Graph API - Insufficient privileges to complete the operation

长情又很酷 2020-12-09 01:37

When trying to access the Graph Service Client using I am receiving the error:

Code: Authorization_RequestDenied
Message: Insufficient privile

9 answers
  • 2020-12-09 02:16

    Granting permissions by ticking 'Directory.Read.All/ Write' is not enough.

    I ran into the same issue and solved it by adding the service principal to the administrator role.

    If your application was created recently, this can be done with Azure AD PowerShell.

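    # Look up the application's service principal by display name (-All avoids the default page limit).
    $principal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq 'youappname'}

    # 'Company Administrator' is the directory display name of the Global Administrator role.
    $role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}

    # Add the service principal as a member of that role.
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $principal.ObjectId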
    

    For details, see https://docs.microsoft.com/en-us/powershell/module/Azuread/Add-AzureADDirectoryRoleMember?view=azureadps-2.0

    If your application was created a long time ago, you will need to use MSOnline. See: https://docs.microsoft.com/en-us/powershell/module/msonline/Add-MsolRoleMember?view=azureadps-1.0

  • 2020-12-09 02:18

    Make sure to click "Grant Permissions" and then Yes for all user accounts.

  • 2020-12-09 02:20

    Please refer to the steps below:

    1. From your screenshot, it seems you granted the "Read and write directory data" application permission for Windows Azure Active Directory (Azure AD Graph API). Since you are using Microsoft Graph (https://graph.microsoft.com/), you need to grant the application permission for Microsoft Graph.

    2. Since you are an admin in your AAD, you could grant permission for users in the organization by clicking the Grant permission button shown in the above screenshot.

    3. Then you could use your code (client credential flow to get the token) and query user information. If you check the claims in the access token issued by Azure AD, you could find the Directory.Read.All permission in the roles claim.

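The claim check described in step 3 of the last answer, as an added example that is not part of the original answers: it decodes an access token's payload and reports which API the token targets and whether the `roles` claim carries `Directory.Read.All`. The function names (`ConvertFrom-Base64Url`, `Test-GraphAppToken`, `New-SampleToken`) are hypothetical, the sample tokens are constructed, and the Azure AD Graph URL and the two application IDs used as audience values are well-known identifiers that do not appear on the page.

```powershell
# Added example. Diagnostic only: the payload is decoded, the signature is NOT verified.
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-GraphAppToken {
    param([Parameter(Mandatory)][string]$AccessToken,
          [string]$RequiredRole = 'Directory.Read.All')
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWT with three parts.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Audience -> API. Microsoft Graph and the older Azure AD Graph are separate
    # resources, each with its own permission grants.
    $apiByAud = @{
        'https://graph.microsoft.com'          = 'Microsoft Graph'
        '00000003-0000-0000-c000-000000000000' = 'Microsoft Graph'
        'https://graph.windows.net'            = 'Azure AD Graph'
        '00000002-0000-0000-c000-000000000000' = 'Azure AD Graph'
    }
    $aud = ([string]$claims.aud).TrimEnd('/')
    $api = $apiByAud[$aud]
    if (-not $api) { $api = 'Other' }

    # Application permissions appear in 'roles'; the claim is absent when none were granted.
    $roles = @($claims.roles | Where-Object { $_ })
    $finding = 'OK'
    if ($roles -notcontains $RequiredRole) { $finding = "roles claim lacks $RequiredRole" }
    if ($api -ne 'Microsoft Graph')        { $finding = "audience is $api, not Microsoft Graph" }
    [pscustomobject]@{ Api = $api; Audience = $aud; Roles = $roles -join ', '; Finding = $finding }
}

# Constructed sample tokens (not real): claims only, with a placeholder signature.
function New-SampleToken([hashtable]$Claims) {
    $b64 = { param($o)
        $bytes = [Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.placeholder-signature' -f (& $b64 @{ alg = 'RS256'; typ = 'JWT' }), (& $b64 $Claims)
}

# Permission granted and consented on Microsoft Graph -> Finding 'OK'
Test-GraphAppToken (New-SampleToken @{ aud = 'https://graph.microsoft.com'; roles = @('Directory.Read.All') })
# Token for Microsoft Graph with no application permission -> Finding names the missing role
Test-GraphAppToken (New-SampleToken @{ aud = 'https://graph.microsoft.com' })
# Token issued for Azure AD Graph -> Finding names the wrong audience
Test-GraphAppToken (New-SampleToken @{ aud = 'https://graph.windows.net'; roles = @('Directory.Read.All') })
```

A token that reports `OK` here while the call still returns `Authorization_RequestDenied` points at the operation needing a different permission than `Directory.Read.All`, which can be checked by passing that permission as `-RequiredRole`.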