One may receive the following 403 error when using Microsoft Graph API to add a user to a group: MS Graph Request:POST https://graph.microsoft.com/v1.0/groups/<Group Object ID>/members/$refRequest body:{ “@odata.id”: “https://graph.microsoft.com/v1.0/directoryObjects/<User Object ID>”}Response:{ “error”: { “code”: “Authorization_RequestDenied”, “message”: “Insufficient privileges to complete the operation.”, “innerError”: { “date”: “2024-05-07T15:39:39”, “request-id”: “aa324f0f-b4a3-4af6-9c4f-996e195xxxx”, “client-request-id”: “aa324f0f-b4a3-4af6-9c4f-996e1959074e” } }} Below are some guidelines for resolving the error Check group type: There are different types of groups and not…
Read MoreHow to unconsent / remove consented permissions in Graph Explorer tool
While using Microsoft Graph explorer, you accidentally consented to permission(s) that you did not mean to. This blog post will explain how to unconsent or remove that permission(s). Log in to graph explorer (Graph Explorer | Try Microsoft Graph APIs – Microsoft Graph) with your credentials. Note: In order to perform the following unconsent steps, make sure these permissions: Directory.Read.All and DelegatedPermissionGrant.ReadWrite.All are already consented. Perform the following steps to…
Read MoreMaking MS Graph Requests using Managed Identities
This blog post is an extension to my previous post about how to get secrets and access tokens using Managed Identities with VB.Net and C#. You can read that post here. There is a c# sample for this particular blog here. The scenario here is that you already have the code to use the managed identities and now you want to get an access token for a resource that requires…
Read MoreUsing MS Graph to get both Interactive and non Interactive sign in events log
Microsoft Graph API can be used to get different types of Sign-In event similar to what’s available in the Azure AD portal As of this writing, this functionality is only available in the beta endpoint. By default the following MS Graph request only gets a list of interactive user sign-ins GET https://graph.microsoft.com/beta/auditLogs/signIns To pull the other types of Sign-In logw you will have to use signInEventTypes filter query as followed:…
Read MoreTroubleshooting 403 Authorization error when calling Microsoft Graph Security API
You may get the following 403 error when using Microsoft Graph Security API to call various end points (https://graph.microsoft.com/v1.0/security/alert, https://graph.microsoft.com/beta/security/secoreScores, etc…) “Auth token does not contain valid permissions or user does not have valid roles” Root Cause The above error can occur if the access token is missing the following requirement: The token does not have the required Microsoft Graph permission for the https://graph.microsoft.com/v1.0 (or beta)/security/xxx entity endpoint being used…
Read MoreUsers unable to lookup other users in the MS Graph Users endpoint
The Microsoft Graph endpoint is how you can interact programmatically with your tenant data. One of the most common scenarios is a MS Graph request to look up a user or users in the tenant. If you’re using delegated permissions in your access token, for a user to look up another user, the access token will need the delegated permission of User.Read.All However, there are ways to prevent users from…
Read MoreHow to avoid the MS Graph error “Authorization_RequestDenied” while managing users
Problem: You may see the error “Authorizaion_RequestDenied” below ‘error’: { ‘code’: ‘Authorization_RequestDenied’, ‘message’: ‘Insufficient privileges to complete the operation.’, ‘innerError’: { ‘date’: ‘2020-11-09T20:28:42’, ‘request-id’: ‘604e410b-4af8-4b79-9f48-fe0cf905a759’, ‘client-request-id’: ‘d6350bb5-3660-1f44-01a8-8a3b86a4c12a’ } } when using Microsoft Graph to manage users. The error happens most likely because the user does not have sufficient permissions. In summary the call requires both of the following: 1) The user or application needs to be in an Administrative role2)…
Read MoreReceiving error ‘Neither tenant is B2C or tenant doesn’t have premium license’ from Microsoft Graph
You may receive the following error ‘error’: { ‘code’: ‘Authentication_RequestFromNonPremiumTenantOrB2CTenant’, ‘message’: ‘Neither tenant is B2C or tenant doesn’t have premium license’, ‘innerError’: { ‘date’: ‘2021-03-04T07:53:51’, ‘request-id’: ‘a0a074e6-xxx-c511669fa420’, ‘client-request-id’: ‘a0a074e6-xxx-c511669fa420′ } when making any Microsoft Graph call querying users’ sign in activities, for example the following GET requests https://graph.microsoft.com/v1.0/auditLogs/signIns or https://graph.microsoft.com/beta/users?$select=displayName,userPrincipalName,signInActivity So what’s the resolution? The following criteria are required for the call to succeed: The queried tenant or directory will…
Read MoreWhy /memberOf Microsoft Graph API returning null fields for some attributes.
What do below API calls do? https://graph.microsoft.com/v1.0/me/memberOf https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf These API calls gives us the list of groups and directory roles that the user is a direct member of. API Call: GET JSON response: { “@odata.context”: “https://graph.microsoft.com/v1.0/$metadata#directoryObjects”, “value”: [ { “@odata.type”: “#microsoft.graph.group”, “id”: “b0a133d4-3f3d-4990-be22-879151155f19”, “deletedDateTime”: null, “classification”: null, “createdDateTime”: null, “creationOptions”: [], “description”: null, “displayName”: null, “expirationDateTime”: null, “groupTypes”: [], “isAssignableToRole”: null, “mail”: null, “mailEnabled”: null, “mailNickname”: null, “membershipRule”: null, “membershipRuleProcessingState”: null, } } What is the reason behind seeing null values? When we make a call…
Read MoreTroubleshooting consent in Azure AD
This is a general guide for troubleshooting consent in Azure AD. It will help resolve majority of the consent related scenarios (Not all of them). In general, the application is trying to sign-in or get an access token for a resource which has not been consented by the user or admin. In general, you want to make sure all of the permissions needed by the application have been consented to.…
Read More