0 votes

What are the permissions needed for a Service Principal to call the AD Graph API "Get Objects By Object Ids":

POST https://graph.windows.net/{tenantID}/getObjectsByObjectIds?api-version=1.6

I set up an App with:

Application Permission: Read directory data.

Delegated Permissions:

Read directory data, Read and write directory data, Read all users' full profiles, Sign in and read user profile.

But I am receiving Forbidden (status code 403) while making the API call.

Also, I got the access token through this code:

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

// Azure AD v1 authority for the tenant; the resource is the Azure AD Graph endpoint.
string authority = "https://login.microsoftonline.com/" + "microsoft.com";
AuthenticationContext ac = new AuthenticationContext(authority);

// Client-credentials (app-only) flow: app ID + secret, no signed-in user.
ClientCredential cr = new ClientCredential("Appid", "Cred");
string OfficeUrl = "https://graph.windows.net";
// .Result blocks the calling thread until the token request completes.
AuthenticationResult authenticationResult = ac.AcquireTokenAsync(OfficeUrl, cr).Result;
string token = authenticationResult.AccessToken;
// string token = this.SetAuthorizationToken();

// Attach the bearer token to every request made through this HttpClient.
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
```

1 Answer

0 votes

Yes, this is correct: the permission "Read directory data" (Directory.Read.All) is required for this API. Please make sure to press the "Grant Permissions" button after adding the required permissions for the Graph API, because this permission requires admin consent.
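A way to verify the answer's point before calling the API, as an added example that is not code from the question or the answer: with the client-credentials flow the delegated permissions listed in the question play no part, and the application permission only shows up in the token's "roles" claim once it has been granted admin consent. If "roles" is missing Directory.Read.All, AAD Graph will answer 403 no matter what the portal shows. The script below decodes the token payload locally (without verifying the signature, which is the resource server's job), reports why a 403 would follow, and builds the getObjectsByObjectIds request. The tenant ID, object IDs and the unsigned demo tokens are constructed placeholders so it runs offline; the real network call is in a separate function. Azure AD Graph (graph.windows.net) has since been retired in favour of Microsoft Graph, but the same "roles" claim check applies to app-only tokens there.

```python
"""Pre-flight check for an app-only call to AAD Graph getObjectsByObjectIds.

Added example (not from the question or answer). Tenant ID, object IDs and
the demo tokens built by make_demo_token are constructed placeholders.
"""
import base64
import json
import urllib.request
from typing import Any, Dict, Iterable, List, Optional, Tuple

AAD_GRAPH_RESOURCE = "https://graph.windows.net"
REQUIRED_APP_ROLE = "Directory.Read.All"  # "Read directory data", application permission
DEMO_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Local inspection only: AAD Graph validates the signature itself, and nothing
    returned here may be used to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_app_token(token: str) -> List[str]:
    """List reasons a client-credentials token would be rejected (403) by AAD Graph."""
    claims = jwt_claims(token)
    problems: List[str] = []
    # aud may be issued with or without a trailing slash; compare normalised.
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != AAD_GRAPH_RESOURCE:
        problems.append(f"aud is {claims.get('aud')!r}; token was not issued for {AAD_GRAPH_RESOURCE}")
    if "scp" in claims:
        problems.append("token carries 'scp' (delegated scopes); app-only tokens carry 'roles' instead")
    if REQUIRED_APP_ROLE not in claims.get("roles", []):
        problems.append(
            f"'roles' lacks {REQUIRED_APP_ROLE}: the application permission was not "
            "granted, or admin consent ('Grant Permissions') was never given"
        )
    return problems


def build_get_objects_request(tenant_id: str, object_ids: Iterable[str],
                              types: Optional[Iterable[str]] = None) -> Tuple[str, Dict[str, Any]]:
    """Build URL and JSON body for POST .../getObjectsByObjectIds?api-version=1.6."""
    url = f"{AAD_GRAPH_RESOURCE}/{tenant_id}/getObjectsByObjectIds?api-version=1.6"
    body: Dict[str, Any] = {"objectIds": list(object_ids)}
    if types is not None:
        body["types"] = list(types)  # e.g. ["user", "group"]; omit to match any object type
    return url, body


def call_get_objects(token: str, tenant_id: str, object_ids: Iterable[str],
                     types: Optional[Iterable[str]] = None) -> Dict[str, Any]:
    """Run the pre-flight check, then perform the real call (needs network)."""
    problems = diagnose_app_token(token)
    if problems:
        raise PermissionError("token would be rejected: " + "; ".join(problems))
    url, body = build_get_objects_request(tenant_id, object_ids, types)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_demo_token(claims: Dict[str, Any]) -> str:
    """Construct an UNSIGNED demo JWT so the check can be exercised offline.

    Real tokens from login.microsoftonline.com are RS256-signed; the bogus
    signature segment here would never be accepted by a resource server.
    """
    def enc(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # What the question's ADAL code receives when the app role was added in the
    # portal but "Grant Permissions" was never pressed: no 'roles' claim at all.
    unconsented = make_demo_token({"aud": AAD_GRAPH_RESOURCE, "appid": "Appid"})
    for p in diagnose_app_token(unconsented):
        print("403 expected:", p)
    consented = make_demo_token({"aud": AAD_GRAPH_RESOURCE, "appid": "Appid",
                                 "roles": [REQUIRED_APP_ROLE]})
    print("consented token problems:", diagnose_app_token(consented))
    print(build_get_objects_request(DEMO_TENANT_ID, ["obj-1", "obj-2"], ["user"]))
```

Run it with a real token by passing the AccessToken string from the ADAL call to diagnose_app_token before making the request; an empty list means the token carries the app role and a 403 from this endpoint would need another explanation (wrong tenant in the URL, for instance).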