Receiving error ‘Neither tenant is B2C or tenant doesn’t have premium license’ from Microsoft Graph

You may receive the following error

'error': {
     'code': 'Authentication_RequestFromNonPremiumTenantOrB2CTenant',
     'message': 'Neither tenant is B2C or tenant doesn't have premium license',
     'innerError': {
       'date': '2021-03-04T07:53:51',
       'request-id': 'a0a074e6-xxx-c511669fa420',
       'client-request-id': 'a0a074e6-xxx-c511669fa420'
     }

when making any Microsoft Graph call querying users’ sign in activities, for example the following GET requests

https://graph.microsoft.com/v1.0/auditLogs/signIns or https://graph.microsoft.com/beta/users?$select=displayName,userPrincipalName,signInActivity

So what’s the resolution?

The following criteria are required for the call to succeed:

The queried tenant or directory will need to have either Azure AD Premium P1 or P2 license per https://docs.microsoft.com/en-us/graph/api/resources/signin?view=graph-rest-1.0
the MS Graph Access Token needs to have both of these permissions: AuditLog.Read.All and Directory.Read.All per https://docs.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-1.0&tabs=http

More Information

Customers configuring applications with only AuditLog.Read.All permission may see this error intermittently and this is expected depending on whether the licensing information is available in cache at that time. Directory.Read.All permission is required to read the tenant licensing information when it’s not already available in cache.

In a different scenario the above error can also be observed when making the following MS Graph call to get the credential user registration details:

GET https://graph.microsoft.com/beta/reports/credentialUserRegistrationDetails

In order for the above call to succeed, the following criteria are required:

The queried tenant or directory will need to have either Azure AD Premium P1 or P2 license per Working with the authentication methods usage report API – Microsoft Graph beta | Microsoft Docs
the MS Graph Access Token needs to have the permission: Reports.Read.All per List credentialUserRegistrationDetails – Microsoft Graph beta | Microsoft Docs
The authenticating user needs to be in one of these Administrative roles: Reports reader, Security reader, Security admin, Global reader, and Global admin per Working with the authentication methods usage report API – Microsoft Graph beta | Microsoft Docs

Leave a Comment Cancel reply

Recent Posts

Archives

Categories