Problem with Azure Registered App API permissions for Graph

Gabriel Susin Dall'igna 1 Reputation point
2021-12-03T20:40:36.273+00:00

Hello, I am trying to create a group using the graph api, with an app registration. I've already given an consent all the privileges, but still got the message:

"One or more errors occurred. (Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation. "

Any ideas?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,014 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,718 questions
{count} votes

4 answers

Sort by: Most helpful
  1. Vasil Michev 91,276 Reputation points MVP
    2021-12-04T10:02:11.84+00:00

    Make sure you've obtained a fresh access token after granting the permissions. You can check the corresponding claims by decrypting the token (jwt.ms site or similar).


  2. JamesTran-MSFT 36,056 Reputation points Microsoft Employee
    2021-12-06T21:09:51.55+00:00

    @Gabriel Susin Dall'igna
    Thank you for your post!

    When it comes to your error message, Insufficient privileges to complete the operation, can you try adding the Delegated permissions (Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All) to see if that resolves your issue? Additionally, you can try running the Create Group API via Graph Explorer to see if that helps too.

    155380-image.png

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  3. JamesTran-MSFT 36,056 Reputation points Microsoft Employee
    2021-12-07T18:54:44.957+00:00

    @Gabriel Susin Dall'igna
    Thank you for following up with this!

    Based off your screenshot to @Vasil Michev , it looks like you have the correct permissions within your App Registration. However, when walking through this myself using Postman, and an App-only Access Token to create a group, I didn't run into any issues. Can you follow the below steps to see if it helps resolve your issue.

    Get App-Only Access Token:

    POST https://login.microsoftonline.com/{TenantID}}/oauth2/v2.0/token  
    

    155751-image.png

    Check your Access Token permissions:
    Using https://jwt.ms/ Copy & Paste your Access Token and check to see if you have the correct roles:

      "roles": [  
        "Directory.ReadWrite.All",  
        "Group.Create",  
        "Group.ReadWrite.All"  
      ],  
    

    155743-image.png

    Create a Group:
    Create a Header Key for your Access Token, as needed

    POST https://graph.microsoft.com/v1.0/groups  
    Content-type: application/json  
      
    {  
      "description": "Self help community for library",  
      "displayName": "Library Assist",  
      "groupTypes": [  
        "Unified"  
      ],  
      "mailEnabled": true,  
      "mailNickname": "library",  
      "securityEnabled": false  
    }  
    

    155657-image.png

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    0 comments No comments

  4. Gabriel Susin Dall'igna 1 Reputation point
    2021-12-07T20:30:02.507+00:00

    Hello, after trying all that you said, it was clear that the error wasn't in the permissions. I'm using the api on C#, and trying to create the group with a custom ProxyAddress, after some test and research, it appears not to be possible, even tho when using the graph explorer I can create with the proxyAddresses parameter.
    155734-graph-explorer.png

    If any of you know of a way to create a group with that value, or even change it after it's created, please let me know. Thank you for your help!