11
votes

I have set up an Azure AD application that I want to use with my web application. I have obtained an oAuth token using the following steps:

First I requested my authorization code:

https://login.windows.net/common/oauth2/authorize?redirect_uri={REDIRECT_URI}&client_id={CLIENT_ID}&response_type=code&state=o365&prompt=admin_consent

This takes the user to the login.windows.net page where they must accept permissions that my application is going to use on their AD.

After that I get the oAuth Token using this endpoint https://login.windows.net/common/oauth2/token with this payload using C#:

{"code": {AUTH_CODE}},
{"state", {STATE}},
{"grant_type", "authorization_code"},
{"redirect_uri", "{REDIRECT_URI}"},
{"client_id", "1ff78c4b-414f-44c7-834b-09bdae96f440"},
{"client_secret", "{CLIENT_SECRET}"},
{"resource", "https://graph.windows.net"}

Everything comes back just fine and I get my oAuth Token. However when I try to curl the Graph API using the token I get this error

curl https://graph.windows.net/{tenant}/users?api-version=1.5 -H "Authorization: Bearer [AUTH_TOKEN]"

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

I have tried the actual domain for the {tenant}, the "me" alias and the "myorganization" alias and they all don't work. The "me" alias returns an error saying the 'users' resource doesn't exist. I am confused on what the problem is here

2
Hi Matt. What permissions does your application request? The default "sign me in and read my profile" does not allow an app to read other user's profile info, for example.Dan Kershaw - MSFT

2 Answers

11
votes

Privileges are missing for your application which is barring the azure AD to read the details of users present in your custom AD. Here is what you need to do:

Go to your custom AD on windows azure management portal -> Click applications tab -> Click on the name of your AD application to go to its details view. On the details view go to configure tab.

Now scroll down to the bottom of the page to reach "permissions to other applications" section. There you will see all permissions currently assigned to "Windows Azure Active Directory" application in delegated permissions multi-select list box as shown below:

Application access rights for Azure AD

Check the box against "Access your organization's directory" and "Read directory data". Click save in bottom tool bar to save the changes. Save button appears automatically as soon as you make any changes on the page. Save button is not visible in the screenshot above as I had already saved the changes when I took the screenshot.

Now try again accessing your AD user details using graph API. It should not give the "Insufficient privileges" error any more. Hope this helps!

2
votes

In my case, I had to delete the Azure AD App Registrations that I created in the New Portal and re-create them in the Classic Portal. After doing this, the "insufficient privileges" error went away and everything worked fine.

As a prerequisite, make sure you are added as a co-admin to your subscription from the classic portal as well, otherwise Azure won't even let you into the Classic Portal anymore.

Seems like Microsoft still has some issues to hammer out with the New Portal...