I am getting "Insufficient Privileges" error when trying to access Azure Graph APIs.

0 votes

I have set up an Azure AD application as a web app. I have obtained an OAuth token using the following steps:

1. Request authorization code:


2. Get the OAuth token from this endpoint, https://login.windows.net/common/oauth2/token, with this payload (C#):

{"code", "{AUTH_CODE}"},
{"state", "{STATE}"},
{"grant_type", "authorization_code"},
{"redirect_uri", "{REDIRECT_URI}"},
{"client_id", "1ff78c4b-414f-44c7-834b-09bdae96f440"},
{"client_secret", "{CLIENT_SECRET}"},
{"resource", "https://graph.windows.net"}

Everything comes back just fine and I get my OAuth token. However, when I try to curl the Graph API using the token, I get this error:

curl https://graph.windows.net/{tenant}/users?api-version=1.5 -H "Authorization: Bearer [AUTH_TOKEN]"

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

Kindly help me with the problem here.

Jul 1 in Azure by sabby
• 4,350 points

2 answers to this question.

0 votes
This error is occurring because privileges are missing for your app, which is not allowing Azure AD to read the details of users in your custom AD. This is what you can do:

1. Go to your custom AD on the Azure Portal -> click the Applications tab -> click on the name of your AD application to go to its details view. On the details view, go to the Configure tab.

2. Scroll down to the bottom of the page to reach the "permissions to other applications" section. There you will see all permissions currently assigned to the Azure AD application in the delegated permissions multi-select list box.

3. Check the boxes against "Access your organization's directory" and "Read directory data". Click Save in the bottom toolbar to save the changes.

Now try accessing your AD user details using the Graph API again. It should not give the "Insufficient privileges" error any more.

Hope this helps!
answered Jul 1 by Perry
• 17,020 points
0 votes

I had the same issue before, and I resolved it by:

1. Create a new app registration with type "Accounts in this organizational directory only", since I had selected "Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
2. Select API permissions according to the API function you're calling.
For example, to get user information, it needs the permission settings below on the Azure Portal:

Permission type                          Permissions (from least to most privileged)
Delegated (work or school account)       User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Delegated (personal Microsoft account)   User.Read, User.ReadWrite
Application                              User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All


answered Sep 17 by Ju Cheh
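A local diagnostic, added here as an example and not part of either answer: before retrying the curl call from the question, decode the access token issued for https://graph.windows.net and check that its aud claim matches that resource and that its scp (delegated) or roles (application) claim carries one of the user-listing permissions from the table above. The helper make_test_token and the sample tokens are constructed for the demonstration; the decoder does not verify the signature, so it is only for inspecting your own token, never for accepting one.

```python
import base64
import json

# Permissions from the answer above that allow listing users in the directory.
# Delegated permissions appear in the token's "scp" claim (space separated),
# application permissions in its "roles" claim (a list).
DELEGATED_OK = {"User.ReadBasic.All", "User.Read.All", "User.ReadWrite.All",
                "Directory.Read.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All"}
APPLICATION_OK = {"User.Read.All", "User.ReadWrite.All",
                  "Directory.Read.All", "Directory.ReadWrite.All"}
RESOURCE = "https://graph.windows.net"  # the "resource" requested in the question's token call


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str) -> list:
    """List the reasons this token would be rejected when calling /{tenant}/users."""
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != RESOURCE:
        problems.append(f"aud is {claims.get('aud')!r}, expected {RESOURCE!r}")
    scp = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    if not (scp & DELEGATED_OK or roles & APPLICATION_OK):
        problems.append(f"no user-listing permission granted (scp={sorted(scp)}, roles={sorted(roles)})")
    return problems


def make_test_token(claims: dict) -> str:
    """Build an unsigned JWT from constructed claims, only to exercise the checks above."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed: a token carrying only User.Read, as issued before directory permissions are granted.
    weak = make_test_token({"aud": RESOURCE, "scp": "User.Read"})
    # Constructed: the same app after "Read directory data" (Directory.Read.All) was granted.
    fixed = make_test_token({"aud": RESOURCE, "scp": "User.Read Directory.Read.All"})
    print(diagnose(weak))   # one problem reported
    print(diagnose(fixed))  # []
```

Run it against a real token by passing the bearer string to diagnose(); an empty list means the remaining cause is outside the token (for example, admin consent not yet granted for the tenant).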
