I followed Microsoft's instructions and created an enterprise application and registered it as a web application in my trial Azure instance.

I also added AAD "application" permissions (i.e. User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All) to this app following the Microsoft documentation: https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http

Then I created a small C# console application to access and list the test users that I created in this web application.

I can connect and authenticate against Azure Active Directory and receive a security token from it. Still, I cannot receive the list of test users from my application even though I gave the necessary rights to this Azure application.

After receiving the bearer token, the program terminates with the following error message:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"400231dd-cd3f-4789-99ee-ab9cc3ffb95e","date":"2020-01-22T21:00:00"}}

I believe that my code is working as intended since I'm getting the bearer token. However, the rights that I gave to the Azure application are not enough to list the users of this application.

I tried to search the internet to find a possible solution to resolve my problem. I found many instances of this problem, but the issues and their resolutions seem to be a little bit different each time.

I'm hoping that someone can provide an answer and lead me in the proper direction to resolve this access issue.

Thanks in advance,

Planet-9
  • Check this out. https://stackoverflow.com/a/53660443/9936356 – LinkedListT Jan 22 '20 at 22:45
  • Thank you for your quick response. I'm the global administrator for my trial Azure instance and I granted "Admin consent" to all permissions that I mentioned but it still doesn't work. I even deleted all permissions from the application and recreated them without any success. – Planet-9 Jan 22 '20 at 23:03

1 Answer

I was researching my problem, and I came across the following article on Stack Overflow that looked similar to my problem: "Graph API - Insufficient privileges to complete the operation"

After reviewing it, I realized that I was missing "Directory.Read.All" and "Directory.ReadWrite.All" permissions from "Azure Active Directory Graph" API.

I added these permissions, gave "Admin consent" and tried one more time.

It worked!

However, when I added these two permissions to my application, an informational message popped up.

It advised me to use the Microsoft Graph API instead, even though I was using it and was not able to access the AAD information.

Thanks,

Planet-9
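A diagnostic for the "Authorization_RequestDenied" situation described in this thread, added here as an example and not code from the original posts: decode the bearer token's payload and read its `aud` claim (the API the token was issued for, normally `https://graph.microsoft.com` for Microsoft Graph and `https://graph.windows.net` for Azure AD Graph) and its `roles` claim (the application permissions actually granted for that API). The class name, helper names and the sample token are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenInspector
{
    // Decode the payload (second segment) of a JWT WITHOUT validating the signature.
    // Diagnostics only: never make trust decisions on an unvalidated token.
    public static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected header.payload.signature");
        // base64url -> base64, then restore the stripped padding.
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone(); // Clone so the element outlives the document
    }

    // Returns the required application permissions that are absent from the "roles" claim.
    public static string[] MissingRoles(JsonElement payload, params string[] required)
    {
        string[] granted =
            payload.TryGetProperty("roles", out JsonElement r) && r.ValueKind == JsonValueKind.Array
                ? r.EnumerateArray().Select(x => x.GetString() ?? "").ToArray()
                : Array.Empty<string>();
        return required.Except(granted, StringComparer.OrdinalIgnoreCase).ToArray();
    }

    static string Base64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed, unsigned sample token; substitute the bearer token your app received.
        string payloadJson = "{\"aud\":\"https://graph.windows.net\",\"roles\":[\"User.Read.All\"]}";
        string jwt = "e30." + Base64Url(payloadJson) + ".sig";

        JsonElement p = DecodePayload(jwt);
        Console.WriteLine("aud    : " + p.GetProperty("aud").GetString());
        Console.WriteLine("missing: " +
            string.Join(", ", MissingRoles(p, "User.Read.All", "Directory.Read.All")));
    }
}
```

If `aud` names a different API than the one whose permissions were configured in the app registration, or `roles` is empty or lacks the permission the call needs, the token itself explains the denial regardless of what the portal shows.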