1
votes

I wrote an application which should read the groups of a user. I am using ASP.NET Core. I created an application inside the Azure portal, granted all application permissions for the Graph API and clicked on the Grant permission button. Then I used some code similar to WebApp-GroupClaims-DotNet to retrieve the user's groups:

using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web.Helpers;                               // Json.Decode
using Microsoft.IdentityModel.Clients.ActiveDirectory;  // ADAL: AuthenticationContext, ClientCredential

public async Task<IEnumerable<string>> GetGroupIdsFromGraphApiAsync(string userId)
{
    var groupObjectIds = new List<string>();

    // Acquire an app-only access token (client credentials flow) for the
    // resource named in _configHelper.GraphResourceId
    var credential = new ClientCredential(_configHelper.ClientId, _configHelper.AppKey);
    var authContext = new AuthenticationContext(_configHelper.Authority);
    var result = await authContext.AcquireTokenAsync(_configHelper.GraphResourceId, credential);
    var accessToken = result.AccessToken;

    // getMemberGroups is an Azure AD Graph action; the resource id is part of the URL
    var requestUrl =
        $"{_configHelper.GraphResourceId}/{_configHelper.Domain}/users/{userId}/getMemberGroups?api-version=1.6";

    // Prepare and make the POST request (HttpClient is normally a shared instance;
    // a new one per call is kept here to match the original sample)
    var client = new HttpClient();
    var request = new HttpRequestMessage(HttpMethod.Post, requestUrl);
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    var content = new StringContent("{\"securityEnabledOnly\":false}");
    content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
    request.Content = content;
    var response = await client.SendAsync(request);

    // Endpoint returns JSON with an array of group object ids in "value"
    if (response.IsSuccessStatusCode)
    {
        var responseContent = await response.Content.ReadAsStringAsync();
        var groupsResult = (Json.Decode(responseContent)).value;

        foreach (string groupObjectId in groupsResult)
            groupObjectIds.Add(groupObjectId);
    }
    else
    {
        // Surface the OData error body (e.g. Authorization_RequestDenied) to the caller
        var responseContent = await response.Content.ReadAsStringAsync();
        throw new WebException(responseContent);
    }

    return groupObjectIds;
}

Unfortunately I always get the following response:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

Is there no way for an application to query the AD for this information?

1
What is the value of _configHelper.GraphResourceId? It seems you are using the Azure AD Graph API; did you grant permission for Windows Azure Active Directory (Azure AD Graph API) in the Azure portal? - Nan Yu
_configHelper.GraphResourceId is https://graph.windows.net - david
So in the Azure portal, which one did you grant permission to? Azure Active Directory or Microsoft Graph? And which application permission? - Nan Yu
I added Microsoft Graph application permissions, but now after adding Azure Active Directory permissions it works ... Why is that? I thought using graph.windows.net would map to Microsoft Graph, not AAD ... - david
Please see my answer. - Nan Yu

1 Answer

3
votes

According to your code, you are making Azure AD Graph API calls, so you need to grant permission for Windows Azure Active Directory (Azure AD Graph API).

https://graph.windows.net is the endpoint for the Azure AD Graph API; in the Azure portal its name is Windows Azure Active Directory. https://graph.microsoft.com is the endpoint for the Microsoft Graph API; in the Azure portal its name is Microsoft Graph.
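The mismatch the answer describes is visible in the access token itself before any directory call is made: an app-only token is bound to one audience (`aud`), and the application permissions granted for that API appear in its `roles` claim, so permissions granted under the other API never show up in it. The following is an added example, not code from the question, the answer or the WebApp-GroupClaims-DotNet sample; it inspects the token returned by `AcquireTokenAsync` (here a constructed, unsigned token with hypothetical issuer and role values) and reports whether the audience matches the resource the code is about to call and whether any application permission is present. The resource-to-portal-name mapping is taken from the answer above; `System.IdentityModel.Tokens.Jwt` is assumed to be referenced.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;

// Added example: diagnose "Insufficient privileges" before calling the directory
// by checking the audience and application roles of the token we just acquired.
public static class GraphTokenCheck
{
    // Resource identifier -> API name shown under the app's permissions in the Azure portal
    // (from the answer above).
    private static readonly Dictionary<string, string> PortalApiName =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
    {
        ["https://graph.windows.net"]   = "Windows Azure Active Directory",
        ["https://graph.microsoft.com"] = "Microsoft Graph",
    };

    public sealed class Result
    {
        public bool AudienceMatches { get; set; }
        public IReadOnlyList<string> Roles { get; set; } = Array.Empty<string>();
        public string Hint { get; set; } = "";
    }

    // Reads the JWT without validating its signature: this is our own freshly acquired
    // token and the check is a diagnostic, not an authorization decision.
    public static Result Inspect(string accessToken, string expectedResource)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        var expected = expectedResource.TrimEnd('/');

        var audienceOk = jwt.Audiences.Any(a =>
            a.TrimEnd('/').Equals(expected, StringComparison.OrdinalIgnoreCase));

        // App-only tokens carry granted application permissions as "roles" claims.
        var roles = jwt.Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToList();

        var result = new Result { AudienceMatches = audienceOk, Roles = roles };

        if (!audienceOk)
            result.Hint = $"Token audience is '{string.Join(",", jwt.Audiences)}' " +
                          $"but the call targets '{expected}'.";
        else if (roles.Count == 0)
            result.Hint = PortalApiName.TryGetValue(expected, out var api)
                ? $"No application permission in token: grant one under '{api}' and click Grant permission."
                : "No application permission ('roles' claim) in token.";
        else
            result.Hint = "Token is for the expected resource and carries application permissions.";

        return result;
    }

    // Stand-alone demo with a constructed, unsigned token (hypothetical tenant id and role).
    public static void Main()
    {
        var handler = new JwtSecurityTokenHandler();
        var token = handler.WriteToken(new JwtSecurityToken(
            issuer: "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
            audience: "https://graph.windows.net",
            claims: new[] { new Claim("roles", "Directory.Read.All") },
            expires: DateTime.UtcNow.AddHours(1)));

        // Same resource as the question's _configHelper.GraphResourceId: audience matches.
        Console.WriteLine(Inspect(token, "https://graph.windows.net").Hint);

        // Calling Microsoft Graph with an Azure AD Graph token: audience mismatch is reported.
        Console.WriteLine(Inspect(token, "https://graph.microsoft.com").Hint);
    }
}
```

Run this once with the real token from the question's `result.AccessToken` and the configured `GraphResourceId`; an empty `Roles` list with a matching audience is exactly the state the question was in, with permissions granted under the wrong API in the portal.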