"Insufficient privileges to complete the operation" while using Graph API

Anonymous

The access token I get from the following curl request
curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
does not have the permission to list or create user.

Request:
GET /v1.0/users HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub......

Response
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-12-14T17:27:10",
"request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce",
"client-request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce"
}
}
}

Curl request I made was from App service. I have enabled managed identity, and also added it as contributor in access control from subscription.
What am I doing wrong?

My goal is to get an access token from an App-Service as shown above and use it to create a user in azure ad.
If there is any alternative way it will be good.

Shiva Keshav Varma 401 Reputation points

2020-12-14T17:51:47.807+00:00

You don't have proper permission in your token like User.Read.All. Please put your token in https://jwt.ms and see if you have any permissions.
Anonymous

2020-12-15T06:50:47.313+00:00

Yes, my token doesn't have the permission so what can I do to add scope or permissions while granting a access_token.
Ram Fattah 1 Reputation point

2022-12-20T04:36:19.067+00:00

Thanks for this tip @Shiva Keshav Varma
Hugo BERNERON 20 Reputation points

2023-06-22T09:20:30.6666667+00:00

Hello, I have the same error : "resulted in a 403 Forbidden response: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."" when I want to update a user with the request "PATCH https://graph.microsoft.com/v1.0/users/{userId}".

Whereas I have this rights in my application "OAUTH_SCOPES='openid profile offline_access User.Read.All User.ReadWrite.All Directory.Read.All Directory.ReadWrite.All User.ManageIdentities.All'".

My others request like "GET https://graph.microsoft.com/v1.0/me?$select=displayName,mail,mailboxSettings/userPrincipalName" work correctly and I can connect to my app with this, so the error is not from the OAUTH_APP_ID or OAUTH_APP_SECRET in my .env.

Can you help me please ?
Harris K 31 Reputation points

2023-10-22T10:56:22.79+00:00

I've managed to fix this issue by adding a "User administrator" assignment to my app.

Head over to Microsoft Entra ID> Roles and administrators > Click on 'User administrator' > click on '+ Add assignment' to add your app registration (searching by either name or ID).
Ger Groot 0 Reputation points

2024-03-27T12:58:22.9333333+00:00

Thanks Harris, this seems to be the solution

7 answers

Mieszko Bugajski 0 Reputation points

2023-01-20T12:14:01.8533333+00:00
In the beginning thanks for previous posts it gave a lot of inspiration according topic. Problem occurred in our case at automated bicep mechanism that is supposed to add API permissions for Microsoft Graph.

Error: Authorization_RequestDenied

Solution:

We needed to give Enterprise Application running mechanism Microsoft Graph (not Azure Active Directory Graph it will be deprecated) Application permissions:

Application.ReadWrite.All

AppRoleAssignment.ReadWrite.All

Directory.ReadWrite.All
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Sagar Ambesange 0 Reputation points

2023-06-08T07:25:53.0333333+00:00

I have gone through the various queries related to this topic, and may be mine is a duplicate.

But I am kind of stuck with this now, kindly advice the solution to this.

I have been using the Application authorisation to get users [https://graph.microsoft.com/v1.0/me] via graph API in postman.
For this I have followed the comments and decoded the access token from https://jwt.ms

I am seeing roles as in attached image in the decoded token:

Kindly suggest, what needs to be done to fix this.
Please sign in to rate this answer.
Hugo BERNERON 20 Reputation points

2023-06-22T09:19:12.14+00:00

Hello, I have the same error : "resulted in a 403 Forbidden response: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."" when I want to update a user with the request "PATCH https://graph.microsoft.com/v1.0/users/{userId}".

Whereas I have this rights in my application "OAUTH_SCOPES='openid profile offline_access User.Read.All User.ReadWrite.All Directory.Read.All Directory.ReadWrite.All User.ManageIdentities.All'".

My others request like "GET https://graph.microsoft.com/v1.0/me?$select=displayName,mail,mailboxSettings/userPrincipalName" work correctly and I can connect to my app with this, so the error is not from the OAUTH_APP_ID or OAUTH_APP_SECRET in my .env.

Can you help me please ?
Sign in to comment