Problem with Azure Registered App API permissions for Graph

Gabriel Susin Dall'igna 1 Reputation point
2021-12-03T20:40:36.273+00:00

Hello, I am trying to create a group using the Graph API, with an app registration. I've already given and consented to all the privileges, but still got the message:

"One or more errors occurred. (Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation. "

Any ideas?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

4 answers

  1. Vasil Michev 123.6K Reputation points MVP Volunteer Moderator
    2021-12-04T10:02:11.84+00:00

    Make sure you've obtained a fresh access token after granting the permissions. You can check the corresponding claims by decrypting the token (jwt.ms site or similar).


  2. JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator
    2021-12-06T21:09:51.55+00:00

    @Gabriel Susin Dall'igna
    Thank you for your post!

    When it comes to your error message, Insufficient privileges to complete the operation, can you try adding the Delegated permissions (Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All) to see if that resolves your issue? Additionally, you can try running the Create Group API via Graph Explorer to see if that helps too.


    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  3. JamesTran-MSFT 37,226 Reputation points Microsoft Employee Moderator
    2021-12-07T18:54:44.957+00:00

    @Gabriel Susin Dall'igna
    Thank you for following up with this!

    Based off your screenshot to @Vasil Michev, it looks like you have the correct permissions within your App Registration. However, when walking through this myself using Postman, and an App-only Access Token to create a group, I didn't run into any issues. Can you follow the below steps to see if it helps resolve your issue?

    Get App-Only Access Token:

    POST https://login.microsoftonline.com/{TenantID}/oauth2/v2.0/token  
    


    Check your Access Token permissions:
    Using https://jwt.ms/, copy and paste your Access Token and check to see if you have the correct roles:

      "roles": [  
        "Directory.ReadWrite.All",  
        "Group.Create",  
        "Group.ReadWrite.All"  
      ],  
    


    Create a Group:
    Create a Header Key for your Access Token, as needed

    POST https://graph.microsoft.com/v1.0/groups  
    Content-type: application/json  
      
    {  
      "description": "Self help community for library",  
      "displayName": "Library Assist",  
      "groupTypes": [  
        "Unified"  
      ],  
      "mailEnabled": true,  
      "mailNickname": "library",  
      "securityEnabled": false  
    }  
    


    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
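
The token check suggested in answers 1 and 3 can also be done locally, without pasting the token into a website. The following is an added example, not part of the original thread: the function names are hypothetical, the sample token is constructed, and it assumes any one of the three roles listed in answer 3 is enough for an app-only `POST /groups`.

```python
import base64
import json
import time
from typing import Optional

# Roles shown in answer 3; assumption: any one of them permits POST /groups.
GROUP_CREATE_ROLES = {"Group.Create", "Group.ReadWrite.All", "Directory.ReadWrite.All"}


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified:
    this is for inspecting your own token, never for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, now: Optional[float] = None) -> list:
    """List reasons this token would not authorize an app-only group create."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token expired; request a new one")
    roles = set(claims.get("roles", []))
    if not roles and "scp" in claims:
        # Delegated tokens carry scopes in "scp"; app-only tokens carry "roles".
        problems.append("delegated token (scp claim), not app-only (roles claim)")
    elif not roles & GROUP_CREATE_ROLES:
        problems.append("no group-create role; token may predate admin consent")
    return problems


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed token that was issued before the group permissions were consented.
    stale = make_sample({"exp": 4102444800, "roles": ["User.Read.All"]})
    print(diagnose(stale))
```

An empty list from `diagnose` means the token itself looks fine, which points the investigation at the request body rather than the permissions.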


  4. Gabriel Susin Dall'igna 1 Reputation point
    2021-12-07T20:30:02.507+00:00

    Hello, after trying all that you said, it was clear that the error wasn't in the permissions. I'm using the API in C#, and trying to create the group with a custom ProxyAddress. After some tests and research, it appears not to be possible, even though when using the Graph Explorer I can create it with the proxyAddresses parameter.

    If any of you know of a way to create a group with that value, or even change it after it's created, please let me know. Thank you for your help!

