Azure App Registration Not giving New Refresh Token or Scope because of Permission Error

Question

We are configuring an azure app registration through a service account and believe that we have the correct permissions for the service account yet when the logic app is run an error is thrown when pulling groups from O365 for not having the correct permissions.

enterprise service account access

granted api permissions

error within the logic app designer

"error": {

    "code": "Authorization_RequestDenied",

    "message": "Insufficient privileges to complete the operation.",

These are the current app registration api permissions we have and all are consented by the administrator

We are also have ensured that this service account has: -app registration owner role -administrator roles -subscription owner -the only conditional access policy is no logons after 8pm which we believe shouldn't have affected this

Answer 1

The "Insufficient privileges to complete the operation" occurs if the token doesn't have the required permissions to perform the action.

I created an Azure AD Application and granted API permissions like below:

I generated access token via Postman like below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:https://graph.microsoft.com/.default
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

When I tried to fetch the groups, I am able to do it successfully like below:

Azure App Registration Not giving New Refresh Token or Scope because of Permission Error

To get the Refresh token, make sure to grant offline_access API permission like below:

After assigning the API permission, refresh token got generated successfully like below:

If still the issue persists, check the below:

• If you are generating access token via Client Credentials then grant Application API permissions.
• Re-generate the token and try to access the API.
• Decode the token in jwt.ms and check if the scp and aud are like below:

Reference:

Getting a bearer token from AAD using Logic Apps