Insufficient privileges to add Azure AD user

1
votes

I created a console application to create an Azure AD user as follows (doc referred: https://docs.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http):

static async Task Main(string[] args)
        {
            var credential = new ClientCredential("<clientt-id>", "<client-seceret>");
            var authProvider = new HttpRequestMessageAuthenticationProvider(
                                                        credential,
                                                        "https://login.windows.net/<tenant-id>",
                                                        "https://graph.microsoft.com/");

            GraphServiceClient graphClient = new GraphServiceClient(authProvider);

            var user = new User
            {
                AccountEnabled = true,
                DisplayName = "Test User",
                MailNickname = "testuser",
                UserPrincipalName = "[email protected] ",
                PasswordProfile = "xxxxxxxxxxxx"
                OnPremisesImmutableId = "id"
            };

            await graphClient.Users
                .Request()
                .AddAsync(user);
        }

API permissions added to app are Group.ReadWrite.All and User.ReadWrite.All.

On running this code, I see the following error:

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

What am I missing?

1
c#azureazure-active-directory
Has admin consent been granted to the api permissions?Crowcoder
Yes granted permissionsuser989988
Hi, may I know if your problem was solved ? If still have problem, please let me know.Hury Shen

1 Answers

1
votes

For this problem, I summarize the points below which you need to check:

1. It seems your code use client_credentials as grant flow to do the job, so please check you have added the permissions of "Application" but not "Delegated". And don't forget grant admin consent.

enter image description here

2. If still show Authorization_RequestDenied message, please remove the permission Group.ReadWrite.All because this permission is unnecessary. And the Group permission may affect other permissions in my past tests.

3. It seems you develop the specific code in class HttpRequestMessageAuthenticationProvider, actually there is an off-the-shelf SDK avaiable for us to use. I provide my code below for your reference, the code works fine to create a user.

using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;
using System;
using System.Threading.Tasks;

namespace ConsoleApp23
{
    class Program
    {
        static async Task Main(string[] args)
        {
            Console.WriteLine("Hello World!");

            IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
                .Create("<client_id>")
                .WithTenantId("<tenant_id>")
                .WithClientSecret("<client_secret>")
                .Build();

            ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);

            GraphServiceClient graphClient = new GraphServiceClient(authProvider);

            var user = new User
            {
                AccountEnabled = true,
                DisplayName = "huryAdd",
                MailNickname = "huryAdd",
                UserPrincipalName = "[email protected]",
                PasswordProfile = new PasswordProfile
                {
                    ForceChangePasswordNextSignIn = true,
                    Password = "Password0123"
                },
                OnPremisesImmutableId = "testOnPre"
            };

            await graphClient.Users.Request().AddAsync(user);

            Console.WriteLine("====success====");
        }
    }
}

And also provide the packages installed in my project.

enter image description here

Install-Package Microsoft.Identity.Client -Version 4.16.1
Install-Package Microsoft.Graph
Install-Package Microsoft.Graph.Auth -IncludePrerelease

4. By the way, there is a blank space in the end of your UserPrincipalName. Please remove it, otherwise it will show invalid principal name.

Hope it helps~