Tags: node.js, azure-active-directory, microsoft-graph-api, openid-connect, passport-azure-ad

Required permissions to list users from the Microsoft Graph API


In my application I have implemented login with Azure AD using the OIDCStrategy strategy of passport-azure-ad. Now I am trying to make Graph's list users API call with the access token received after logging in on Microsoft, but I am getting this error.

GraphError {
   statusCode: 403,
   code: 'Authorization_RequestDenied',
   message: 'Insufficient privileges to complete the operation.',
   request-id:"XXXX",
   date: 2020-11-24T09:24:05.000Z,
   body: '{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2020-11-24T14:54:05","request-id":"XXXX","client-request-id":"XXXXXXX"}}'
}

My app has all of these permissions, but I still get the above error. What am I doing wrong?

Permissions for App

Here is the decoded access token object:

{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/7adbf72e-a1bf-48dc-8646-f09a986d8cf5/",
  "iat": 1606229343,
  "nbf": 1606229343,
  "exp": 1606233243,
  "acct": 1,
  "acr": "1",
  "acrs": ["urn:user:registersecurityinfo","urn:microsoft:req1","urn:microsoft:req2","urn:microsoft:req3","c1","c2","c3","c4","c5","c6","c7","c8","c9","c10","c11","c12","c13","c14","c15","c16","c17","c18","c19","c20","c21","c22","c23","c24","c25"],
  "aio": "AUQAu/8RAAAAOsguW0xieoa2CFuuDvL0jrUAtSMCWcD3IdbuCmn3lJuENH6iLn9d8hRFHUma9pcCBZX/wJfdyN6bA61m7ntpgg==",
  "altsecid": "5::10032000C782425B",
  "amr": ["pwd"],
  "app_displayname": "ODP Local App",
  "appid": "57ceab52-f7b8-4de4-a3ad-25dad057c497",
  "appidacr": "1",
  "email": "xxxx@xxxx.com",
  "idp": "https://sts.windows.net/f6e57c1b-6cbc-42a4-8e89-39e1bef6c49f/",
  "idtyp": "user",
  "ipaddr": "49.207.220.153",
  "name": "xxxx.xxxx",
  "oid": "e4c3eda9-513d-4cb6-bfb7-d13a856226bc",
  "platf": "5",
  "puid": "10032000C7758CA0",
  "rh": "0.AAAALvfber-h3EiGRvCamG2M9VKrzle49-RNo60l2tBXxJceAJc.",
  "scp": "Directory.Read.All Mail.Read openid profile User.Read User.Read.All User.ReadBasic.All email",
  "sub": "nFYoEl4fstYqfN3kFRucklSfbW6dOoYKBf4KkCDwrkk",
  "tenant_region_scope": "NA",
  "tid": "7adbf72e-a1bf-48dc-8646-f09a986d8cf5",
  "unique_name": "xxxx@xxxx.com",
  "uti": "IjWpoZpXkEex8C9Om31AAA",
  "ver": "1.0",
  "wids": ["13bd1c72-6f4a-4dcf-985f-18d3b80f208a"],
  "xms_st": {"sub": "Hg0g_xypTWd5nXzHsNNOTQQwBlABxJ-NlyRDj8JqsuM"},
  "xms_tcdt": 1540458072
}

PS: The API call succeeds when the logged-in user is assigned the Application administrator role. Does a user need a separate role for the /users API? Are app permissions not enough for this?


Solution

  • Since you are logged in as a guest user, you cannot get the same access rights as member users, so you cannot list all users. When you grant guest users an administrator role, they have the full read and write permissions of that role, so they can list all users. You can view the difference between member and guest users:

    Guest users have restricted directory permissions. They can manage their own profile, change their own password and retrieve some information about other users, groups and apps, however, they cannot read all directory information. For example, guest users cannot enumerate the list of all users, groups and other directory objects. Guests can be added to administrator roles, which grant them full read and write permissions contained in the role. Guests can also invite other guests.

    Or you can also try setting Guest user access to "Guest users have the same access as members (most inclusive)", which grants all member user permissions to guest users by default. However, this feature is currently in preview, so you need to log in to the Azure portal as an administrator and then go to: Users > User settings > Manage external collaboration settings > Guest user access:

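As an added example (not code from the question or the answer above), here is a Node.js pre-flight check that reproduces the answer's reasoning against the token's own claims: it decodes the delegated access token without verifying it, confirms that a scope allowing GET /users is present in scp, and then flags the signed-in user as a guest. The claim semantics it relies on (aud, scp, tid, idp, and the optional acct claim with 0 = member, 1 = guest) are taken from Azure AD's access-token reference; the sample token is constructed from the claims posted in the question and is unsigned, so it is only useful offline. Function and variable names are this example's own.

```javascript
// Added example, not code from the question or the answer above.
// Pre-flight check for a Microsoft Graph delegated access token before calling
// GET https://graph.microsoft.com/v1.0/users. It decodes the claims WITHOUT verifying
// the signature (inspection only; never make an authorization decision on an
// unverified token), confirms a delegated scope that allows listing users is present,
// and flags the case from the answer: the signed-in user is a guest, so even a token
// carrying User.Read.All is refused with 403 Authorization_RequestDenied.
//
// Claim semantics assumed here follow the Azure AD access-token reference:
//   aud  - resource the token is for; Microsoft Graph is 00000003-0000-0000-c000-000000000000
//   scp  - space-separated delegated permissions granted to the app for this user
//   tid  - tenant the token was issued for
//   idp  - provider that authenticated the user; for a B2B guest it is the home tenant
//   acct - optional claim: 0 = member of the tenant, 1 = guest

const GRAPH_AUDIENCES = new Set([
  "00000003-0000-0000-c000-000000000000",
  "https://graph.microsoft.com",
]);

// Any one of these delegated permissions is enough for a member user to list users.
const LIST_USERS_SCOPES = [
  "User.ReadBasic.All",
  "User.Read.All",
  "User.ReadWrite.All",
  "Directory.Read.All",
  "Directory.ReadWrite.All",
];

function base64UrlDecode(segment) {
  // JWT segments are unpadded base64url; convert to standard base64 for Buffer.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64 + "=".repeat((4 - (b64.length % 4)) % 4), "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected header.payload.signature");
  return JSON.parse(base64UrlDecode(parts[1]));
}

function tenantFromIssuer(url) {
  // Matches https://sts.windows.net/<tid>/ and https://login.microsoftonline.com/<tid>/v2.0
  const m = /^https:\/\/[^/]+\/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/i.exec(url || "");
  return m ? m[1].toLowerCase() : null;
}

function isGuestUser(claims) {
  if (claims.acct === 1) return true;
  if (claims.acct === 0) return false;
  // acct is optional; fall back to "authenticated by a tenant other than the token's tenant".
  const home = tenantFromIssuer(claims.idp);
  return home !== null && home !== String(claims.tid || "").toLowerCase();
}

function checkListUsersAccess(token) {
  const claims = decodeJwtPayload(token);
  const aud = String(claims.aud || "").replace(/\/$/, "");
  const audienceOk = GRAPH_AUDIENCES.has(aud);
  const scp = typeof claims.scp === "string" ? claims.scp.split(/\s+/).filter(Boolean) : [];
  const granted = LIST_USERS_SCOPES.filter((s) => scp.includes(s));
  const guest = isGuestUser(claims);

  let verdict;
  let reason;
  if (!audienceOk) {
    verdict = "wrong-audience";
    reason = `aud=${claims.aud} is not Microsoft Graph; request a token for https://graph.microsoft.com`;
  } else if (granted.length === 0) {
    verdict = "missing-scope";
    reason = `scp lacks a user-listing permission (have: ${scp.join(" ") || "none"}); add one of ${LIST_USERS_SCOPES.join(", ")} and re-consent`;
  } else if (guest) {
    verdict = "guest-restricted";
    reason = `scopes ${granted.join(", ")} are present but the signed-in user is a guest of tenant ${claims.tid}; expect 403 Authorization_RequestDenied unless the guest holds a directory role or guest access is set to the same as members`;
  } else {
    verdict = "ok";
    reason = `member user with ${granted.join(", ")}`;
  }
  return { audienceOk, granted, guest, verdict, reason };
}

// Constructed, unsigned token for local testing: alg "none" and a dummy signature
// segment, so any real verifier rejects it. Claims are copied from the decoded token
// posted in the question (non-essential claims omitted).
function buildUnsignedToken(claims) {
  return `${base64UrlEncode(JSON.stringify({ typ: "JWT", alg: "none" }))}.${base64UrlEncode(JSON.stringify(claims))}.unsigned`;
}

const GUEST_CLAIMS = {
  aud: "00000003-0000-0000-c000-000000000000",
  iss: "https://sts.windows.net/7adbf72e-a1bf-48dc-8646-f09a986d8cf5/",
  tid: "7adbf72e-a1bf-48dc-8646-f09a986d8cf5",
  idp: "https://sts.windows.net/f6e57c1b-6cbc-42a4-8e89-39e1bef6c49f/",
  acct: 1,
  idtyp: "user",
  scp: "Directory.Read.All Mail.Read openid profile User.Read User.Read.All User.ReadBasic.All email",
};
const SAMPLE_GUEST_TOKEN = buildUnsignedToken(GUEST_CLAIMS);

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkListUsersAccess(SAMPLE_GUEST_TOKEN));
}
```

Run against the question's token this returns verdict "guest-restricted": the scopes are there, the audience is Graph, but idp points at a different tenant than tid and acct is 1, which is exactly why Graph answers 403 while the consent screen looks complete. Note that the check is only a diagnostic on a token you already hold; signature verification still belongs to passport-azure-ad (or a JWKS-backed verifier), and the final authorization decision is Graph's. A token obtained with application permissions via client credentials would carry a roles claim instead of scp and has no signed-in guest to be restricted, which is the distinction behind the "are app permissions not enough?" question.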