Microsoft Graph API 5.x Upgrade Results in Insufficient Access Privilege Error
I've been using Microsoft Graph v3 and recently decided to upgrade to the latest version, v5.x. Previously, I used the ConfidentialClientApplicationBuilder to create an IConfidentialClientApplication instance, which I passed into the ClientCredentialProvider to initialize the GraphServiceClient for querying the Graph API.
Graph V3 Code
var applicationOptions = new ConfidentialClientApplicationOptions()
{
AadAuthorityAudience = AadAuthorityAudience.AzureAdMyOrg,
AzureCloudInstance = AzureCloudInstance.AzurePublic,
TenantId = Config.TenantId,
ClientId = Config.ClientId,
ClientSecret = Config.ClientSecret
};
var _app = ConfidentialClientApplicationBuilder.CreateWithApplicationOptions(applicationOptions).Build();
ClientCredentialProvider authProvider = new ClientCredentialProvider(_app);GraphServiceClient graphClient = new GraphServiceClient(authProvider);
var user = await graphClient.Users.Request().Select(o => new {o.Id,o.Mail}).GetAsync();
After upgrading to v5, I noticed there are several new ways to authenticate. I opted to use the ClientSecretCredential, as it seemed similar and allowed me to reuse the same credentials.
var scopes = new[] { "https://graph.microsoft.com/.default" };
var clientId = "ClientID";
var tenantId = "TenantID";
var clientSecret = "ClientSecret";
var options = new ClientSecretCredentialOptions
{
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
};
var clientSecretCredential = new ClientSecretCredential(
tenantId, clientId, clientSecret, options);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
var requestBody = new User
{
BusinessPhones = new List<string>
{
"12342232132",
}
};
var result = await graphClient.Users["UserID"].PatchAsync(requestBody);
However, I'm now encountering an Insufficient privileges to complete the operation error. I'm unsure if this is due to missing scope permissions or some other issue. but I tried to add the necessary permissions, but the error persists.
Note: I am using the admin account
Thanks
Note that: As you are making use of client credential flow, you need to grant application type API permissions to the Microsoft Entra ID application.
- Client credential flow is a non-user interactive flow.
To update the user properties, you need to grant User.ReadWrite.All application type API permission:
And assign administrator role to the Microsoft Entra ID application as mentioned in this MsDoc
I assigned User administrator active role to the Microsoft Entra ID application:
I am able to successfully update the business phone of the user:
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;
namespace GraphApiExample
{
class Program
{
private static async Task Main(string[] args)
{
var scopes = new[] { "https://graph.microsoft.com/.default" };
var clientId = "ClientID";
var tenantId = "TenantID";
var clientSecret = "Secret";
var options = new ClientSecretCredentialOptions
{
AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
};
var clientSecretCredential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
var requestBody = new User
{
BusinessPhones = new List<string>
{
"12342232132",
}
};
try
{
var userId = "UserID";
var result = await graphClient.Users[userId].PatchAsync(requestBody);
Console.WriteLine($"Updated user's phone number");
}
catch (ODataError odataError)
{
Console.WriteLine(odataError.Error?.Code);
Console.WriteLine(odataError.Error?.Message);
throw;
}
}
}
}
- The Microsoft Entra ID application must be having higher privileged role than the user.
- For sample, if you are trying to update Global Admin user property then the application must be assigned Global Admin role.
Reference:
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?