stackoom
  简体   繁体   中英

Mirosoft Graph API gives unsupported privileges error

 原文  2017-02-23 16:37:25       azure/ oauth-2.0/ azure-active-directory/ azure-ad-graph-api

Question

I have created the app in apps.dev.microsoft.com . I am using https://login.microsoftonline.com/common/oauth2/v2.0/authorize for authorization code and https://login.microsoftonline.com/common/oauth2/v2.0/token for access and refresh tokens. I am getting the access token successfully but when I am trying to read the signed in user's profile data it gives me the error : 

Array (
    [error] => Array
        (
            [code] => Authorization_RequestDenied
            [message] => Insufficient privileges to complete the operation.
            [innerError] => Array
                (
                    [request-id] => 02269b14-2cf9-458e-b9d6-2aec1a23cee3
                    [date] => 2017-02-23T16:30:44
                )

        )

)

When I use the original Id with which the app was created then this error doesn't show up . But when I use any other id outside my tenancy this error shows up. Can anyone suggest any workaround for this?

1 answers

solution1
 1 ACCPTED  2017-02-24 02:30:57

Based on the preview post , you were using the request like below to acquire the token: 

GET:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id={clientId}&scope=openid%20profile&redirect_uri={redirectURL}

In this request, you were using the scope ( openid,profile ) which wouldn't return the access_token for using the Microsoft Graph REST . The profile scope only return the user info in the id_token instead of grant the permission to you to access the user info via Microsoft Graph REST.

If you want to use the Microsoft Graph REST, we need to add the scope like https://graph.microsoft.com/user.Read (more scope about read user info please refer here ). And here is a sample request for your reference to enable to access the user's profile via https://graph.microsoft.com/v1.0/me : 

GET:https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id={clientId}&scope=https://graph.microsoft.com/user.Read%20openid%20profile&redirect_uri={redirectURL}

And please note the access_token is different with id_token. We should perform the request for the resource(Microsoft Graph) using the access_token . The id_token is only used to validate the identity of user for the client. More about the concept of client and resource you can refer here .

Please let me know if it helps.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Microsoft Graph API get groups for user gives privileges error Azure AD Graph API call gives “Insufficient privileges to complete the operation” exception Microsoft Graph API: Insufficient privileges to complete the operation Graph API - Insufficient privileges to complete the operation Insufficient privileges error when trying to fetch signed in user's group membership using Azure AD Graph API "Update User" operation giving "Insufficient privileges to complete the operation.' error in Microsoft Graph API Microsoft Graph API change user password return an error Insufficient privileges to complete the operation Azure ActiveDirectory Graph API client Update user error: “Insufficient privileges to complete the operation” Azure isMemberOf api gives “Insufficient privileges to complete the operation.” error when trying to access from Azure Virtual Machine Insufficent privileges when accessing azure graph api users list
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM