I have a question about "Authorization Request Denied - Insufficient privileges to complete the operation" message that I keep getting back from my requests to Windows Graph API.

Specifically, I'm working in Azure cloud. I have an iOS mobile app that invokes an API. I have turned on "Authentication for Active Directory" in my Portal.

Then, on the client side (iOS):

[self.todoService.client loginWithProvider:@"windowsazureactivedirectory"
                                controller:self
                                  animated:YES
                                completion:^(MSUser *user, NSError *error) {

                                    if(!error && user) {
                                        [self refresh];

                                    } 
                                }]; //loginWithProvider

So returns a valid MSUser object. I see the web login controller appear, I sign in with my un/pw, and then it lets me access my Easy Table's data...etc.

Now, I want to invoke an Easy API that I've created in Azure called getUserData. Hence, I simply insert the invokeAPI code like this (iOS):

[self.todoService.client loginWithProvider:@"windowsazureactivedirectory"
                                controller:self
                                  animated:YES
                                completion:^(MSUser *user, NSError *error) {

                                    if(!error && user) {

                                        //NSMutableDictionary * dict = [NSMutableDictionary dictionary];
                                        //[dict setObject:@YES forKey:@"complete"];

                                        NSLog(@"%s - %@", __FUNCTION__, user);
                                        [self refresh];

                                        [self.todoService.client invokeAPI:@"getUserData"
                                                                      body:nil
                                                                HTTPMethod:@"POST"
                                                                parameters:nil
                                                                   headers:nil
                                                                completion:^(id  _Nullable result, NSHTTPURLResponse * _Nullable response, NSError * _Nullable error) {
                                                                    NSLog(@"%s - API returned response! ", __FUNCTION__);
                                                                    NSLog(@"%@", result); //TODO: user info here!! :D

                                                                }]; //invokAPI

                                    } //if user returned from AAD login is valid

                                }]; //loginWithProvider

Everything is fine as the API is called and I can see the response data.

On the server side (Node JS), I basically do 3 things:

1st is to get the user object id from the request object:

req.azureMobile.user.getIdentity().then((data) => {
   //get user object ID
}

2nd, make a request to https://login.windows.net to get an Access Token with a username/password.

var options = {
    url: "https://login.windows.net/" + tenant_domain + "/oauth2/token?api-version=1.0",
    method: 'POST',
    form: {
        grant_type: "client_credentials",
        resource: "https://graph.windows.net",
        client_id: clientID,
        client_secret: key
    }
};

req(options, function (err, resp, body) {
    //get the result back
}

I get a whole bunch of data back including the Access Token.

3rd, make a request to https://graph.windows.net/, and provide this Access Token along with my User Object ID:

var options = {
    url: "https://graph.windows.net/" + tenant_domain + "/users/" + objectId + "?api-version=1.0",
    method: 'GET',
    headers: {
        "Authorization": "Bearer " + access_token
    }
};

This is so that I can User data. Now, in a separate test Subscription, I set up all the basic read permissions for AAD and Graph in my AAD management. I successfully get the user's full data back like so:

user =     {
    accountEnabled = 1;
    assignedLicenses =         (
    );
    assignedPlans =         (
    );
    city = xxxxxxxxx;
    country = xxxxxxxxxx;
    department = Dev;
    dirSyncEnabled = "<null>";
    displayName = xxxxxx;
    facsimileTelephoneNumber = "<null>";
    givenName = hehe;
    jobTitle = "iOS dev";
    lastDirSyncTime = "<null>";
    mail = "<null>";
    mailNickname = "xxxxxxxxxx.com#EXT#";
    mobile = "+xx xxx xxxx 3852";
    objectId = "xxxxxxx-2c70-4aab-b261-3b2b97dc5c50";
    objectType = User;
    "odata.metadata" = "https://graph.windows.net/xxxxxxxxxx.onmicrosoft.com/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element";
    "odata.type" = "Microsoft.WindowsAzure.ActiveDirectory.User";
    otherMails =         (
        "xxxxxxxxxxxx@gmail.com"
    );
...etc
}

However, in another subscription, I did the exact same steps. Even going as far as checking all the permissions like so:

I keep getting an "Authorization Request Denied, Insufficient privileges" message. The error is null so I know everything else went through correctly.

I can't figure out why because everything processes through and I checked all of my AAD and Graph permissions.

log result:

-----body------

'{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}'

Thanks for any help, and appreciate everyone's time

You can try to upgrade the role of the AD application you use to a administrator permission. Run the following commands in PowerShell:

Connect-MsolService
$ClientIdWebApp = '{your_AD_application_client_id}'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp
#use Add-MsolRoleMember to add it to "Company Administrator" role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId