I am trying to assign license to user using graph API but receiving "insufficient privileges to complete the operation. graph api" error even I have "Directory.ReadWrite.All" permission in Azure AD app.Azure App permission screen
struggling to get over it.
If you're assigning licenses using Graph API calls from your API, that means a logged in user isn't present and that requires that you add a permission to your API app registration in Azure Portal for Application Permissions for the scope "Directory.ReadWrite.All", here's how you do that.
Go to your app registration for the API making the Graph API calls, select "API Permissions" > "Add a Permission" > "Microsoft APIs" > "Microsoft Graph" > "Application Permissions" > search Directory - Check Directory.ReadWrite.All > Add Permissions, now request an access token with that scope and use it.
Related
I am new to the Microsoft Graph PowerShell SDK.
The commands below all launch a browser tab where I am prompted to login.
I login with my Microsoft account which has these roles:
SharePoint Administrator
Global Reader
Power Platform Administrator
The account is also specified as an Admin of the global term store taxonomy.
In order to list all sites in a tenant (List sites), I try to connect with:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"
In order to export term store taxonomy (Get store), I try to connect with:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "TermStore.Read.All", "TermStore.ReadWrite.All"
In both these instance, after logging in with my admin account, I am getting the error shown below in the browser:
Need admin approval
unverified
needs permission to access resources in your organization that only an admin can grant.
Please ask an admin to grant permission to this app before you can use it
I do not get this error when connecting with the following:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"
Troubleshooting
Perhaps the research below can shed some light on an answer as to why this is happening and how to resolve it?
If I look at the docs for the Graph API endpoints I am wanting to query, I can see the Permissions are as follows:
List sites
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Not supported.
Delegated (personal Microsoft account)
Not supported.
Application
Sites.Read.All, Sites.ReadWrite.All
Get store
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
TermStore.Read.All, TermStore.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
Not supported.
How do these permissions relate to using the Graph PowerShell SDK?
Per the quote below from the official docs, I believe using the SDK as I have above is considered delegated access?
The PowerShell SDK supports two types of authentication: delegated
access, and app-only access. In this guide, you'll use delegated
access to sign in as a user, grant consent to the SDK to act on your
behalf, and call the Microsoft Graph.
So I guess my scenario is Delegated (work or school account)?
Questions
01) If so, does that mean I cannot make any request where the API docs define the Permissions as:
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Not supported.
02) If that is the case, does that mean that the Microsoft Graph PowerShell SDK is not a good tool for administering SharePoint Online (because, according to the API reference docs, many of the endpoints are 'not supported' by a Delegated (work or school account))?
Thanks for reaching out to us , this looks like you are not using your admin account, please cross check the account you are logging in PowerShell. please follow below steps .
Try to disconnect your previous account from PowerShell (use command Disconnect-MgGraph)
Then try connect with your account ,use Connect-MgGraph
You will get a pop up , select the account in which you are the admin.
Then run the command and try again
Edited :
Agree with scottwtang comments ,If you are using the correct account make sure admin consent requests are Enabled in your tenant , you can check by following the below steps and ask your Global Administrator to grant admin consent
To check the admin consent workflow and choose reviewers:
Sign in to the Azure portal with one of the roles listed in the
prerequisites.
Search for and select Azure Active Directory.
Select Enterprise applications.
Under Manage, select User settings. Under Admin consent requests,
select Yes for Users can request admin consent to apps they are
unable to consent to . Configure admin consent workflow settings
ref doc - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
Hope this help ,
Thanks
I have an office 365 account from work and it is not admin. When I try the Graph API for Planner to get all the plans, It responds with Insufficient privileges to complete the operation. I know that it requires the permission of "Group.ReadWrite.All". If I ask my boss for this permission, Is it going to be limited to my account only or is it going to make my account an admin which i will not likely get it.
If you are using Application Registration Portal to get the token:
In Application Registration Portal set the permission that you need, for example
Group.ReadWrite.All and Directory.AccessAsUser.All. Always you must use Directory.AccessAsUser.All because users need login and get the token.
When save Application Registration Portal go to Azure Portal, in Azure Active Directory --> Enterprise applications --> click in you application --> "click in consent permission for username..." --> login --> accept.
Use librarys as hellojs and get a token.
I've scripted the creation of my Azure Active Directory Application using Azure Active Directory PowerShell V2 and am trying to use Delegated Permissions in my Single Page Application (SPA) using implicit flow to call an API with Application Roles defined.
What PowerShell command do I need to use to replicate the 'Grant Permissions' button in the Azure Portal under the Applications Settings:
According to the Docs:
Granting explicit consent using the Grant Permissions button is currently required for single page applications (SPA) using ADAL.js, as the access token is requested without a consent prompt, which will fail if consent is not already granted.
Also, how do you tell if permissions have been granted or not? The button is always clickable? Terrible UX if you ask me.
This button is effectively doing admin consent. This will consent for all users in the tenant. For your case, you can force consent in the SPA rather than in PowerShell if you want to avoid the Azure Portal.
To do this, your SPA should append on the auth request either &prompt=consent or &prompt=admin_consent. The former should be applied each time a new user signs in for the first time, whereas the latter you could do one time (sign in w/ an admin account) and it would consent for all users.
Checkout understanding Admin and User Consent.
I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow:
I am facing the following problem:
I have configured an application for single sign on in Azure AD but I get the following error code:
"{"error":"invalid_grant","error_description":"AADSTS65001: The user
or administrator has not consented to use the application with I.....
Send an interactive authorization request for this user and
resource.\r\nTrace ID: .....e"}'"
The permissions are as following:
Permission to other applications:
Windows Azure Active Directory:
Application Permissions: 0
Delegated Permissions: 1 = "Sign in and read user profile"
I have tried by clicking the tile in my apps in portal.office.com and by hitting the sign-on url directly. In the latter case I would expect to be redirected to an office365 page to authenticate myself and continue but instead I get the code above.
Any thoughts?