I am able to register an application by following the information provided in Creating Azure AD application and a service principal using .NET Core (the API and HTTP), but when I tried the following endpoint using Postman, I got an Insufficient Privileges error.

As I am able to create an app with the API, I don't believe it is a permission issue.

```
POST https://graph.windows.net/{{tenant_id}}/servicePrincipals?api-version=1.6
```

body like this:

```json
{
  "appId": "eb167a6d-aaaa-aaaa-aaaa-46e981be37fa"
}
```

and getting this error

```json
{
    "odata.error": {
        "code": "Authorization_RequestDenied",
        "message": {
            "lang": "en",
            "value": "Insufficient privileges to complete the operation."
        }
    }
}
```

Marc LaFleur
James

1 Answer

Please note that there are two kinds of permissions: delegated permissions and application permissions. You can see the difference here.

It depends on the way you used to get the access token. If you get the token without a signed-in user, you need to use application permissions and grant admin consent.

Tony Ju
  • Thanks for your response. I have granted Application and Delegated permissions, i.e. Delegated (work or school account) Directory.AccessAsUser.All and Application.ReadWrite.OwnedBy and Directory.Read.All, Application.ReadWrite.All and Directory.Read.All with Admin consent. In fact, I have assigned more permissions than this for testing. I am using "https://graph.windows.net" as a resource type for getting the access token. – James Feb 03 '20 at 21:47
  • @James Can you share the details of how you obtained the access token? – Tony Ju Feb 04 '20 at 00:20
  • Getting it from this endpoint: POST to https://login.microsoftonline.com/tenentID/oauth2/token – James Feb 05 '20 at 17:56
  • @James What is the value of `grant_type`? And please provide the screenshot of your permission list in the portal. – Tony Ju Feb 06 '20 at 00:29
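
The answer above turns on which kind of permissions the access token actually carries. As an added example (not code from the question or the answer), this Python sketch decodes a token's payload and reports whether it holds application permissions (the `roles` claim) or delegated permissions (the `scp` claim). The sample tokens are constructed and unsigned, and the helper names are hypothetical.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified:
    use this to inspect your own token, never for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def summarize_permissions(claims: dict) -> dict:
    """Report which kind of permissions the token carries."""
    roles = claims.get("roles") or []            # application permissions
    scopes = (claims.get("scp") or "").split()   # delegated permissions
    if roles and scopes:
        kind = "both"
    elif roles:
        kind = "application"
    elif scopes:
        kind = "delegated"
    else:
        kind = "none"  # token was issued, but no permission was granted in it
    return {"kind": kind, "aud": claims.get("aud"),
            "roles": sorted(roles), "scopes": sorted(scopes)}


def _make_token(claims: dict) -> str:
    # Constructed sample token: unsigned, for demonstration only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples using the resource and permission names from the thread.
AUD = "https://graph.windows.net"
APP_ONLY = _make_token({"aud": AUD, "roles": ["Directory.Read.All", "Application.ReadWrite.All"]})
DELEGATED = _make_token({"aud": AUD, "scp": "Directory.AccessAsUser.All"})
NO_PERMS = _make_token({"aud": AUD})

if __name__ == "__main__":
    for name, tok in [("app-only", APP_ONLY), ("delegated", DELEGATED), ("none", NO_PERMS)]:
        print(name, summarize_permissions(decode_claims(tok)))
```

Pasting a real token into `decode_claims` shows whether the permissions granted in the portal made it into the token that Postman is sending.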