I have created an application on Azure AD and I have assigned User.Read.All permission to my application.

[screenshot: the app's API permissions page]

That being said, I can generate an access token for the app from Postman. When generating the access token I supply:

client_id: xxxx
client_secret: yyyy
grant_type: client_credentials
scope: https://graph.microsoft.com/.default

Using the generated access token (as the header Authorization: Bearer zzzz) I send a GET request to https://graph.microsoft.com/v1.0/users/jhon.doe@domain.com, which gives me this error:

403 Forbidden

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "aaa-bbb-ccc-ddd",
      "date": "2019-09-10T12:44:46"
    }
  }
}

Can anyone tell me what I am doing wrong?

Thanks in advance.

Jahid Shohel
  • Check the token at e.g. https://jwt.ms. There should be a `roles` claim that contains the application permissions you have assigned to the app. – juunas Sep 10 '19 at 13:04
  • @juunas There is a lot of other information, but I don't see any roles there, nor any permission-related information. – Jahid Shohel Sep 10 '19 at 13:07
  • And you are looking at the access_token you got in the response? In that case you haven't assigned/granted application permissions to your application yet. – juunas Sep 10 '19 at 13:10
  • But going to the API Permissions area of the application I can see that the `User.Read.All` permission is assigned to my application. Isn't that where I see assigned permissions? – Jahid Shohel Sep 10 '19 at 13:16
  • Have you also _granted_ the permission? You need to be an admin to do that too since it is an application permission (delegated permissions can be consented by regular users too in some cases). – juunas Sep 10 '19 at 13:23
  • Permission to my application has been granted by the administrator of my organisation. I can see all those granted permissions under `API permissions`, and I can see the `User.Read.All` permission is there. – Jahid Shohel Sep 10 '19 at 13:27
  • Could you add a screenshot of the permissions? – juunas Sep 10 '19 at 13:29
  • I have added a screenshot of the permissions on the main post (top) – Jahid Shohel Sep 10 '19 at 13:39

1 Answer

You need to add Application permissions. Not delegated permissions. In your screenshot we can see that they are delegated, which means they only apply in situations where there is a user involved in the authentication. Since you use client credentials authentication, there is no user involved, only the app.

When you add required permissions, there should be an option to choose between Delegated and Application. Choose Application, choose the necessary permissions, and grant them.

juunas
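The check juunas suggests in the comments (inspect the token for a `roles` claim) can be scripted so the 403 is diagnosed before Graph is ever called. This is an added example, not code from the question or answer; the tokens it inspects are constructed, unsigned samples, and the `diagnose` and `jwt_payload` helpers are hypothetical names.

```python
import base64
import json

def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT for inspection only.
    The signature is NOT verified here, so this is a diagnostic aid,
    never a basis for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token: str, required_role: str) -> str:
    """Explain why Graph would return Authorization_RequestDenied for this token.
    Application permissions (client_credentials) arrive in the `roles` claim;
    delegated permissions (a user signed in) arrive in the `scp` claim."""
    claims = jwt_payload(token)
    roles = claims.get("roles", [])
    if required_role in roles:
        return "ok"
    if "scp" in claims:
        return ("delegated token: `scp` present but no `roles`; client_credentials "
                "needs an Application permission, not a Delegated one")
    if not roles:
        return ("no roles claim: the Application permission is not granted; add it "
                "under API permissions > Application and grant admin consent")
    return f"missing role {required_role}; roles present: {roles}"

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token for offline demonstration."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg(claims), ""])

# Constructed samples: the questioner's situation (no roles), a correctly
# granted application token, and a delegated token for comparison.
SAMPLES = {
    "delegated-only-granted": make_sample_token({"aud": "https://graph.microsoft.com", "appid": "xxxx"}),
    "application-granted": make_sample_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]}),
    "user-delegated": make_sample_token({"aud": "https://graph.microsoft.com", "scp": "User.Read"}),
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(f"{name}: {diagnose(tok, 'User.Read.All')}")
```

Run it against a real access token by passing the token string to `diagnose` instead of a constructed sample.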