2 votes

I have a question about "Authorization Request Denied - Insufficient privileges to complete the operation" message that I keep getting back from my requests to Windows Graph API.

Specifically, I'm working in Azure cloud. I have an iOS mobile app that invokes an API. I have turned on "Authentication for Active Directory" in my Portal.

Then, on the client side (iOS):

[self.todoService.client loginWithProvider:@"windowsazureactivedirectory"
                                controller:self
                                  animated:YES
                                completion:^(MSUser *user, NSError *error) {

                                    if(!error && user) {
                                        [self refresh];

                                    } 
                                }]; //loginWithProvider

So it returns a valid MSUser object. I see the web login controller appear, I sign in with my un/pw, and then it lets me access my Easy Table's data, etc.

Now, I want to invoke an Easy API that I've created in Azure called getUserData. Hence, I simply insert the invokeAPI code like this (iOS):

[self.todoService.client loginWithProvider:@"windowsazureactivedirectory"
                                controller:self
                                  animated:YES
                                completion:^(MSUser *user, NSError *error) {

                                    if(!error && user) {

                                        //NSMutableDictionary * dict = [NSMutableDictionary dictionary];
                                        //[dict setObject:@YES forKey:@"complete"];

                                        NSLog(@"%s - %@", __FUNCTION__, user);
                                        [self refresh];

                                        [self.todoService.client invokeAPI:@"getUserData"
                                                                      body:nil
                                                                HTTPMethod:@"POST"
                                                                parameters:nil
                                                                   headers:nil
                                                                completion:^(id  _Nullable result, NSHTTPURLResponse * _Nullable response, NSError * _Nullable error) {
                                                                    NSLog(@"%s - API returned response! ", __FUNCTION__);
                                                                    NSLog(@"%@", result); //TODO: user info here!! :D

                                                                }]; //invokeAPI

                                    } //if user returned from AAD login is valid

                                }]; //loginWithProvider

Everything is fine as the API is called and I can see the response data.

On the server side (Node JS), I basically do 3 things:

1st is to get the user object id from the request object:

req.azureMobile.user.getIdentity().then((data) => {
   //get user object ID
});

2nd, make a request to https://login.windows.net to get an Access Token with a username/password.

var options = {
    url: "https://login.windows.net/" + tenant_domain + "/oauth2/token?api-version=1.0",
    method: 'POST',
    form: {
        grant_type: "client_credentials",
        resource: "https://graph.windows.net",
        client_id: clientID,
        client_secret: key
    }
};

req(options, function (err, resp, body) {
    //get the result back
});

I get a whole bunch of data back including the Access Token.

3rd, make a request to https://graph.windows.net/, and provide this Access Token along with my User Object ID:

var options = {
    url: "https://graph.windows.net/" + tenant_domain + "/users/" + objectId + "?api-version=1.0",
    method: 'GET',
    headers: {
        "Authorization": "Bearer " + access_token
    }
};

This is so that I can get the user data. Now, in a separate test subscription, I set up all the basic read permissions for AAD and Graph in my AAD management. I successfully get the user's full data back like so:

user =     {
    accountEnabled = 1;
    assignedLicenses =         (
    );
    assignedPlans =         (
    );
    city = xxxxxxxxx;
    country = xxxxxxxxxx;
    department = Dev;
    dirSyncEnabled = "<null>";
    displayName = xxxxxx;
    facsimileTelephoneNumber = "<null>";
    givenName = hehe;
    jobTitle = "iOS dev";
    lastDirSyncTime = "<null>";
    mail = "<null>";
    mailNickname = "xxxxxxxxxx.com#EXT#";
    mobile = "+xx xxx xxxx 3852";
    objectId = "xxxxxxx-2c70-4aab-b261-3b2b97dc5c50";
    objectType = User;
    "odata.metadata" = "https://graph.windows.net/xxxxxxxxxx.onmicrosoft.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element";
    "odata.type" = "Microsoft.WindowsAzure.ActiveDirectory.User";
    otherMails =         (
        "[email protected]"
    );
...etc
}

However, in another subscription, I did the exact same steps. Even going as far as checking all the permissions like so:

[screenshot of the configured AAD and Graph permissions]

I keep getting an "Authorization Request Denied, Insufficient privileges" message. The error is null so I know everything else went through correctly.

I can't figure out why because everything processes through and I checked all of my AAD and Graph permissions.

log result:

-----body------

'{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}'

Thanks for any help, and appreciate everyone's time

1
Normally I have seen this error when the user account gets added as a Guest instead of a Member. Can you check if that's the case here with this particular Azure AD? You would need to use Azure AD PowerShell Cmdlets for that. - Gaurav Mantri

ok, I'll check if the un/pw I used to sign in for this particular Azure AD is a Guest or Member when Monday rolls around and update you. - rtsao

hi Gaurav, in order to get the permissions working for the apps, you must be a global admin. I tried it with 3 different types: billing admin, service admin, User. None of which works. - rtsao
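The three server-side steps from the question, as an added example that is not the question's own code: it builds the same two requests and then interprets the Graph reply, which shows why `err` comes back null on the failing subscription (the `request` callback only sets `err` for transport failures; an authorization failure is an HTTP 403 whose body carries the `odata.error` object). The function names, the sample bodies and the placeholder tenant, client and object ids are constructed for this example.

```javascript
// Added example; not code from the question or from Azure Mobile Apps.

// Constructed sample bodies: the denied body is the one logged in the question,
// the user body is a minimal stand-in for a successful /users/{objectId} reply.
const SAMPLE_DENIED_BODY =
  '{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}';
const SAMPLE_USER_BODY = JSON.stringify({
  'odata.type': 'Microsoft.WindowsAzure.ActiveDirectory.User',
  objectId: '00000000-0000-0000-0000-000000000000', // placeholder, not a real id
  displayName: 'Example User',
  accountEnabled: true,
});

// Step 2: client-credentials token request to the v1 endpoint (same shape as the question).
function buildTokenRequest(tenantDomain, clientId, clientSecret) {
  return {
    url: 'https://login.windows.net/' + tenantDomain + '/oauth2/token?api-version=1.0',
    method: 'POST',
    form: {
      grant_type: 'client_credentials',
      resource: 'https://graph.windows.net',
      client_id: clientId,
      client_secret: clientSecret,
    },
  };
}

// Step 3: Graph user lookup by object id, token sent as a bearer header.
function buildUserRequest(tenantDomain, objectId, accessToken) {
  return {
    url: 'https://graph.windows.net/' + tenantDomain + '/users/' + encodeURIComponent(objectId) + '?api-version=1.0',
    method: 'GET',
    headers: { Authorization: 'Bearer ' + accessToken },
  };
}

// Interpret (statusCode, body) from the Graph call. An odata.error body means the
// token was accepted by the endpoint but the caller lacks the directory permission;
// that is what the question's log shows, with err === null.
function parseGraphResponse(statusCode, body) {
  let json;
  try { json = JSON.parse(body); } catch (e) { return { ok: false, status: statusCode, code: 'InvalidJson', message: String(e) }; }
  if (json['odata.error']) {
    const err = json['odata.error'];
    return { ok: false, status: statusCode, code: err.code, message: err.message && err.message.value };
  }
  if (statusCode !== 200) return { ok: false, status: statusCode, code: 'UnexpectedStatus', message: body.slice(0, 200) };
  return { ok: true, status: statusCode, user: json };
}
```

In the real handler, pass `resp.statusCode` and `body` from the `request` callback into `parseGraphResponse` and branch on `code` instead of assuming a null `err` means success.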

1 Answer

2 votes

You can try to upgrade the role of the AD application you use to an administrator permission. Run the following commands in PowerShell:

Connect-MsolService
$ClientIdWebApp = '{your_AD_application_client_id}'
$webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp
# use Add-MsolRoleMember to add it to the "Company Administrator" role
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId