I am trying to create a Reset password page, that will take the new password of the logged in user to reset the password of the user in Azure AD. I have read the information given in the following page, for User Update API.
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
I have
Directory.ReadWrite.All User.ReadWrite.All (delegated) and
User.ReadWrite.All (Application) permissions in Azure AD configuration page. I had asked another query in SO for creating users through MS Graph API, in which I learned how to create an Access token. I am following the same procedure to get access token for calling "User Update API". In Postman I am passing the below value.
PATCH https://graph.microsoft.com/v1.0/users/principalname#blah.in
Content-type: application/json
Authorization: bearer TOKEN
{
"passwordProfile":
{
"forceChangePasswordNextSignIn":false,
"password": "XXXXXXXXX"
}
}
When I execute this I get the following error
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "1ab4e11b-57e7-481f-9d93-296a3dece72c",
"date": "2019-05-10T05:13:19"
}
} }
I am unable to understand why I am getting this error because all permissions are given for the user.
I have gone through all the questions related to "Insufficient privileges to complete the operation" in SO before posting this question.
Because when updating the passwordProfile property, youn need the Directory.AccessAsUser.All permission.
See: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
Related
I'm using graph rest api for writing a draft mail.
First, I called the authorize method with the https://graph.microsoft.com/.default scope:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=MY_CLIENT_ID&response_type=code&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient&response_mode=query&scope=https://graph.microsoft.com/.default
With the obtained code, I called the token method with the same scope:
https://login.microsoftonline.com/common/oauth2/v2.0/token
With this token, I am able to get messages without any issues, but when I try to create a draft by calling: https://graph.microsoft.com/v1.0/me/messages/ I get the following error:
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "7fafbb5a-ab6d-4dbc-bb73-69d58b00f7ac",
"date": "2019-11-26T20:48:24"
}
}
}
As stated in the documentation (https://learn.microsoft.com/en-us/graph/api/user-post-messages?view=graph-rest-1.0&tabs=http) I have set the Mail.ReadWrite permission in my registered Azure app and granted admin consent. Am I missing something?
I checked Graph logs and that call to Microsoft Graph did not have the Mail.ReadWrite permission. Can you try adding that permission to the scope query param in your implicit auth flow call instead of .default? (If you need multiple permissions you can list them all in the scope param separated by spaces)
I am trying to add custom properties to User object using graph.microsoft.com. I chose schema extensions for that, but the POST request to https://graph.microsoft.com/v1.0/schemaExtensions returns Authorization_RequestDenied.
First, I checked the permissions via the Azure CLI (the id is my app id):
az ad app permission list-grants --id 229e9b3d-5a17-4a46-930a-60e8ca114027 --show-resource-name
For Microsoft Graph, there are many permissions, but as I understand it, I should need only User.ReadWrite.All and Directory.AccessAsUser.All which are there.
Then I used Insomnia (to check functionality without coding problems) and call POST https://graph.microsoft.com/v1.0/schemaExtensions with JSON body:
{
"id": "extTest",
"description": "test extension",
"targetTypes": [
"User"
],
"properties": [
{
"name" : "isAvailable",
"type" : "Boolean"
}
]
}
and the returned response is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "d5c1e7b3-f1c5-44c0-917d-5e43d7483bdf",
"date": "2019-06-10T13:44:36"
}
}
}
Is there something I missed?
It seems that your access token didn't have Directory.AccessAsUser.All permission. You can decode it by using https://jwt.io/ and check if this permission exists in 'scp'.
I have tested it on my side and it works. Here are my main steps.
1.add Directory.AccessAsUser.All permission to your app and click grant admin consent button.
2.get access token by using auth code grant flow. You can not use client credential grant flow here since you must sign in with a user.
Weird issue.
I have a microsft saas app who asks for different permissions (directory.readWrite, file.readWrite Mail... etc) at the admin consent page.
After an admin gave his consent, my app acquires token and start doing what is should.
The thing is that sometimes I get token without "roles" section (I decoded the access token with jwt decoder and saw it was missing..)
and when it is missing then if I try to get users details (for instance) then I get 401 status code:
{
"error": {
"code": "Authorization_RequestDenied",
"innerError": {
"date": "2019-04-10T16:50:28",
"request-id": "fa93e103-6c0e-48cd-af06-008a52762aaa"
},
"message": "Insufficient privileges to complete the operation."
}
}
And that make sense...
How come that the token sometimes contains the "roles" section with all my app permissions and sometimes not? is it Microsoft issue? is there a workaround?
It isn't a specific tenant problem as if I try again after failure with the same tenant then it might work just fine..
Any thoughts?
I am using Client application (Client credentials grant) with defined permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in Bearer token) to change accountEnabled to false for a user, like here:
{
"accountEnabled": false,
"city": "C234",
"country": "AFG",
"displayName": "Steve Rogers",
"givenName": "Steve",
"jobTitle": "Azure",
"mailNickname": "steve",
"postalCode": "Z345",
"streetAddress": "S123",
"surname": "Rogers",
"userPrincipalName": "steve#***.onmicrosoft.com",
"id": "aec...278",
"mobilePhone": null
}
But all requests ends with 403
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "e7a...e42",
"date": "2019-04-10T08:21:12"
}
}
}
Documentation doesn't contain any restrictions or requirements of additional permissions. Is it a bug in Graph API?
Thank you guys, I was able to find a root cause - you can't disable a user in Admin role. I was unlucky and select several users and all of them were in Admin role.
https://learn.microsoft.com/en-us/graph/permissions-reference#remarks-2
On my side, it works. The following is my process:
Use the client credential to get bearer token:
To parse the bearer token:
2. Use this bearer token to call ms graph api:
Check the disabled user in the azure portal:
No Its mandatory to grant permission for accessing this API on azure portal.
Make sure you have set required permissions access on portal of your calling API. Also user must not have any directory role in portal.
If you are admin in your AAD, You could grant permission for
users in organization by click Grant permission button.
Then you could use your code (client credential flow to get the
token) and query users information . If you check the claims in
access token issued by azure ad , you could find Directory.Read.All
permission in roles claim
In given reference same thread answered there You could refer here .
Note For Client Credentials code example you could check here
If you still have any query feel free to ask in comment. Thank you.
The docs state:
One of the following scopes is required to execute this API: Directory.ReadWrite.All OR Directory.AccessAsUser.All
http://jwt.calebb.net/ confirms that Directory.ReadWrite.All is one of the roles for my token, however the following request:
POST https://graph.microsoft.com/v1.0/directoryRoles/{directoryRoleObjectId}/members/$ref
{
"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{userObjectId}"
}
Returns:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "{id}",
"date": "2016-11-25T15:18:07"
}
}
}
Running a GET on the directoryRole returns data, so the Read permissions seem to be working. What am I missing?
Directory.AccessAsUser.All (using an Admin account) allows you to add/remove users from a directory role. NOTE: this is a delegated permission. As far as I can tell, no other permissions allows this operation, and we'll need to fix our docs. I will need to check back with some of our development team on this.
Question for you: Is there a reason why you need to use Application Permissions, and can't use Delegated Permissions?
Hope this helps,