as you can see from the screenshots.
Thanks
Hi @CarlZhao-MSFT,
It was "wids" value which you can see above in both JTW tokens are different.
Assigning a "Directory Reader" role to the app resolve the issue.
It's all been sorted now.
Thank you very much for you help.
Hi @CarlZhao-MSFT,
It was "wids" value which you can see above in both JTW tokens are different.
Assigning a "Directory Reader" role to the app resolve the issue.
It's all been sorted now.
Thank you very much for you help.
Hi @Durjan Hussain
Glad to know your issue has been resolved. It looks like the "Directory Reader" role is the key to fixing the error :)