Microsoft Graph Api User.Read.All Not granted for my domain - azure

I am getting the following error or status: Not granted for my domain. See the attached document.
Is this because my role is User?
I tried to find out who the Azure AD Global Administrator is.
I followed the following steps:
Log into the Azure Portal (https://portal.azure.com).
Click on Azure Active Directory
Click on Roles and administrators
Click on Global administrator
Under Global administrator it says Microsoft Office 365 Portal.
What does it mean?
How can I or someone else in the organization become Global Administrator?
I want API permissions -> User.Read.All, which shows Not granted for mydomain.
PS: My email is work email.
Update 1
My role is user
Update 2
Global administrator - Assignments says Microsoft Office 365 Portal is my admin. How do I get these credentials?

I was similarly frustrated here: it's very hard to spot, but you'll notice that the 'Grant admin consent for -' is reset on every update to the permissions.
Therefore: simply re-tick this and wait a few seconds for the warnings to disappear.
I too thought I was missing a step elsewhere; very misleading!

For the User.Read.All permission you need admin consent, which a User cannot grant.
You need either Global Administrator or Application Administrator credentials.
Permission required:
Please refer to this official document: Permission details
Admin credentials:
For admin credential details refer to this document
Office 365 admin role assignment:
Hope this helps. Let me know if you have any more concerns.

Make sure that, if you're the only one or have just opened the account, you are an admin on Microsoft 365.
You will need to add a TXT record in your DNS settings (e.g. Route 53 on AWS): https://learn.microsoft.com/en-us/microsoft-365/admin/misc/become-the-admin?view=o365-worldwide
Once that is verified you will automatically be a Global Administrator and will have access to all admin features.
Go back to Azure and then just click on the small, hard-to-see grey link here:

Related

Global Admin - cannot see Billing - Unauthorized

I'm Global Admin and subscription owner.
But when I click on Billing > Cost analysis I get:
Customer does not have the privilege to see the cost
Am I missing something?
Seems like there is a missing permission on the subscription. The impacted user should have one of the following roles:
Service Administrator
Co-administrator
Owner
Contributor
Reader
Billing reader
Kindly assign one of the above roles to the user on the targeted subscription (I am using Service Administrator) by following: Assign a user as an administrator of an Azure subscription
For current admins, see the Classic administrators tab:
The tenant is managed by a CSP; I didn't know it until I tried to create a support case with MS and got the following error:
After that I got access to Partner Center and performed the steps below:
http://www.mistercloudtech.com/2022/04/25/how-to-enable-a-csp-customer-to-view-azure-usage-charges/

API Permission Status not granted warning in Azure AD Application API Permission

In the image below, as you can see, I'm getting the warning
"Not granted for SKCET Corporation Private Limited".
What should I do to remove it?
A Global Administrator would need to go to that page and click the Grant admin consent button.
You can see the documentation on admin consent here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
Make sure that, if you're the only one or have just opened the account, you are an admin on Microsoft 365.
You will need to add a TXT record in your DNS settings (e.g. Route 53 on AWS):
https://learn.microsoft.com/en-us/microsoft-365/admin/misc/become-the-admin?view=o365-worldwide
Once that is verified you will automatically be a Global Administrator and will have access to all admin features.
Then just click on the small, hard-to-see grey link here:
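The "Not granted for ..." warning in this question and in the User.Read.All question above both come down to the same check: does the token your app receives actually carry the permission, or is consent still missing? The following added example (not code from any of the answers) reads the `scp` (delegated) and `roles` (application) claims out of a Graph access token and explains the likely cause. It decodes the JWT payload without verifying the signature, so it is a diagnostic only, never an authorization check; the tenant id and scopes in the sample tokens are constructed.

```python
"""Diagnose "Not granted for <tenant>": does the access token carry User.Read.All?
Added example. Decodes a JWT payload WITHOUT signature verification, so it is
for inspection only; never make authorization decisions on unverified claims."""
import base64
import json

GRAPH_PERMISSION = "User.Read.All"  # the permission the questions are about
GRAPH_AUDIENCES = ("https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000")  # Graph's app id


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_permissions(token: str) -> dict:
    """Return tenant, audience, delegated scopes (scp) and app roles (roles).

    Azure AD puts delegated permissions in the space-separated `scp` claim and
    application permissions (which always need admin consent) in the `roles` list.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    return {"tenant": claims.get("tid"), "audience": claims.get("aud"),
            "delegated": set(claims.get("scp", "").split()),
            "application": set(claims.get("roles", []))}


def explain_permission(token: str, permission: str = GRAPH_PERMISSION) -> str:
    """One-line diagnosis of why a Graph call needing `permission` may fail."""
    info = token_permissions(token)
    if info["audience"] not in GRAPH_AUDIENCES:
        return f"token audience is {info['audience']!r}, not Microsoft Graph"
    if permission in info["application"]:
        return f"{permission} granted as application permission (admin consent present)"
    if permission in info["delegated"]:
        return f"{permission} granted as delegated permission (consent present)"
    return (f"{permission} absent from scp/roles: admin consent for tenant "
            f"{info['tenant']} has not been granted (or was not re-granted after "
            "the permission list changed)")


def make_test_token(claims: dict) -> str:
    """Build an UNSIGNED JWT-shaped string from constructed claims (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."   # empty signature segment


# Constructed sample tokens: tenant id and scopes are made up for the example.
TENANT = "11111111-2222-3333-4444-555555555555"
TOKEN_BEFORE_CONSENT = make_test_token(
    {"aud": GRAPH_AUDIENCES[0], "tid": TENANT, "scp": "User.Read openid profile"})
TOKEN_AFTER_CONSENT = make_test_token(
    {"aud": GRAPH_AUDIENCES[0], "tid": TENANT, "scp": "User.Read User.Read.All"})

if __name__ == "__main__":
    for t in (TOKEN_BEFORE_CONSENT, TOKEN_AFTER_CONSENT):
        print(explain_permission(t))
```

If the token shows the permission but Graph still returns 403 `Authorization_RequestDenied`, the app is calling with a token minted before consent was granted; acquire a fresh one. If the permission is absent, re-tick "Grant admin consent" as the first answer says, since the grant is reset whenever the permission list changes.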

AzureAD invited guest source "Microsoft Account" cant login

I've got one Azure AD and want to invite some guest users.
Guest users with an O365 account or without O365 can log in to my Azure AD application after accepting my invitation link, and I see these users as "Guest" - Source: "External Active Directory". Everything is OK.
Now I have some users with an email address like this: example#outlook.com
When I send the invitation to these users and they accept it, I see these users in AD as "Guest" - Source "Microsoft Account", and then these users can't log in to my Azure AD application.
Is it not supported to invite these users with a personal Microsoft Account as guest users?
Thanks
As you may know, Azure Active Directory has two versions, V1 and V2.
If you have a look at V1 you will see it has no support for personal accounts such as example#outlook.com. See here
But in V2 you can do it. It includes some more features as well.
The new version supports all of:
Organizational account (Work account)
School account
Guest account
Personal account (example#outlook.com)
See the screenshot below:
Note: So if your invited guest belongs to #outlook.com, it will not work for V1. You can check the V2 configuration and app registration here
Update:
You can check your application version in the following screenshot:
If you still have any query, please feel free to share it here in a comment. Thanks and happy coding!
Update for ROPC:
Resource owner password credentials (ROPC) is not recommended, as it's not secure and does not support MFA or personal accounts, for example example#outlook.com. For details take a look here
See the screenshot below:
My recommendation
Use grant_type: client_credentials in the following format. See the
screenshot:

AADSTS90093: Calling principal cannot consent due to lack of permissions

I'm getting the following error when non-Global Admin users try to access Graph Explorer 2 within our tenant:
Additional technical information:
Correlation ID: 2346b0f5-bb5f-4138-8f9d-07fa96dcf02f
Timestamp: 2015-05-29 17:18:48Z
AADSTS90093: Calling principal cannot consent due to lack of permissions.
From within Azure we have "Users may give applications permission to access their data" set to Yes. We also have "Users may add integrated applications" set to Yes.
Just wanted to check which URL you are going to. We have two "graph explorers": one is for exploring the Azure AD Graph API, while the other (called API Explorer) is for exploring the Office 365 unified API.
If you are going to https://graphexplorer2.cloudapp.net, this is the (AAD) Graph Explorer, and it should not require admin permissions. Please let us know if this is what you are using and if this is causing issues.
If on the other hand you are going to https://graphexplorer2.azurewebsites.net, this is the API Explorer, and due to the number of APIs it requires access to, it currently requires admin consent. We'll look into a way to reduce the number of scopes that this requires access to, to get to a place where users can consent (but that's not the case currently).
Hope this helps,
I ran into this issue today and here is what I did:
Log in to your AD application in the classic portal (https://manage.windowsazure.com/).
Under the "Configure" section there is "permissions to other applications"; look at the "delegated permissions" for "Windows Azure Active Directory".
Make sure you pick the correct permissions for your app. Normally, "Sign in and read user profile" is enough for a user to log in.
For more information you can take a look at this link: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes
I worked on a Skype for Business Online use case (Web API). I faced this issue for users who were not Global Admins, i.e. the users added by the Global Admin.
I managed to resolve the issue by passing the extra parameter prompt=admin_consent.
// v1 authorize request; prompt=admin_consent asks a Global Admin to consent for the whole tenant
var href = 'https://login.microsoftonline.com/common/oauth2/authorize?response_type=token&client_id=';
// redirect_uri is itself a URL, so it must be URL-encoded before being appended
href += client_id + '&resource=https://webdir.online.lync.com&redirect_uri=' + encodeURIComponent(window.location.href) + '&prompt=admin_consent';
For more details visit: https://blogs.msdn.microsoft.com/exchangedev/2014/03/25/using-oauth2-to-access-calendar-contact-and-mail-api-in-office-365-exchange-online/
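The last answer fixes the error by sending the authorize request with prompt=admin_consent and letting a Global Administrator sign in. What it does not show is how to tell, on the callback, whether consent was granted or whether the caller was again a principal that cannot consent (AADSTS90093). The following added example (not the answer's own code) builds the same v1 authorize request with every parameter properly encoded and a state value, then parses the redirect Azure AD sends back. With response_type=token the result arrives in the URL fragment, not the query string, which is why the parser reads the fragment first. The client id, redirect URI, token string and error text are constructed samples.

```python
"""Added example: authorize request with prompt=admin_consent, and a parser for
the callback that classifies AADSTS errors such as 90093."""
import re
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_V1 = "https://login.microsoftonline.com/common/oauth2/authorize"
LYNC_RESOURCE = "https://webdir.online.lync.com"   # resource used in the answer above

# Codes a practitioner meets on this path; texts paraphrased from Azure AD responses.
AADSTS_MEANING = {
    "90093": "caller cannot consent: a Global Administrator must run this request",
    "65001": "user or admin has not consented to this application yet",
}
_AADSTS = re.compile(r"AADSTS(\d+)")


def new_state() -> str:
    """Unguessable state value; it must be stored and compared on the callback."""
    return secrets.token_urlsafe(16)


def build_admin_consent_request(client_id: str, redirect_uri: str, state: str,
                                resource: str = LYNC_RESOURCE) -> str:
    """Authorize URL asking an admin to consent on behalf of the whole tenant.

    Everything goes through urlencode, so a redirect_uri containing '?' or '#'
    survives intact (the original snippet appended it raw).
    """
    params = {"response_type": "token", "client_id": client_id,
              "resource": resource, "redirect_uri": redirect_uri,
              "prompt": "admin_consent", "state": state}
    return f"{AUTHORIZE_V1}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Classify the redirect Azure AD sends back after the consent prompt."""
    parts = urlsplit(callback_url)
    # Implicit flow answers in the fragment; fall back to the query for errors.
    data = parse_qs(parts.fragment) or parse_qs(parts.query)

    def first(key: str):
        return data.get(key, [None])[0]

    if first("state") != expected_state:
        return {"ok": False, "reason": "state mismatch: possible CSRF or stale callback"}
    if first("error"):
        match = _AADSTS.search(first("error_description") or "")
        code = match.group(1) if match else None
        reason = AADSTS_MEANING.get(code, f"error {first('error')}")
        return {"ok": False, "aadsts": code, "reason": reason}
    if first("access_token"):
        return {"ok": True, "token_type": first("token_type"),
                "expires_in": first("expires_in")}
    return {"ok": False, "reason": "callback carried neither a token nor an error"}


# Constructed sample exchange (ids, URLs and token string are made up).
STATE = "c3f1e8d6"          # in real code use new_state() and keep it server-side
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
REDIRECT = "https://app.example.test/callback?page=home"
CONSENT_URL = build_admin_consent_request(CLIENT_ID, REDIRECT, STATE)
# What a non-admin's browser comes back with (error text as in the question):
DENIED_CALLBACK = (REDIRECT + "#error=access_denied&error_description="
                   "AADSTS90093%3A+Calling+principal+cannot+consent+due+to+lack+of+permissions."
                   "&state=" + STATE)
# What an admin's browser comes back with after granting consent:
GRANTED_CALLBACK = (REDIRECT + "#access_token=eyJ.sample.token&token_type=Bearer"
                    "&expires_in=3599&state=" + STATE)

if __name__ == "__main__":
    print(CONSENT_URL)
    print(parse_callback(DENIED_CALLBACK, STATE))
    print(parse_callback(GRANTED_CALLBACK, STATE))
```

The state check comes before the error check on purpose: a callback whose state does not match is discarded regardless of what else it carries, so an attacker cannot feed the application a consent result or token from a session they started.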

Why as a co-administrator of a subscription am I unable to edit the Active Directory?

A customer made me a co-administrator of his Azure subscription. However, I am unable to edit his Active Directory, ie add/edit users, create applications, etc.
Why can't I access that? I'm thinking perhaps the Subscription is owned by the AD and not the other way around.
What do each of the role levels in AD allow? There's
Global Admin
Billing Admin
Service Admin
User Admin
Password Admin
I believe the primary reason for this error is that when a co-admin with a Microsoft account is added to a subscription, it gets added into the subscription's AD as the Guest user type. In order for you to get access to that AD so that you can perform operations on it, your user type needs to be changed from Guest to Member. I had exactly the same issue with one of the users of our product, and the steps described below solved the problem.
To change the user type, one needs to use the AD PowerShell cmdlets. The process is rather convoluted and needs to be done by your customer.
First, check with your customer whether they themselves are using a Microsoft Account to sign in to the portal. If they are, they will need to create a user in their Azure AD. Please see this thread for why this is needed: PowerShell - Connecting to Azure Active Directory using Microsoft Account.
Next, they will need to sign in using this user account, because the user password has to be changed on first login.
Install AD Modules. You may find these links useful for that purpose: https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx#bkmk_installmodule, http://www.microsoft.com/en-us/download/details.aspx?id=41950 (Please choose 64 bit version) and http://go.microsoft.com/fwlink/p/?linkid=236297.
Launch PowerShell and execute the following commands:
$cred = Get-Credential   # In the window that shows up, specify the credentials of the local Azure AD user created above
Connect-MsolService -Credential $cred   # Sign in to the tenant with that user
(Get-MsolUser -SearchString "your microsoft account email address").UserType   # This should output "Guest". If it doesn't, stop and do not proceed further, as there might be some other issue.
Get-MsolUser -SearchString "your microsoft account email address" | Set-MsolUser -UserType Member   # Change the user type of the co-admin's account
(Get-MsolUser -SearchString "your microsoft account email address").UserType   # This should now output "Member"
If the problem somehow still persists, ask your customer to log in to the portal, delete your user record from the AD users list and add it again. That should also take care of this problem.
The answer was that I needed to be set up as a Global Administrator in the Azure AD domain.
Both answers above seem to be correct in their own way.
To start with, being a subscription administrator does not automatically make you an Azure AD administrator. You'd need an explicit role grant on the target Azure AD.
The second aspect is the type of account used. If it's in the current Azure AD or a Microsoft Live account, all is well.
In case that account is part of an external Azure AD, by default the user type is "Guest" (can log in, but cannot control anything even if assigned "Global admin"). Therefore the PowerShell commands highlighted above should be executed to change the user type to "Member".
Some more helpful info can be found here (it is mentioned as a Visual Studio Team Services issue, but actually applies to most Azure-related services).