Yvand/EntraCP

Insufficient Permission when performing query

Closed this issue · 2 comments

AzureCP (AzureCP 18.0.20201120.1245) is not returning results to the people picker because the query to the Government tenant fails with "Insufficient privileges to complete the operation" (see the log entry at the bottom).

At the AzureAD App Registration I have assigned "Delegated Permissions" / "Directory.Read.All" and Admin consent.

When I test the App Registration with PowerShell:
$response = Invoke-RestMethod "https://login.microsoftonline.us/$tenantName/oauth2/token" -Method "POST" -Headers $headers -Body $body

The $response contains the expected data:
token_type : Bearer
expires_in : 3599
ext_expires_in : 3599
expires_on : 1626290933
not_before : 1626287033
resource : https://graph.microsoft.us/
access_token : eyJ0eXAiOiJKV1QiLCJub25jZSI6I...

What other permissions are needed?
Thanks,

[AzureCP] Unexpected error occurred in QueryAzureADTenantsAsync while querying tenant 'tenant.onmicrosoft.us':
Microsoft.Graph.ServiceException:
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
Inner error:
AdditionalData:
date: 2021-07-14T18:43:33
request-id: bd28c358-e101-4c21-9a75-1cdce15d2015
client-request-id: bd28c358-e101-4c21-9a75-1cdce15d2015 ,
Callstack: at Microsoft.Graph.BatchResponseContent.d__9`1.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at azurecp.AzureCP.<>c__DisplayClas... 1988db9f-58b2-906f-39a9-825f77f677c5

Yvand commented

@vargasfe The AzureCP application should not have any delegated permissions, only application permissions, as documented in https://azurecp.yvand.net/docs/usage/register-application/#permissions-required.
Can you remove those delegated permissions?
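The distinction Yvand points to can be checked on the token itself before AzureCP ever calls Graph. A token obtained with the client credentials grant (as in the Invoke-RestMethod test above) carries application permissions in a `roles` claim; delegated permissions only ever appear in an `scp` claim on a user-context token, so a client-credentials token issued to an app that has only delegated permissions has no `roles` at all, and Graph answers `Authorization_RequestDenied`. The script below is an added example, not part of the original thread or of the AzureCP project: it decodes the payload of an access token (without validating its signature, which is fine for inspecting a token you just requested yourself) and reports whether `Directory.Read.All` is present as an application role. The `$body` shown for the token request uses the standard v1 endpoint client-credentials parameters and is an assumption about what the original post's `$body` contained; the sample token at the bottom is constructed inline and unsigned, purely so the functions can be run offline.

```powershell
# Decode a base64url segment of a JWT (RFC 7515 alphabet, padding stripped).
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

# Return the payload claims of a JWT as an object. This does NOT verify the
# signature; it is a diagnostic for a token you obtained yourself.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }
    return (ConvertFrom-Base64Url $parts[1]) | ConvertFrom-Json
}

# Report whether the token carries the Graph application permission AzureCP needs.
# 'roles' = application permissions (admin-consented), 'scp' = delegated scopes.
function Test-GraphAppPermissionToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$RequiredRole = 'Directory.Read.All'
    )
    $claims = Get-JwtClaims $Token
    $roles = if ($claims.PSObject.Properties['roles']) { @($claims.roles) } else { @() }
    $scp   = if ($claims.PSObject.Properties['scp'])   { [string]$claims.scp } else { '' }
    [pscustomobject]@{
        Audience          = $claims.aud
        ApplicationRoles  = $roles
        HasRequiredRole   = ($roles -contains $RequiredRole)
        HasDelegatedScope = (-not [string]::IsNullOrEmpty($scp))
        # If HasRequiredRole is false, Graph will reply Authorization_RequestDenied
        # exactly as in the AzureCP log entry: fix the app registration, not AzureCP.
    }
}

# --- Requesting a real token (assumed shape of the original post's $body) ---
# $tenantName = 'tenant.onmicrosoft.us'            # placeholder, from the thread
# $body = @{
#     grant_type    = 'client_credentials'
#     client_id     = '<app (client) id>'           # placeholder
#     client_secret = '<client secret>'             # placeholder
#     resource      = 'https://graph.microsoft.us/' # US Government Graph
# }
# $response = Invoke-RestMethod "https://login.microsoftonline.us/$tenantName/oauth2/token" -Method POST -Body $body
# Test-GraphAppPermissionToken $response.access_token | Format-List

# --- Constructed, unsigned sample token so the check runs offline ---
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"none"}'
$payload = ConvertTo-Base64Url '{"aud":"https://graph.microsoft.us/","roles":["Directory.Read.All"]}'
$sampleToken = "$header.$payload."   # constructed example, no signature

Test-GraphAppPermissionToken $sampleToken | Format-List
```

Running the block prints `HasRequiredRole : True` for the constructed token. Against a real token from an app registration that only has delegated `Directory.Read.All`, `ApplicationRoles` comes back empty and `HasRequiredRole` is `False`, which is the condition behind the `Authorization_RequestDenied` in the log above.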

Thank you.
I set the permission as indicated and it worked once I removed the default permission.

Fernando