0
votes

I am trying to implement oauth2 proxy with Azure Active Directory. It seems the oauth2 proxy is able to communicate with the Azure AD app, and it even authenticates most of the users from the organization, but for a few users we are not able to authenticate.

The oauth2_proxy logs say the following (internally, after authentication, the request goes to this endpoint to get the user's details: https://graph.windows.net/me?api-version=1.6, but for a few users the response looks like this):

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"{reqID}","date":"2020-08-18T15:18:33"}}

Errors:

  • Permission Denied: "" is unauthorized
  • ErrorPage 403 Permission Denied Invalid Account

Any inputs would be helpful!

PS. I tried selecting all the permissions in the Azure Active Directory app, but it didn't work.

Please provide the correlation id with the full error message. – Sruthi J

What permissions did you grant? Is it convenient to provide screenshots? Go to Azure portal > App registrations > API permissions and take a screenshot. – Carl Zhao

@CarlZhao, the issue we are facing is only for a few users from the organization; I really find it strange because the others are able to log in. If it were really an issue with permissions then the other users should also not be authenticated. The permissions available: [Azure Active Directory Graph -> User.Read.All, Group.Read.All, Directory.Read.All, Application.ReadWrite.All] [Microsoft Graph -> User.Read.All, Group.Read.All, Directory.Read.All, Application.ReadWrite.All] (for both application and delegated types). [Most of the users are able to log in with only this permission: Microsoft Graph -> User.Read] – Balram Rajput

Have you tried using Microsoft Graph to get information about the logged-in user? https://graph.microsoft.com/v1.0/me – Carl Zhao

Have you granted the AAD Graph permissions administrator consent? – Carl Zhao

1 Answer

0
votes

You need to log in to the Azure portal as an administrator, then find App registrations > select your application > API permissions, and grant administrator consent to the Graph permissions you added.


By the way, starting on June 30, 2020, Microsoft will officially no longer add any new features to the Azure AD Graph API. It is recommended that you upgrade your application to use Microsoft Graph API instead of Azure AD Graph API to access Azure Active Directory resources.
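As an added diagnostic (example code written for this thread, not taken from the question, the answer or the oauth2-proxy project): the functions below classify the odata.error body quoted in the question and inspect the aud and scp claims of the access token the proxy would present to Graph, which is one way to see why a particular user's /me call is refused while others succeed. The tokens are constructed and unsigned; aud and scp are the standard Azure AD access-token claims, and the "grant admin consent" mapping follows the answer above.

```python
import base64
import json

# Resource URIs of the two Graph APIs discussed in the thread.
AAD_GRAPH = "https://graph.windows.net"
MS_GRAPH = "https://graph.microsoft.com"

# The 403 body from the question (requestId is the question's placeholder).
SAMPLE_ERROR = ('{"odata.error":{"code":"Authorization_RequestDenied","message":'
                '{"lang":"en","value":"Insufficient privileges to complete the operation."},'
                '"requestId":"{reqID}","date":"2020-08-18T15:18:33"}}')


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Build a constructed, UNSIGNED JWT so the checks below run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + ".sig"


def decode_claims(token):
    """Decode a JWT payload without verifying the signature.
    Diagnostic use only: never make an authorization decision on this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_graph_error(body):
    """Map the odata.error body to the likely remediation."""
    code = json.loads(body).get("odata.error", {}).get("code", "unknown")
    # Authorization_RequestDenied on /me: the permission was added to the app
    # but consent for it was never granted (the answer's fix: admin consent).
    return "grant admin consent" if code == "Authorization_RequestDenied" else code


def diagnose_token(token, resource):
    """List reasons a /me call to `resource` with this token would be refused."""
    claims = decode_claims(token)
    problems = []
    if claims.get("aud", "").rstrip("/") != resource:
        problems.append("aud %r is not %s" % (claims.get("aud"), resource))
    scopes = set(claims.get("scp", "").split())
    if not scopes & {"User.Read", "User.Read.All"}:
        problems.append("no delegated User.Read scope: consent missing for this user")
    return problems


# Constructed tokens: one as issued for a consented user, one for a failing user.
GOOD_TOKEN = make_unsigned_token({"aud": AAD_GRAPH, "scp": "User.Read", "upn": "ok@example.com"})
BAD_TOKEN = make_unsigned_token({"aud": MS_GRAPH, "upn": "denied@example.com"})
```

Run diagnose_token on a real token only after decoding it from the proxy's own logs or session; the claim check is a hint for which consent is missing, not a substitute for the admin-consent grant.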