I am getting an Insufficient Privileges error when trying to access Azure Graph APIs

0 votes

I have set up an Azure AD application as a web app. I have obtained an OAuth token using the following steps:

1. Request authorization code:

https://login.windows.net/common/oauth2/authorize?redirect_uri={REDIRECT_URI}&client_id={CLIENT_ID}&response_type=code&state=o365&prompt=admin_consent

2. Get the OAuth token using this endpoint https://login.windows.net/common/oauth2/token with this payload using C#:

    // Form fields sent to the token endpoint; values in braces are placeholders
    var payload = new Dictionary<string, string>
    {
        {"code", "{AUTH_CODE}"},
        {"state", "{STATE}"},
        {"grant_type", "authorization_code"},
        {"redirect_uri", "{REDIRECT_URI}"},
        {"client_id", "1ff78c4b-414f-44c7-834b-09bdae96f440"},
        {"client_secret", "{CLIENT_SECRET}"},
        {"resource", "https://graph.windows.net"}
    };

Everything comes back just fine and I get my OAuth token. However, when I try to curl the Graph API using the token, I get this error:

curl https://graph.windows.net/{tenant}/users?api-version=1.5 -H "Authorization: Bearer [AUTH_TOKEN]"

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

Kindly help me with the problem here.

Jul 1, 2019 in Azure by sabby
• 4,370 points
13,394 views

2 answers to this question.

0 votes

This error occurs because privileges are missing for your app, which does not allow Azure AD to read the details of users in your custom AD. This is what you can do:

1. Go to your custom AD on the Azure Portal -> click the Applications tab -> click the name of your AD application to go to its details view. On the details view, go to the Configure tab.

2. Scroll down to the bottom of the page to reach the "Permissions to other applications" section. There you will see all permissions currently assigned to the Azure AD application in the delegated permissions multi-select list box.

3. Check the boxes against "Access your organization's directory" and "Read directory data". Click Save in the bottom toolbar to save the changes.

Now try accessing your AD user details using the Graph API again. It should not give the "Insufficient privileges" error any more.

Hope this helps!!

To know more about Azure, enroll today with our Azure certification course.

Thanks!!

answered Jul 1, 2019 by Perry
• 17,100 points
0 votes

I had the same issue before, and I resolved it by:

1. Creating a new app registration with type "Accounts in this organizational directory only", since I had selected "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
2. Selecting API permissions according to the API function you're calling.
For example, to get user information it needs the permission settings below on the Azure Portal:

Permission type: Permissions (from least to most privileged)
Delegated (work or school account): User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Delegated (personal Microsoft account): User.Read, User.ReadWrite
Application: User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http

answered Sep 17, 2019 by Ju Cheh
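As an added diagnostic example (not part of either answer or of any Microsoft library): a Python script that decodes the bearer token's payload and checks, against the permission list above, whether the token actually carries a scope or app role that allows listing users, which is the quickest way to tell a missing-consent problem from a wrong-audience problem before calling the API. It assumes the Azure AD access-token layout in which delegated permissions appear as a space-separated `scp` claim and application permissions as a `roles` array; the sample token is constructed and unsigned, and the decoder deliberately does not verify signatures.

```python
import base64
import json

# Permissions that allow listing users, as given in the answer above. Delegated
# scopes show up in the token's "scp" claim, application permissions in "roles".
USER_LIST_DELEGATED = {
    "User.ReadBasic.All", "User.Read.All", "User.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
}
USER_LIST_APPLICATION = {
    "User.Read.All", "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All",
}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked:
    this inspects a token you already hold, it does not decide whether to trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_user_list_access(token: str, resource: str = "https://graph.windows.net") -> list:
    """Return the reasons a GET /users call with this token would be rejected (empty if none)."""
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("aud") != resource:
        problems.append(f"aud is {claims.get('aud')!r}; token was not issued for {resource}")
    scopes = set(claims.get("scp", "").split())  # delegated permissions, space separated
    roles = set(claims.get("roles", []))         # application permissions
    if not scopes and not roles:
        problems.append("token carries neither scp nor roles: no API permissions were granted")
    elif not (scopes & USER_LIST_DELEGATED or roles & USER_LIST_APPLICATION):
        problems.append(f"scp={sorted(scopes)} roles={sorted(roles)} include no user-list permission")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed token shaped like the questioner's: right audience, but only the
    # default sign-in scope, which is what produces Authorization_RequestDenied.
    sample = make_unsigned_token({"aud": "https://graph.windows.net", "scp": "User.Read"})
    for problem in diagnose_user_list_access(sample):
        print("-", problem)
```

Run it against a real token by replacing `sample` with the value you would otherwise put in the curl Authorization header; an empty result means the token is at least shaped correctly for the call.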
