Graph API - Insufficient privileges to complete the operation

c# azure permissions azure-active-directory azure-ad-graph-api
j9070749 picture j9070749 · Jun 2, 2017 · Viewed 53.3k times · Source

When trying to access the Graph Service Client using I am receiving the error :

Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.

After researching this error the most common solution was to set the permissions for the API. This had already been done and has permissions to read basic/full profiles.

I've delete and re-added the APIs.

Below is the code in my AzureAuthenticationProvider class which inherits from IAuthenticationProvider: 

public class AzureAuthenticationProvider : IAuthenticationProvider
{
    private string _azureDomain = "myDevDom.onmicrosoft.com";

    public async Task AuthenticateRequestAsync(HttpRequestMessage request)
    {
        try
        {
            string clientId = "2b823c67-1b0d-4a10-a9e1-737142516f5q";
            string clientSecret = "xxxxxx";

            AuthenticationContext authContext = new AuthenticationContext("https://login.windows.net/" + _azureDomain + "/oauth2/token");

            ClientCredential credentials = new ClientCredential(clientId, clientSecret);

            AuthenticationResult authResult = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", credentials);

            request.Headers.Add("Authorization", "Bearer " + authResult.AccessToken);
        }
        catch (Exception ex)
        {
        }
    }
}

I've tried changing the client secret to an invalid Id and it threw an error, so the client key is correct. I've also tried to verify that the access token is valid by altering the access token, this also returns a error.

The above code seems to work fine.

Below is the code where I'm trying to access Azure AD:

public async Task<IGraphServiceUsersCollectionPage> GetUsersByLastName(string lastname)  
{
    GraphServiceClient graphClient = new GraphServiceClient(new AzureAuthenticationProvider());
    string filter = String.Format("startswith(surname, '{0}')", lastname);
    IGraphServiceUsersCollectionPage users = await graphClient.Users.Request().Filter(filter).GetAsync(); //Fails on this line
    return users;
}

Any help is much appreciated, and thanks in advance for any help. azureADpermissionProperties

Answer

Nan Yu picture Nan Yu · Jun 2, 2017

Please refer to below steps :

  1. From your screenshot , seems you grant Read and write directory data application permission for Windows Azure Active Directory(azure ad graph api) . Since you are using microsoft graph (https://graph.microsoft.com/) , you need to grant application permission for Microsoft Graph : enter image description here

  2. Since you are admin in your AAD, You could grant permission for users in organization by click Grant permission button shown in above screenshot .

  3. Then you could use your code (client credential flow to get the token) and query users information . If you check the claims in access token issued by azure ad , you could find Directory.Read.All permission in roles claim .

Related questions

Could not load file or assembly "System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"

I've copied my project to a clean Windows 10 machine with only Visual Studio 2015 Community and SQL Server 2016 Express installed. There are no other framework versions installed apart from those installed with Windows 10 and VS2015 or SQL Server. When I try …

Read More
Microsoft Azure: How to create sub directory in a blob container

How to create a sub directory in a blob container for example, in my blob container http://veda.blob.core.windows.net/document/ If I store some files it will be http://veda.blob.core.windows.net/document/1.txt http://…

Read More
Error when connect database continuously

When I am querying from database in continuous looping, after some time I get an error : An exception has been raised that is likely due to a transient failure. If you are connecting to a SQL Azure database consider using …

Read More