Azure AD: Graph API Call is Failing intermittently

Subramanyam k 251 Reputation points
2020-07-27T05:12:36.787+00:00

Hi,

When we try to call the Graph API ("https://graph.microsoft.com/v1.0/applications/{id}" with the PATCH method and body
{

"info": {
"termsOfServiceUrl": "https://www.locahost:8080.com",
"supportUrl": null,
"privacyStatementUrl": "https://www.www.locahost:8080.com"

},
"signInUrl":"https://xxxxxx"
}
) to set some additional parameters immediately after the application creation, we observe that sometimes it fails, returning an error message:

"
Invoke-RestMethod : {
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2020-07-25T10:12:31",
"request-id": "b849d526-09be-4d91-xxxxx-xxxxxxxxx"
}
}
}
"


2 answers

  1. AmanpreetSingh-MSFT 56,486 Reputation points
    2020-07-27T06:32:15.947+00:00

    Hello @Subramanyamk-9132

    The error message "Insufficient privileges to complete the operation." should be consistent for a given identity, because if the identity (User/Application) has the required permissions it should always work, and if the required permissions are not assigned, it should always fail. Could you please confirm whether you are using multiple identities for this purpose or it's a single account that you are using? Based on the authenticating entity, different permissions can be required:

    • If you are using User context to make above call, you would need to assign Delegated permissions - Application.ReadWrite.All, Directory.AccessAsUser.All
    • If you are using Application context to make above call, you would need to assign Application permissions - Application.ReadWrite.OwnedBy, Application.ReadWrite.All

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.


  2. Subramanyam k 251 Reputation points
    2020-07-27T09:24:07.077+00:00

    Hi @amanpreetsingh-msft ,

    We have a script that creates the Azure AD Application, sets the "Company Permission" on this application, gets the access token using the client credential flow and then calls the Graph API to set the Branding Parameters.

    Out of 10 runs, on average 1 or 2 times we get that exception.

    Sample Code:

    # Create the application and its service principal ($displayName: the app name; its value is not shown in the post)
    $AzureADApp = New-AzureADApplication -DisplayName $displayName
    $svcPrincipal = New-AzureADServicePrincipal -AppId $AzureADApp.AppId
    # Look up the activated 'Company Administrator' (Global Administrator) directory role
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }
    # Re-read the service principal created above ($applicationId: the new app's AppId)
    $svcprincipal = Get-AzureADServicePrincipal -All $true | ? { $_.AppId -match "$($applicationId)" }
    # Add the service principal to the directory role
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $svcprincipal.ObjectId
    # Getting the access token and calling the above Graph API using Invoke-RestMethod
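The flow described in the second post, written out end to end as an added example (this is not the poster's script nor Microsoft's sample code). It assumes the AzureAD PowerShell module is installed, that Connect-AzureAD has already been run as an account allowed to assign the role, and uses placeholders for $tenantId, $displayName and the example.com branding URLs. The part the poster's script lacks is the retry: the new application, its service principal and the role assignment are written to the directory asynchronously, and directory role membership is evaluated when the token is issued, so the PATCH is retried with backoff and the token is re-acquired on every attempt rather than reused. The Company Administrator assignment mirrors the poster's script; the Application.ReadWrite.OwnedBy permission named in the first answer, with the service principal added as an owner of the application, is the least-privilege alternative for this single PATCH.

```powershell
# Added example, not from the original post. Placeholders (assumptions):
$tenantId    = '00000000-0000-0000-0000-000000000000'   # your tenant ID
$displayName = 'branding-setup-demo'                    # display name for the new app

# 1. Create the application, its service principal and a client secret for the credential flow
$app    = New-AzureADApplication -DisplayName $displayName
$sp     = New-AzureADServicePrincipal -AppId $app.AppId
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId

# 2. Put the service principal in the Company Administrator role (as the original script does)
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId

# 3. Client-credentials token for Microsoft Graph
function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

# 4. Branding payload (same shape as the question; example.com URLs are placeholders)
$patch = @{
    info = @{
        termsOfServiceUrl   = 'https://example.com/tos'
        supportUrl          = $null
        privacyStatementUrl = 'https://example.com/privacy'
    }
    signInUrl = 'https://example.com/signin'
} | ConvertTo-Json -Depth 3

# /applications/{id} takes the application's object ID, not its AppId
$uri = "https://graph.microsoft.com/v1.0/applications/$($app.ObjectId)"

# 5. PATCH with exponential backoff. Both the token request and the PATCH sit inside the
#    try block, because a just-created secret or role assignment may not be usable yet either.
$maxAttempts = 6
for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
    try {
        # Re-acquire the token each time: the directory role is resolved at issuance, so a
        # token obtained before the role assignment replicated will keep getting 403.
        $token = Get-GraphAppToken -TenantId $tenantId -ClientId $app.AppId -ClientSecret $secret.Value
        Invoke-RestMethod -Method Patch -Uri $uri -ContentType 'application/json' `
            -Headers @{ Authorization = "Bearer $token" } -Body $patch
        Write-Host "Branding set on attempt $attempt"
        break
    }
    catch {
        $status  = $_.Exception.Response.StatusCode.value__
        $details = $_.ErrorDetails.Message   # carries the Graph error JSON, e.g. Authorization_RequestDenied
        # 400/401 from the token endpoint, 403 Authorization_RequestDenied or 404 for a not-yet-visible
        # object are all consistent with replication lag; anything else is a real failure.
        if ($status -in 400, 401, 403, 404 -and $attempt -lt $maxAttempts) {
            $delay = [math]::Pow(2, $attempt)
            Write-Warning "Attempt $attempt failed with HTTP $status ($details); retrying in $delay s"
            Start-Sleep -Seconds $delay
        }
        else {
            throw
        }
    }
}
```

Two points worth checking when adapting this: confirm the failures that disappear on retry all carry the same request-id pattern and 403 body as in the question (a persistent 403 after the last attempt means the permission really is missing, as the first answer says), and treat the Global Administrator assignment to an automation service principal as a temporary measure to remove once the branding PATCH has succeeded.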