Azure Active Directory Error – Code: Authorization_RequestDenied

While working with Azure Active Directory, I encountered following error on code below:

            string clientID = “970a3de9-6714-4a1e-81b7aaaa”;
             string clientSecret = “I0ieHQ3.8DCQ3HX.RkVEbc:u_dddd”; .
                 string tenantID = “0f0a4aac-8998-4f49-8a17-eeeee”;

            string resourceID = “https://graph.microsoft.com”;
             Uri loginURI = new Uri(“https://login.microsoftonline.com/”);

            // Bearer Token
             string authority = new Uri(loginURI, tenantID).AbsoluteUri;
             AuthenticationContext authenticationContext = new AuthenticationContext(authority);
             ClientCredential clientCredential = new ClientCredential(clientID, clientSecret);
             AuthenticationResult authenticationResult = authenticationContext.AcquireTokenAsync(resourceID, clientCredential).Result;

             IGraphServiceUsersCollectionPage users = new GraphServiceClient(new DelegateAuthenticationProvider(
                 async (requestMessage) =>
                 {
                     requestMessage.Headers.Authorization = new AuthenticationHeaderValue(“Bearer”, authenticationResult.AccessToken);
                 })).Users.Request().GetAsync().Result;

Error displayed below

["System.AggregateException: One or more errors occurred.

(Code: Authorization_RequestDenied\r\nMessage: Insufficient privileges to complete the operation.

Inner error:AdditionalData:\r\n\trequest-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734

---> Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied

Message: Insufficient privileges to complete the operation.\r\nInner error:

AdditionalData:\r\n\trequest-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\tdate: 2020-01-07T16:52:11\r\nClientRequestId: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\r\n at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)\r\n at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.GraphServiceUsersCollectionRequest.GetAsync(CancellationToken cancellationToken)\r\n --- End of inner exception stack trace ---\r\n at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)\r\n at AzureADPassPOC.Controllers.ValuesController.Get() in C:\\Programs\\AzureADPassPOC\\AzureADPassPOC\\Controllers\\ValuesController.cs:line 45\r\n---> (Inner Exception #0) Status Code: Forbidden\r\nMicrosoft.Graph.ServiceException: Code: Authorization_RequestDenied\r\nMessage: Insufficient privileges to complete the operation.\r\nInner error:\r\n\tAdditionalData:\r\n\trequest-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\tdate: 2020-01-07T16:52:11\r\nClientRequestId: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\r\n at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)\r\n at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.GraphServiceUsersCollectionRequest.GetAsync(CancellationToken cancellationToken)<---\r\n"]

Solution

Enable Directory.ReadAll permission on Graph

Open Portal > Active Directory > App Registration > API Permissions blade

image

Choose Application Permissions > Graph API > Directory.ReadAll

image

image

Save changes & Run the code again.

The error should disappear.

401 Unauthorized Error–Azure Active Directory (AD)

Here I am listing down all the possible solutions for 401 Unauthorized Error during AAD configuration for your App Service or Resources.

image

The scenario can be like this:

  • You are able to Authenticate & Get a Valid Token
  • While presenting the Token for service access the Error 401 Unauthorized is happening

Solution 1: Ensure Resource Parameter

Ensure that while requesting the Authentication Token you are specifying the resource parameter.  Without the parameter you will still get the token but the 401 Error will occur as there is no valid resource.

image

Solution 2: Ensure App ID URI mentioned in the Service

Go to App Services > Authentication blade > Advanced Settings

image

Solution 3: Delete & Create new App Registration

Some of the configuration errors will be tricky to find – especially in restricted access production environments.  So you can try following:

  • Delete the App Registration
  • Create new App Registration
  • Set the new App Registration parameters in App Service

Solution 4: View Application Logs

Go to Log Streaming to view the Application Logs.

image_thumb[10]

You can search on the Detailed error code (401.83) OR IDX10214 error code for more details.

Solution 5: View Kudu Logs

You can see the Authentication Token is passed or not through the Kudu > Debug Console > CMD > W3SVC Logs.

image

Summary

In this post we have seen how to troubleshoot AAD Authorization Error.  If you find another solution not listed here, please comment below so I can update back in the article.  Help us to Help you!

References

Testing with Postman