Question

I have set up an Azure AD application as a web app. I have obtained an oAuth token using the following steps:

1. Request authorization code:

https://login.windows.net/common/oauth2/authorize?redirect_uri={REDIRECT_URI}&client_id={CLIENT_ID}&response_type=code&state=o365&prompt=admin_consent

2. Get the oAuth Token using this endpoint https://login.windows.net/common/oauth2/token with this payload using C#:

{"code": {AUTH_CODE}},
{"state", {STATE}},
{"grant_type", "authorization_code"},
{"redirect_uri", "{REDIRECT_URI}"},
{"client_id", "1ff78c4b-414f-44c7-834b-09bdae96f440"},
{"client_secret", "{CLIENT_SECRET}"},
{"resource", "https://graph.windows.net"}

Everything comes back just fine and I get my oAuth Token. However when I try to curl the Graph API using the token I get this error

curl https://graph.windows.net/{tenant}/users?api-version=1.5 -H "Authorization: Bearer [AUTH_TOKEN]"

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

Kindly help me with the problem here.

Answer 1

This error is occurring because privileges are missing for your app which is not allowing Azure AD to read the details of users in your custom AD. This is what you can do:

1. Go to your custom AD on Azure Portal -> Click applications tab -> Click on the name of your AD application to go to its details view. On the details view go to configure tab.

2. Scroll down to the bottom of the page to reach "permissions to other applications" section. There you will see all permissions currently assigned to Azure AD application in delegated permissions multi-select list box.

3. Check the box against "Access your organization's directory" and "Read directory data". Click save in bottom tool bar to save the changes.

Now try again accessing your AD user details using graph API. It should not give the "Insufficient privileges" error any more.

Hope this helps!!

To know more about Azure, enroll today with our Azure certification course.

Thanks!!

Answer 2

I had the same issue before, and I resolved it by:

1. Create new app registration, with type: "Accounts in this organizational directory only." Since I was selected "Accounts in any organizational directory  (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)".
2. Select API permission, according to API function you're calling at. 
For example: to get user information, it need below permission setting on Azure Portal

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Delegated (personal Microsoft account)	User.Read, User.ReadWrite
Application	User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http