I am trying to import the data using Microsoft graph APIs in Python. I am not a Python developer so I am unable to do so. I don't really have an idea how to use Secret_Key_Name and Secret_ID but I am guessing they act as username and password. I particularly need help with this. When I just use rest of the 3 keys, I am getting this error.

API Request Error: 403-{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2023-08-14T13:31:49","request-id":"[Request ID]","client-request-id":"[Client Request ID]"}}}

Python Code:

import requests
import msal

client_id = "[Client ID API Key]"
client_secret = "[Client Secret API key]"
tenant_id = "[Tenant ID API Key]"
secret_key_name = "[Secret key Name]"
Secret_ID = "[Secret ID]"

authority = f'https://login.microsoftonline.com/{tenant_id}'

app = msal.ConfidentialClientApplication(
    client_id = client_id,
    client_credential = client_secret,
    authority = authority  
)

accounts = app.get_accounts()
if accounts:
    # acquire_token_silent requires the cached account to look up
    result = app.acquire_token_silent(scopes = ['https://graph.microsoft.com/.default'], account = accounts[0])
else:
    result = None 

if not result:
    result = app.acquire_token_for_client(scopes = ['https://graph.microsoft.com/.default']) 

if 'access_token' in result:
    access_token = result['access_token']

    headers = {
        'Authorization' : f'Bearer {access_token}',
        'Content-Type' : 'application/json'
    }
   
    api_url = 'https://graph.microsoft.com/v1.0/users'
    response = requests.get(api_url, headers = headers)   

    if response.status_code == 200:
        user_data = response.json()
        print(user_data)
    else:
        print(f"API Request Error: {response.status_code}-{response.content.decode('utf-8')}")       

else:
    print(f"Token Acquisition Error : {result.get('error')}-{result.get('error_description')}")

Sridevi
Dhiraj D

1 Answer

The error usually occurs if you missed adding required API permissions or granting admin consent to them. There is no need to add secret ID and secret name to generate token.

I registered one Azure AD application and added API permission without granting consent:

When I ran your code in my environment, I too got same error like below:

To resolve the error, make sure to grant admin consent to the added permission:

When I ran the same code again after granting admin consent, I got response successfully with user's data like below:

import requests
import msal

client_id = "appId"
client_secret = "secret"
tenant_id = "tenantId"
#secret_key_name = "[Secret key Name]"
#Secret_ID = "[Secret ID]"

authority = f'https://login.microsoftonline.com/{tenant_id}'

app = msal.ConfidentialClientApplication(
    client_id = client_id,
    client_credential = client_secret,
    authority = authority  
)

accounts = app.get_accounts()
if accounts:
    # acquire_token_silent requires the cached account to look up
    result = app.acquire_token_silent(scopes = ['https://graph.microsoft.com/.default'], account = accounts[0])
else:
    result = None 

if not result:
    result = app.acquire_token_for_client(scopes = ['https://graph.microsoft.com/.default']) 

if 'access_token' in result:
    access_token = result['access_token']

    headers = {
        'Authorization' : f'Bearer {access_token}',
        'Content-Type' : 'application/json'
    }
   
    api_url = 'https://graph.microsoft.com/v1.0/users'
    response = requests.get(api_url, headers = headers)   

    if response.status_code == 200:
        user_data = response.json()
        print(user_data)
    else:
        print(f"API Request Error: {response.status_code}-{response.content.decode('utf-8')}")       

else:
    print(f"Token Acquisition Error : {result.get('error')}-{result.get('error_description')}")

Sridevi

Thanks. Actually, I have been thinking about the same, but I am not able to the admin who gave the permissions. I will check it again. – Dhiraj D Aug 15 '23 at 05:05
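
One way to confirm the missing-consent diagnosis from the answer above, as an added example (not code from the question or the answer): in the client-credentials flow, consented application permissions appear in the access token's `roles` claim, so a token with no `roles` explains the 403. The `ACCEPTED_ROLES` set, the function names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json

# Assumption: application permissions that allow GET /v1.0/users; adjust to
# whatever your app registration actually requests.
ACCEPTED_ROLES = {"User.Read.All", "Directory.Read.All"}


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def consent_status(token: str, accepted=ACCEPTED_ROLES) -> str:
    """Explain whether an app-only token carries a usable application permission."""
    claims = jwt_claims(token)
    roles = set(claims.get("roles", []))
    if "scp" in claims:
        return "delegated token: 'scp' present, not a client-credentials token"
    if not roles:
        return "no roles: permission missing or admin consent not granted"
    if not roles & accepted:
        return f"consented roles {sorted(roles)} do not cover this call"
    return f"ok: {sorted(roles & accepted)}"


def sample_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed samples: the same app before and after admin consent.
    before = sample_token({"aud": "https://graph.microsoft.com", "appid": "appId"})
    after = sample_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
    print(consent_status(before))
    print(consent_status(after))
```

To check a real token, pass `result['access_token']` from the script above to `consent_status` right after `acquire_token_for_client` succeeds.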