Error Authorization_RequestDenied while Editing Azure AD Object

Azure Active Directory allows an application to add users through the Graph API by authenticating with an Application Key (client credentials). Creating a new record generally works without trouble. However, when the same application tries to modify or delete a particular record, it may fail with the error below:

System.Data.Services.Client.DataServiceRequestException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

This happens because the application credential we are using does not have sufficient privileges for write operations on directory objects. In the Azure portal, under the application's configuration, we may try granting it every available permission.

Even that does not help much, so we need to take the PowerShell path and put the application's service principal directly into a directory role.

Download the Azure AD PowerShell

First install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. Then download the Azure Active Directory Module for Windows PowerShell (64-bit version) and click Run to execute the installer package.

Then we can follow the below steps

Log in to Azure AD from PowerShell. Before that, make sure you have a user in the same directory with Global Admin rights; you need to sign in as this user. If it is the first login for that account, change its temporary password first, and make sure MFA is not enabled on it, because the Connect-MsolService credential prompt cannot complete an MFA challenge.

Connect-MsolService

After that, run the statement below to list the service principals and find the App ID (AppPrincipalId). You may also copy it from the application's configuration in AAD.

Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize

Once you have copied the application's GUID, use the statements below. Note that "Company Administrator" is the MSOnline name for the Global Administrator role, so this gives the application full control of the directory; grant it only if no narrower directory role covers what the application needs to do.

$appClientId = '45f5e820-8fc0-4e07-9d56-cbb40e409cd8'

$graphapp = Get-MsolServicePrincipal -AppPrincipalId $appClientId

Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $graphapp.ObjectId

Now the application should no longer receive this error when modifying or deleting AAD records.

Note: give AD some time to replicate the role assignment before you check whether the delete is going through.
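The whole procedure above as one script, added here as an example (not code from the original post). It assumes the Azure AD (MSOnline) module is installed, that you sign in with a Global Administrator account, and that the App ID and role name are the placeholders in the param block; it skips the role assignment if the service principal is already a member, then polls for the assignment to become visible instead of guessing at the replication delay.

```powershell
# Added example, not from the original post.
# Assumes the MSOnline module is installed and the signing-in user is a
# Global Administrator. The App ID below is a placeholder to replace.
param(
    [string]$AppClientId = '00000000-0000-0000-0000-000000000000',
    # "Company Administrator" is the MSOnline name for Global Administrator.
    # Prefer a narrower directory role if the app only manages users/groups.
    [string]$RoleName = 'Company Administrator'
)

Connect-MsolService

# Resolve the application's service principal from its App ID (client ID).
$sp = Get-MsolServicePrincipal -AppPrincipalId $AppClientId -ErrorAction Stop
if (-not $sp) { throw "No service principal found for App ID $AppClientId" }

# Look up the role and its current members before changing anything.
$role    = Get-MsolRole -RoleName $RoleName
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All

if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Host "'$($sp.DisplayName)' is already a member of '$RoleName'."
} else {
    Add-MsolRoleMember -RoleName $RoleName `
                       -RoleMemberType ServicePrincipal `
                       -RoleMemberObjectId $sp.ObjectId
    Write-Host "Added '$($sp.DisplayName)' to '$RoleName'."
}

# The assignment takes a little while to replicate; poll for up to 5 minutes
# before testing the application's modify/delete call again.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All
} until (($members.ObjectId -contains $sp.ObjectId) -or ((Get-Date) -gt $deadline))

if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Host "Verified: '$($sp.DisplayName)' is a member of '$RoleName'."
} else {
    Write-Warning "Membership not visible yet; retry the check later."
}
```

Run it as `.\Grant-AppRole.ps1 -AppClientId '<your App ID>'`. Keep a record of which service principals hold directory roles; an application key that sits in Company Administrator is equivalent to a Global Admin password and should be rotated and protected accordingly.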

Thanks.

Namoskar!!!

Comments

  • Anonymous
    August 18, 2016
    Hi! First, thank you for the post, it was helpful. I currently developed a web app using Azure AD. I have a list of users who need to be able to delete groups or users from the application. Is there a way to do your method in C#, or to run the PS in the app? Thanks!
    • Anonymous
      October 21, 2016
      Yes, you can, provided those users have access to AD.