Trying to create a tool to handle password resets (user forgot their password). We’ve applied permissions to the AAD app used for password resets per the documentation.
Getting the error:
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation."
Should this be possible using the Client Credentials Grant flow?
You cannot reset user passwords using Application permission scopes (i.e. scopes use for the client_credentials grant). Per the documentation:
When updating the passwordProfile property, the following permission is required: Directory.AccessAsUser.All.
The Directory.AccessAsUser.All scope is only available as a Delegated permission scope.
Related
I am using a Logic App to automate creation of new users and update attributes in a Azure B2C Tenant. It works perfectly for everything except for password reset. When I try to reset a user password, I get the following error message:
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
I tried granting all permissions to the logic apps, yet I am unable to get the logic apps to work.
API Permissions in B2C
I don't know what I am missing. Can someone help?
Have you granted the user administrator role?
I am following this documentation : https://learn.microsoft.com/fr-fr/graph/api/b2cauthenticationmethodspolicy-get?view=graph-rest-beta&tabs=http
but even when I give my service principal the policy.read.all graph api permission, I still get 403 permission denied errors as response to my request. I have the same issue with the PATCH request and the Policy.ReadWrite.AuthenticationMethod.
Note : the bearer is correct, I can use it to make other requests.
I also found a log of the request in the azure ad saying :
Access denied. The token is app only but does not have any valid permissions.
According to your error message, you may not be a logged-in user, you need a logged-in user to call the api. Please follow my process:
First you need to grant the Policy.Read.All permission to the application, and then make the admin consent to the permission.
Next, you need to use the auth code flow to obtain the access token, which requires you to log in to the user to obtain the authorization code, and then use the authorization code to redeem the access token.
3.Call ms graph api:
In addition, calling the api also requires the user to have an administrator role:
You must have one of the following user roles for access: External ID
User Flow Administrator, External ID User Flow Attribute
Administrator, External Identity Provider Administrator, Application
Administrator, Security Administrator, Security Reader, Global Reader,
Global Administrator.
I am trying to list the Outlook Task Folders using Microsoft Graph with POSTMan.
Following is the URL I am using:
https://graph.microsoft.com/beta/me/outlook/taskFolders
After adding the Bearer Token in the request header, I am getting the following response Graph:
"code": "NoPermissionsInAccessToken",
"message": "The token contains no permissions, or permissions can not be understood.",
I have already enabled the following permissions:Tasks.ReadWrite.
What am I missing here?
I can reproduce your issue while using client credentials flow to get access token. I decode the access token and do not see the permission I assigned. As the article said:
The permission is delegated from the user to the application, usually during the consent process. However, in the client credentials flow, permissions are granted directly to the application itself. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action and not the user.
So, I suggest that you could use OAuth 2.0 authorization code flow to get the access token. And add your Tasks.Read permission in scope.
https://login.microsoftonline.com/xxxxx/oauth2/v2.0/authorize?
client_id=xxxxx
&response_type=code
&redirect_uri=https://localhost:123
&response_mode=query
&scope=https://graph.microsoft.com/Tasks.Read
For more details to get access token with auth code flow you could refer to this article.
I'm trying to hit https://graph.microsoft.com/v1.0/users/{userId}/mailboxSettings endpoint with an auth token and in return receiving a 403 Error Access Denied response.
I have granted both application level and delegated permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. I can verify that these permissions are enabled on the installed application via examination of my decoded auth token with the jwt.ms. Here is the exert from the decoded token:
"scp": "Directory.AccessAsUser.All Files.ReadWrite.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send MailboxSettings.Read MailboxSettings.ReadWrite Sites.ReadWrite.All"
I have also verified that the user I am requesting mailboxSettings for has been granted access via Admin Consent.
I am able to return mailboxSettings if I hit the endpoint for either the admin userId or the https://graph.microsoft.com/v1.0/users/me/mailboxSettings endpoint. Any help would be much appreciated.
Quickly I tested with Microsoft Graph Explorer and it works for me. So i would request you to test the above API call with Graph Explorer and see if you can repro the issue or not.
I believe the problem is that your token was generated using Delegated scopes. The Delegated flavor of MailboxSettings.Read and MailboxSettings.ReadWrite may only access the currently authenticated user’s mailbox.
In order to access other users, you need to use Application scopes. You can read more about how these scopes work (and how to select them) in this blog post: Application vs Delegated Scopes.
As others have stated, delegated token only works for reading the mailboxSettings of the currently authenticated user. I had enabled mailboxSettings as an Application scope, yet I was getting the same error. The culprit of the issue was that I was using the Auth code grant for the token.
After switching to Client Credentials grant, I am successfully retrieving an Auth token that contains the mailboxSettings Application level scope, and am able to get 200 responses on endpoints for all users.
I am trying to get the messages inside the mailbox of users in the enterprise via the admin account.
In my app I have the following permissions:
I used the https://login.microsoftonline.com/common/adminconsent?... to grant the application permissions to read mail in all mailboxes and after that, I used the OAuth2 authentication to get a Bearer token.
This is the response I got from the token endpoint:
{
"token_type": "Bearer",
"scope": "Mail.Read User.Read User.Read.All profile openid email",
"access_token": "<token>",
"expires_in": 3599,
"ext_expires_in": 3599
}
When I used this to access a mailbox via https://graph.microsoft.com/v1.0/users/USER-ID/messages, I got the following response
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again.",
"innerError": {
"request-id": "a31bcf73-4bd6-4fed-bfee-d70328e0703e",
"date": "2018-11-26T15:20:37"
}
}
}
However, when I use this endpoint with the User ID of the authenticated admin account, I am able to access the messages in that mailbox.
But I would like to access the mailboxes of all users in the organization via Microsoft Graph.
The Outlook endpoints operate a little differently than most of the Graph endpoints, rather than having a .all variation of their scopes (i.e. user.read vs user.read.all), it depends on which scope type (Delegated vs. Application) is being used.
When Delegated scopes are being used, Mail.Read only provides access to the authenticated user's mailbox (the only exception being those that have been explicitly shared with that user).
When Application scopes are being used, Mail.Read provides access to any user's mailbox.
Now, this is where things get a little wonky, the type of scope that gets applied is entirely dependant on the OAuth Grant used to obtain the token.
When using Implicit or Authorization Code grants, Delegated scopes are applied.
When using the Client Credentials grant, Application scopes are applied.
So in order for you to access any user's mailbox via /v1.0/users/{someUser}/messages, you first need to obtain your token using the Client Credentials OAuth grant. You can find a walkthrough on how this works in the documentation under "Get access without a user".