1
votes

I'm trying to do something that I think should be fairly simple using the Microsoft Graph API.

To start with, all I want to do is get a list of all the users in my organisation.

To install the Microsoft Graph SDK I followed the example here:

https://docs.microsoft.com/en-us/graph/sdks/sdk-installation

I'm using the Client credentials provider to connect to MS Graph as detailed here:

https://docs.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=CS

Then to list the users I am using the C# example from the docs as shown here:

https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=csharp

So my code looks like this:

    // Namespaces used: Microsoft.Identity.Client, Microsoft.Graph, Microsoft.Graph.Auth

    // Confidential client for the client credentials (app-only) flow
    IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithTenantId(tenantID)
        .WithClientSecret(clientSecret)
        .Build();

    ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);

    GraphServiceClient graphClient = new GraphServiceClient(authProvider);

    // Each of the three calls below fails with the error listed under ERROR MESSAGES
    var me = await graphClient.Me
        .Request()
        .GetAsync();

    var org = await graphClient.Organization
        .Request()
        .GetAsync();

    var users = await graphClient.Users
        .Request()
        .GetAsync();

ERROR MESSAGES

ME:

Server Error in '/' Application.

Code: Request_ResourceNotFound

Message: Resource '10028d9z-115c-45f9-a12b-722a4aa42c8k' does not exist or one of its queried reference-property objects are not present. Inner error: AdditionalData: request-id: aedf34aa-f548-474e-82g6-956bae321088 ClientRequestId: aklf34aa-f5r9-474e-82c4-956bae325288

ORG:

Server Error in '/' Application.

Code: Authorization_RequestDenied

Message: Insufficient privileges to complete the operation. Inner error: AdditionalData: request-id: 9xd043m9-9b58-46dc-93d8-a183b4880fz2 ClientRequestId: 9cd043c8-9b58-46hj-93d8-a183b4880fe2

USERS:

Server Error in '/' Application.

Code:Authorization_RequestDenied

Message: Insufficient privileges to complete the operation. Inner error: AdditionalData: request-id: 2a88fd01-34aa-4841-947c-c196ce885d75 ClientRequestId: 2a88fd01-34aa-4841-947c-c189ce625d75

I'm very new to Azure so I need some help understanding if I need to change my approach in my code, or configure something in Azure.

UPDATE: This is what the permissions look like. Do I need to set some other permissions on some other screen in Azure? [screenshot]

1
Did you add the Application User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All permissions on the Azure tenant? - Md Farid Uddin Kiron
I have set some permissions, but I'm not sure if they have been set correctly in the right place or are correct. I will post an update with a screenshot of the permissions. - Ayo Adesina
So you have to permit your consent on the API you have added; for that you should have a global admin credential. - Md Farid Uddin Kiron

1 Answer

3
votes

The reason /me does not work is simple. You are calling the API as an app, not on behalf of the user. So /me does not mean anything. You have to use the /users/{id} endpoint.

The other issues are caused due to lack of consent. You have required the permissions, but as can be seen from the screenshot, they have not been granted. You can remove the Delegated permissions by the way; they do not apply when calling as an app without a user.

It also seems you do not have the privileges to grant those permissions. Ask an administrator (Global admin) to consent to your permissions.
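
A diagnostic for the two causes named in the answer, added here as an example (not code from the original post or from the Graph SDK): application permissions that have actually been consented to appear in the access token's `roles` claim, and an app-only token carries no `scp` claim and no signed-in user for `/me` to resolve. The names `AppTokenCheck`, `GrantedRoles`, `IsAppOnly` and `Fake` are hypothetical, and the token payloads are constructed so the block runs offline.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class AppTokenCheck
{
    // Decode the UNVERIFIED payload of a JWT access token. Diagnostic use only:
    // validating the signature is the resource API's job, not the client's.
    static JsonElement Payload(string jwt)
    {
        string p = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        p = p.PadRight(p.Length + (4 - p.Length % 4) % 4, '=');   // restore base64 padding
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(p)));
        return doc.RootElement.Clone();
    }

    // Granted application permissions are listed in "roles"; no consent means no claim.
    public static string[] GrantedRoles(string jwt) =>
        Payload(jwt).TryGetProperty("roles", out var r)
            ? r.EnumerateArray().Select(x => x.GetString()).ToArray()
            : Array.Empty<string>();

    // Delegated permissions live in "scp"; a client-credentials token never has it.
    public static bool IsAppOnly(string jwt) => !Payload(jwt).TryGetProperty("scp", out _);

    // Builds a constructed, unsigned sample token ("e30" is base64url for "{}").
    static string Fake(string json) =>
        "e30." + Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
                 .TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";

    static void Main()
    {
        // Constructed payloads: before and after admin consent (assumed shapes).
        string noConsent = Fake("{\"aud\":\"https://graph.microsoft.com\",\"oid\":\"<service-principal-id>\"}");
        string consented = Fake("{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"User.Read.All\"]}");
        foreach (var t in new[] { noConsent, consented })
        {
            var roles = GrantedRoles(t);
            // User.Read.All is the least-privileged application permission for listing users.
            Console.WriteLine($"app-only={IsAppOnly(t)} roles=[{string.Join(",", roles)}] " +
                (roles.Contains("User.Read.All") ? "-> /users should succeed"
                                                 : "-> expect Authorization_RequestDenied"));
        }
    }
}
```

With the setup from the question, a real token to inspect can be obtained with `confidentialClientApplication.AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" }).ExecuteAsync()` and reading `AccessToken` from the result.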