
I am currently developing an app that communicates with the Graph API. I don't have any Backend, only a SPA. I use the npm package @microsoft/microsoft-graph-client.

The app should be able to change givenName, surname of an AD user.

At the beginning I create a new AuthCodeMSALBrowserAuthenticationProvider instance and use it with the graph client; I'm not sure if the used scope is correct:

    // imports the snippet relies on (from @azure/msal-browser and @microsoft/microsoft-graph-client)
    import { InteractionType, PublicClientApplication } from '@azure/msal-browser';
    import { Client } from '@microsoft/microsoft-graph-client';
    import { AuthCodeMSALBrowserAuthenticationProvider } from '@microsoft/microsoft-graph-client/authProviders/authCodeMsalBrowser';

    // wraps the MSAL instance so the Graph client can acquire delegated tokens for the signed-in account
    const authProvider = new AuthCodeMSALBrowserAuthenticationProvider(
      this.msalService.instance as PublicClientApplication,
      {
        account: this.msalService.instance.getActiveAccount()!,
        scopes: ['User.ReadWrite.All'], // delegated scope requested for the Graph access token
        interactionType: InteractionType.Redirect,
      }
    );

    this.graphClient = Client.initWithMiddleware({
      authProvider: authProvider,
      defaultVersion: 'beta',
    });

My call looks like this:

    // PATCH /users/{id} with the two properties to change
    const result = await this.authService.graphClient
      .api(`/users/${userId}`)
      .patch({
        givenName: firstname,
        surname: lastname
      });

However, I get an "Insufficient privileges" error message.

Could not update user with id 8639e42f-de7f-485a-9b18-ccd67d7b0146 {
  "statusCode": 403,
  "code": "Authorization_RequestDenied",
  "requestId": "xy",
  "date": "2022-02-03T11:45:48.000Z",
  "body": "{\"code\":\"Authorization_RequestDenied\",\"message\":\"Insufficient privileges to complete the operation.\",\"innerError\":{\"date\":\"2022-02-03T12:45:48\",\"request-id\":\"xy\",\"client-request-id\":\"xy\"}}"
}

I have set the following permissions (under "Enterprise applications"): [screenshot]

API Permissions (under "App registrations"): [screenshot]

pbachman
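A diagnostic the question's code could run before issuing the PATCH, added here as an example and not part of the question or either answer: decode the delegated access token MSAL obtained and confirm that its `aud` is Microsoft Graph and that its `scp` claim actually carries User.ReadWrite.All (a missing scope is exactly what produces the 403 Authorization_RequestDenied above). The sample tokens are constructed and unsigned, and the helper names are assumptions, not library API.

```javascript
// Local sanity check of a delegated Graph token (no signature validation; that is Graph's job).
const GRAPH_AUDIENCE = 'https://graph.microsoft.com';
const GRAPH_APP_ID = '00000003-0000-0000-c000-000000000000'; // the other form `aud` can take for Graph

function base64UrlDecode(str) {
  const padded = str.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the JWT payload as an object; throws on anything that is not a three-part JWT.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Checks that a delegated token is for Graph and was consented for every required scope.
// Returns { ok, missing, reason } so the SPA can explain a 403 before it happens.
function checkDelegatedToken(token, requiredScopes) {
  const claims = decodeJwtPayload(token);
  if (claims.aud !== GRAPH_AUDIENCE && claims.aud !== GRAPH_APP_ID) {
    return { ok: false, missing: requiredScopes, reason: `audience ${claims.aud} is not Microsoft Graph` };
  }
  // Delegated tokens carry `scp`; a token with only `roles` came from client credentials, not a SPA.
  if (typeof claims.scp !== 'string') {
    return { ok: false, missing: requiredScopes, reason: 'no scp claim: not a delegated token' };
  }
  const granted = new Set(claims.scp.split(' '));
  const missing = requiredScopes.filter((s) => !granted.has(s));
  return { ok: missing.length === 0, missing, reason: missing.length ? `consent missing for: ${missing.join(', ')}` : 'ok' };
}

// Constructed, unsigned sample token: base claims plus whatever the caller overrides.
function sampleToken(extraClaims) {
  const header = base64UrlEncode({ alg: 'none', typ: 'JWT' });
  const payload = base64UrlEncode({ aud: GRAPH_AUDIENCE, upn: 'user@contoso.example', ...extraClaims });
  return `${header}.${payload}.`;
}

// Token consented only for User.Read: the check reports User.ReadWrite.All as missing.
console.log(checkDelegatedToken(sampleToken({ scp: 'openid profile User.Read' }), ['User.ReadWrite.All']));
```

A token that passes this check can still be refused when the signed-in user lacks the directory role needed to edit other users' profiles, which is the "effective permissions" constraint the second answer quotes.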

2 Answers


Please make sure you have granted the Delegated Permission Admin Consent.

I tested the same using implicit flow where I created an Azure AD application and provided the Delegated Permission like below without granting admin consent:

[screenshots]

After granting the Admin Consent the problem was fixed like below:

[screenshots]

Ansuman Bal
  • I already granted the Delegated Permission Admin Consent (under "API Permissions"), but it doesn't work. Have I forgotten something? I have updated my posting above with my "API Permissions" settings. – pbachman Feb 03 '22 at 14:37
  • If implicit flow is being used then the admin-consented delegated permission should suffice, if the scope for the access token is set to `https://graph.microsoft.com/.default`; but if client credentials are used, application permissions are required. – Ansuman Bal Feb 03 '22 at 15:10
  • @pbachman, can you try giving application permission for user.readwrite.all? – Ansuman Bal Feb 03 '22 at 15:11
  • Also make sure you are using the correct client Id while generating the access token using your mail. – Ansuman Bal Feb 03 '22 at 15:13
  • I use the MSAL library from Microsoft (see https://github.com/AzureAD/microsoft-authentication-library-for-js) and I'm not sure if I use the right scope. I updated my posting above with my MSAL code. – pbachman Feb 04 '22 at 08:51

You can check the permissions reference here to set the right scope: https://learn.microsoft.com/en-us/graph/permissions-reference#mail-permissions

You have to notice that "In delegated scenarios, the effective permissions granted to your app are constrained by the privileges of the signed-in user in the organization."

If your app is a daemon (back end service without human interaction) you should use "Application permission" instead of "Delegated permission".

You can choose the right authentication provider and the right permission type based on your scenario here: https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?tabs=Javascript

PS: you should hide the status column of your second screenshot, as it shows private information.

Quentin
  • I already set the right "Delegated permissions". I don't have any Backend, only a SPA; that's why I have used the following example as a guide (see https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-acquire-token?tabs=angular2). And thanks for the hint, I removed all private information ;-) – pbachman Feb 07 '22 at 08:17