This question already has an answer here:
I have registered an AAD Application in my Tenant/Directory, and I want to call the Graph API in the App Only Context. (Using the Client Credential Flow)
When making certain AAD Graph API calls, I get the error:
"odata.error":{
"code":"Authorization_RequestDenied",
"message":{
"lang":"en","value":"Insufficient privileges to complete the operation."
}
}
I want to give this application full access to the Graph API in the context of my tenant.
Or
I want to grant this application permissions to my tenant which are not currently supported with the permissions exposed by the AAD Graph API.
You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the
Company Administrator
Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.Note that this will only affect the access your app has in your tenant.
Also you must already be a Company Administrator of the tenant to follow these instructions.
In order to make the change, you will need to install the Azure Active Directory PowerShell Module.
Once you have the module installed, authenticate to your tenant with your Administrator Account:
Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.
Search for Service Principal by App ID GUID:
Search for Directory Role by Name
Now we can use the
Add-MsolRoleMember
command to add this role to the service principal.To check everything is working, lets get back all the members of the Company Administrator role:
You should see your application in that list, where
RoleMemberType
isServicePrincipal
andDisplayName
is the name of your application.Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed-in, using the Client Credential Flow.
Let me know if this helps!