I am using Client application (Client credentials grant) with defined permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in Bearer token) to change accountEnabled to false for a user, like here:
{
"accountEnabled": false,
"city": "C234",
"country": "AFG",
"displayName": "Steve Rogers",
"givenName": "Steve",
"jobTitle": "Azure",
"mailNickname": "steve",
"postalCode": "Z345",
"streetAddress": "S123",
"surname": "Rogers",
"userPrincipalName": "steve#***.onmicrosoft.com",
"id": "aec...278",
"mobilePhone": null
}
But all requests ends with 403
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "e7a...e42",
"date": "2019-04-10T08:21:12"
}
}
}
Documentation doesn't contain any restrictions or requirements of additional permissions. Is it a bug in Graph API?
Thank you guys, I was able to find a root cause - you can't disable a user in Admin role. I was unlucky and select several users and all of them were in Admin role.
https://learn.microsoft.com/en-us/graph/permissions-reference#remarks-2
On my side, it works. The following is my process:
Use the client credential to get bearer token:
To parse the bearer token:
2. Use this bearer token to call ms graph api:
Check the disabled user in the azure portal:
No Its mandatory to grant permission for accessing this API on azure portal.
Make sure you have set required permissions access on portal of your calling API. Also user must not have any directory role in portal.
If you are admin in your AAD, You could grant permission for
users in organization by click Grant permission button.
Then you could use your code (client credential flow to get the
token) and query users information . If you check the claims in
access token issued by azure ad , you could find Directory.Read.All
permission in roles claim
In given reference same thread answered there You could refer here .
Note For Client Credentials code example you could check here
If you still have any query feel free to ask in comment. Thank you.
Related
I am trying to add custom properties to User object using graph.microsoft.com. I chose schema extensions for that, but the POST request to https://graph.microsoft.com/v1.0/schemaExtensions returns Authorization_RequestDenied.
First, I checked the permissions via the Azure CLI (the id is my app id):
az ad app permission list-grants --id 229e9b3d-5a17-4a46-930a-60e8ca114027 --show-resource-name
For Microsoft Graph, there are many permissions, but as I understand it, I should need only User.ReadWrite.All and Directory.AccessAsUser.All which are there.
Then I used Insomnia (to check functionality without coding problems) and call POST https://graph.microsoft.com/v1.0/schemaExtensions with JSON body:
{
"id": "extTest",
"description": "test extension",
"targetTypes": [
"User"
],
"properties": [
{
"name" : "isAvailable",
"type" : "Boolean"
}
]
}
and the returned response is:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "d5c1e7b3-f1c5-44c0-917d-5e43d7483bdf",
"date": "2019-06-10T13:44:36"
}
}
}
Is there something I missed?
It seems that your access token didn't have Directory.AccessAsUser.All permission. You can decode it by using https://jwt.io/ and check if this permission exists in 'scp'.
I have tested it on my side and it works. Here are my main steps.
1.add Directory.AccessAsUser.All permission to your app and click grant admin consent button.
2.get access token by using auth code grant flow. You can not use client credential grant flow here since you must sign in with a user.
I am trying to create a Reset password page, that will take the new password of the logged in user to reset the password of the user in Azure AD. I have read the information given in the following page, for User Update API.
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
I have
Directory.ReadWrite.All User.ReadWrite.All (delegated) and
User.ReadWrite.All (Application) permissions in Azure AD configuration page. I had asked another query in SO for creating users through MS Graph API, in which I learned how to create an Access token. I am following the same procedure to get access token for calling "User Update API". In Postman I am passing the below value.
PATCH https://graph.microsoft.com/v1.0/users/principalname#blah.in
Content-type: application/json
Authorization: bearer TOKEN
{
"passwordProfile":
{
"forceChangePasswordNextSignIn":false,
"password": "XXXXXXXXX"
}
}
When I execute this I get the following error
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "1ab4e11b-57e7-481f-9d93-296a3dece72c",
"date": "2019-05-10T05:13:19"
}
} }
I am unable to understand why I am getting this error because all permissions are given for the user.
I have gone through all the questions related to "Insufficient privileges to complete the operation" in SO before posting this question.
Because when updating the passwordProfile property, youn need the Directory.AccessAsUser.All permission.
See: https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=cs
I am trying to run 'change password' via Postman.
I get token using app id and secret
I can read data from the user profile no problem
I grant permissions to Graph API in Azure portal
I generate the token again, review it in jwt.io, sample
"Device.ReadWrite.All",
"Member.Read.Hidden",
"Directory.ReadWrite.All",
"Domain.ReadWrite.All",
"Application.ReadWrite.OwnedBy",
"Application.ReadWrite.All"
],
I send
"password": "Test123456",
"forceChangePasswordNextLogin": false
to https://graph.windows.net/[tenant]/users/[user]api-version=1.6.
I still get a fail with the following:
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
The change password permission isn't enabled in the same manner as the other permissions on the AD Graph API.
You need to set up a tenant admin local to the B2C tenant and then run the powershell commands as detailed here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet.
Is it possible to query the Graph API and find whether the directory administrator gave administrator consent for the application and when this was done?
If so, how would I go about this?
You would have to query the oauth2PermissionGrants. To get them you will have to know the object id of the application's service principal in the target directory. That one you can get if you know the app's client id.
For example if I query https://graph.windows.net/<tenant id>/servicePrincipals/6e56b47c-4c6e-40f5-aa95-16a0b1cb44fc/oauth2PermissionGrants from the Azure AD Graph API:
{
"odata.metadata": "https://graph.windows.net/<tenant id>/$metadata#oauth2PermissionGrants",
"value": [
{
"clientId": "6e56b47c-4c6e-40f5-aa95-16a0b1cb44fc",
"consentType": "AllPrincipals",
"expiryTime": "2017-12-19T09:25:32.3581755",
"objectId": "fLRWbm5M9UCqlRagsctE_M7PF6398j5LkfWqCoLpQBI",
"principalId": null,
"resourceId": "ad17cfce-f2fd-4b3e-91f5-aa0a82e94012",
"scope": "User.Read",
"startTime": "0001-01-01T00:00:00"
}
]
}
You can see this particular service principal has been granted the User.Read scope on the Azure AD Graph API for AllPrincipals, which means admin consent. If it was individual user consent, consentType would be Principal, with the principalId set to the id of the user who gave the consent.
Note you can't know when the consent was given.
The docs state:
One of the following scopes is required to execute this API: Directory.ReadWrite.All OR Directory.AccessAsUser.All
http://jwt.calebb.net/ confirms that Directory.ReadWrite.All is one of the roles for my token, however the following request:
POST https://graph.microsoft.com/v1.0/directoryRoles/{directoryRoleObjectId}/members/$ref
{
"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{userObjectId}"
}
Returns:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "{id}",
"date": "2016-11-25T15:18:07"
}
}
}
Running a GET on the directoryRole returns data, so the Read permissions seem to be working. What am I missing?
Directory.AccessAsUser.All (using an Admin account) allows you to add/remove users from a directory role. NOTE: this is a delegated permission. As far as I can tell, no other permissions allows this operation, and we'll need to fix our docs. I will need to check back with some of our development team on this.
Question for you: Is there a reason why you need to use Application Permissions, and can't use Delegated Permissions?
Hope this helps,