1
votes

I'm trying to use the AzureR family of R packages to interact with Outlook through the Graph API. Using Microsoft365R I have the following code:

outl <- get_business_outlook(
  tenant = tenant_id,
  app = client_id,
  password = client_secret
)

But this results in a 403 error:

Error in process_response(res, match.arg(http_status_handler), simplify) : Forbidden (HTTP 403). Failed to complete operation. Message: Insufficient privileges to complete the operation.

The app in question has the API permissions Mail.ReadWrite, Mail.ReadWriteShared, Mail.Send, Mail.Send.Shared, offline_access, openid, User.Read.

I also tried using the AzureGraph package directly like:

login <- create_graph_login(
  tenant = tenant_id,
  app = client_id,
  password = client_secret
)

This works and I get a token. I then try to extract user information with me <- login$get_user(), but this throws the same 403 error as above. I suspect there is something I need to do to actually authenticate the user, but I can't really figure out what.

I am entirely new to the Graph API so it's very possible that I have missed something obvious. Any help appreciated!

1
Check your access token by putting it in jwt.ms and see if you have the 'scp' claim with all the above permissions that you have mentioned. – Shiva Keshav Varma
@ShivaKeshavVarma Hi, there is no such information in the access token. – Wiktor Gustafsson
There should be permissions in the accessToken, using the 'scp' claim only it will understand whether you are authorized or not and it's required to call Graph API. See docs.microsoft.com/en-us/graph/auth/auth-concepts – Shiva Keshav Varma
I clearly have access to the app since I have the secret and got a token back, but I guess what I don't understand is how I authorize myself. When creating the login I try to specify scopes but then I just get an error that says "scope is not valid". – Wiktor Gustafsson
Yes, that's what @ShivaKeshavVarma is telling above. If you want to access the protected resource (say, Microsoft Graph), then you need to get the token with required permissions/scopes. Just to isolate the issue, you can use Microsoft Graph Explorer, log in as the same user, call the same Graph API call and it will work for you. You can copy the token, validate the same with jwt.ms (or you may want to compare the same against yours)...!! – Dev

1 Answer

2
votes

Microsoft365R/AzureGraph author here. In the code you show, both with get_business_onedrive() and create_graph_login(), you are authenticating as the app, not as the user. This means that there is no user account involved, hence you're unable to view user details or send email.

To authenticate as the user, run

# Microsoft365R
get_business_outlook("tenant_id", app="client_id")

# AzureGraph
create_graph_login("tenant_id", app="client_id")

i.e., without the password argument. You should know it's working if R opens up a browser window for you to log in to Azure (or to show it's successfully logged in).

The latest revision of the AzureAuth package has a vignette that explains a bit more on the various authentication scenarios. AzureAuth::get_azure_token is the underlying function used to obtain an OAuth token by Microsoft365R and AzureGraph, and you can pass down the arguments mentioned in the vignette from get_business_outlook and create_graph_login.
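The `scp` check suggested in the comments can also be run from R. The following is an added example, not code from the question, the answer or the Microsoft365R/AzureGraph packages: it decodes an access token's payload and reports whether the token is app-only or delegated, and which of the scopes you need are missing. The helper names and both sample tokens are constructed for illustration, and the token signature is not verified.

```r
library(jsonlite)

# Decode the payload (middle segment) of a compact JWT. Inspection only:
# the signature is NOT verified here.
jwt_payload <- function(jwt) {
  parts <- strsplit(jwt, ".", fixed = TRUE)[[1]]
  if (length(parts) != 3) stop("expected 3 dot-separated JWT segments")
  b64 <- chartr("-_", "+/", parts[2])                     # base64url -> base64
  b64 <- paste0(b64, strrep("=", (4 - nchar(b64) %% 4) %% 4))  # restore padding
  fromJSON(rawToChar(base64_dec(b64)))
}

# Delegated (user) tokens carry a space-separated 'scp' claim; app-only tokens
# obtained with a client secret carry 'roles' (application permissions) or neither.
check_graph_token <- function(jwt, needed) {
  p <- jwt_payload(jwt)
  scopes <- if (is.null(p$scp)) character(0) else strsplit(p$scp, " ", fixed = TRUE)[[1]]
  list(
    kind    = if (length(scopes)) "delegated (user)" else "app-only",
    roles   = if (is.null(p$roles)) character(0) else p$roles,
    missing = setdiff(needed, scopes)
  )
}

# Hypothetical helper that builds an unsigned, constructed token for the demo.
make_jwt <- function(claims) {
  enc <- function(x) {
    b <- base64_enc(charToRaw(unclass(toJSON(x, auto_unbox = TRUE))))
    sub("=+$", "", chartr("+/", "-_", gsub("\n", "", b, fixed = TRUE)))
  }
  paste(enc(list(alg = "none", typ = "JWT")), enc(claims), "constructed", sep = ".")
}

needed <- c("Mail.ReadWrite", "Mail.Send", "User.Read")

# Constructed sample 1: token shaped like one obtained with password = client_secret
app_token <- make_jwt(list(aud = "https://graph.microsoft.com"))
# Constructed sample 2: token shaped like one obtained by signing in as a user
user_token <- make_jwt(list(aud = "https://graph.microsoft.com",
                            scp = "Mail.ReadWrite Mail.Send User.Read"))

str(check_graph_token(app_token, needed))
str(check_graph_token(user_token, needed))
```

To check a real login, pass the raw access token string in place of the constructed samples.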