My Graph API URI:
https://graph.windows.net/he4g3ccc-dbc5-4625-8336-11e0e3ea8b7j/users/[email protected]?api-version=1.6
I received the error below:
"odata.error": { "code": "Authorization_RequestDenied", "message": { "lang": "en", "value": "Insufficient privileges to complete the operation." }}
Solution 1
If you receive this error when calling an API operation that needs only read permissions, you have to set the permissions in the Azure Management Portal.
– Go to Azure Management Portal and click Active Directory.
– Select your custom AD directory.
– Click Applications and select your Application.
– Click CONFIGURE and scroll down to the section ‘Permissions to other applications’.
– Grant the required Application Permissions and Delegated Permissions for Windows Azure Active Directory.
– Finally save the changes.
Solution 2
If you receive this error when calling an API operation that deletes objects or resets passwords, the application needs the admin role “Company Administrator”. Right now you can assign it only through the Windows Azure Active Directory PowerShell module. Find the service principal with Get-MsolServicePrincipal -AppPrincipalId, then use Add-MsolRoleMember to add it to the “Company Administrator” role.
# 1. Get the client ID of your web application. You can get it from the application's configuration in the Azure portal, or in PowerShell by running the command below.
Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize
# 2. Set your web app's GUID below, use it to get the service principal with Get-MsolServicePrincipal, and add it to the “Company Administrator” role with Add-MsolRoleMember.
$clientIdApp = '1a27ce25-025a-46e8-b679-1f3e560cfad4'
$webApp = Get-MsolServicePrincipal -AppPrincipalId $clientIdApp
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
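An idempotent version of the two steps above, as an added example that is not part of the original post: it adds the service principal to the role only if it is not already a member, then returns every service principal holding the role. The function name Grant-AppCompanyAdmin and the all-zero GUID are placeholders, and it assumes the MSOnline module is installed and the signed-in account can manage role membership.

```powershell
# Added example, not the original author's code.
# Grant-AppCompanyAdmin is a hypothetical helper name.
Import-Module MSOnline

function Grant-AppCompanyAdmin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [Guid]$AppPrincipalId,

        [string]$RoleName = 'Company Administrator'
    )

    # Resolve the application's service principal and the target role.
    # -ErrorAction Stop aborts before any change if either lookup fails.
    $sp   = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId -ErrorAction Stop
    $role = Get-MsolRole -RoleName $RoleName -ErrorAction Stop

    # Service principals that currently hold the role.
    $holders = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' })

    if ($holders.ObjectId -contains $sp.ObjectId) {
        Write-Verbose "$($sp.DisplayName) already holds '$RoleName'; nothing to do."
    }
    elseif ($PSCmdlet.ShouldProcess($sp.DisplayName, "Add to role '$RoleName'")) {
        Add-MsolRoleMember -RoleName $RoleName `
            -RoleMemberType ServicePrincipal `
            -RoleMemberObjectId $sp.ObjectId

        # Re-read membership so the output reflects the change.
        $holders = @(Get-MsolRoleMember -RoleObjectId $role.ObjectId |
            Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' })
    }

    # Return the service principals in the role so they can be reviewed.
    $holders | Select-Object DisplayName, ObjectId, RoleMemberType
}

Connect-MsolService

# Placeholder GUID: replace with your application's client ID.
# -WhatIf shows what would be added without changing the directory.
Grant-AppCompanyAdmin -AppPrincipalId '00000000-0000-0000-0000-000000000000' -WhatIf
```

“Company Administrator” is the MSOnline name for the Global Administrator role, so the returned list is the set of applications with full directory access and is worth reviewing after each change.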
This was really helpful. Thank you!
Thanks! To get started using PowerShell, this guide should help: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet#configure-delete-permissions-for-your-application
Solution One is for the old/classic portal. See https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet#configure-create-read-and-update-permissions-for-your-application for portal.azure.com, aka, the new portal
That link has nothing to do with solution #1 and provides no information on how to get to the configuration in question.