Tags: powershell, microsoft-graph-api

Non-Interactive - Get-MgUser : Insufficient privileges to complete the operation


I followed https://www.christianfrohn.dk/2022/04/23/connect-to-microsoft-graph-with-powershell-using-a-certificate-and-an-azure-service-principal/ to connect to Microsoft Graph but I'm getting the following error.

Get-MgUser -Top 1

> Get-MgUser : Insufficient privileges to complete the operation.
> At line:1 char:1
> + Get-MgUser -Top 1
> + ~~~~~~~~~~~~~~~~~
>    + CategoryInfo          : InvalidOperation: ({ ConsistencyLe...ndProperty =  }: <>f__AnonymousType62`9) [Get-MgUser_List1], RestException`1
>    + FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.GetMgUser_List1

From what I can tell I need to consent to the permissions. I found numerous sources for how to do this for interactive sessions but nothing said how to do this for non-interactive sessions.

I tried adding -Scopes to the connection string but got this error

Connect-MgGraph -ClientID [snip] -TenantId [snip] -CertificateThumbprint [snip] -Scopes 'User.Read.All'

> Connect-MgGraph : Parameter set cannot be resolved using the specified named parameters.
> At line:1 char:1
> + Connect-MgGraph -ClientID 19cb80c5-b355-42bc-a892-e73d11f57ef4 -Tenan ...
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>    + CategoryInfo          : InvalidArgument: (:) [Connect-MgGraph], ParameterBindingException
>    + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph

How do I do this?

EDIT

This is how I'm connecting

Connect-MgGraph -ClientId $clientId -TenantId $tenantId -CertificateThumbprint $thumbPrint

Welcome To Microsoft Graph!

API Permissions

[screenshot of the app registration's API Permissions page, not reproduced here]

Thanks


Solution

  • Your App Registration has the incorrect permissions. There are two types of permissions: delegated (aka scope) and application (aka role).

    Reference: Permission types

    For an "interactive" session, your app will be interacting on behalf of the user, therefore uses delegated permissions.

    For a "non-interactive" session, your app will be acting as itself, so it needs application type permissions.

    When connecting as an application ("non-interactive"), you also don't specify the -Scopes parameter
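
The following is an added example, not code from the question or the answer above. It shows the two halves of the situation the answer describes: an app-only (certificate) sign-in that inspects which application permissions its token actually carries before calling Get-MgUser, and a separate admin-side function that grants a Microsoft Graph application permission to the app's service principal, which is what the portal's "Grant admin consent" does for application permissions. It assumes the Microsoft.Graph PowerShell SDK v2 (which adds `-NoWelcome` and reports `AuthType` and, for app-only tokens, the roles claim in the `Scopes` property of `Get-MgContext`), and that `$clientId`, `$tenantId` and `$thumbPrint` hold the same values as in the question. The well-known appId `00000003-0000-0000-c000-000000000000` is Microsoft Graph's own service principal; the function name `Grant-GraphApplicationPermission` is invented for this example.

```powershell
# Added example; not part of the original question or answer.
# Assumes Microsoft.Graph PowerShell SDK v2 and the variables from the question.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Applications

# --- Part 1: the non-interactive (app-only) client ---------------------------
# No -Scopes here: that parameter belongs to the delegated/interactive parameter
# set, which is why adding it produced "Parameter set cannot be resolved".
# An app-only token only ever contains the application roles already granted
# to the service principal; nothing can be requested at run time.
Connect-MgGraph -ClientId $clientId -TenantId $tenantId -CertificateThumbprint $thumbPrint -NoWelcome

$ctx = Get-MgContext
"AuthType : $($ctx.AuthType)"            # 'AppOnly' for a certificate sign-in
"Roles    : $($ctx.Scopes -join ', ')"   # app-only: the token's 'roles' claim (application permissions)

# GET /users (Get-MgUser) accepts any one of these *application* permissions.
# User.ReadBasic.All is the least-privileged choice when only basic profile
# fields (displayName, mail, userPrincipalName, ...) are needed.
$needed = 'User.ReadBasic.All', 'User.Read.All', 'Directory.Read.All'
$granted = @($ctx.Scopes | Where-Object { $_ -in $needed })

if ($granted.Count -eq 0) {
    Write-Warning ("Token carries no application permission for listing users. " +
        "Grant one of [$($needed -join ', ')] as an *Application* permission, give admin " +
        "consent, then reconnect; the token is not refreshed until you do.")
}
else {
    "Using application permission: $($granted[0])"
    Get-MgUser -Top 1 -Property Id, DisplayName, UserPrincipalName |
        Select-Object Id, DisplayName, UserPrincipalName
}

# --- Part 2: the admin side (interactive, delegated, so -Scopes IS used) -----
# Run once by an administrator who is allowed to grant application permissions.
# Hypothetical helper name; the cmdlets inside it are the SDK's own.
function Grant-GraphApplicationPermission {
    param(
        [Parameter(Mandatory)] [string] $AppClientId,    # appId of the app registration
        [Parameter(Mandatory)] [string] $PermissionName  # e.g. 'User.ReadBasic.All'
    )

    # Delegated sign-in: the admin consents to these scopes for *this* session only.
    Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

    # Microsoft Graph's service principal publishes the app roles (application permissions).
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) {
        throw "'$PermissionName' is not an application permission exposed by Microsoft Graph."
    }

    # The client's own service principal in this tenant (the thing that gets the role).
    $appSp = Get-MgServicePrincipal -Filter "appId eq '$AppClientId'"
    if (-not $appSp) {
        throw "No service principal found for appId $AppClientId in this tenant."
    }

    # An appRoleAssignment from the client SP to Graph's SP is the effective grant
    # of an application permission; the portal's 'Grant admin consent' creates it too.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id `
        -PrincipalId $appSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id
}

# Example (admin only):  Grant-GraphApplicationPermission -AppClientId $clientId -PermissionName 'User.ReadBasic.All'
```

Two things to keep in mind when reading the output of Part 1: `Get-MgContext` reflects the token that was issued at connect time, so a permission granted after the session was opened does not appear until `Disconnect-MgGraph` and a fresh `Connect-MgGraph`; and an application permission is tenant-wide and not bounded by any user, so grant the narrowest one that satisfies the call rather than `Directory.Read.All` by default.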