Wednesday, 20 January 2016

Graph API: Insufficient privileges to complete the operation

I have created an Azure AD application and used it in my own application to connect to the Azure AD Graph API. When I call the update Graph API to reset the password of a cloud AD user, I receive the error 'Insufficient privileges to complete the operation'.

My Graph API URI:

https://graph.windows.net/he4g3ccc-dbc5-4625-8336-11e0e3ea8b7j/users/myuser@mts.onmicrosoft.com?api-version=1.6

The response was the following error:

{
  "odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {
      "lang": "en",
      "value": "Insufficient privileges to complete the operation."
    }
  }
}

Solution 1:

If you are receiving this error when you call an API that needs only read permissions, you have to grant those permissions to the application in the Azure Management Portal.

- Go to Azure Management Portal and click Active Directory.
- Select your custom AD directory.
- Click Applications and select your Application.
- Click CONFIGURE and scroll down to the section 'Permissions to other applications'.
- Provide required Application Permissions and Delegated Permissions for Windows Azure Active Directory.
- Finally save the changes.

Solution 2:

If you are receiving this error when you call an API that performs delete or reset password operations, the calling application requires the admin role "Company Administrator". Right now you can grant this only through the Windows Azure Active Directory PowerShell module. Find the service principal using Get-MsolServicePrincipal -AppPrincipalId and then use Add-MsolRoleMember to add it to the "Company Administrator" role.

# 0. Sign in to the tenant with an account that can assign roles.
Connect-MsolService

# 1. Get the client id (AppPrincipalId) of your web application. You can read it
#    from the Azure portal (web app > Configuration), or list it in PowerShell:
Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize

# 2. Put your web app's client id here, look up its service principal, and use
#    Add-MsolRoleMember to add it to the "Company Administrator" role.
$clientIdApp = '1a27ce25-025a-46e8-b679-1f3e560cfad4'
$webApp = Get-MsolServicePrincipal -AppPrincipalId $clientIdApp

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
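The grant above makes the application a tenant-wide administrator, so it is worth checking whether the role is already held and seeing which other service principals hold it. The script below is an added example, not part of the original post; it assumes the MSOnline module and an interactive Connect-MsolService sign-in, and the client id value is a placeholder you replace with your own app's AppPrincipalId.

```powershell
# Added example: idempotent role grant plus a review of every service principal
# that holds "Company Administrator". Assumes the MSOnline module is installed.
$clientIdApp = '00000000-0000-0000-0000-000000000000'   # placeholder: your app's AppPrincipalId
$roleName    = 'Company Administrator'

Connect-MsolService

# Resolve the service principal for the application; fail early if it is missing.
$webApp = Get-MsolServicePrincipal -AppPrincipalId $clientIdApp
if (-not $webApp) {
    throw "No service principal found for AppPrincipalId $clientIdApp"
}

# Resolve the role and its current members.
$role    = Get-MsolRole -RoleName $roleName
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

# Only add the membership when it does not already exist.
$alreadyMember = $members | Where-Object { $_.ObjectId -eq $webApp.ObjectId }
if ($alreadyMember) {
    Write-Host "$($webApp.DisplayName) is already a member of '$roleName'; nothing to do."
} else {
    Add-MsolRoleMember -RoleName $roleName `
                       -RoleMemberType ServicePrincipal `
                       -RoleMemberObjectId $webApp.ObjectId
    Write-Host "Added $($webApp.DisplayName) to '$roleName'."
}

# Every service principal in this role can manage the whole tenant. Review the
# list after each grant and use Remove-MsolRoleMember for entries that no longer
# need it.
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' } |
    Select-Object DisplayName, ObjectId, EmailAddress |
    Format-Table -AutoSize
```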
