
I am trying to add a role to the user as shown below:

    // Imports needed by the methods below (org.json supplies JSONObject; AppParameter and
    // OfficeException are the application's own classes and are not shown here).
    import java.io.*;
    import java.net.*;
    import org.json.JSONObject;

    /**
     * Passing values to the addUserToGroup method.
     */
    addUserToGroup("e5911e4e-3d44-448c-bb42-dd6d51855cd4", "d405c6df-0af8-4e3b-95e4-4d06e542189e", "role");

    private static String addUserToGroup(
            String userId,
            String groupId,
            String objectName) throws OfficeException {

        String newKey = null;

        /**
         * Set up the JSON body.
         */
        JSONObject jsonObj = new JSONObject();

        // Link to the directory object (the user) that will be added as a member.
        String objectLink = String.format("https://%s/%s/directoryObjects/%s",
                AppParameter.getProtectedResourceHostName(),
                AppParameter.getTenantContextId(),
                userId);

        try {
            jsonObj.put("url", objectLink);

            /**
             * Convert the JSON object into a string.
             */
            String data = jsonObj.toString();

            if (objectName.equals("roledelete")) {
                // No request is sent for "roledelete" in this version of the code.
            } else if (objectName.equals("role")) {
                newKey = handlRequestPostJSON(
                        String.format("/%ss/%s/$links/members", objectName, groupId),
                        null,
                        data,
                        "addUserToGroup");
            }

            return newKey;

        } catch (Exception e) {
            throw new OfficeException(AppParameter.ErrorCreatingJSON, e.getMessage(), e, null);
        }
    }

    /** handlRequestPostJSON method **/

    public static String handlRequestPostJSON(String path, String queryOption, String data, String opName) {

        URL url = null;
        HttpURLConnection conn = null;
        OutputStreamWriter wr = null;
        BufferedReader rd = null;
        String queryOptionAdd = "";
        String apiVersion = AppParameter.getDataContractVersion();

        try {
            /**
             * Form the request URI by specifying the individual components of the URI.
             */
            if (queryOption == null) {
                queryOptionAdd = apiVersion;
            } else {
                queryOptionAdd = queryOption + "&" + apiVersion;
            }

            URI uri = new URI(
                    AppParameter.PROTOCOL_NAME,
                    AppParameter.getRestServiceHost(),
                    "/" + AppParameter.getTenantContextId() + path,
                    queryOptionAdd,
                    null);

            /**
             * Open a URL connection.
             */
            url = uri.toURL();
            conn = (HttpURLConnection) url.openConnection();

            /**
             * Set method to POST (DELETE when removing a role member).
             */
            conn.setRequestMethod("POST");

            if (opName.equalsIgnoreCase("roledelete")) {
                conn.setRequestMethod("DELETE");
            }

            /**
             * Set the appropriate request header fields.
             */
            conn.setRequestProperty(AppParameter.AUTHORIZATION_HEADER, AppParameter.getAccessToken());
            conn.setRequestProperty("Accept", "application/json");

            /**
             * Creating a user, updating a user and adding a user to a group/role all
             * send a JSON body, so the content type is application/json.
             */
            if (opName.equalsIgnoreCase("createUser")
                    || opName.equalsIgnoreCase("updateUser")
                    || opName.equalsIgnoreCase("addUserToGroup")) {
                conn.setRequestProperty("Content-Type", "application/json");
            }

            /**
             * Updating a user needs a PATCH request, not a POST request. HttpURLConnection
             * cannot send PATCH, so the X-HTTP-Method header marks this POST as a PATCH.
             */
            if (opName.equalsIgnoreCase("updateUser")) {
                conn.setRequestProperty("X-HTTP-Method", "PATCH");
            }

            /**
             * Send the HTTP message payload to the server.
             */
            conn.setDoOutput(true);
            wr = new OutputStreamWriter(conn.getOutputStream(), "UTF-8");
            wr.write(data);
            wr.flush();

            /**
             * Read the response body from the server. A non-2xx status makes
             * getInputStream() throw, which is handled in the catch block below.
             */
            rd = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
            StringBuilder response = new StringBuilder();
            String line;
            while ((line = rd.readLine()) != null) {
                response.append(line);
            }

            int responseCode = conn.getResponseCode();
            System.out.println("Response Code: " + responseCode);

            return Integer.toString(responseCode);

        } catch (Exception e2) {

            if (conn == null) {
                // The URI could not be built or the connection never opened,
                // so there is no server response to read.
                e2.printStackTrace();
                return null;
            }

            try {
                int responseCode = conn.getResponseCode();
                System.out.println("Response Code: " + responseCode);
            } catch (IOException e1) {
                e1.printStackTrace();
            }

            /**
             * Read the error stream. It is null when the failure happened before
             * any response arrived, so guard against that before reading.
             */
            StringBuilder stringBuf = new StringBuilder();
            InputStream errorStream = conn.getErrorStream();
            if (errorStream != null) {
                try (BufferedReader reader = new BufferedReader(new InputStreamReader(errorStream, "UTF-8"))) {
                    String inputLine;
                    while ((inputLine = reader.readLine()) != null) {
                        stringBuf.append(inputLine);
                    }
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            String response = stringBuf.toString();
            System.out.println(response);
            return response;

        } finally {
            /**
             * Close the streams whether the request succeeded or failed.
             */
            try {
                if (wr != null) wr.close();
                if (rd != null) rd.close();
            } catch (IOException ignored) {
                // Nothing more can be done if closing fails.
            }
        }
    }

It is showing the error as follows:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"05318157-1c3b-4410-9be5-ce6c6246514c","date":"2016-11-23T04:27:53"}}

Please help me. Thanks in advance.


2 Answers


Your application needs to be configured with the necessary permissions in AAD.

Probably the best bet is to let it access AAD with the same permissions as the signed in user, and then log on to the application as an Azure AD admin.

Check out the "permissions to other applications" tab on the application configuration in the classic Azure portal (https://manage.windowsazure.com).


To call the Azure AD Graph REST API successfully using a delegated token, two conditions should be met. First, the token must contain sufficient permissions to operate on the resource. Second, the signed-in user must have sufficient permission to operate on the resource.

For example, to add members to a group, the token needs to contain the permission Directory.ReadWrite.All, Directory.AccessAsUser.All. And the signed-in user also needs permission to operate on groups, such as a Global admin.

For more details about permissions and scopes, you can refer here.
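As an added illustration of the two conditions described in this answer, the Python below (example code written for this page, not code from the asker, from either answer, or from any Azure SDK) decodes the payload of a delegated access token to see which permissions its `scp` claim carries, compares them with the permissions named above, and parses the `odata.error` body from the question into an actionable summary. The tokens are unsigned JWTs constructed inline purely as sample input; a real token is signed and is validated by the resource server, never by inspection code like this. Treating either Directory.ReadWrite.All or Directory.AccessAsUser.All as sufficient on its own is an assumption made for the example, as is the distinction that a delegated token carries `scp` while an application token carries `roles`.

```python
import base64
import json

# Permissions the answer above lists for adding members to a group/role via the
# Azure AD Graph API. Assumption for this example: any one of them is enough.
REQUIRED_GROUP_WRITE_SCOPES = {"Directory.ReadWrite.All", "Directory.AccessAsUser.All"}


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This parses the token for diagnostics only; it does NOT verify the signature,
    so its output must never be used to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_permissions(claims: dict) -> tuple[str, set[str]]:
    """Extract the permissions an Azure AD access token carries.

    A delegated token has a space-separated 'scp' claim; an app-only token has a
    'roles' list. Returns (token_kind, permission_set).
    """
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "unknown", set()


def check_token_for_group_write(token: str) -> dict:
    """Report whether the token satisfies the first condition from the answer:
    the token itself carries a permission sufficient for the write."""
    kind, perms = token_permissions(decode_jwt_claims(token))
    granted = perms & REQUIRED_GROUP_WRITE_SCOPES
    return {
        "kind": kind,
        "granted": sorted(granted),
        "missing": sorted(REQUIRED_GROUP_WRITE_SCOPES - perms),
        "token_ok": bool(granted),
        # A delegated token never exceeds the signed-in user's own directory
        # rights, which is the second condition the answer describes.
        "also_check_user_role": kind == "delegated",
    }


def classify_graph_error(body: str) -> dict:
    """Parse an Azure AD Graph 'odata.error' body into an actionable summary."""
    err = json.loads(body).get("odata.error", {})
    code = err.get("code", "")
    hints = {
        "Authorization_RequestDenied": (
            "Authenticated but not authorized: either the token lacks a permission "
            "such as Directory.ReadWrite.All, or the signed-in user holds no directory "
            "role that allows this write. Check both before retrying."
        ),
    }
    return {
        "code": code,
        "message": err.get("message", {}).get("value", ""),
        "request_id": err.get("requestId", ""),
        "hint": hints.get(code, "Quote the message and requestId when raising a support case."),
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned (alg=none) JWT only to construct offline sample input."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens (not real tokens or tenant values).
WEAK_TOKEN = make_unsigned_jwt({"aud": "https://graph.windows.net", "scp": "User.Read"})
STRONG_TOKEN = make_unsigned_jwt({"aud": "https://graph.windows.net",
                                  "scp": "User.Read Directory.AccessAsUser.All"})

# The error body from the question, copied verbatim.
PAGE_ERROR_BODY = ('{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en",'
                   '"value":"Insufficient privileges to complete the operation."},'
                   '"requestId":"05318157-1c3b-4410-9be5-ce6c6246514c","date":"2016-11-23T04:27:53"}}')

if __name__ == "__main__":
    print(check_token_for_group_write(WEAK_TOKEN))
    print(check_token_for_group_write(STRONG_TOKEN))
    print(classify_graph_error(PAGE_ERROR_BODY))
```

Running the block shows the weak token missing both permissions and the strong token carrying Directory.AccessAsUser.All, with `also_check_user_role` set because a delegated token still depends on the signed-in user's directory role. The `requestId` and `date` in the parsed error are what Microsoft support asks for when an Authorization_RequestDenied persists after both conditions have been checked.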