Make sure you've obtained a fresh access token after granting the permissions. You can check the corresponding claims by decrypting the token (jwt.ms site or similar).
Problem with Azure Registered App API permissions for Graph
Hello, I am trying to create a group using the graph api, with an app registration. I've already given an consent all the privileges, but still got the message:
"One or more errors occurred. (Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation. "
Any ideas?
4 answers
Sort by: Most helpful
-
-
JamesTran-MSFT 36,541 Reputation points Microsoft Employee
2021-12-06T21:09:51.55+00:00 @Gabriel Susin Dall'igna
Thank you for your post!When it comes to your error message,
Insufficient privileges to complete the operation
, can you try adding the Delegated permissions (Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All) to see if that resolves your issue? Additionally, you can try running the Create Group API via Graph Explorer to see if that helps too.If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
-
JamesTran-MSFT 36,541 Reputation points Microsoft Employee
2021-12-07T18:54:44.957+00:00 @Gabriel Susin Dall'igna
Thank you for following up with this!Based off your screenshot to @Vasil Michev , it looks like you have the correct permissions within your App Registration. However, when walking through this myself using Postman, and an App-only Access Token to create a group, I didn't run into any issues. Can you follow the below steps to see if it helps resolve your issue.
Get App-Only Access Token:
POST https://login.microsoftonline.com/{TenantID}}/oauth2/v2.0/token
Check your Access Token permissions:
Usinghttps://jwt.ms/
Copy & Paste your Access Token and check to see if you have the correct roles:"roles": [ "Directory.ReadWrite.All", "Group.Create", "Group.ReadWrite.All" ],
Create a Group:
Create a Header Key for your Access Token, as neededPOST https://graph.microsoft.com/v1.0/groups Content-type: application/json { "description": "Self help community for library", "displayName": "Library Assist", "groupTypes": [ "Unified" ], "mailEnabled": true, "mailNickname": "library", "securityEnabled": false }
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
-
Gabriel Susin Dall'igna 1 Reputation point
2021-12-07T20:30:02.507+00:00 Hello, after trying all that you said, it was clear that the error wasn't in the permissions. I'm using the api on C#, and trying to create the group with a custom ProxyAddress, after some test and research, it appears not to be possible, even tho when using the graph explorer I can create with the proxyAddresses parameter.
If any of you know of a way to create a group with that value, or even change it after it's created, please let me know. Thank you for your help!