Insufficient privileges when trying to add schema extension to User - azure

I am trying to add custom properties to User object using graph.microsoft.com. I chose schema extensions for that, but the POST request to https://graph.microsoft.com/v1.0/schemaExtensions returns Authorization_RequestDenied.
First, I checked the permissions via the Azure CLI (the id is my app id):
az ad app permission list-grants --id 229e9b3d-5a17-4a46-930a-60e8ca114027 --show-resource-name
For Microsoft Graph, there are many permissions, but as I understand it, I should need only User.ReadWrite.All and Directory.AccessAsUser.All which are there.
Then I used Insomnia (to check functionality without coding problems) and call POST https://graph.microsoft.com/v1.0/schemaExtensions with JSON body:
{
"id": "extTest",
"description": "test extension",
"targetTypes": [
"User"
],
"properties": [
{
"name" : "isAvailable",
"type" : "Boolean"
}
]
}
and the returned response is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "d5c1e7b3-f1c5-44c0-917d-5e43d7483bdf",
"date": "2019-06-10T13:44:36"
}
}
}
Is there something I missed?

It seems that your access token didn't have Directory.AccessAsUser.All permission. You can decode it by using https://jwt.io/ and check if this permission exists in 'scp'.
I have tested it on my side and it works. Here are my main steps.
1.add Directory.AccessAsUser.All permission to your app and click grant admin consent button.
2.get access token by using auth code grant flow. You can not use client credential grant flow here since you must sign in with a user.

Related

"Update User" operation giving "Insufficient privileges to complete the operation.' error in Microsoft Graph API

I am trying to create a Reset password page, that will take the new password of the logged in user to reset the password of the user in Azure AD. I have read the information given in the following page, for User Update API.
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
I have
Directory.ReadWrite.All User.ReadWrite.All (delegated) and
User.ReadWrite.All (Application) permissions in Azure AD configuration page. I had asked another query in SO for creating users through MS Graph API, in which I learned how to create an Access token. I am following the same procedure to get access token for calling "User Update API". In Postman I am passing the below value.
PATCH https://graph.microsoft.com/v1.0/users/principalname#blah.in
Content-type: application/json
Authorization: bearer TOKEN
{
"passwordProfile":
{
"forceChangePasswordNextSignIn":false,
"password": "XXXXXXXXX"
}
}
When I execute this I get the following error
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "1ab4e11b-57e7-481f-9d93-296a3dece72c",
"date": "2019-05-10T05:13:19"
}
} }
I am unable to understand why I am getting this error because all permissions are given for the user.
I have gone through all the questions related to "Insufficient privileges to complete the operation" in SO before posting this question.
Because when updating the passwordProfile property, youn need the Directory.AccessAsUser.All permission.
See: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs

token from microsoft graph is sometimes "corrupted"

Weird issue.
I have a microsft saas app who asks for different permissions (directory.readWrite, file.readWrite Mail... etc) at the admin consent page.
After an admin gave his consent, my app acquires token and start doing what is should.
The thing is that sometimes I get token without "roles" section (I decoded the access token with jwt decoder and saw it was missing..)
and when it is missing then if I try to get users details (for instance) then I get 401 status code:
{
"error": {
"code": "Authorization_RequestDenied",
"innerError": {
"date": "2019-04-10T16:50:28",
"request-id": "fa93e103-6c0e-48cd-af06-008a52762aaa"
},
"message": "Insufficient privileges to complete the operation."
}
}
And that make sense...
How come that the token sometimes contains the "roles" section with all my app permissions and sometimes not? is it Microsoft issue? is there a workaround?
It isn't a specific tenant problem as if I try again after failure with the same tenant then it might work just fine..
Any thoughts?

Changing accountEnabled throws 403 Authorization_RequestDenied

I am using Client application (Client credentials grant) with defined permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in Bearer token) to change accountEnabled to false for a user, like here:
{
"accountEnabled": false,
"city": "C234",
"country": "AFG",
"displayName": "Steve Rogers",
"givenName": "Steve",
"jobTitle": "Azure",
"mailNickname": "steve",
"postalCode": "Z345",
"streetAddress": "S123",
"surname": "Rogers",
"userPrincipalName": "steve#***.onmicrosoft.com",
"id": "aec...278",
"mobilePhone": null
}
But all requests ends with 403
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "e7a...e42",
"date": "2019-04-10T08:21:12"
}
}
}
Documentation doesn't contain any restrictions or requirements of additional permissions. Is it a bug in Graph API?
Thank you guys, I was able to find a root cause - you can't disable a user in Admin role. I was unlucky and select several users and all of them were in Admin role.
https://learn.microsoft.com/en-us/graph/permissions-reference#remarks-2
On my side, it works. The following is my process:
Use the client credential to get bearer token:
To parse the bearer token:
2. Use this bearer token to call ms graph api:
Check the disabled user in the azure portal:
No Its mandatory to grant permission for accessing this API on azure portal.
Make sure you have set required permissions access on portal of your calling API. Also user must not have any directory role in portal.
If you are admin in your AAD, You could grant permission for
users in organization by click Grant permission button.
Then you could use your code (client credential flow to get the
token) and query users information . If you check the claims in
access token issued by azure ad , you could find Directory.Read.All
permission in roles claim
In given reference same thread answered there You could refer here .
Note For Client Credentials code example you could check here
If you still have any query feel free to ask in comment. Thank you.

B2C Graph API - insufficient permissions even when Directory.ReadWrite.All is enabled

I am trying to run 'change password' via Postman.
I get token using app id and secret
I can read data from the user profile no problem
I grant permissions to Graph API in Azure portal
I generate the token again, review it in jwt.io, sample
"Device.ReadWrite.All",
"Member.Read.Hidden",
"Directory.ReadWrite.All",
"Domain.ReadWrite.All",
"Application.ReadWrite.OwnedBy",
"Application.ReadWrite.All"
],
I send
"password": "Test123456",
"forceChangePasswordNextLogin": false
to https://graph.windows.net/[tenant]/users/[user]api-version=1.6.
I still get a fail with the following:
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
The change password permission isn't enabled in the same manner as the other permissions on the AD Graph API.
You need to set up a tenant admin local to the B2C tenant and then run the powershell commands as detailed here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.

Add Member to Directory Role in Microsoft Graph API - Insufficient Privileges

The docs state:
One of the following scopes is required to execute this API: Directory.ReadWrite.All OR Directory.AccessAsUser.All
http://jwt.calebb.net/ confirms that Directory.ReadWrite.All is one of the roles for my token, however the following request:
POST https://graph.microsoft.com/v1.0/directoryRoles/{directoryRoleObjectId}/members/$ref
{
"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{userObjectId}"
}
Returns:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "{id}",
"date": "2016-11-25T15:18:07"
}
}
}
Running a GET on the directoryRole returns data, so the Read permissions seem to be working. What am I missing?
Directory.AccessAsUser.All (using an Admin account) allows you to add/remove users from a directory role. NOTE: this is a delegated permission. As far as I can tell, no other permissions allows this operation, and we'll need to fix our docs. I will need to check back with some of our development team on this.
Question for you: Is there a reason why you need to use Application Permissions, and can't use Delegated Permissions?
Hope this helps,

Resources