1
votes

Receiving the following error response when doing a basic Graph API POST using REQUESTS in Python:

    {
      "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
          "request-id": "36c01b2f-5c5c-438a-bd10-b3ebbc1a17c9",
          "date": "2019-04-05T22:39:37"
        }
      }
    }

Here is my token request and Graph request using REQUESTS in Python:

    import json
    import sys

    import requests

    redirect_uri = "https://smartusys.sharepoint.com"
    client_id = 'd259015e-****-4e99-****-aaad67057124'
    client_secret = '********'
    tennant_id = '15792366-ddf0-****-97cb-****'
    scope = 'https://graph.microsoft.com/.default'


    #### GET A TOKEN (client_credentials flow, no signed-in user)
    payload = "client_id="+client_id+"&scope="+scope+"&client_secret="+client_secret+"&grant_type=client_credentials"
    headers = {'content-type':'application/x-www-form-urlencoded'}

    tokenResponse = requests.post('https://login.microsoftonline.com/'+tennant_id+'/oauth2/v2.0/token',headers=headers, data=payload)

    json_tokenObject = json.loads(tokenResponse.text)
    authToken = json_tokenObject['access_token']


    #### Make a call to the graph API
    graphResponse = requests.get('https://graph.microsoft.com/v1.0/me/',headers={'Authorization':'Bearer '+authToken})
    # check the Graph response, not the token response; status_code is an int, so convert it
    if graphResponse.status_code != 200:
      print('Error code: ' + str(graphResponse.status_code))
      print(graphResponse.text)
      sys.exit()

    print('Request successful: Response: ')
    print(graphResponse.text)
    print('Press any key to continue...')
    x=input()

According to the documentation ( https://docs.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0 ) for this /me call, I need just one of the following permissions:

  • User.ReadBasic.All
  • User.Read
  • User.ReadWrite
  • User.Read.All
  • User.ReadWrite.All
  • Directory.Read.All
  • Directory.ReadWrite.All
  • Directory.AccessAsUser.All

and I have all of these on both application and delegated permissions in the azure application manager.

What am I doing wrong here? I feel like it's something small but I just can't figure this out.

I decoded my token using: http://calebb.net/ and I do not see a spot for "AUD" or "role" or "scope" so maybe that is where I am doing it wrong?

I looked everywhere and can't find a resolution, any help would be VERY much appreciated.

Thank you.

2
I like the way you documented your own research! - Stephan

2 Answers

1
votes

This sounds like you forgot to "Grant Permissions" to your application.

See this answer.

0
votes

I finally figured this out, it had to do with Admin rights that needed to be granted by the Admin for our Office 365.

It was as simple as giving my Office admin the following link and having him approve it:

https://login.microsoftonline.com/{TENNANT ID HERE}/adminconsent?client_id={CLIENT ID HERE}

Instantly worked.
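The question mentions decoding the token and not finding `aud`, `roles` or `scp`, and the accepted fix is admin consent. The following is an added example (not code from the question or either answer) that inspects a Graph access token's claims offline and reports which case it is in: `scp` means delegated permissions, `roles` means application permissions that only appear after admin consent, and neither means the client_credentials token has nothing consented yet. The sample tokens are constructed and unsigned; the client id value is a placeholder. The Graph application id used as an alternate `aud` value is Microsoft Graph's well-known id.

```python
import base64
import json

GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}  # Graph's application id

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing (not a real token)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    Fine for looking at your own token while debugging; never use it to trust one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_graph_token(token: str) -> dict:
    """Classify what a Graph token can do from its claims.
    scp     = delegated permissions (a user signed in)
    roles   = application permissions, present only after admin consent
    neither = client_credentials token with nothing consented, which Graph
              answers with Authorization_RequestDenied"""
    claims = decode_jwt_claims(token)
    scopes = claims["scp"].split() if "scp" in claims else []
    roles = list(claims.get("roles", []))
    kind = "delegated" if scopes else ("application" if roles else "no_permissions")
    return {
        "kind": kind,
        "audience_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "scopes": scopes,
        "roles": roles,
        # /me means "the signed-in user", so it only makes sense with a delegated token
        "me_endpoint_usable": kind == "delegated",
    }

# Constructed sample: a client_credentials token before admin consent ...
SAMPLE_UNCONSENTED = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                        "appid": "PLACEHOLDER-CLIENT-ID"})
# ... and after User.Read.All was admin-consented as an application permission
SAMPLE_CONSENTED = make_unsigned_jwt({"aud": "https://graph.microsoft.com",
                                      "roles": ["User.Read.All"]})
```

Paste your own token's `access_token` string into `diagnose_graph_token` to see which of the three cases you are in before retrying the Graph call.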