The access token I get from the following curl request
    curl "$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
does not have permission to list or create users.
Request:
    GET /v1.0/users HTTP/1.1
    Host: graph.microsoft.com
    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJub......
Response:
    {
      "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
          "date": "2020-12-14T17:27:10",
          "request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce",
          "client-request-id": "c172e8b7-ccf5-4ace-8c76-609d826787ce"
        }
      }
    }
The curl request I made was from an App Service. I have enabled managed identity and also added it as Contributor in access control for the subscription.
What am I doing wrong?
My goal is to get an access token from an App Service as shown above and use it to create a user in Azure AD.
If there is any alternative way, that will be good too.
Hello, I have the same error: "resulted in a 403 Forbidden response: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."" when I want to update a user with the request "PATCH https://graph.microsoft.com/v1.0/users/{userId}".
Whereas I have these rights in my application: "OAUTH_SCOPES='openid profile offline_access User.Read.All User.ReadWrite.All Directory.Read.All Directory.ReadWrite.All User.ManageIdentities.All'".
My other requests, like "GET https://graph.microsoft.com/v1.0/me?$select=displayName,mail,mailboxSettings/userPrincipalName", work correctly and I can connect to my app with this, so the error is not from the OAUTH_APP_ID or OAUTH_APP_SECRET in my .env.
Can you help me please?
Hi anonymous user · Thank you for reaching out.
To add required permissions in the token, you need to first copy the Client ID (aka App ID) that you are using in your request to get the Access Token and then navigate to:
Azure Portal > Azure Active Directory > App Registration > All Applications > Search with the ClientID/AppID copied earlier.
In that application navigate to:
Api Permissions > Add a permission > Microsoft Graph > Delegated permissions > Expand User > Select required permissions
as shown below. Once the permissions are added, click on the "Grant Admin Consent for your_tenant" button.
Note: Delegated permissions are used when the token is acquired under user context. If you are acquiring the token under the context of a Service Principal, you need to select Application permissions under Microsoft Graph while adding permissions.
After adding the permissions, you need to request a new token and make sure the token includes the required permissions by decoding it at https://jwt.ms or https://jwt.io
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hi anonymous user · To find the clientID, you need to check the request being sent to https://login.microsoftonline.com for authentication. The Client ID is sent as a parameter in the request URL, as highlighted in the sample request below:
https://login.microsoftonline.com/xxxxxx.onmicrosoft.com/oauth2/v2.0/authorize?**client_id=d736a5a0-xxxx-xxxx-xxxx-d192b45e4aa7**&response_type=code&redirect_uri=https://jwt.ms&state=1234&response_mode=query&scope=openid
This was very helpful.
But I don't like the security concerns regarding the very last step:
"After adding the permissions, you need to request a new token and make sure the token includes the required permissions by decoding it at https://jwt.ms or https://jwt.io"
Posting your secret token to one of these URLs just seems like a bad idea. You are giving away your token to these sites. What assurance is there that these are associated with Microsoft? What assurance is there that these sites aren't used to collect app tokens for malicious reasons? I recommend avoiding the very last step above without further clarification and verification. Even with that, it's still a bad idea. Keep your secret token secret.
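The permission check the answer describes (decode the token and look at what it grants) can be done locally instead of pasting the token into a third-party site. The following is an added example, not code from this thread or from Microsoft: it splits the JWT, base64url-decodes the payload without verifying the signature (this is inspection only, not validation), and reports the Graph permissions found in the `scp` claim (delegated permissions, a space-separated string) and the `roles` claim (application permissions, a list, which is where a managed identity's or service principal's Graph permissions appear). The sample tokens are constructed here with placeholder claims and a dummy signature; the `check_token` and `REQUIRED_PERMISSION` names are this example's own.

```python
import base64
import json

# Graph permission needed for the POST/PATCH /users calls discussed in the thread.
REQUIRED_PERMISSION = "User.ReadWrite.All"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked:
    this only shows what the token says about itself, not whether it is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Collect permissions from both claim shapes Graph tokens use:
    'scp' (delegated, space-separated string) and 'roles' (application, list)."""
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def check_token(token: str, required: str = REQUIRED_PERMISSION) -> dict:
    """Summarise audience, permission kind and whether `required` is present."""
    claims = token_claims(token)
    perms = granted_permissions(claims)
    if "roles" in claims:
        kind = "application"
    elif "scp" in claims:
        kind = "delegated"
    else:
        kind = "none"  # neither claim: the token grants no Graph permissions
    return {
        "audience": claims.get("aud"),
        "kind": kind,
        "permissions": sorted(perms),
        "has_required": required in perms,
    }


def _constructed_token(payload: dict) -> str:
    """Build a demo JWT from a constructed payload. The header is a placeholder and
    the third segment is a dummy, because check_token() never verifies signatures."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(payload)}.placeholder-signature"


# Constructed sample payloads (real tokens carry many more claims).
MI_TOKEN_NO_ROLES = _constructed_token(
    {"aud": "https://graph.microsoft.com", "appid": "00000000-0000-0000-0000-000000000000"})
MI_TOKEN_WITH_ROLES = _constructed_token(
    {"aud": "https://graph.microsoft.com", "roles": ["User.ReadWrite.All", "Directory.Read.All"]})
DELEGATED_TOKEN = _constructed_token(
    {"aud": "https://graph.microsoft.com", "scp": "openid profile User.Read"})

if __name__ == "__main__":
    for name, tok in [("managed identity, no app roles", MI_TOKEN_NO_ROLES),
                      ("managed identity, app roles granted", MI_TOKEN_WITH_ROLES),
                      ("delegated, user scopes only", DELEGATED_TOKEN)]:
        print(f"{name}: {check_token(tok)}")
```

For a real check, pass the `access_token` field from the managed-identity endpoint's JSON response (the curl in the question) to `check_token`. A token like the first sample, with neither `roles` nor `scp`, is what produces `Authorization_RequestDenied`: an Azure RBAC role such as Contributor on the subscription governs Azure Resource Manager, not Microsoft Graph, so it never adds Graph permissions to the token. Because the signature is not verified here, use this only to read your own token's claims, never as an authorization decision.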
You don't have the proper permission in your token, like User.Read.All. Please put your token in https://jwt.ms and see if you have any permissions. Please make sure to add any permissions specified here.
(If the reply was helpful please don't forget to upvote or accept as answer, thank you)
I added all possible permissions but it didn't work for me. Is there a solution to this problem? [three screenshot attachments of the API permissions page, not reproduced here]
I'm getting this dreaded error too when calling Get-AzADGroup. What microsoft.graph permission is necessary? I am so frustrated.
I have had Application.Read.All, Directory.Read.All. What am I missing?
@AmanpreetSingh-MSFT
I have all the required permissions in my app registration but it still shows me 403 when I try to create a user through Postman or the Java SDK.
The error message that I got is
    {
      "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
          "date": "2022-04-30T14:37:36",
          "request-id": "3d704d5d-4243-467c-9da8-a34aa0c85acb",
          "client-request-id": "3d704d5d-4243-467c-9da8-a34aa0c85acb"
        }
      }
    }
with a 403 response status code.