
We are creating a flow to add a guest user to Azure AD.

Reference article: https://www.timlinenterprises.com/how-to-invite-external-users-using-microsoft-flow-and-microsoft-graph-api/

I followed the steps in the article and got the error shown below while executing the flow:

Insufficient privileges to perform requested operation by the application '00000003-0000-0000-c000-000000000000'. ControllerName=MSGraphInviteAPI, ActionName=CreateInvite, URL absolute path=/api/a65449db-d753-4811-b4e1-846b9be25a50/invites

Below is the screenshot of the HTTP Request from Flow

HTTP Request in Flow

HTTP Request in Flow 2

Below is the screenshot of the API Permissions on Azure

Azure API Permissions

As soon as I replace .onmicrosoft.com with the Tenant ID, the flow executes without any issues and the guest user receives the invitation. The user gets added to Azure AD; however, their profile does not show up under Office 365 Guest users nor under the SharePoint User Profile, even after waiting for 24 hours.

Whenever I invite a guest user using Graph Explorer, the guest is added successfully to Azure, Office 365 and SharePoint.

Graph Invitations Execution

Response to Post Request

This is a Global Admin account with all the privileges and E3 license assigned.

All the articles online show you how to add guests in Azure AD. However, there is no info on whether the user would show up in the Office 365 Guest list.

Please let me know if anyone is aware of this and can help me with the steps to get this resolved. Also let me know if any other details are needed from my end.

EDIT

  1. There was some confusion: I confused the Tenant ID with the Client ID. After entering the Tenant ID, the flow works without any issues, as shown below.

Screenshot of the flow run

  2. As soon as I enter .onmicrosoft.com under the tenant section, the flow fails.
  3. We have just 1 tenant where the Azure application is created.

Please let me know if anything else needs to be checked

Thanks in advance.

Vivek

1 Answer


> As soon as I replace .onmicrosoft.com with the client ID, the flow executes without any issues

That's impossible. You can only put a tenant ID or a domain name here. A client ID doesn't work.

In your case, a65449db-d753-4811-b4e1-846b9be25a50 should be the tenant ID of the tenant you are trying to invite the guest into.

Since the application permissions User.Invite.All and Directory.ReadWrite.All are correct, the reason you get this issue is probably that you put a wrong tenant name here. The Azure AD app you registered is not in the tenant a65449db-d753-4811-b4e1-846b9be25a50. Please check.

Allen Wu
  • Thank you for the response. I confused the Tenant ID with the Client ID. I have edited my post with the steps you asked me to check [please see the Edit section]. Please suggest if there is anything else that needs to be checked. – Vivek Oct 15 '20 at 08:13
  • @Vivek Although the permissions look good, based on the error message it means the access token doesn't have enough permission. Could you use postman to generate an access token with client credentials flow and decode it in https://jwt.io to see what permission it has? – Allen Wu Oct 15 '20 at 08:35
  • @Vivek And make sure that the `User.Invite.All` application permission is in the correct Azure AD app. Please check the client ID. – Allen Wu Oct 15 '20 at 08:56
  • Thanks for the reply. I am new to this, so I'm not sure I fully understand the instructions. Would you mind sharing an article or listing the steps in detail here so that I can follow them without missing anything? – Vivek Oct 15 '20 at 08:58
  • I have added the User.Invite.All application permission to the correct Azure AD application (screenshot in the post). – Vivek Oct 15 '20 at 09:01
  • @Vivek See the **Get Access Token using Postman** part in this link: https://developer.microsoft.com/en-us/graph/blogs/30daysmsgraph-day-13-postman-to-make-microsoft-graph-calls/. And after you get the access token, you should be able to see what permissions it has. – Allen Wu Oct 15 '20 at 09:01
  • Thanks, I'll try it and post here. Being a newbie, I don't have enough reputation to move this conversation to chat. Can you please do that for me so that coordination becomes easier? :) – Vivek Oct 15 '20 at 09:18
  • @Vivek I'll be OOF soon. So if you don't mind, you could try my suggestion first and keep me posted in the comments. I'll create a chat room if the issue still exists tomorrow. – Allen Wu Oct 15 '20 at 09:25
  • Sure, I'll try the steps and post here. – Vivek Oct 15 '20 at 10:11
  • Thank you so much, Allen, for saving hours of work for me. I realized that the Azure app was hosted on a different tenant, which was causing the issue. I created a new app on the required tenant and everything seems fine now :) Would you be active here if I come across any challenges? – Vivek Oct 15 '20 at 11:23
  • @Vivek Glad to know this issue is resolved. If you have any new question, it's recommended to add a new post so that more people will help you. You can also link me to your new post here. – Allen Wu Oct 16 '20 at 01:18
  • Can you please help me out with this? https://stackoverflow.com/questions/64555386/jwplayer-with-spfx – Vivek Oct 28 '20 at 09:37
  • @Vivek Sorry but I mainly focus on Azure AD. I'm not familiar with the tech mentioned in that post:( – Allen Wu Oct 29 '20 at 02:52
  • No problem. I've come across a new challenge in Azure and would appreciate it if you could help me out with this :-) https://stackoverflow.com/questions/64758494/deploy-stripe-payment-gateway-on-azure – Vivek Nov 09 '20 at 20:04
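The check suggested in the comments above (mint a client-credentials token, decode it, and look at what it actually carries) can be done without jwt.io. The script below is an added example and is not code from the question, the answer, or the referenced article. It builds the v2.0 client-credentials token request for a given tenant, decodes a JWT payload without verifying the signature (enough for inspecting your own token, never for authenticating a caller), and checks the three claims that matter for this failure: `aud` must be Microsoft Graph (either the `https://graph.microsoft.com` URI or Graph's well-known application ID `00000003-0000-0000-c000-000000000000`, the GUID named in the error message), `tid` must equal the tenant in the `/invites` URL, and `roles` must contain `User.Invite.All`. The tokens it inspects are constructed offline with a fake signature; the target tenant ID is the one from the question's error message, the "other" tenant GUID, client ID and secret are placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Microsoft Graph's well-known application ID (the GUID in the error message).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
GRAPH_AUDIENCES = {"https://graph.microsoft.com", GRAPH_APP_ID}
REQUIRED_ROLE = "User.Invite.All"

# Tenant ID taken from the question's error URL; the other one is a made-up placeholder.
TARGET_TENANT = "a65449db-d753-4811-b4e1-846b9be25a50"
OTHER_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed, not a real tenant


def token_request(tenant, client_id, client_secret):
    """Build the Azure AD v2.0 client-credentials token request.

    `tenant` must be a tenant ID or a verified domain such as
    contoso.onmicrosoft.com. A client ID in this position does not work.
    Returns (url, form_body); nothing is sent on the network here.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; add it back before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Return the payload claims of a compact JWS WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_invite_token(token, expected_tenant):
    """Report whether a Graph app-only token can call POST /{tenant}/invites."""
    claims = decode_jwt_payload(token)
    roles = set(claims.get("roles", []))  # app permissions live in `roles` for app-only tokens
    return {
        "audience_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "tenant_matches": claims.get("tid") == expected_tenant,
        "has_invite_role": REQUIRED_ROLE in roles,
        "roles": sorted(roles),
        "tid": claims.get("tid"),
    }


def _fake_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256", "kid": "example-kid"}
    return f"{enc(header)}.{enc(claims)}.not-a-real-signature"


# Token an app registered and consented in the target tenant would receive.
GOOD_TOKEN = _fake_jwt({
    "aud": "https://graph.microsoft.com",
    "tid": TARGET_TENANT,
    "roles": ["User.Invite.All", "Directory.ReadWrite.All"],
})

# Token from an app that lives in a different tenant and was never granted the role.
BAD_TOKEN = _fake_jwt({
    "aud": "https://graph.microsoft.com",
    "tid": OTHER_TENANT,
})


if __name__ == "__main__":
    url, body = token_request(TARGET_TENANT, "<client-id>", "<client-secret>")
    print("POST", url)
    print(body)
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_invite_token(tok, TARGET_TENANT))
```

With a real token pasted in place of the constructed ones, `tenant_matches == False` reproduces the situation the asker ended up in (app registered in another tenant), and `has_invite_role == False` with a matching `tid` points at missing admin consent for `User.Invite.All` in the tenant the URL targets.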