
I am trying to add a reply_url programmatically to an Azure app registration, but I receive a GraphErrorException: Insufficient privileges to complete the operation.

Problem is I don't understand which privileges my app registration needs.

Basically I am using the credentials of the app registration to change its own reply_urls.

The privileges set are User.Read and Application.ReadWrite.OwnedBy. Both granted.

Which one am I missing? And how can I find out?

This is the SDK I am using: azure-graphrbac==0.61.1

My code looks like this:

from typing import List

from azure.graphrbac import GraphRbacManagementClient
from azure.graphrbac.models import ApplicationUpdateParameters
from msrestazure.azure_active_directory import ServicePrincipalCredentials


class GraphClient:
    def __init__(self, client_id, client_secret, tenant_id, object_id):
        # Token scoped to the Azure AD Graph resource (not Microsoft Graph)
        self._credentials = ServicePrincipalCredentials(
            client_id=client_id,
            secret=client_secret,
            tenant=tenant_id,
            resource="https://graph.windows.net"
        )
        self._graph_client = GraphRbacManagementClient(
            credentials=self._credentials,
            tenant_id=tenant_id
        )
        # applications.get/patch are keyed by the application object id, not the app (client) id
        self._application = self._graph_client.applications.get(object_id)

    def get_reply_urls(self) -> List[str]:
        return self._application.reply_urls

    def add_reply_url(self, reply_url) -> None:
        reply_urls: list = self.get_reply_urls()
        self._graph_client.applications.patch(
            self._application.object_id,
            ApplicationUpdateParameters(
                reply_urls=[
                    *reply_urls,
                    reply_url]
            )
        )

EDIT: Added permissions screenshot.

Moritz Schmitz v. Hülst

1 Answer

If you use Microsoft Graph, the resource should be: https://graph.microsoft.com

If you use Azure AD Graph, the resource should be: https://graph.windows.net

According to your code, the resource is https://graph.windows.net, so it requests the Azure AD Graph API in the backend. So we need to add the permissions of Azure AD Graph, not Microsoft Graph.

The screenshot you provided shows you added the permission Application.ReadWrite.OwnedBy of Microsoft Graph but not Azure AD Graph. So please remove it and add the same permission which belongs to Azure AD Graph.

Then don't forget to grant admin consent for it.

Hope it helps~

Hury Shen
  • What if I just change the resource to use Microsoft Graph correctly? I tried it and got a `azure.graphrbac.models.graph_error_py3.GraphErrorException: Your access token has expired. Please renew it before submitting the request.` error. – Moritz Schmitz v. Hülst May 06 '20 at 07:56
  • @MoritzSchmitzv.Hülst It seems the resource should be `https://graph.windows.net` when we use this python sdk. I don't know if we can change the resource; I think the best way is to change the permission rather than the resource. – Hury Shen May 06 '20 at 07:59
  • Thanks, it works. Now I get another one `azure.graphrbac.models.graph_error_py3.GraphErrorException: Specified HTTP method is not allowed for the request target.` Different topic, I guess. – Moritz Schmitz v. Hülst May 06 '20 at 08:03
  • @MoritzSchmitzv.Hülst Could you please create another post for the new issue and provide details of it (such as which sdk you use in your code), I will try to investigate it. – Hury Shen May 06 '20 at 08:10
  • Done here: https://stackoverflow.com/questions/61630690/how-to-patch-an-existing-application-using-python-azure-sdk-and-graph – Moritz Schmitz v. Hülst May 06 '20 at 08:29
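The question also asks how to find out which permission is missing. One way, added here as an example that is not part of the question or the answer, is to decode the app's own client-credentials token and compare its `aud` claim with the resource the SDK calls and its `roles` claim with the required app role; the tokens below are constructed, unsigned samples, and `sample_token` is a helper written for this example.

```python
import base64
import json

# Well-known identifiers of the two APIs; the aud claim may carry the URL or the app id GUID.
API_NAMES = {
    "https://graph.windows.net": "Azure AD Graph",
    "https://graph.windows.net/": "Azure AD Graph",
    "00000002-0000-0000-c000-000000000000": "Azure AD Graph",
    "https://graph.microsoft.com": "Microsoft Graph",
    "https://graph.microsoft.com/": "Microsoft Graph",
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
}


def decode_claims(access_token: str) -> dict:
    """Return JWT payload claims unverified: diagnostics on our own token, never authorization."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(access_token: str, sdk_resource: str, required_role: str) -> list:
    """List reasons a client-credentials token would fail with 'Insufficient privileges'."""
    claims = decode_claims(access_token)
    token_api = API_NAMES.get(claims.get("aud", ""), "unknown API")
    sdk_api = API_NAMES.get(sdk_resource, sdk_resource)
    findings = []
    if token_api != sdk_api:
        findings.append(f"token audience is {token_api} but the SDK calls {sdk_api}")
    # Application permissions granted (and admin-consented) to the app appear in 'roles'.
    if required_role not in claims.get("roles", []):
        findings.append(f"{required_role} is not in the roles claim for {token_api}")
    return findings


def sample_token(claims: dict) -> str:
    """Build an UNSIGNED, constructed token for offline testing; not issued by Azure AD."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed samples: with the grant on Microsoft Graph only, an Azure AD Graph token has no roles.
TOKEN_BEFORE = sample_token({"aud": "https://graph.windows.net"})
TOKEN_AFTER = sample_token({"aud": "https://graph.windows.net", "roles": ["Application.ReadWrite.OwnedBy"]})
TOKEN_MSGRAPH = sample_token({"aud": "https://graph.microsoft.com", "roles": ["Application.ReadWrite.OwnedBy"]})
```

Run `diagnose(token, "https://graph.windows.net", "Application.ReadWrite.OwnedBy")` on the token the SDK actually acquired; an empty list means both the audience and the app role match what azure-graphrbac needs.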