Share via

MS Graph Insufficient privileges to complete the operation

xi ouyang 46 Reputation points
2022-02-12T23:03:26.733+00:00

Repo Steps:

API URL is below:
https://graph.microsoft.com/v1.0/users

Screenshot of API Permission is below:
173729-image.png

Error Response is below
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2022-02-12T18:48:03",
"request-id": "74f4f18d-d18d-4065-b048-58664410297b",
"client-request-id": "74f4f18d-d18d-4065-b048-58664410297b"
}
}
}

Not Monitored
Not Monitored
Tag not monitored by Microsoft.
42,821 questions
0 comments
Accepted answer
  1. CarlZhao-MSFT 45,761 Reputation points
    2022-02-14T02:37:27.05+00:00

    Hi @xi ouyang

    Please note the following:

    1. Make sure you are not using the client credential flow.
    2. Make sure you are using a work account and not a personal account.
    3. Important: This error may also be caused if you are using a guest account, because guest users cannot enumerate all users by default, you need to set the same access permissions as members for guest users, or grant user administrators for your guest users. Log in to the Azure portal as a global administrator, and then go to: User settings>Manage external collaboration settings>Guest user access:

    173962-image.png

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

4 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. xi ouyang 46 Reputation points
    2022-02-15T01:35:55.47+00:00

    Per discussion with Azure AD Support Team, the root cause is that I use delegate API instead of Application API. After adding the API permission type of delegation, it works as expected.

    2 people found this answer helpful.
  2. Marc Girod 26 Reputation points
    2022-09-06T10:29:12.917+00:00

    Are permissions the same thing as privileges?
    Maybe they are... Adding ('consenting') permissions helped.
    Weapon of mass-confusion?

    1 person found this answer helpful.
  3. Vasil Michev 115.7K Reputation points MVP
    2022-02-13T07:52:31.647+00:00

    Check your access token, make sure the permissions are reflected therein. You can use tools such as jtw.ms to decode it. If you don't see the permissions, request a new token.
    Also, how are you authenticating? If using client secret/certificate, the permissions above do not apply.

  4. Javier Morales 31 Reputation points
    2023-06-01T21:12:09.34+00:00

    Hi

    I have the same issue

    the service principal authenticates

    we added group.readAll and user.readAll privileges as an application but still receiving insufficient privileges when use az ad group list

    Any idea?

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.