Azure Active Directory Error – Code: Authorization_RequestDenied

While working with Azure Active Directory, I encountered the following error with the code below:

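    // Usings required at the top of the file:
    // using System;
    // using System.Net.Http.Headers;
    // using System.Threading.Tasks;
    // using Microsoft.Graph;
    // using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // Placeholder values. Do not hard-code a real client secret;
    // load it from configuration or a secret store.
    string clientID = "970a3de9-6714-4a1e-81b7aaaa";
    string clientSecret = "I0ieHQ3.8DCQ3HX.RkVEbc:u_dddd";
    string tenantID = "0f0a4aac-8998-4f49-8a17-eeeee";

    string resourceID = "https://graph.microsoft.com";
    Uri loginURI = new Uri("https://login.microsoftonline.com/");

    // Acquire an app-only bearer token (client credentials flow)
    string authority = new Uri(loginURI, tenantID).AbsoluteUri;
    AuthenticationContext authenticationContext = new AuthenticationContext(authority);
    ClientCredential clientCredential = new ClientCredential(clientID, clientSecret);
    AuthenticationResult authenticationResult = authenticationContext.AcquireTokenAsync(resourceID, clientCredential).Result;

    // List users through Microsoft Graph, attaching the token to each request
    IGraphServiceUsersCollectionPage users = new GraphServiceClient(new DelegateAuthenticationProvider(
        (requestMessage) =>
        {
            requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authenticationResult.AccessToken);
            return Task.CompletedTask;
        })).Users.Request().GetAsync().Result;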

The error is displayed below:

["System.AggregateException: One or more errors occurred.

(Code: Authorization_RequestDenied\r\nMessage: Insufficient privileges to complete the operation.

Inner error:AdditionalData:\r\n\trequest-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734

---> Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied

Message: Insufficient privileges to complete the operation.\r\nInner error:

AdditionalData:\r\n\trequest-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\tdate: 2020-01-07T16:52:11\r\nClientRequestId: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\r\n at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)\r\n at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.GraphServiceUsersCollectionRequest.GetAsync(CancellationToken cancellationToken)\r\n --- End of inner exception stack trace ---\r\n at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)\r\n at AzureADPassPOC.Controllers.ValuesController.Get() in C:\\Programs\\AzureADPassPOC\\AzureADPassPOC\\Controllers\\ValuesController.cs:line 45\r\n---> (Inner Exception #0) Status Code: Forbidden\r\nMicrosoft.Graph.ServiceException: Code: Authorization_RequestDenied\r\nMessage: Insufficient privileges to complete the operation.\r\nInner error:\r\n\tAdditionalData:\r\n\trequest-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\tdate: 2020-01-07T16:52:11\r\nClientRequestId: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\r\n at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)\r\n at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.GraphServiceUsersCollectionRequest.GetAsync(CancellationToken cancellationToken)<---\r\n"]

Solution

Enable the Directory.Read.All permission on Microsoft Graph.

Open Portal > Active Directory > App Registration > API Permissions blade

Choose Application Permissions > Graph API > Directory.Read.All

Save the changes and run the code again.

The error should disappear.
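
To confirm the permission actually reached the app-only token, you can decode the token's payload and look for the permission in its `roles` claim. The following is an added example, not code from the original post; the class and method names are hypothetical, the sample tokens are constructed, and it assumes System.Text.Json is available (.NET Core 3.0 or later).

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class AppTokenRoles // hypothetical helper, not part of any SDK
{
    // App-only (client credentials) tokens carry granted application
    // permissions in the "roles" claim of the JWT payload.
    public static bool HasRole(string jwt, string role)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected header.payload.signature");
        // Diagnostic decode only: the signature is not validated here.
        string json = Encoding.UTF8.GetString(Base64UrlDecode(parts[1]));
        using (JsonDocument doc = JsonDocument.Parse(json))
        {
            return doc.RootElement.TryGetProperty("roles", out JsonElement roles)
                && roles.ValueKind == JsonValueKind.Array
                && roles.EnumerateArray().Any(r =>
                       r.ValueKind == JsonValueKind.String && r.GetString() == role);
        }
    }

    private static byte[] Base64UrlDecode(string s)
    {
        // base64url -> base64, then restore the stripped '=' padding
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    private static string Base64UrlEncode(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Constructed, unsigned sample tokens; not real Azure AD output.
        string header = Base64UrlEncode("{\"alg\":\"none\"}");
        string granted = header + "." + Base64UrlEncode(
            "{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"Directory.Read.All\"]}") + ".sig";
        string missing = header + "." + Base64UrlEncode(
            "{\"aud\":\"https://graph.microsoft.com\"}") + ".sig";

        Console.WriteLine(HasRole(granted, "Directory.Read.All"));
        Console.WriteLine(HasRole(missing, "Directory.Read.All"));
    }
}
```

In the code from this post, the value to check is `authenticationResult.AccessToken`. A token issued before the permission was granted does not contain the role, so acquire a fresh token before re-checking.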