Microsoft Graph Api : Insufficient privileges to complete the operation

I'm trying to download files from OneDrive using the Microsoft Graph. I'm currently in the testing phase and have not yet written any code.

Here is what I did so far:

  1. Created and registered an app through https://apps.dev.microsoft.com
  2. Generated a secret, enabled implicit flow
  3. Provided it with the following list of Microsoft Graph Permissions:

     Delegated: Files.ReadWrite.All, offline_access, Group.ReadWrite.All, Directory.ReadWriteAll, User.ReadWriteAll

     Application: Directory.ReadWrite.All, Files.ReadWrite.All, Group.ReadWrite.All, User.ReadWrite.All

  4. Used the code flow with a scope of offline_access and Files.ReadWrite.All, got a code and then a token.

  5. Using this token to download a file via /me drive works well (/v1.0/me/drive/items/itemid/content), but when I try to download or just query other users I get back the error of insufficient privileges.

Calling https://graph.microsoft.com/v1.0/users gets the response:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "cee06586-12af-4768-9135-b9709d7ecb5d",
      "date": "2018-05-29T14:45:48"
    }
  }
}

The same happens when I add a user Id. When I ask to get the user's device I get a "not found" response.

I saw some answers to similar questions saying that I should add permissions to my app to Azure Active Directory via the Azure portal, but my app is listed only in the "Enterprise applications" section and I don't see it in the "App registrations" section where I can add permissions. In the Enterprise applications section I'm unable to add any permissions, only search.

Note: my user id is the global admin in the Azure portal. This user also is the user that created and owns the application.

Any idea what I may be missing here?

Thanks

Edit:

I was able to make some progress, I tried to create the app via the Azure portal and not the applications portal. Now it shows in the app registration page so I was able to add permissions to it.

So now I'm able to view all the users, but still, when I try to view their drive I get the "not found" response:

Calling https://graph.microsoft.com/v1.0/users/userid/drive returns the response:

{
  "error": {
    "code": "itemNotFound",
    "message": "The resource could not be found.",
    "innerError": {
      "request-id": "ec6ed197-15ea-498a-80d0-e2a9f832a0b9",
      "date": "2018-05-29T15:49:18"
    }
  }
}
Shira Ben-Dor asked Nov 08 '22 06:11


1 Answer

Calling /users requires you have at least User.ReadBasic.All or User.Read.All permissions. Since you've only requested Files.ReadWrite.All, you do not have sufficient access to view other users' profiles.

Try again using the scope:

User.Read.All+Files.ReadWrite.All+offline_access
Marc LaFleur answered Nov 15 '22 06:11
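As an added example, not code from the question or the answer: a small Python pre-flight check that reads the `scp` (delegated) and `roles` (application) claims out of a Graph access token and reports which of the permissions the answer names are missing for `/users` before the request is sent, plus a classifier for the two error bodies quoted above, so that an `itemNotFound` is not answered by granting broader scope. The token is constructed and unsigned (the payload is decoded without signature verification, which is fine for a local pre-flight but is not authentication); the `/users` entry of the permission table is what the answer states, and the `/me/drive` entry is an assumption for the demo based on the question's working call.

```python
"""Least-privilege pre-flight for Microsoft Graph calls (added example)."""
import base64
import json

# Endpoint -> permissions of which any one is sufficient.
# "/users" is what the answer states (User.ReadBasic.All or User.Read.All);
# User.ReadWrite.All is included because it is a superset of User.Read.All.
# "/me/drive" is an assumption for the demo, anchored on the question's
# observation that Files.ReadWrite.All was enough for /me/drive.
REQUIRED = {
    "/users": {"User.ReadBasic.All", "User.Read.All", "User.ReadWrite.All"},
    "/me/drive": {"Files.Read", "Files.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, JWT-shaped token for offline demonstration only.
    Real Graph tokens are signed by Azure AD; this one carries a dummy signature."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        "constructed-signature",
    ])


def granted_permissions(access_token: str) -> set:
    """Return the union of delegated scopes (scp, space-separated string) and
    application roles (roles, list) carried in the token payload.
    No signature check: this is a pre-flight aid, Graph itself validates the token."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    scopes = set(payload.get("scp", "").split())
    roles = set(payload.get("roles", []))
    return scopes | roles


def missing_permissions(access_token: str, endpoint: str) -> set:
    """Empty set if the token already carries a sufficient permission for the
    endpoint; otherwise the set of permissions any one of which would do."""
    if endpoint not in REQUIRED:
        raise KeyError("no permission mapping for endpoint %r" % endpoint)
    required = REQUIRED[endpoint]
    if granted_permissions(access_token) & required:
        return set()
    return set(required)


def classify_graph_error(body: str) -> str:
    """Map a Graph error body to an action: 'permission' (consent/scope is the
    fix), 'not_found' (the resource is absent; wider scope will not help), or 'other'."""
    code = json.loads(body).get("error", {}).get("code")
    if code == "Authorization_RequestDenied":
        return "permission"
    if code == "itemNotFound":
        return "not_found"
    return "other"


# Constructed tokens mirroring the question (only files scope) and the answer's fix.
QUESTIONER_TOKEN = make_unsigned_token({"scp": "offline_access Files.ReadWrite.All"})
FIXED_TOKEN = make_unsigned_token({"scp": "User.Read.All Files.ReadWrite.All offline_access"})
APP_TOKEN = make_unsigned_token({"roles": ["User.Read.All"]})  # client-credentials style

# Error bodies as quoted in the question.
DENIED_RESPONSE = json.dumps({"error": {"code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {"request-id": "cee06586-12af-4768-9135-b9709d7ecb5d", "date": "2018-05-29T14:45:48"}}})
NOT_FOUND_RESPONSE = json.dumps({"error": {"code": "itemNotFound",
    "message": "The resource could not be found.",
    "innerError": {"request-id": "ec6ed197-15ea-498a-80d0-e2a9f832a0b9", "date": "2018-05-29T15:49:18"}}})

if __name__ == "__main__":
    for name, token in [("questioner", QUESTIONER_TOKEN), ("fixed", FIXED_TOKEN), ("app", APP_TOKEN)]:
        for endpoint in REQUIRED:
            print(name, endpoint, "missing:", sorted(missing_permissions(token, endpoint)) or "none")
    print("denied ->", classify_graph_error(DENIED_RESPONSE))
    print("drive 404 ->", classify_graph_error(NOT_FOUND_RESPONSE))
```

Running the check against the questioner's scope set reports that `/users` needs one of the user-read permissions while `/me/drive` is already covered; the second classifier result makes the point that the `itemNotFound` on `/users/{id}/drive` in the edit is a different condition from the `Authorization_RequestDenied` on `/users`, so the response to it should not be to request more permissions.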