0 votes

I'm trying to fetch users from Azure Active Directory using the Graph API. I've tried many ways, none of them worked, but let's stick to the simplest one - using this instruction and some app to make HTTP requests (I'm using Postman) I'm able to obtain an authorization token with no problem. After that I want to get the users list using https://graph.microsoft.com/v1.0/users, passing the token in the header. Instead of the users list I get "Insufficient privileges to complete the operation." This error message is very confusing to me because the app registration now has all possible permissions and the service account that owns this app is in the role of Global Administrator, so I believe there aren't any more privileges that this app could get.

The task of the application I'm developing is to merge user data from a few companies and display the users list on a web page hosted on the Azure account of one of them. What's even weirder for me in all of this is that for one of these domains accessing user data using the Graph API actually works, so logically the configuration isn't set correctly everywhere, but I don't really know what the difference can be that makes one of them work and the others fail with the "Insufficient privileges" error.

First you could take the access token to jwt.io and see what is in there. It should have an audience specifying the resource URI of Microsoft Graph. Scopes should define the necessary permissions. If it is missing a scope, admin consent may not have been given properly yet. - juunas

Audience points to Microsoft Graph - "aud": "graph.microsoft.com". What is the best way to check if scopes are defined correctly? - Twelve

The scp claim should contain the scopes given to your app. - juunas

Do you mean that the token should contain scp data? Because I don't see it there, in the token that works nor in the token that doesn't work. - Twelve

Maybe that is the problem here - based on the linked instruction the token response should contain a scope - but it doesn't in my case? - Twelve
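The comments above suggest inspecting the token's claims. The following is an added example (not code from the question or answer) that does that offline: it decodes the JWT payload without verifying the signature, checks that `aud` names Microsoft Graph, and reports which kind of permission claim is present. It assumes that a client-credentials (app-only) token carries application permissions in the `roles` claim, a delegated token carries them in `scp`, and that `User.Read.All` is the required application permission for listing users; the sample tokens are constructed locally and have no valid signature.

```python
import base64
import json

# Identifiers under which Microsoft Graph appears as a token audience
# (the question's token shows the bare host form "graph.microsoft.com").
GRAPH_AUDIENCES = (
    "https://graph.microsoft.com",
    "graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.
    Inspection only (same as pasting the token into jwt.io); never use an
    unverified token to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, required_app_roles=("User.Read.All",)) -> dict:
    """Summarise why a Graph call might fail with 'Insufficient privileges'."""
    claims = decode_jwt_payload(token)
    scp = claims.get("scp", "")        # delegated permissions, space-separated string
    roles = claims.get("roles", [])    # application permissions, list of strings
    return {
        "aud_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "flow": "delegated" if scp else ("app-only" if roles else "unknown"),
        # Application permissions that were requested but never granted/consented.
        "missing_roles": [r for r in required_app_roles if r not in roles],
    }


def _make_unsigned_token(claims: dict) -> str:
    # Constructed sample token for demonstration only: the signature is fake.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fakesignature"


# Constructed samples: one token with the app role granted, one with no
# permission claims at all (the shape described in the comments above).
APP_ONLY_OK = _make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
APP_ONLY_NO_PERMS = _make_unsigned_token({"aud": "graph.microsoft.com"})
```

A token with `aud_is_graph` true but an empty `roles`/`scp` pair is the classic sign that application permissions were added on the portal but admin consent was never granted, so Graph rejects the call.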

1 Answer

1 vote

As you are integrating AAD in an app-only application, as described at https://graph.microsoft.io/en-us/docs/authorization/app_only:

After you register the application, configure the application permissions that your service or daemon app requires.

So, firstly, you may check out whether you have configured the correct permission on the Azure portal.

According to your error message:

Insufficient privileges to complete the operation

And the application permissions require that your application has admin privileges. You can try to upgrade the role of the AD application you use to an administrator permission. Run the following commands in PowerShell:

# Requires the MSOnline module; prompts for tenant admin credentials.
Connect-MsolService
$ClientIdWebApp = '{your_AD_application_client_id}'
# Look up the service principal that backs the app registration.
$webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp
# Use Add-MsolRoleMember to add it to the "Company Administrator" role.
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId