This question already has an answer here:
-
Insufficent privileges when accessing azure graph api users list
1 answer
I have registered an AAD Application in my Tenant/Directory, and I want to call the Graph API in the App Only Context. (Using the Client Credential Flow)
When making certain AAD Graph API calls, I get the error:
"odata.error":{
"code":"Authorization_RequestDenied",
"message":{
"lang":"en","value":"Insufficient privileges to complete the operation."
}
}
I want to give this application full access to the Graph API in the context of my tenant.
Or
I want to grant this application permissions to my tenant which are not currently supported with the permissions exposed by the AAD Graph API.
You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator
Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.
Note that this will only affect the access your app has in your tenant.
Also you must already be a Company Administrator of the tenant to follow these instructions.
In order to make the change, you will need to install the Azure Active Directory PowerShell Module.
Once you have the module installed, authenticate to your tenant with your Administrator Account:
Connect-MSOLService
Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.
Search for Service Principal by App ID GUID:
$sp = Get-MsolServicePrincipal -AppPrincipalId <App ID GUID>
Search for Directory Role by Name
$role = Get-MsolRole -RoleName "Company Administrator"
Now we can use the Add-MsolRoleMember
command to add this role to the service principal.
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
To check everything is working, lets get back all the members of the Company Administrator role:
Get-MsolRoleMember -RoleObjectId $role.ObjectId
You should see your application in that list, where RoleMemberType
is ServicePrincipal
and DisplayName
is the name of your application.
Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed-in, using the Client Credential Flow.
Let me know if this helps!