Got 'Insufficient privileges to complete the operation.'. MS Graph Api

2
votes

I have an issue with the Microsoft Graph API.

  1. I have registered a new app in the Azure portal
  2. Added Application.ReadWrite.All and Application.ReadWrite.OwnedBy application permissions
  3. Click on the admin consent button

empty

After that, I'm trying to get an access token by 

POST https://login.microsoftonline.com/12fb9222-8b6e-4006-a483-a87fa44621c3/oauth2/v2.0/token
client_id=dc07d452-9ce1-4b0f-a1a6-4fb5b230a4bb
scope=https://graph.microsoft.com/.default
grant_type=client_credentials
client_secret={client_secret}

And I'm getting the token. Token looks like that:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/12fb9222-8b6e-4006-a483-a87fa44621c3/",
  "iat": 1570007742,
  "nbf": 1570007742,
  "exp": 1570011642,
  "aio": "42VgYHi/n737QYBx8DrOTW5Ft0skAQ==",
  "app_displayname": "testapp",
  "appid": "dc07d452-9ce1-4b0f-a1a6-4fb5b230a4bb",
  "appidacr": "1",
  "idp": "https://sts.windows.net/12fb9222-8b6e-4006-a483-a87fa44621c3/",
  "oid": "24d9cd08-efaf-497b-b023-920cc208400a",
  "roles": [
    "Application.ReadWrite.OwnedBy",
    "Application.ReadWrite.All",
  ],
  "sub": "24d9cd08-efaf-497b-b023-920cc208400a",
  "tid": "12fb9222-8b6e-4006-a483-a87fa44621c3",
  "uti": "f38JDx5iw0Kkp16mnZIqAA",
  "ver": "1.0",
  "xms_tcdt": 1569224302
}

After that, I'm executing 

GET https://graph.microsoft.com/beta/applications/bb4c22ea-632e-45d8-ad0f-2ba39cf399c1

And I'm getting app properties.

And finally I want to update my app properties and I'm trying execute

PATCH https://graph.microsoft.com/beta/applications/bb4c22ea-632e-45d8-ad0f-2ba39cf399c1
{
    "displayName": "displayName"
}

And I'm getting:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "1565bb72-8392-4ca7-bb20-02b40f5603bd",
      "date": "2019-10-02T09:23:57"
    }
  }
}

I'm confused. I have permissions for the API update application, but I got the error, please help.

1
azure-active-directorymicrosoft-graph-api
Okay that's definitely weird. I can't spot any mistakes in your process, the token looks like it should work. - juunas
I just have created a new application with that token, but I'm still can't update the app. - user3770960

1 Answers

0
votes

This seems like a bug, I tried with client credentials and granted Application.ReadWrite.All and Application.ReadWrite.OwnedBy permissions. I encountered the same error as yours.

Then I tried with Delegated permission with a user login, it worked. You can follow this article or just call the api with Microsoft Graph explorer.

enter image description here

Note:

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.