Authorization_RequestDenied error when using Microsoft Graph API to add user(s) to a group

One may receive the following 403 error when using the Microsoft Graph API to add a user to a group:

MS Graph Request:
POST https://graph.microsoft.com/v1.0/groups/<Group Object ID>/members/$ref

Request body:
{ "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/<User Object ID>" }

Response:
{ "error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError": { "date": "2024-05-07T15:39:39", "request-id": "aa324f0f-b4a3-4af6-9c4f-996e195xxxx", "client-request-id": "aa324f0f-b4a3-4af6-9c4f-996e1959074e" } } }

Below are some guidelines for resolving the error. Check group type: There are different types of groups and not…

How to find the underlying MS Graph URL from a Microsoft Graph PowerShell cmdlet

There are times one needs to know the underlying Microsoft Graph URL for a given Microsoft Graph PowerShell cmdlet. Knowing the underlying URL can be helpful for debugging Microsoft Graph related issues. There are multiple ways to find out; below are a couple of techniques one can use. Use the -Debug switch: This switch is documented here. This technique requires using Connect-MgGraph to authenticate and then executing the cmdlet. The…

How to unconsent / remove consented permissions in Graph Explorer tool

While using Microsoft Graph Explorer, you accidentally consented to permission(s) that you did not mean to. This blog post explains how to unconsent or remove those permission(s). Log in to Graph Explorer (Graph Explorer | Try Microsoft Graph APIs – Microsoft Graph) with your credentials. Note: In order to perform the following unconsent steps, make sure these permissions are already consented: Directory.Read.All and DelegatedPermissionGrant.ReadWrite.All. Perform the following steps to…
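The unconsent procedure itself is cut off above, so the following is an added example rather than the post's own steps. It assumes, based on the DelegatedPermissionGrant.ReadWrite.All permission the post requires, that the consent lives in an oAuth2PermissionGrant object whose `scope` property is a space-separated list, and that removing one permission means PATCHing that property (or DELETEing the grant when nothing would remain). The HTTP transport is injected as `send(method, url, body) -> (status, json)` so the logic runs offline against a constructed grant store; the service principal and grant ids are placeholders, not real object ids.

```python
"""Remove individual delegated scopes from an existing consent grant (added example)."""
from typing import Callable, Iterable, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
Send = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def remove_scopes(scope: str, to_remove: Iterable[str]) -> str:
    """Drop the named scopes from a space-separated scope string, keeping the rest in order."""
    drop = set(to_remove)
    return " ".join(s for s in scope.split() if s not in drop)


def plan_unconsent(grant: dict, to_remove: Iterable[str]) -> Tuple[str, str, Optional[dict]]:
    """Return the (method, url, body) that strips `to_remove` from one grant.

    A grant whose scope list would become empty is deleted rather than left behind
    with an empty scope string.
    """
    remaining = remove_scopes(grant["scope"], to_remove)
    url = f"{GRAPH}/oauth2PermissionGrants/{grant['id']}"
    if not remaining:
        return "DELETE", url, None
    return "PATCH", url, {"scope": remaining}


def find_grants(send: Send, client_id: str, resource_id: str) -> List[dict]:
    """List the grants one client (e.g. Graph Explorer's service principal) holds on one resource."""
    url = (f"{GRAPH}/oauth2PermissionGrants?$filter=clientId eq '{client_id}' "
           f"and resourceId eq '{resource_id}'")
    status, body = send("GET", url, None)
    if status != 200:
        raise RuntimeError(f"listing grants failed: HTTP {status} {body}")
    return body.get("value", [])


def unconsent(send: Send, client_id: str, resource_id: str, scopes: Iterable[str],
              principal_id: Optional[str] = None) -> List[Tuple[str, str]]:
    """Remove `scopes` from every matching grant; pass principal_id to touch one user's grant only.

    Returns the (method, grant id) pairs that were sent so the caller can audit what changed.
    """
    scopes = set(scopes)
    changed = []
    for grant in find_grants(send, client_id, resource_id):
        if principal_id and grant.get("principalId") != principal_id:
            continue
        if not scopes & set(grant["scope"].split()):
            continue  # nothing to remove on this grant
        method, url, body = plan_unconsent(grant, scopes)
        status, resp = send(method, url, body)
        if status not in (200, 204):
            raise RuntimeError(f"{method} {url} failed: HTTP {status} {resp}")
        changed.append((method, grant["id"]))
    return changed


# Constructed sample data: per-user ("Principal") grants for a hypothetical Graph Explorer
# service principal on Microsoft Graph. Ids are placeholders, not real object ids.
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-graph-explorer", "resourceId": "sp-microsoft-graph",
     "consentType": "Principal", "principalId": "user-alice",
     "scope": "openid profile User.Read Mail.ReadWrite"},
    {"id": "grant-2", "clientId": "sp-graph-explorer", "resourceId": "sp-microsoft-graph",
     "consentType": "Principal", "principalId": "user-bob", "scope": "Mail.ReadWrite"},
]


class FakeGrantStore:
    """Constructed stand-in for the grants endpoint so the flow runs offline.
    GET ignores the $filter and returns everything; PATCH/DELETE act on the id in the URL."""

    def __init__(self, grants: List[dict]):
        self.grants = {g["id"]: dict(g) for g in grants}
        self.calls: List[Tuple[str, str, Optional[dict]]] = []

    def send(self, method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        self.calls.append((method, url, body))
        if method == "GET":
            return 200, {"value": list(self.grants.values())}
        grant_id = url.rsplit("/", 1)[1]
        if grant_id not in self.grants:
            return 404, {"error": {"code": "Request_ResourceNotFound"}}
        if method == "DELETE":
            del self.grants[grant_id]
            return 204, {}
        self.grants[grant_id]["scope"] = body["scope"]
        return 200, self.grants[grant_id]


if __name__ == "__main__":
    store = FakeGrantStore(SAMPLE_GRANTS)
    print(unconsent(store.send, "sp-graph-explorer", "sp-microsoft-graph", ["Mail.ReadWrite"]))
    print({g: v["scope"] for g, v in store.grants.items()})
```

Running it against the constructed store removes Mail.ReadWrite from Alice's grant by PATCH and deletes Bob's grant outright, since that permission was all it held. Against a real tenant, `send` would add the bearer token (consented with the two permissions the post names) and the `$filter` would narrow the listing to the Graph Explorer service principal.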

Receiving error “CompactToken parsing failed” when calling Microsoft Graph

You may receive the following 401 error when calling the MS Graph endpoint (https://graph.microsoft.com):

{ "error": { "code": "InvalidAuthenticationToken", "message": "CompactToken parsing failed with error code: 80049217", "innerError": { "date": "2022-08-16T19:00:22", "request-id": "xxx", "client-request-id": "yyy" } } }

What's the cause of the error? The error typically happens for one of the following reasons:
There is no Bearer access token in the request's Authorization header
The value of the Authorization header is in…

Retrieve Schema Extension Values for Devices from PowerShell

You can create complex schema extension properties for devices and then retrieve those specific properties from PowerShell. This blog post will walk you through how to do this. I created an app registration in my tenant to be the owner of my device schema extension following these instructions but for devices: Add custom data to groups using schema extensions – Microsoft Graph | Microsoft Docs One thing to point out…

Users unable to lookup other users in the MS Graph Users endpoint

The Microsoft Graph endpoint is how you interact programmatically with your tenant data. One of the most common scenarios is an MS Graph request to look up a user or users in the tenant. If you're using delegated permissions in your access token, then for a user to look up another user the access token needs the delegated permission User.Read.All. However, there are ways to prevent users from…

Why do I sometimes get a 404 when trying to update an Azure Directory object after I just created it?

Azure AD is a distributed system, which means all of its data must be replicated to the various data centers. You can read about the architecture of Azure here. We occasionally see a case where a customer uses Microsoft Graph to programmatically create a user, group, application, etc., gets the object id back from that request, and then uses that id to do some kind of management…
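An added example (not the post's own code) of the read-after-create pattern the post warns about: the read of a freshly created object retries a 404 for a few backoff intervals before concluding the object does not exist, and retries nothing else, since any other status is a real error. The HTTP layer is injected as plain callables returning (status, body) so it runs offline against a constructed replica fake; in real use `post` and `get` would add the bearer token and call Graph, and the placeholder object id would be whatever the create returns.

```python
"""Read-after-create with tolerance for directory replication lag (added example)."""
import time
from typing import Callable, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
Get = Callable[[str], Tuple[int, dict]]
Post = Callable[[str, dict], Tuple[int, dict]]


class DirectoryObjectNotFound(Exception):
    pass


def get_with_replication_retry(get: Get, url: str, *, attempts: int = 6, initial_delay: float = 1.0,
                               sleep: Callable[[float], None] = time.sleep) -> dict:
    """GET `url`, retrying only 404 with exponential backoff (1, 2, 4, ... seconds).

    404 is the one status replication lag produces for an object that was just created;
    anything else is a real error and is raised at once.
    """
    delay = initial_delay
    for attempt in range(1, attempts + 1):
        status, body = get(url)
        if status == 200:
            return body
        if status != 404:
            raise RuntimeError(f"GET {url}: HTTP {status} {body}")
        if attempt < attempts:
            sleep(delay)
            delay *= 2
    raise DirectoryObjectNotFound(f"{url} still 404 after {attempts} attempts")


def create_then_read(post: Post, get: Get, collection: str, payload: dict, **retry) -> dict:
    """POST a new object to `collection` (users, groups, applications, ...) and read it back by id."""
    status, created = post(f"{GRAPH}/{collection}", payload)
    if status != 201:
        raise RuntimeError(f"create failed: HTTP {status} {created}")
    return get_with_replication_retry(get, f"{GRAPH}/{collection}/{created['id']}", **retry)


class LaggingReplicaFake:
    """Constructed stand-in for Graph: a created object answers 404 for the first
    `lag_reads` GETs, as a replica that has not yet received it would."""

    def __init__(self, lag_reads: int):
        self.lag_reads = lag_reads
        self.reads = 0
        self.store = {}

    def post(self, url: str, payload: dict) -> Tuple[int, dict]:
        obj = dict(payload, id="11111111-2222-3333-4444-555555555555")  # placeholder id
        self.store[f"{url}/{obj['id']}"] = obj
        return 201, obj

    def get(self, url: str) -> Tuple[int, dict]:
        self.reads += 1
        if self.reads <= self.lag_reads or url not in self.store:
            return 404, {"error": {"code": "Request_ResourceNotFound"}}
        return 200, self.store[url]


if __name__ == "__main__":
    fake = LaggingReplicaFake(lag_reads=2)
    delays = []
    user = create_then_read(fake.post, fake.get, "users",
                            {"displayName": "Example User", "mailNickname": "example"},
                            sleep=delays.append)
    print(f"read {user['id']} back after {fake.reads} GETs; backoff delays used: {delays}")
```

The `sleep` parameter exists so the backoff can be observed (or skipped) in tests; leave it at its default in production. Keep `attempts` small: if the object is still missing after a handful of doublings, something other than replication lag is wrong and the failure should surface rather than be retried indefinitely.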

Microsoft Graph: Why you cannot call the “me” endpoint with a token acquired via the client credentials grant flow

Introduction: Microsoft Graph has a couple of primary ways to get information about a user in Azure AD. This includes not only the user's attributes but also the groups the user is a member of, access to mail, etc. Each endpoint requires specific permissions, but generally speaking a user can get basic information about him/herself via the "me" endpoint. The "me" endpoint: From our docs…
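The three token problems on this page (the "CompactToken parsing failed" 401 from a missing or malformed Authorization header, a delegated token that lacks User.Read.All when looking up other users, and an app-only token used against the "me" endpoint) can all be caught on the client before the request goes out. The following is an added example, not code from any of these posts. It assumes the standard layout of an Entra access token: three base64url segments, with `scp` carrying delegated permissions and `roles` carrying application permissions. It checks structure and claims only, not the signature, and treats User.ReadWrite.All and Directory.Read.All as supersets of the User.Read.All the post names (an assumption of this example). The sample tokens are constructed and unsigned.

```python
"""Pre-flight checks on a Microsoft Graph bearer token (added example, runs offline)."""
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_authorization_header(header_value: Optional[str]) -> dict:
    """Reject the header shapes that make Graph answer 'CompactToken parsing failed'.

    Returns the decoded claims when the value is 'Bearer <header>.<payload>.<signature>'.
    The signature is not verified here; the goal is to catch a missing, bare or
    truncated token on the client side, before Graph returns a 401.
    """
    if not header_value:
        raise ValueError("Authorization header is missing")
    scheme, _, token = header_value.strip().partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("Authorization header must be 'Bearer <access token>'")
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("access token is not a compact JWT (header.payload.signature)")
    try:
        json.loads(_b64url_decode(parts[0]))           # header must be base64url JSON
        claims = json.loads(_b64url_decode(parts[1]))  # and so must the payload
    except ValueError as exc:                          # covers base64 and JSON errors
        raise ValueError(f"access token segments are not base64url JSON: {exc}") from exc
    if not isinstance(claims, dict) or "aud" not in claims:
        raise ValueError("access token payload has no 'aud' claim")
    return claims


def token_kind(claims: dict) -> str:
    """'delegated' (a signed-in user is behind it, so /me resolves) or 'app-only'
    (client credentials: there is no user, so /me has nothing to resolve to)."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "app-only"
    return "unknown"


def granted_permissions(claims: dict) -> set:
    # Delegated scopes arrive as one space-separated string, app roles as a list.
    return set(str(claims.get("scp", "")).split()) | set(claims.get("roles", []))


def can_call_me(claims: dict) -> bool:
    return token_kind(claims) == "delegated"


def can_read_other_users(claims: dict) -> bool:
    """User.Read.All is what the post names; the other two are assumed supersets of it."""
    needed = {"User.Read.All", "User.ReadWrite.All", "Directory.Read.All"}
    return bool(granted_permissions(claims) & needed)


def make_test_token(claims: dict) -> str:
    """Constructed, UNSIGNED token for offline tests only; never send it to Graph."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"


# Constructed sample tokens: a delegated token that only has User.Read, and an app-only
# token that holds the User.Read.All application permission.
DELEGATED_TOKEN = make_test_token({"aud": "https://graph.microsoft.com",
                                   "scp": "openid profile User.Read",
                                   "upn": "alice@contoso.example"})
APP_ONLY_TOKEN = make_test_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})

if __name__ == "__main__":
    samples = {"delegated": f"Bearer {DELEGATED_TOKEN}", "app-only": f"Bearer {APP_ONLY_TOKEN}",
               "no scheme": DELEGATED_TOKEN, "missing": None}
    for label, value in samples.items():
        try:
            c = check_authorization_header(value)
            print(f"{label}: {token_kind(c)}, /me ok={can_call_me(c)}, "
                  f"/users/{{id}} ok={can_read_other_users(c)}")
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
```

The delegated sample passes the header check but cannot read other users (it only has User.Read); the app-only sample can read other users but `can_call_me` is false, which is exactly the case the "me" post describes. The check is a client-side sanity test only: Graph still validates the signature, audience and expiry on every call.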

How to avoid the MS Graph error “Authorization_RequestDenied” while managing users

Problem: You may see the error "Authorization_RequestDenied" below when using Microsoft Graph to manage users:

'error': { 'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': { 'date': '2020-11-09T20:28:42', 'request-id': '604e410b-4af8-4b79-9f48-fe0cf905a759', 'client-request-id': 'd6350bb5-3660-1f44-01a8-8a3b86a4c12a' } }

The error happens most likely because the user does not have sufficient permissions. In summary, the call requires both of the following:
1) The user or application needs to be in an administrative role
2) …
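Both Authorization_RequestDenied posts on this page (this one and the add-member one above) show the same 403 body. As an added example that is not code from either post, the wrapper below turns that body into a typed exception carrying the request-id, client-request-id and date from innerError (the values a support case asks for) and builds the members/$ref body shown in the add-member post. The transport is injected as `send(method, url, body) -> (status, json)` so it runs offline against a constructed refusal; the ids in the sample response are placeholders.

```python
"""Turn Graph's 403 Authorization_RequestDenied into an actionable exception (added example)."""
from typing import Callable, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
Send = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


class GraphRequestDenied(Exception):
    """403 Authorization_RequestDenied plus the ids that locate the request in Microsoft's logs."""

    def __init__(self, method: str, url: str, err: dict):
        inner = err.get("innerError", {})
        self.request_id = inner.get("request-id")
        self.client_request_id = inner.get("client-request-id")
        self.date = inner.get("date")
        super().__init__(
            f"{method} {url}: {err.get('message')} "
            f"(request-id={self.request_id}, client-request-id={self.client_request_id}, date={self.date})"
        )


def call_graph(send: Send, method: str, url: str, body: Optional[dict] = None) -> dict:
    """Send one request; 2xx returns the JSON body, the denial gets its own exception type."""
    status, payload = send(method, url, body)
    if 200 <= status < 300:
        return payload
    err = (payload or {}).get("error", {})
    if status == 403 and err.get("code") == "Authorization_RequestDenied":
        raise GraphRequestDenied(method, url, err)
    raise RuntimeError(f"{method} {url}: HTTP {status} {err.get('code')}: {err.get('message')}")


def add_member_body(user_object_id: str) -> dict:
    # Membership is added by reference: an @odata.id pointing at directoryObjects, not a bare id.
    return {"@odata.id": f"{GRAPH}/directoryObjects/{user_object_id}"}


def add_user_to_group(send: Send, group_object_id: str, user_object_id: str) -> None:
    call_graph(send, "POST", f"{GRAPH}/groups/{group_object_id}/members/$ref",
               add_member_body(user_object_id))


# Constructed 403 body with the same shape as the captured one; the ids are placeholders.
DENIED_RESPONSE = {
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2024-05-07T15:39:39",
            "request-id": "00000000-0000-0000-0000-000000000001",
            "client-request-id": "00000000-0000-0000-0000-000000000002",
        },
    }
}


def denying_transport(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
    """Constructed fake: reads succeed, every write is refused with the 403 above."""
    return (200, {"value": []}) if method == "GET" else (403, DENIED_RESPONSE)


if __name__ == "__main__":
    try:
        add_user_to_group(denying_transport, "<Group Object ID>", "<User Object ID>")
    except GraphRequestDenied as exc:
        # Quote these two ids and the date when opening a support case.
        print(exc.request_id, exc.client_request_id, exc.date)
        print(exc)
```

Separating the denial from other failures matters because the fix is different: a 403 Authorization_RequestDenied is a permission or role problem on the caller's side and retrying will not help, whereas a 404 or 5xx may. Log the request-id and client-request-id together with the token's permissions (scp or roles) so the comparison with what the call requires is in one place.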

Using PowerShell to configure a signing certificate for a SAML-based SSO Enterprise Application

In my last blog post I talked about how to use PowerShell to instantiate an MSAL Confidential Client Application to acquire an access token using Client Credentials Grant flow. In this post we will use PowerShell to instantiate an MSAL Public Client Application to perform an Authorization Code Grant flow to obtain a delegated permission Access Token for Microsoft Graph. We will then use that access token to call Microsoft…
