Microsoft Graph API: 403 Forbidden error when trying to retrieve policies on tenant

sdworld · Apr 4, 2017 · Viewed 10.8k times

I'm trying to retrieve the policies created for my tenant on the Azure AD portal using the Microsoft Graph API. As I understand from the graph API documentation, all the policy CRUD operations require a scope of Directory.AccessAsUser.All.

This scope translates to the permission Access directory as the signed-in user as mentioned here - https://developer.microsoft.com/en-us/graph/docs/authorization/permission_scopes

I have been trying to configure my application on both the new Azure portal and the old one, with different failure points.

On the new portal:

I have created a Web Application in my tenant following instructions on https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal.

When configuring access control, the only subscription for my tenant is Access to Azure Active Directory and I'm not able to configure access control on this in the new portal. From the browser, when I select Access Control (IAM), I see the error - "Call to ARM failed with httpCode=BadRequest, errorCode=DisallowedOperation, message=The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription., reason=Bad Request." The "Add" roles button is disabled as well.

Can I not configure Access control on the subscription Access to Azure Active Directory? If so, is there no other way to retrieve the policies for my tenant using the API?

On the old portal:

For my app, I configured permissions for:

Microsoft Graph
Windows Azure Active Directory

I verified on the portal that both the APIs are configured with the permission Access directory as the signed-in user. Even in this case, I keep getting a 403 Forbidden when I try to access the https://graph.microsoft.com/beta/policies endpoint to list the policies on my tenant.

Here is the payload of the access token I obtained (https://login.microsoftonline.com/{my tenant name}/oauth2/token):

{
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
    "iat": 1491256764,
    "nbf": 1491256764,
    "exp": 1491260664,
    "aio": "Y2ZgYAi68q2XUTk0ykH7/TZzrhYbAA==",
    "app_displayname": "test-app",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "appidacr": "1",
    "idp": "https://sts.windows.net/8b49696d-462a-4a71-9c5c-f570b2222727/",
    "oid": "7ccea836-d389-4328-a155-67092e2805e9",
    "roles": [
        "Device.ReadWrite.All",
        "User.ReadWrite.All",
        "Directory.ReadWrite.All",
        "Group.ReadWrite.All",
        "IdentityRiskEvent.Read.All"
    ],
    "sub": "7ccea836-d389-4328-a155-67092e2805e9",
    "tid": "8b49696d-462a-4a71-9c5c-f570b2222727",
    "uti": "4fmUDNWWHkSoTn2-7gtTAA",
    "ver": "1.0"
}

Obviously the Directory.AccessAsUser.All role is missing on this token which is causing the 403 error. So either I'm missing something here or there is a bug in the API that is preventing all the permissions from being correctly configured. Greatly appreciate any help/pointers on this!

Please note:

  1. I'm only using the beta APIs because I didn't find the corresponding endpoint for policies on the v1.0 APIs and the Azure Graph API documentation recommends using the Microsoft Graph API.
  2. With the same configuration, using the Azure Graph API endpoints also returns a 403 Forbidden error for the policies endpoint (https://msdn.microsoft.com/zh-cn/library/azure/ad/graph/api/policy-operations#list-policies).

Answer

Fei Xue - MSFT · Apr 4, 2017

Based on the claims in the access token, you acquired the access token using the client credentials flow, in which the token is used to delegate the app. There is no such delegated permission for a user in this kind of token.

To get an access token with delegated permissions for users, you need to use the other flows, like the authorization code grant flow. You can refer to this link for the details.
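The token-claim check the answer describes can be done locally before calling the endpoint. The Python script below is an added example and is not code from the question, the answer, or Microsoft: it decodes a JWT payload without verifying the signature, reports whether the token is app-only (client credentials flow, permissions in the roles claim) or delegated (permissions in the scp claim), and checks whether Directory.AccessAsUser.All is present. Both sample tokens are constructed inline: the first reuses the claims posted in the question, the second is an invented delegated token with placeholder user identifiers. The helper names and the "no scp claim means app-only" heuristic are the example's own assumptions.

```python
import base64
import json

# Delegated scope the question says the policy endpoints require.
REQUIRED_SCOPE = "Directory.AccessAsUser.All"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims. The signature is NOT verified: this is for
    local troubleshooting of a token you already hold, not for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, required_scope: str = REQUIRED_SCOPE) -> dict:
    """Classify the token and check for the delegated scope.

    Heuristic used here (assumption): Azure AD places delegated permissions in
    the 'scp' claim and application permissions in the 'roles' claim, so a token
    with no 'scp' claim was issued to the app itself (client credentials flow).
    """
    claims = decode_jwt_payload(token)
    scopes = set(claims["scp"].split()) if claims.get("scp") else set()
    roles = sorted(claims.get("roles", []))
    flow = "delegated" if "scp" in claims else "app-only"
    has_scope = required_scope in scopes
    if flow == "app-only":
        verdict = (f"app-only token (appid {claims.get('appid')}); {required_scope} is a "
                   "delegated permission and can only appear in 'scp' of a token obtained "
                   "on behalf of a signed-in user, e.g. via the authorization code flow")
    elif not has_scope:
        verdict = f"delegated token, but {required_scope} was not granted or consented"
    else:
        verdict = "token carries the required delegated scope"
    return {"flow": flow, "aud": claims.get("aud"), "roles": roles,
            "scopes": sorted(scopes), "has_required_scope": has_scope,
            "verdict": verdict}


# Constructed sample 1: the claims posted in the question (roles, no scp).
APP_ONLY_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "appidacr": "1",
    "oid": "7ccea836-d389-4328-a155-67092e2805e9",
    "sub": "7ccea836-d389-4328-a155-67092e2805e9",
    "tid": "8b49696d-462a-4a71-9c5c-f570b2222727",
    "roles": ["Device.ReadWrite.All", "User.ReadWrite.All", "Directory.ReadWrite.All",
              "Group.ReadWrite.All", "IdentityRiskEvent.Read.All"],
})

# Constructed sample 2: an invented delegated token of the kind the
# authorization code flow yields (scp claim; user identifiers are placeholders).
DELEGATED_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": "951bb92d-5b68-45ae-bb8b-d768b2696ccc",
    "appidacr": "1",
    "oid": "00000000-0000-0000-0000-000000000001",
    "sub": "placeholder-pairwise-subject",
    "tid": "8b49696d-462a-4a71-9c5c-f570b2222727",
    "upn": "user@example.com",
    "scp": "Directory.AccessAsUser.All User.Read",
})

if __name__ == "__main__":
    for name, tok in (("question's token", APP_ONLY_TOKEN),
                      ("delegated token", DELEGATED_TOKEN)):
        print(name, json.dumps(diagnose(tok), indent=2))
```

Run as is to see both verdicts; to check a real token, pass the bearer string you obtained to diagnose(). The script deliberately skips signature verification, so it is a debugging aid for a token you already hold, not a replacement for the resource server's own validation.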