Using ManagedIdentityCredential for Microsoft.Graph AzureIdentityProvider tokens

Alex Haigh 0 Reputation points
2025-04-14T14:22:54.6966667+00:00

Hello, I am trying to make requests to Microsoft Graph using the Microsoft.Graph 5.76.0 package.

This works if I use a ClientSecretCredential, but I want to use a ManagedIdentityCredential so I do not have to routinely renew secrets.

When I attempt to use a ManagedIdentityCredential, I get an "insufficient privileges" error.

Please note, my Application Registration has the required Graph API permissions granted which is why I am able to make requests successfully with the ClientSecretCredential.

// Same issue occurs using ManagedIdentityCredential class
// This works if I use a ClientSecretCredential
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Kiota.Authentication.Azure;

// config.Value.ClientId holds the client ID of the user-assigned managed identity
var tokenCredential = new DefaultAzureCredential(
    new DefaultAzureCredentialOptions { ManagedIdentityClientId = config.Value.ClientId }
);

// ".default" requests every Graph app role already granted to the calling service principal
var authProvider = new AzureIdentityAuthenticationProvider(tokenCredential,
    scopes: ["https://graph.microsoft.com/.default"], isCaeEnabled: true);

return new GraphServiceClient(authProvider);

I believe this should work with a ManagedIdentityCredential as well when configured correctly. Any idea why I get insufficient privileges when making the request?

Is there a role that the service principal needs to make Graph API calls - similar to how I would use a ManagedIdentityCredential without a secret to make CosmosDB requests?

Microsoft Security Microsoft Entra Microsoft Entra ID
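A quick way to see what the managed identity is actually allowed to do is to look at the token the SDK will send. Graph grants application access from the "roles" claim of an app-only token; when no app roles have been assigned to the calling service principal the claim is simply absent and Graph answers with "insufficient privileges". The following is an added example, not code from the question or from Microsoft's samples; it assumes the Azure.Identity, Microsoft.Graph 5.x and Microsoft.Kiota.Authentication.Azure packages, that it runs on Azure compute with a managed identity attached, and that the user-assigned identity's client ID is supplied in a hypothetical MI_CLIENT_ID environment variable (leave it unset for a system-assigned identity).

```csharp
using System;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Kiota.Authentication.Azure;

// Added example: build a GraphServiceClient on a managed identity and report which Graph
// application roles the token carries before making any Graph request.
public static class ManagedIdentityGraph
{
    private const string GraphScope = "https://graph.microsoft.com/.default";

    // Pass null for a system-assigned identity, or the client ID of a user-assigned one.
    // ManagedIdentityCredential never falls back to developer credentials, unlike DefaultAzureCredential.
    public static TokenCredential CreateCredential(string? userAssignedClientId = null) =>
        userAssignedClientId is null
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(userAssignedClientId);

    public static GraphServiceClient CreateGraphClient(TokenCredential credential)
    {
        // Same provider the question uses; ".default" asks for every app role already
        // granted to the calling service principal.
        var provider = new AzureIdentityAuthenticationProvider(
            credential, isCaeEnabled: true, scopes: new[] { GraphScope });
        return new GraphServiceClient(provider);
    }

    // Acquire a Graph token the way the SDK does and return the app roles it carries.
    public static async Task<string[]> GetGrantedRolesAsync(TokenCredential credential, CancellationToken ct = default)
    {
        AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { GraphScope }), ct);
        return ParseRolesClaim(token.Token);
    }

    // Reads the "roles" claim from a JWT payload. The signature is deliberately not checked:
    // this is a diagnostic on a token we just received from the identity endpoint, not an
    // authorization decision, so never reuse it for validating tokens presented by callers.
    public static string[] ParseRolesClaim(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length < 2) throw new FormatException("Not a JWT");
        using JsonDocument payload = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        if (!payload.RootElement.TryGetProperty("roles", out JsonElement roles) || roles.ValueKind != JsonValueKind.Array)
            return Array.Empty<string>();   // absent claim: no app roles assigned to this service principal
        var result = new string[roles.GetArrayLength()];
        int i = 0;
        foreach (JsonElement role in roles.EnumerateArray()) result[i++] = role.GetString() ?? string.Empty;
        return result;
    }

    private static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    public static async Task Main()
    {
        // Hypothetical environment variable; read the client ID from configuration in practice.
        TokenCredential credential = CreateCredential(Environment.GetEnvironmentVariable("MI_CLIENT_ID"));
        string[] roles = await GetGrantedRolesAsync(credential);
        if (roles.Length == 0)
        {
            Console.WriteLine("Token has no 'roles' claim: the app roles must be assigned to the managed identity's service principal, not to the app registration.");
            return;
        }
        Console.WriteLine("Granted Graph app roles: " + string.Join(", ", roles));

        // Requires the User.Read.All application permission (or a broader one) in the roles above.
        GraphServiceClient graph = CreateGraphClient(credential);
        var users = await graph.Users.GetAsync(req => req.QueryParameters.Top = 1);
        Console.WriteLine(users?.Value?.Count > 0 ? users.Value[0].DisplayName : "(no users returned)");
    }
}
```

Two things worth keeping in mind when reading the output. If the code runs on a developer machine through DefaultAzureCredential, the token is a delegated one for the signed-in developer (a "scp" claim instead of "roles"), so a call that works locally can still fail once deployed. And a token with the expected roles that still gets a 403 points at something other than role assignment, for example a request that needs a role the identity was never granted.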

1 answer

  1. Kancharla Saiteja 5,485 Reputation points Microsoft External Staff Moderator
    2025-04-15T19:02:20.17+00:00

    Hi @Alex Haigh,

    Based on your query, here is my understanding: you have tried performing ManagedIdentityCredential login and received an insufficient privileges error.

    I see that you have provided the application with relevant permissions to retrieve a token but still you have received an error. The permissions of an application will work with the OAuth flows and will be able to retrieve the token as per your requirement. But when you are trying to use managed identities, you need to ensure the application has the right permissions on the resources. Only then will you be retrieving the token and be able to access the resources.

    Here is the Microsoft document which you can use as reference in order to work with Managed identities:

    1. For user assigned Managed identity: Authenticate Azure-hosted .NET apps to Azure resources using a user-assigned managed identity
    2. For System assigned Managed identity: Authenticate Azure-hosted .NET apps to Azure resources using a system-assigned managed identity

    Here is the code implementation in order to retrieve the token using managed identities: Implement the code.

    Additional information: Using Managed identity credential Class.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
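The "right permissions on the resources" in the answer above means application permissions (app roles) granted to the managed identity's own service principal. A managed identity is a separate service principal from the one behind the app registration, so consent granted on the registration's API permissions blade never reaches it, and the Azure RBAC roles used for Cosmos DB do not apply to Microsoft Graph either. The grant is an appRoleAssignment on the managed identity's service principal for a role exposed by the Microsoft Graph service principal. The block below is an added example, not the moderator's code or Microsoft's sample; it assumes Microsoft.Graph 5.x and Azure.Identity, an administrator signing in interactively who holds AppRoleAssignment.ReadWrite.All and Application.Read.All, and takes the managed identity's object (principal) ID and the permission name as hypothetical command-line arguments.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;

// Added example: grant one Microsoft Graph application permission to a managed identity.
public static class ManagedIdentityGraphGrant
{
    // Well-known application ID of the Microsoft Graph service principal in every tenant.
    private const string GraphAppId = "00000003-0000-0000-c000-000000000000";

    // Creates the appRoleAssignment that makes the "roles" claim appear in the identity's token.
    public static async Task<AppRoleAssignment?> GrantGraphAppRoleAsync(
        GraphServiceClient admin, string managedIdentityObjectId, string appRoleValue)
    {
        // Resolve the tenant's Graph service principal; its object ID differs per tenant.
        var graphSps = await admin.ServicePrincipals.GetAsync(req =>
            req.QueryParameters.Filter = $"appId eq '{GraphAppId}'");
        ServicePrincipal graphSp = graphSps?.Value?.SingleOrDefault()
            ?? throw new InvalidOperationException("Microsoft Graph service principal not found in this tenant");

        // Only roles that allow "Application" members are app-only permissions; delegated
        // scopes live in Oauth2PermissionScopes and cannot be assigned to a managed identity.
        AppRole role = graphSp.AppRoles?.SingleOrDefault(r =>
                r.Value == appRoleValue && (r.AllowedMemberTypes?.Contains("Application") ?? false))
            ?? throw new ArgumentException($"'{appRoleValue}' is not an application permission exposed by Microsoft Graph");

        var assignment = new AppRoleAssignment
        {
            PrincipalId = Guid.Parse(managedIdentityObjectId),  // the managed identity's service principal
            ResourceId = Guid.Parse(graphSp.Id!),                // the Graph service principal
            AppRoleId = role.Id,
        };
        return await admin.ServicePrincipals[managedIdentityObjectId].AppRoleAssignments.PostAsync(assignment);
    }

    public static async Task Main(string[] args)
    {
        // Hypothetical inputs: args[0] is the managed identity's object (principal) ID shown on
        // the identity's overview page, args[1] the permission to grant (default chosen here).
        string managedIdentityObjectId = args[0];
        string appRole = args.Length > 1 ? args[1] : "User.Read.All";

        // The managed identity cannot grant itself roles; an administrator does it once.
        var admin = new GraphServiceClient(
            new InteractiveBrowserCredential(),
            new[]
            {
                "https://graph.microsoft.com/AppRoleAssignment.ReadWrite.All",
                "https://graph.microsoft.com/Application.Read.All",
            });

        AppRoleAssignment? created = await GrantGraphAppRoleAsync(admin, managedIdentityObjectId, appRole);
        Console.WriteLine($"Created assignment {created?.Id} for {appRole}; tokens issued from now on carry it in 'roles'.");
    }
}
```

Grant the narrowest role that covers the calls the workload makes (for example User.ReadBasic.All rather than Directory.Read.All), because the assignment is not visible from the app registration's permission blade and is easy to over-provision and forget. Tokens already cached by the application keep their old claims until they expire, so a freshly granted role may take until the next token refresh to show up; Graph rejects a second identical assignment as a duplicate, so the operation is safe to rerun.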

