Permissions Needed to Access User Data Based on UPN

Greg Schumacher (DDB Technology) 0 Reputation points
2025-02-19T00:44:41.19+00:00

An app registration has been created with the permissions: User.Read and User.Read.All. This has been confirmed with a screen capture from the admin. A token has been successfully obtained and passed when accessing https://graph.microsoft.com/v1.0/users/<UPN>. The response received is:

code: Authorization_RequestDenied

message: Insufficient privileges to complete the operation.

What additional permissions might be needed from the admin to resolve this issue?


2 answers

  1. Yakun Huang-MSFT 10,015 Reputation points Microsoft Vendor
    2025-02-19T01:32:55.6233333+00:00

    Hello Greg Schumacher (DDB Technology),

    Thank you for reaching out to Microsoft Support!

    For your question, after our tests, everything works well, the test results are as follows:

    [Screenshot 2025-02-19 012939: test results of the GET /users/{UPN} call]

    For the error saying that you do not have enough permissions, it is recommended that you first parse your token in jwt.ms and check the permissions of your token in the scp property, as shown below:

    [Screenshot 2025-02-19 013144: decoded token in jwt.ms showing the scp claim]

    Reference document:

    https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  2. Vasil Michev 114K Reputation points MVP
    2025-02-19T08:54:35.17+00:00

    If your application runs in the context of a user (the so-called "delegate permissions" model), the effective permissions are the subset of those granted to the app (i.e. User.Read.All) and those assigned to the user itself in Entra/M365. Thus, for most directory calls in delegate context, the user must also be assigned an admin role.

    User.Read.All should be sufficient if you are running in application context, without a signed in user.

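The two answers above come down to one check: decode the access token and see whether `User.Read.All` appears in the `scp` claim (delegated token, effective rights then also depend on the signed-in user's role) or in the `roles` claim (application token). The script below, added here as an illustration and not code from either answer, performs that inspection offline on constructed sample tokens; it decodes the payload only, without signature verification, exactly as jwt.ms does, and the token contents are invented for the demonstration.

```python
import base64
import json

REQUIRED_PERMISSION = "User.Read.All"  # permission the GET /users/{UPN} call needs

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    # Decode the payload only (no signature check), for inspection like jwt.ms.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))

def diagnose(token: str, required: str = REQUIRED_PERMISSION) -> str:
    claims = decode_claims(token)
    delegated = set(claims.get("scp", "").split())  # delegated scopes: space-separated string
    app_roles = set(claims.get("roles", []))         # application permissions: list of strings
    if "scp" in claims:
        if required not in delegated:
            return f"delegated token lacks {required}: scp={sorted(delegated)}"
        return (f"delegated token has {required}; if Authorization_RequestDenied persists, "
                "check the signed-in user's directory role assignment")
    if required in app_roles:
        return f"application token has {required}; call should succeed"
    return f"application token lacks {required}: roles={sorted(app_roles)}"

def _make_unsigned_token(payload: dict) -> str:
    # Constructed, unsigned sample token for offline demonstration (empty signature part).
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed samples: a delegated token that only carries User.Read (the failing case
# in the question) and an app-only token that carries User.Read.All as an app role.
DELEGATED_TOKEN = _make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read profile openid"})
APP_TOKEN = _make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})

if __name__ == "__main__":
    print(diagnose(DELEGATED_TOKEN))
    print(diagnose(APP_TOKEN))
```

Paste a real access token into `diagnose()` to see which claim it carries; a token with only `User.Read` in `scp`, as in the question, is the typical cause of `Authorization_RequestDenied` on another user's profile.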
