
I used Graph Explorer -> logged in with Global administrator -> Modify Permissions -> chose User.ReadWriteAll, Group.ReadWriteAll, Directory.AccessAsUser.All, then selected "access to your entire organization" and logged in again with Global administrator. I get the error below.

Selected user account does not exist in tenant 'Microsoft' and cannot access the application 'de8bc8b5-d9f9-48b1-a8ad-b748da725064' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account.

How can I add permissions to global administrator user?

  • Your account is a global admin in tenant `Microsoft` or another tenant? – Joy Wang Dec 18 '18 at 05:40
  • The domain name is infy3842outlook.onmicrosoft.com of the default directory. The user is Global administrator. Could you please let me know what you mean by Microsoft or other tenant? – Ashwinee Vaishampayan Dec 18 '18 at 05:44
  • Your account is a global admin of `infy3842outlook` tenant? Were you accessing the application in `infy3842outlook`? If so, I think you do not need to grant permissions. – Joy Wang Dec 18 '18 at 05:49
  • I am trying to add an extension attribute using the link https://learn.microsoft.com/en-us/graph/extensibility-schema-groups . However, when I use Graph Explorer, I get an error saying { "error": { "code": "MethodNotAllowed", "message": "Method not allowed.", "innerError": { "request-id": "38bd2d5a-2116-4e21-b184-3ef329134e45", "date": "2018-12-18T05:52:45" } } } – Ashwinee Vaishampayan Dec 18 '18 at 05:53
  • Yes, the account is global admin of the tenant. – Ashwinee Vaishampayan Dec 18 '18 at 05:55
  • It just needs `Directory.AccessAsUser.All` permission. If you are the global admin, you can access all the features in your tenant, so the error is not related to permissions. – Joy Wang Dec 18 '18 at 06:00
  • The global admin user is infy_3842@outlook.com and not a user of domain infy3842outlook.onmicrosoft.com. Is this giving issues? – Ashwinee Vaishampayan Dec 18 '18 at 06:08
  • There is a great possibility. You cannot use Graph Explorer to query tenants your account is a guest on; it can only query the tenant that owns the account. You can check this [post](https://stackoverflow.com/questions/53341544/how-can-i-change-default-tenant-in-microsoft-graph-explorer), notice the answerer's comment. – Joy Wang Dec 18 '18 at 06:12

1 Answer


Since your account is a guest in the tenant, you cannot use the account to query the tenant, even if you are a global admin.

For more details, refer to this post.

> Credentials are only owned by a single tenant. The tenant is discovered by Graph Explorer based on domain. You cannot use Graph Explorer to query tenants your account is a guest on; it can only query the tenant that owns the account. The only way to use those creds with another tenant would be to force the OAuth URI to use that tenant's ID instead of "common". This isn't supported by Explorer. You'd have to download the source and reengineer the auth process.

Joy Wang
  • Now I have created a user in the same domain as the default directory and I have given global administrator privileges to the user. I tried to create an extension attribute as mentioned in the link https://learn.microsoft.com/en-us/graph/extensibility-schema-groups. Getting error { "error": { "code": "BadRequest", "message": "Your organization must own the namespace graphlearn as a part of one of the verified domains.", "innerError": { "request-id": "d23f6ff4-95ef-4c76-9ad6-40ed0db88614", "date": "2018-12-18T08:50:39" } } } – Ashwinee Vaishampayan Dec 18 '18 at 08:52
  • @ashwinee This [post](https://stackoverflow.com/questions/42686025/how-to-create-schema-extension-without-custom-verified-domain) may be helpful. – Joy Wang Dec 18 '18 at 08:54
  • Thanks for the clarification. – Ashwinee Vaishampayan Dec 18 '18 at 09:04
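
The quoted explanation turns on the authority segment of the OAuth URI ("common" versus a tenant ID), so the sketch below builds both request URLs and checks which tenant issued a token by reading its `tid` claim. It is an added example, not code from the posts above or from Graph Explorer; it assumes the Microsoft identity platform v2.0 authorize endpoint, and the tenant GUIDs, client ID, redirect URI and sample token are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

def authorize_url(tenant, client_id, redirect_uri, scopes, state):
    """Authorization-code request URL; `tenant` is "common" or a tenant ID/domain."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{query}"

def token_tenant(jwt):
    """Read the 'tid' (issuing tenant) claim. No signature check: diagnostics only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("tid")

def issued_by(jwt, expected_tenant_id):
    """True only if the token was issued by the tenant you meant to query."""
    tid = token_tenant(jwt)
    return tid is not None and tid.lower() == expected_tenant_id.lower()

def sample_token(claims):
    """Constructed, unsigned token for the demo below (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

# Constructed placeholder values (assumptions, not taken from the thread)
HOME_TENANT = "11111111-1111-1111-1111-111111111111"   # tenant that owns the account
GUEST_TENANT = "22222222-2222-2222-2222-222222222222"  # tenant where it is a guest
CLIENT_ID = "00000000-0000-0000-0000-000000000000"     # your own app registration

if __name__ == "__main__":
    scopes = ["Directory.AccessAsUser.All"]
    for tenant in ("common", GUEST_TENANT):
        print(authorize_url(tenant, CLIENT_ID, "http://localhost:8400", scopes, "xyz"))
    token = sample_token({"tid": HOME_TENANT, "upn": "admin@example.com"})
    print("issued by guest tenant:", issued_by(token, GUEST_TENANT))
```

A `tid` that differs from the directory you intended to manage means the sign-in resolved to another tenant, which is the situation described in the answer.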