Getting 403: "Insufficient privileges to complete the operation." when attempting to query Graph API

1
votes

We've migrated to a new tenant where I work. As such we are trying to re-add our applications into Azure AD. We have a documented process that has worked in the past in order to add applications for our MVC and WebAPI projects. However, we've been getting errors when attempting to query the Graph API. In the example application we've used the code from here to create a custom authorize attribute that allows us to group based authentication. After debugging the /Utilities/GraphHelper.cs we've determined that the application is getting a Status Error of 403 with a message that states: "Insufficient privileges to complete the operation."

After doing a bit of research I was able to replicate the Authentication process in Fiddler.

Action Method: POST

URL: https://login.windows.net/[tennantName]/oauth2/token?api-version=1.0

Header Block: 

Content-Type: application/x-www-form-urlencoded 
Host: login.windows.net
Content-Length: 180
Expect: 100-continue 
Connection: Keep-Alive

RequestBody:

grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=[clientId]&client_secret=[urlencoded client secret]

I get back a token from this request and then attempt to query the federated directory from the graphapi again with fiddler:

Action Method: GET

URL: https://graph.windows.net/[federated domain]/directoryObjects/{group-guid}

Header Block:

Content-Type: application/json
Host: graph.windows.net
Authorization: Bearer [token from login response]

I receive and 403 response with the body:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

In Azure Active Directory, Under App Registrations for this application the manifest has been modified by a user with Company Admin Role for:

"groupMembershipClaims": "SecurityGroup", ...
"oauth2AllowImplicitFlow": true,

An Application Key was generated that is used for fetching a token to access the graph API. Under Required Permissions for Application Permissions Read directory data, and Read all hidden memberships were checked by a user with Company Admin Role.

I'm out of ideas everything should be working.

2
azureazure-active-directory
Have you verified that the privilege is added to the token by parsing the jwt token ( jwt.io )? If it isn't there you might have to reconsent for the user.Tom Glover
The graph api call is happening at the application level, a user consent should not be needed.Jd Geier
What's the roles claim in the token?Fei Xue - MSFT
How do I find that. I decoded the Token but I don't see a roles claim in the payload.Jd Geier
The access token you receive should contain the permissions that have been granted to your app for accessing the Graph API. Something like Directory.Read.All.juunas

2 Answers

2
votes

I called MSFT support for Azure, apparently there is an issue with portal.azure.com assigning permissions. I was able to resolve this by going to the classic portal and getting the permissions reassigned.

1
votes

Access that a client app has to the AAD Graph API is dependent on the permissions you have registered on your application.

Note that there is a section in the app registration process called "permissions to other applications" where you will need to specify the Graph API as a resource you want to call, and you must specify with what level of permissions you need to call that API.

Read more here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/

On your web client application’s configuration page in the Azure classic portal, set the permissions your application requires by using the drop-down menus in the Permissions to other applications control.

You can read more about the various scopes/permissions that the Graph API exposes here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes

Selecting these permissions are the first step, but it is not quite enough to actually get your app the right access it needs. The step you are missing is consent. Every application needs some level of user consent in order to access their tenant's data via the Graph API. Even if your application is doing App Only Flows (acting as a Daemon Service using the Client Credential Flow), you will still need the initial permissions to be consented to by the admin of the tenant where you want to get access to the data. This means the first time you want to use the application, you will have to trigger an interactive login experience. This process may happen 'automagically' when you use the "management.windowsazure.com" portal if you are an Admin configuring the app, since they automatically consent to the app on your behalf, however in all other scenarios you will have to follow the normal process of obtaining user consent yourself.

Once you have correctly configured your app with the right permission scopes, and have obtained consent, you should see in your access tokens 'scopes' or 'role' claims which represent the permissions your application is authorized for.

Using this knowledge, I hope you will be able to resolve the issue you are facing.