Authorization_RequestDenied error when using Microsoft Graph API to add user(s) to a group

One may receive the following 403 error when using Microsoft Graph API to add a user to a group: MS Graph Request:POST https://graph.microsoft.com/v1.0/groups/<Group Object ID>/members/$refRequest body:{ “@odata.id”: “https://graph.microsoft.com/v1.0/directoryObjects/<User Object ID>”}Response:{ “error”: { “code”: “Authorization_RequestDenied”, “message”: “Insufficient privileges to complete the operation.”, “innerError”: { “date”: “2024-05-07T15:39:39”, “request-id”: “aa324f0f-b4a3-4af6-9c4f-996e195xxxx”, “client-request-id”: “aa324f0f-b4a3-4af6-9c4f-996e1959074e” } }} Below are some guidelines for resolving the error Check group type: There are different types of groups and not…

Read More

How to find the underlying MS Graph URL from a Microsoft Graph PowerShell commandlet

There are times one needs to know the underlying Microsoft Graph URL for a given Microsoft Graph PowerShell commandlet. Knowing the underlying URL can be helpful for debugging Microsoft Graph related issues. There can be multiple ways to find out. Below are a couple of techniques one can use. Use the Debug switch This switch is documented here. This technique requires Using Connect-MgGraph to authenticate and execute the commandlet. The…

Read More

Tutorial: How to call a protected web API with an application permission token in Azure AD B2C

Introduction This post covers an end to end scenario where a front end console application authenticates to Azure AD B2C using client credentials OAuth2 grant flow and calls a .Net backend web API. The samples in this post are built on .Net 6 framework. App Registrations There are 2 App Registrations required in this tutorial: a front-end console app and a back-end web API. The samples also require either a…

Read More

Using MSAL for Python to perform interactive sign in from a local script

This blog shows how to use MSAL for Python to perform an interactive sign in to Azure AD from running a local python script. The sample also demonstrates how to enable MSAL logging along with how to capture Python SSL web traffic using Fiddler Classic App Registration: You will need to have an Azure AD App Registration with “http://localhost” reply URL configured in the ‘Mobile and desktop applications’ platform The…

Read More

Use logging to troubleshoot Azure AD protected Web API Authentication or Authorization errors

The sample web API application in this blog uses .Net 6 Framework and Microsoft.Identity.Web nuget package to Azure AD protect the Web API. I use Serilog framework for logging the debug output both to the console window and to the local file. This sample assumes you already have a web API application registered in Azure AD. If you are not familiar with how to do that refer to my previous…

Read More

Using Microsoft Graph PowerShell SDK to manage user consented permissions

The oAuth2PermissionGrant object keeps a record of user consented permissions (Delegated Permissions) in a tenant. There is one OAuth2PermissionGrant object (identified by Consent ID) for each combination of client application, resource application, and user. The sample PowerShell script in this post will perform the following tasks: Remove all MS Graph Delegated permissions (if any) for the user Perform user consent for an initial set of MS Graph permission Update the…

Read More

Receiving error “CompactToken parsing failed” when calling Microsoft Graph

You may receive the following 401 error calling MS Graph endpoint (https://graph.microsoft.com) { “error”: { “code”: “InvalidAuthenticationToken”, “message”: “CompactToken parsing failed with error code: 80049217”, “innerError”: { “date”: “2022-08-16T19:00:22”, “request-id”: “xxx”, “client-request-id”: “yyy” } } } What’s the cause of the error? The error typically happens due to the following reasons: There is no Bearer Access Token in the Request’s Authorization Header The value of the Authorization Header is in…

Read More

Using MS Graph to get both Interactive and non Interactive sign in events log

Microsoft Graph API can be used to get different types of Sign-In event similar to what’s available in the Azure AD portal As of this writing, this functionality is only available in the beta endpoint. By default the following MS Graph request only gets a list of interactive user sign-ins GET https://graph.microsoft.com/beta/auditLogs/signIns To pull the other types of Sign-In logw you will have to use signInEventTypes filter query as followed:…

Read More

Update your Azure AD-integrated applications to use TLS 1.2

Recently our support team has seen quite a few cases where customer applications have been working for years and recently started failing with one of the following error messages:. These errors are often seen in applications targeting an old version of .Net Framework. AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which are deprecated to improve the security posture of Azure ADIDX20804: Unable to retrieve document from:…

Read More

Troubleshooting 403 Authorization error when calling Microsoft Graph Security API

You may get the following 403 error when using Microsoft Graph Security API to call various end points (https://graph.microsoft.com/v1.0/security/alert, https://graph.microsoft.com/beta/security/secoreScores, etc…) “Auth token does not contain valid permissions or user does not have valid roles” Root Cause The above error can occur if the access token is missing the following requirement: The token does not have the required Microsoft Graph permission for the https://graph.microsoft.com/v1.0 (or beta)/security/xxx entity endpoint being used…

Read More