Troubleshoot Authorization_RequestDenied error with Microsoft Graph

When you use Microsoft Graph API to manage users, you might receive the following error message:

Authorization_RequestDenied. Insufficient privileges to complete the operation.

This article demonstrates how to troubleshoot the Authorization_RequestDenied error in Microsoft Graph API by using Postman, through a "disable user" scenario.

Cause of the Authorization_RequestDenied error

This error typically occurs because the calling user or app doesn't have sufficient privileges for the operation. Two separate controls apply, and an app-only (client credentials) call can fail on either of them:

  • The necessary Microsoft Graph API permissions on the app registration, granted with admin consent. For an app-only call these must be application permissions; Entra ID places the granted application permissions in the roles claim of the access token.
  • The appropriate Microsoft Entra RBAC role for the required access level, where the operation also requires a directory role (the Microsoft Graph reference for each operation lists this). For more information, see Microsoft Entra built-in roles.

Troubleshooting Microsoft Graph API by using Postman

Step 1: Assign a Microsoft Entra RBAC role to the app registration (service principal)

  1. Sign in to the Azure portal, and go to Microsoft Entra ID.
  2. In the Manage section, select Roles and administrators.
  3. Select the appropriate role based on the required level of access. In this article, the app manages users, so User Administrator is selected. Apply least privilege: choose the narrowest role that covers the operations the app actually performs.
  4. Select Add assignments, select your app registration, and then select Add.

Step 2: Locate the application ID, client secret, and token endpoints of your app

  1. In the Azure portal, go to App registrations, and then select your app registration.

  2. On the Overview page, record the Application (client) ID.

  3. Select Endpoints. This page lists the token endpoints that are used in the Postman configuration. This article uses OAuth 2.0 token-based authentication with Entra ID, so record the OAuth 2.0 token endpoint (v2).

    Screenshot that shows checking the endpoints of the app registration.

  4. In the Manage section, select Certificates & secrets. Create a client secret or use an existing client secret for testing.

    In the Postman configuration, use the client secret Value, not the Secret ID. The secret value is shown only immediately after it's created, so copy it at that point. Treat it like a password: use a short-lived secret created for testing rather than a production secret, and delete it when you're done.

Step 3: Configure Postman

  1. In Postman, select a request or collection, and then select Authorization.

  2. Set Auth type to OAuth 2.0.

  3. In the Configure New Token section, specify the following configuration:

    • Grant type: Client Credentials
    • Access Token URL: <OAuth 2.0 token endpoint>.
    • Client ID: <Application (client) ID>
    • Client secret: <Client secret value>
    • Scope: https://graph.microsoft.com/.default
    • Client Authentication: Send as Basic Auth header

    Screenshot of Postman configurations.

  4. Select Get New Access Token. If the configuration is correct, you receive a token that is used for the Microsoft Graph API call.

  5. Select Proceed, and then select Use token.

Step 4: Test and troubleshoot the Microsoft Graph API

  1. Send the following PATCH request to disable a user. 1f953789-0000-0000-0000-6f21508fd4e2 is the object ID of a user in Entra ID. Set the Content-Type header to application/json.

    PATCH https://graph.microsoft.com/v1.0/users/1f953789-0000-0000-0000-6f21508fd4e2
    Content-Type: application/json
    
    {
      "accountEnabled": false
    }
    
  2. The response is 403 Forbidden with the Authorization_RequestDenied error. Keep the request-id; Microsoft support uses it to locate the failed call:

    {
        "error": {
            "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation.",
            "innerError": {
                "date": "2024-12-24T03:25:32",
                "request-id": "096361b2-75be-479b-b421-078610030949",
                "client-request-id": "096361b2-75be-479b-b421-078610030949"
            }
        }
    }
    
  3. Check the Update user operation in the Microsoft Graph REST API v1.0 reference. For the accountEnabled property, the reference states the following:

    Property: accountEnabled
    Type: Boolean
    Description: true if the account is enabled; otherwise, false. This property is required when a user is created.
    - User.EnableDisableAccount.All + User.Read.All is the least privileged combination of permissions required to update this property.
    - In delegated scenarios, Privileged Authentication Administrator is the least privileged role that's allowed to update this property for all administrators in the tenant.
  4. Check whether the app registration has the required permissions:

    1. Locate your app registration in the Azure portal.

    2. In the Manage section, select API permissions.

    3. Check the configured API permissions. In this case, the app registration doesn't have the User.EnableDisableAccount.All permission, which is the root cause of the issue.

      Screenshot that shows checking API permissions.

  5. Select Add a permission, select Microsoft Graph, and then select Application permissions. The client credentials flow has no signed-in user, so delegated permissions don't apply here. Add User.EnableDisableAccount.All (and User.Read.All if it isn't already present).

  6. You must also select Grant admin consent for Default Directory for the permissions. Select Yes to confirm that you want to grant admin consent. An application permission takes effect only after admin consent; until then it shows as Not granted and is absent from the token's roles claim.

  7. Get a new access token, and then send the PATCH request again. The permissions in a token are fixed when it's issued, so a token obtained before consent was granted doesn't carry the new permission. If the request is successful, you receive a 204 No Content response.
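The whole procedure above (token acquisition from Steps 2 and 3, the PATCH call and the permission check from Step 4), as an added example that is not part of the original article: it builds the client credentials token request, decodes the token's roles claim to report which of the required application permissions are missing before any Graph call is made, builds the PATCH, and summarizes an error body. The environment variable names TENANT_ID, CLIENT_ID, CLIENT_SECRET and USER_ID are assumptions; when they're not set, the script runs offline against a constructed, unsigned sample token and the error body quoted in this article.

```python
"""Reproduce the Postman walkthrough in code and diagnose Authorization_RequestDenied.

Added example, not from the original article. Network calls run only when
TENANT_ID, CLIENT_ID, CLIENT_SECRET and USER_ID are set (assumed names);
otherwise the checks run offline against a constructed token and the error
body quoted in the article.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
# Least-privileged application permissions for updating accountEnabled,
# per the Graph user-resource reference quoted in Step 4.
REQUIRED_ROLES = {"User.EnableDisableAccount.All", "User.Read.All"}

# Error body from the article, embedded here as the offline sample input.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {"date": "2024-12-24T03:25:32",
                   "request-id": "096361b2-75be-479b-b421-078610030949",
                   "client-request-id": "096361b2-75be-479b-b421-078610030949"}}})


def token_request(tenant_id, client_id, client_secret):
    """(url, form body) for the v2 token endpoint, client credentials grant (Step 3)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }).encode()
    return url, body


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Fine for inspecting a token we just received for ourselves; never use it
    to trust a token presented by a caller.
    """
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def missing_roles(token, required=REQUIRED_ROLES):
    """Granted and consented application permissions appear in the roles claim.

    Any required permission absent from the claim fails with
    Authorization_RequestDenied, so check here before calling Graph.
    """
    return set(required) - set(jwt_payload(token).get("roles", []))


def disable_user_request(token, user_object_id):
    """PATCH /users/{id} with accountEnabled=false (Step 4)."""
    return urllib.request.Request(
        f"{GRAPH}/v1.0/users/{user_object_id}",
        data=json.dumps({"accountEnabled": False}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def explain_graph_error(body):
    """One-line summary of a Graph error body; keep request-id for support cases."""
    err = json.loads(body).get("error", {})
    rid = err.get("innerError", {}).get("request-id")
    hint = ""
    if err.get("code") == "Authorization_RequestDenied":
        hint = (" -> check API permissions (application, not delegated), admin consent,"
                " and any directory role the operation requires; then get a fresh token")
    return f"{err.get('code')}: {err.get('message')} (request-id {rid}){hint}"


def make_sample_token(roles):
    """Constructed, unsigned JWT for offline testing; the signature is a placeholder."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = b64({"alg": "none", "typ": "JWT"})
    payload = b64({"aud": GRAPH, "roles": list(roles)})
    return f"{header}.{payload}.sig"


if __name__ == "__main__":
    env = {k: os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "USER_ID")}
    if not all(env.values()):
        tok = make_sample_token(["User.Read.All"])  # lacks User.EnableDisableAccount.All
        print("missing roles:", missing_roles(tok))
        print(explain_graph_error(SAMPLE_ERROR))
    else:
        url, body = token_request(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
            access_token = json.load(r)["access_token"]
        print("missing roles:", missing_roles(access_token) or "none")
        try:
            with urllib.request.urlopen(disable_user_request(access_token, env["USER_ID"])) as r:
                print("HTTP", r.status)  # 204 No Content on success
        except urllib.error.HTTPError as e:
            print("HTTP", e.code, explain_graph_error(e.read().decode()))
```

The roles check is the step that Postman doesn't show you: if a permission is missing from the decoded token, fixing the request body or URL won't help; the app registration's API permissions, admin consent, or the token's age is the problem.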

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.