Tags: azure, azure-active-directory, adal, azure-ad-msal

Read Azure AD groups by Web API controller fails with 'Insufficient privileges to complete the operation'


I have a Web API application registered in my company's AAD. This is a multi-tenant application that is capable of querying AADs of subscribed customers. When customers subscribe to our service they register our app in their AAD's Enterprise Applications registration section and provide us with tenantId, clientId, and clientSecret. We then use these parameters to query customer's AAD.

I'm using the following to read groups from customer's Azure AD:

    using System;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Microsoft.Graph;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL

    public async Task<GraphServiceClient> CreateGraphServiceClient(string tenantId, string clientId, string clientSecret)
    {
        string aadInstance = "https://login.microsoftonline.com/{0}";
        string resource = "https://graph.microsoft.com";
        string authority = string.Format(aadInstance, tenantId);

        // Client-credentials (app-only) flow against the customer's tenant
        AuthenticationContext authContext = new AuthenticationContext(authority);
        ClientCredential credentials = new ClientCredential(clientId, clientSecret);
        var authResult = await authContext.AcquireTokenAsync(resource, credentials);
        if (authResult == null)
        {
            throw new Exception("CreateGraphServiceClient: AcquireTokenAsync failed!");
        }

        var accessToken = authResult.AccessToken;
        var graphServiceClient = new GraphServiceClient(
            new DelegateAuthenticationProvider(
                requestMessageClientOtherTenant =>
                {
                    // Attach the app-only token to every outgoing Graph request
                    requestMessageClientOtherTenant.Headers.Authorization = new AuthenticationHeaderValue("bearer", accessToken);
                    return Task.FromResult(0);
                }));

        return graphServiceClient;
    }

//....
        // CreateGraphServiceClient is async: it must be awaited, otherwise the variable holds a Task
        var graphServiceClient = await CreateGraphServiceClient(tenantId, clientId, clientSecret);

        var graphGroupsPage = await graphServiceClient.Groups
            .Request()
            .Select(e => new {
                e.Id,
                e.DisplayName
            })
            .GetAsync();

I'm getting 'Insufficient privileges to complete the operation' error.

I've seen quite a number of workarounds online which were 2-3 years old but neither of them worked for me.

The permissions granted to the app in customer's "Enterprise applications" section: [screenshot not included]

These permissions are exactly the same as permissions assigned to the app in our AAD registration.

I'm at a loss here. All required permissions seem to be granted and I'm still getting the error.

I can use the same graph client to get all users from customer's AAD with no problems.

Any suggestion will be appreciated.


Solution

  • When customers subscribe to our service they register our app in their AAD's Enterprise Applications registration section and provide us with tenantId, clientId, and clientSecret. We then use these parameters to query customer's AAD.

    Since your customer has granted your multi-tenant app access to their tenant information, only the customer's tenantId is needed; you should use your own multi-tenant app's clientId and clientSecret to access customers' AD.

    If you use the customer's client_id and secret, you should check the permissions under their app (not enterprise app), but this doesn't make any sense. If so, there is no need to use your multi-tenant application.
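The pattern the answer describes, written out as an added example (not the asker's or answerer's code): the vendor's own multi-tenant app registration authenticates against the customer's tenant authority, and before any Graph call the app-only token is decoded to confirm that it was issued for that tenant (`tid` claim) and actually carries an application role. An app-only token with an empty `roles` claim is what an admin-consent gap produces, and it is the usual cause of "Insufficient privileges" when the registration looks correct. Assumptions: MSAL.NET (`Microsoft.Identity.Client`), the Graph SDK, and `System.IdentityModel.Tokens.Jwt` are referenced; the client id and secret are placeholders for the vendor's registration; `Group.Read.All` is one of the application permissions that allows listing groups, passed in as the role to check rather than hard-wired.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

public static class CustomerTenantGraph
{
    // Placeholders for the VENDOR's multi-tenant app registration (assumed values).
    // These never change per customer; only the tenant id below does.
    private const string OurClientId = "<our-multi-tenant-app-client-id>";
    private const string OurClientSecret = "<our-client-secret>";

    // Builds a Graph client for one customer's directory using our own credentials
    // and the customer's tenant id, which is all the customer needs to hand over.
    public static async Task<GraphServiceClient> CreateForCustomerAsync(
        string customerTenantId, string requiredRole = "Group.Read.All")
    {
        var app = ConfidentialClientApplicationBuilder
            .Create(OurClientId)
            .WithClientSecret(OurClientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{customerTenantId}"))
            .Build();

        // "/.default" asks for every application permission the customer's admin consented to.
        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();

        // Fail fast with a precise reason instead of a generic Graph 403 later.
        VerifyAppOnlyToken(result.AccessToken, customerTenantId, requiredRole);

        return new GraphServiceClient(new DelegateAuthenticationProvider(request =>
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
            return Task.CompletedTask;
        }));
    }

    // Diagnostic claim inspection only. Graph validates the signature; this just tells us
    // whether the token is for the right tenant and carries the app role we rely on.
    public static void VerifyAppOnlyToken(string accessToken, string expectedTenantId, string requiredRole)
    {
        JwtSecurityToken jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);

        string tid = jwt.Claims.FirstOrDefault(c => c.Type == "tid")?.Value;
        if (!string.Equals(tid, expectedTenantId, StringComparison.OrdinalIgnoreCase))
        {
            // Token was minted by a different tenant (typically our own) -> wrong authority was used.
            throw new InvalidOperationException(
                $"Token issued for tenant '{tid}', expected customer tenant '{expectedTenantId}'.");
        }

        // App-only tokens carry application permissions in 'roles'; delegated tokens use 'scp'.
        var roles = jwt.Claims.Where(c => c.Type == "roles").Select(c => c.Value).ToList();
        if (roles.Count == 0)
        {
            throw new InvalidOperationException(
                "Token has no 'roles' claim: the customer admin has not granted consent " +
                "to any application permission for this app.");
        }
        if (!roles.Contains(requiredRole))
        {
            throw new InvalidOperationException(
                $"Token lacks '{requiredRole}'. Granted roles: {string.Join(", ", roles)}");
        }
    }
}
```

If the `tid` check fails with your own tenant id in the token, the authority was built from the wrong tenant; if `roles` is empty, the app permissions were configured on the registration but never admin-consented in the customer tenant, which is why users may still be readable while groups are not.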