Azure AD Graph call for User creation failing with some obscure error

I have been told to raise a question about the Azure AD Graph API here instead of raising it as an issue on the corresponding GitHub sample repository. I hope the Azure Graph API team monitors SO and can help us with this GitHub sample issue.

Some extra context for the problem:

We are using the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package to create and manage users in our Azure AD test tenant. Following this sample application, we can create and update users in Azure AD via the Graph API. That was fine until some moment about 2-3 days ago (not sure about the exact moment; we discovered the problem on Tuesday morning AU time, and the last successful run was on Friday last week). It was 100% working code, and to confirm that it's not our code I ran through the sample application again: it's broken now too. I've tested it with the latest GraphClient v2.1.0 and the original one from the sample app, which is v2.0.6.

To simplify testing of the problem I've made a LINQ-based sample with some secrets redacted (you need to follow the console app sample guide to put in your values if you want to run it, instead of the original sample app). Also, here are the Fiddler captures (redacted) of:

  • Authentication request-response (client-request-id: 88b2bbbd-94cd-498d-a147-caad05e16eb7)
  • User Creation failing Attempt

A few things to note in the Fiddler captures. The Azure AD Graph API doesn't return a refresh token along with the access token:

{"expires_in":"3599","token_type":"Bearer","scope":"UserProfile.Read",
"expires_on":"1441183928","not_before":"1441180028","resource":"https://graph.windows.net",
"access_token":"TOKEN WAS HERE"}

I can see the issue with the scope string here, but we are not setting any explicit scope in GraphClient when calling for a token, as per the sample app (and this code was fine before, as I mentioned earlier).

The user creation response is clear in terms of what happens and why it happens:

{"odata.error":
    {"code":"Authorization_RequestDenied","message":
        {"lang":"en","value":"Insufficient privileges to complete the operation."}
    }
}

But it's not clear how to ask for extra permission scopes through any of these AuthenticationContext.AcquireToken method overloads. Also, it's strange that the very same code was fully functional before and is broken now, after some mysterious change.

So I have a few questions:

  1. How to add extra scope permissions in the GraphClient library to get a Graph API token with user modification enabled. This is probably a band-aid fix for the problem.

  2. It looks like Azure AD tries to manage permissions for client apps in the portal. But there are no extra permissions for the Native Client type of application. How can I explicitly update app permissions so the existing code can work again? Is it possible at all?

  3. Can anyone recommend other libraries to interact with the Graph API which allow the consumer to explicitly specify the scope for the requested token?

================Update================

Yes, I saw that consent flow documentation. Chasing the issue, I've created a new Azure AD tenant, added a brand new application and added all possible rights, including all available application and delegation ones: now it looks like this. I also

I can get a token with a long list of scopes, e.g.

Directory.AccessAsUser.All Directory.Read Directory.Write User.Read User.ReadWrite User.Read.All User.ReadBasic.All User.ReadWrite.All user_impersonation UserProfile.Read

--cut unrelated scopes--

But it still gives me a 403:

{"odata.error":
    {"code":"Authorization_RequestDenied","message":
        {"lang":"en","value":"Insufficient privileges to complete the operation."}
    }
}

One thing worth noting: in the scope list there is no Directory.ReadWrite.All.

But the docs here say: Directory.ReadWrite.All: Read and write directory data

================Update================

PS: Some technical request info for Azure AD engineers:

  • Authentication request-response has client-request-id: 88b2bbbd-94cd-498d-a147-caad05e16eb7.
  • Failed Graph call has client-request-id: 882f3918-0ddd-40fe-a558-866997e32b46 in the response only.
Alexey Shcherbak asked Sep 02 '15 08:09


1 Answer

The issue here is that you have not properly configured your application to request the correct permissions to the Graph API. To do this, you must go into the Azure Management Portal and configure your 'permissions to other applications' to include the scopes your app needs to be able to read/write to the directory.

We have some documentation here which should help you:

  • https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx (describes the consent flow)
  • https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/graph-api-permission-scopes (describes the specific permissions that the Graph API exposes that your application will need to request)

I hope this helps!

Shawn Tabrizi answered Oct 07 '22 21:10
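The answer's point is that with the Azure AD v1 endpoint the delegated permissions are not chosen at AcquireToken time; they are configured and consented in the portal, and whatever was granted shows up in the token's scp claim (and, as a convenience copy, in the scope field of the token response). A practical way to tell the two failure modes apart before making a write call is to inspect the token you were issued. The following is an added example written for this page, not code from the question, the answer, or the GraphClient sample. It assumes that Directory.ReadWrite.All or Directory.AccessAsUser.All is what a user-creation call needs (taken from the permission-scope docs linked in the answer); the token responses and the unsigned JWT used below are constructed for the demo. Note the caveat built into the check: Directory.AccessAsUser.All only lets the app act with the signed-in user's own rights, so a token carrying it can still produce Authorization_RequestDenied when that user lacks a directory role that can create users.

```python
import base64
import json

GRAPH_RESOURCE = "https://graph.windows.net"

# Delegated permissions on the Azure AD Graph resource that allow writing directory
# objects such as users. This set is the example's assumption, drawn from the
# permission-scope documentation linked in the answer. Whether a write succeeds also
# depends on the signed-in user's directory role, which a token check cannot see.
DIRECTORY_WRITE_SCOPES = {"Directory.ReadWrite.All", "Directory.AccessAsUser.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    This is diagnostic inspection of a token the client itself just received from
    the token endpoint; it must never be used to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token_response: dict) -> set:
    """Delegated scopes the token actually carries.

    The 'scp' claim inside the access token is authoritative; the 'scope' field of
    the token response is only a convenience copy, used here as a fallback.
    """
    claims = decode_jwt_claims(token_response["access_token"])
    return set((claims.get("scp") or token_response.get("scope", "")).split())


def preflight_user_create(token_response: dict) -> tuple:
    """Return (ok, reason) for whether a user-creation call is worth attempting."""
    resource = token_response.get("resource")
    if resource != GRAPH_RESOURCE:
        return False, "token was issued for %r, not the Graph resource" % resource
    scopes = granted_scopes(token_response)
    writable = scopes & DIRECTORY_WRITE_SCOPES
    if not writable:
        return False, "token lacks a directory write permission; granted: %s" % " ".join(sorted(scopes))
    # Even with the scope present, Directory.AccessAsUser.All is bounded by the
    # signed-in user's own role, so a 403 is still possible for a non-admin user.
    return True, "token carries %s" % " ".join(sorted(writable))


def describe_graph_error(body: str) -> tuple:
    """Parse an Azure AD Graph odata.error body into (code, message)."""
    err = json.loads(body)["odata.error"]
    return err["code"], err["message"]["value"]


def make_demo_token(scp: str) -> str:
    """Constructed, UNSIGNED token in JWT layout for the demo data below.

    Real Azure AD tokens are RS256-signed; the empty signature segment here is
    exactly why decode_jwt_claims() is inspection only.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": GRAPH_RESOURCE, "scp": scp}).encode())
    return header + "." + payload + "."


# Constructed sample data modelled on the (redacted) captures in the question.
TOKEN_READ_ONLY = {
    "expires_in": "3599", "token_type": "Bearer", "scope": "UserProfile.Read",
    "resource": GRAPH_RESOURCE, "access_token": make_demo_token("UserProfile.Read"),
}
WRITE_SCP = "Directory.AccessAsUser.All Directory.Read User.ReadWrite.All"
TOKEN_WITH_WRITE = {
    "expires_in": "3599", "token_type": "Bearer", "scope": WRITE_SCP,
    "resource": GRAPH_RESOURCE, "access_token": make_demo_token(WRITE_SCP),
}
GRAPH_403_BODY = json.dumps({"odata.error": {
    "code": "Authorization_RequestDenied",
    "message": {"lang": "en", "value": "Insufficient privileges to complete the operation."}}})

if __name__ == "__main__":
    for name, resp in (("read-only token", TOKEN_READ_ONLY), ("token with write", TOKEN_WITH_WRITE)):
        print(name, "->", preflight_user_create(resp))
    print("graph error ->", describe_graph_error(GRAPH_403_BODY))
```

Run against the first token response shown in the question (scope UserProfile.Read), the pre-flight check fails before any network call, which is the cheap diagnosis for the original 403. A token such as the one in the update passes the scope check, so a 403 at that point means the problem is the signed-in user's role or the consent state in the tenant rather than the scope list.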