Permission denied

Meirzhan Askerbekov 1 Reputation point
2021-03-01T09:06:53.987+00:00

Hello, I have created App on Azure and added to my app one user. I added required permissions. For me all api requests work well, but for other user don't work. I log in with that user and make request. Request:
GET /v1.0/users HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub...... { "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": { "date": "2021-03-01T09:04:03", "request-id": "d062cc41-7e91-4e50-a71b-c206f4346fb6", "client-request-id": "d062cc41-7e91-4e50-a71b-c206f4346fb6" } } }

This is decoded token: "scp": "Calendars.ReadWrite Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All OnlineMeetings.Read OnlineMeetings.ReadWrite User.Read User.Read.All User.ReadBasic.All User.ReadWrite.All profile openid email"

POST https://graph.microsoft.com/v1.0/me/events

{"error":{"code":"NoPermissionsInAccessToken","message":"The token contains no permissions, or permissions can not be
understood.","innerError":{"oAuthEventOperationId":"9f590106-a3c2-47d0-8e70-d79196213d4a","oAuthEventcV":"HKqZWfjNykC7JrgpoVj3iw.1.1.1","errorUrl":"https://aka.ms/autherrors#error-InvalidGrant","requestId":"4081c9ec-9d4e-492b-9034-f408dcaf908f","date":"2021-03-01T09:26:29"}}}

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,068 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Vasil Michev 98,201 Reputation points MVP
    2021-03-01T09:41:06.743+00:00

    Which endpoint are you calling and did you consent to said permissions as admin (most of them require admin consent). You also seem to be using the EWS impersonate permissions, is your app based on the Graph API or EWS?


  2. Meirzhan Askerbekov 1 Reputation point
    2021-03-01T12:11:34.423+00:00

    I added user using POST https://graph.microsoft.com/v1.0/invitations
    It seems that there are constraints for guest user. So then I have created user via POST https://graph.microsoft.com/v1.0/users, for this user works fine.
    So how to give guest user all required permissions?