Authorization_RequestDenied error when using Microsoft Graph API to add user(s) to a group

One may receive the following 403 error when using Microsoft Graph API to add a user to a group: MS Graph Request:POST https://graph.microsoft.com/v1.0/groups/<Group Object ID>/members/$refRequest body:{ “@odata.id”: “https://graph.microsoft.com/v1.0/directoryObjects/<User Object ID>”}Response:{ “error”: { “code”: “Authorization_RequestDenied”, “message”: “Insufficient privileges to complete the operation.”, “innerError”: { “date”: “2024-05-07T15:39:39”, “request-id”: “aa324f0f-b4a3-4af6-9c4f-996e195xxxx”, “client-request-id”: “aa324f0f-b4a3-4af6-9c4f-996e1959074e” } }} Below are some guidelines for resolving the error Check group type: There are different types of groups and not…

Read More

How to find the underlying MS Graph URL from a Microsoft Graph PowerShell commandlet

There are times one needs to know the underlying Microsoft Graph URL for a given Microsoft Graph PowerShell commandlet. Knowing the underlying URL can be helpful for debugging Microsoft Graph related issues. There can be multiple ways to find out. Below are a couple of techniques one can use. Use the Debug switch This switch is documented here. This technique requires Using Connect-MgGraph to authenticate and execute the commandlet. The…

Read More

The identity of the calling application could not be established

You are getting the following error from Microsoft Graph or downstream services that uses Microsoft Graph… The identity of the calling application could not be established This error is thrown because the “oid” and “sub” claim is missing from the access token. This is because the servicePrincipal does not exist in the tenant or the tenant is not aware of the application. Partner Scenario If this is a Partner application,…

Read More

Managing Microsoft Graph requests in Microsoft Graph PowerShell

Basics of using Microsoft (MS) Graph PowerShell to update objects using Hashtables and JSON. These are just some examples that could be used. By no means would I consider these the “best” way to handle each scenario, however, this should get you started in the right direction. In general, a good thing to keep in mind, a Microsoft Graph type could be resembled as a PowerShell Hashtable or Array. To…

Read More

Making MS Graph Requests using Managed Identities

This blog post is an extension to my previous post about how to get secrets and access tokens using Managed Identities with VB.Net and C#. You can read that post here. There is a c# sample for this particular blog here. The scenario here is that you already have the code to use the managed identities and now you want to get an access token for a resource that requires…

Read More

Using Microsoft Graph PowerShell SDK to manage user consented permissions

The oAuth2PermissionGrant object keeps a record of user consented permissions (Delegated Permissions) in a tenant. There is one OAuth2PermissionGrant object (identified by Consent ID) for each combination of client application, resource application, and user. The sample PowerShell script in this post will perform the following tasks: Remove all MS Graph Delegated permissions (if any) for the user Perform user consent for an initial set of MS Graph permission Update the…

Read More

Receiving error “CompactToken parsing failed” when calling Microsoft Graph

You may receive the following 401 error calling MS Graph endpoint (https://graph.microsoft.com) { “error”: { “code”: “InvalidAuthenticationToken”, “message”: “CompactToken parsing failed with error code: 80049217”, “innerError”: { “date”: “2022-08-16T19:00:22”, “request-id”: “xxx”, “client-request-id”: “yyy” } } } What’s the cause of the error? The error typically happens due to the following reasons: There is no Bearer Access Token in the Request’s Authorization Header The value of the Authorization Header is in…

Read More

Using MS Graph to get both Interactive and non Interactive sign in events log

Microsoft Graph API can be used to get different types of Sign-In event similar to what’s available in the Azure AD portal As of this writing, this functionality is only available in the beta endpoint. By default the following MS Graph request only gets a list of interactive user sign-ins GET https://graph.microsoft.com/beta/auditLogs/signIns To pull the other types of Sign-In logw you will have to use signInEventTypes filter query as followed:…

Read More

How to sign in as a guest user in Graph Explorer

Besides tenant members, it is also possible to use Graph Explorer signed in as a tenant’s guest user. In Graph Explorer, add “?tenant=”{tenantname.onmicrosoft.com}” to the URL in the address bar (eg https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=contoso.onmicrosoft.com), and press enter. This will explicitly make Graph Explorer to consider only that tenant when signing in. Now sign into Graph Explorer as usual, with a guest user’s credentials. Afterwards, try making this GET request: “https://graph.microsoft.com/v1.0/me”. In the…

Read More

Revoke Admin Consent for a delegated permission on a Service Principal with the MS Graph PowerShell SDK

Scenario: You use the Microsoft Graph Explorer tool to test a query. It requires you to consent to a permission so you use your admin account to do this. However, you click the check box to consent for the entire organization… woops! You did not mean to give everyone permissions for “AuditLog.Read.All” so now you need to revoke this permission. The easiest way to revoke consent is to just delete…

Read More