|
| 1 | +--- |
| 2 | +title: Troubleshoot Authorization_RequestDenied error with Microsoft Graph |
| 3 | +description: Guides to troubleshoot Authorization_RequestDenied error with Microsoft Graph in Postman. |
| 4 | +ms.author: anukala |
| 5 | +ms.date: 12/24/2024 |
| 6 | +ms.service: entra-id |
| 7 | +ms.custom: sap:Microsoft Graph Users, Groups, and Entra APIs |
| 8 | +--- |
| 9 | + |
| 10 | +# Troubleshoot Authorization_RequestDenied error with Microsoft Graph |
| 11 | + |
| 12 | +When you use Microsoft Graph API to manage users, you might receive the following error message: |
| 13 | + |
| 14 | +> `Authorization_RequestDenied. Insufficient privileges to complete the operation.` |
| 15 | +
|
| 16 | +This article demonstrates how to troubleshoot the `Authorization_RequestDenied` error in Microsoft Graph API by using Postman, through a "disable user" scenario. |
| 17 | + |
| 18 | +## Cause of the Authorization_RequestDenied error |
| 19 | + |
| 20 | +This error typically occurs because the user or app doesn't have sufficient permissions. To call Graph APIs, your app registration must have the following permissions: |
| 21 | + |
| 22 | +- The appropriate Microsoft Entra RBAC role for the required access level. For more information, see [Microsoft Entra built-in roles](/entra/identity/role-based-access-control/permissions-reference). |
| 23 | +- The necessary API permissions to access Microsoft Graph. |
| 24 | + |
| 25 | + |
| 26 | +## Troubleshooting Microsoft Graph API by using Postman |
| 27 | + |
| 28 | + |
| 29 | +### Step 1: Assign Microsoft Entra RBAC role to the app registration (Service Principal) |
| 30 | + |
| 31 | +1. Log in to the [Azure portal](https://portal.azure.com), and go to **Microsoft Entra ID**. |
| 32 | +1. In the **Manage** section, select **Roles and administrators**. |
| 33 | +1. Select the appropriate role based on the required level of access. In this article, the app will manage the users. Therefore, **User Administrator** is selected. |
| 34 | +1. Select **Add assignments**, select your app registration, and then select **Add**. |
| 35 | + |
| 36 | +### Step 2: Locate the application ID, client secret, and token endpoints of your app |
| 37 | + |
| 38 | +1. In the [Azure portal](https://portal.azure.com), go to **App registrations**, and then select your app registration. |
| 39 | +1. On the **Overview** page, record the **Application (client) ID**. |
| 40 | +1. Select **Endpoints**. This selection provides information, such as token endpoints, that will be used in the Postman configuration. This article uses OAuth 2.0 and token-based authentication together with Entra ID. In this case, you should record the **OAuth 2.0 token endpoint (v2)**. |
| 41 | + |
| 42 | + :::image type="content" source="media/troubleshoot-authorization-requestdenied-graph-api/check-endpoints.png" alt-text="Screenshot that shows checking the endpoints of the app registration." lightbox="media/troubleshoot-authorization-requestdenied-graph-api/check-endpoints.png"::: |
| 43 | +1. In the **Manage** section, select **Certificates & secrets**. Create a client secret or use an existing client secret for testing. |
| 44 | + |
| 45 | + In the Postman configuration, ensure you use the Client secret value, not the Secret ID. The client secret value cannot be viewed, except immediately after it's created. |
| 46 | + |
| 47 | +### Step 3: Configure Postman |
| 48 | + |
| 49 | +1. In Postman, select a request or collection, and then select **Authorization**. |
| 50 | +1. Set Auth type to **OAuth 2.0**. |
| 51 | +1. In the **Configure New Token** section, specify the following configuration: |
| 52 | + |
| 53 | + - Grant type: Client Credentials |
| 54 | + - Access Token URL: \<OAuth 2.0 token endpoint\>. |
| 55 | + - Client ID: \<Application (client) ID\> |
| 56 | + - Client secret: \<Client secret value\> |
| 57 | + - Scope: `https://graph.microsoft.com/.default` |
| 58 | + - Client Authentication: Send as Basic Auth header |
| 59 | + |
| 60 | + :::image type="content" source="media/troubleshoot-authorization-requestdenied-graph-api/postman-config.png" alt-text="Screenshot of Postman configurations." lightbox="media/troubleshoot-authorization-requestdenied-graph-api/postman-config.png"::: |
| 61 | + |
| 62 | +1. Select **Get New Access Token**. If the configuration is correct, you should receive a token that will be used to run the Microsoft Graph API call. |
| 63 | +1. Select **Proceed**, and then select **Use token**. |
| 64 | + |
| 65 | +### Step 4: Test and troubleshoot the Microsoft Graph API |
| 66 | + |
| 67 | +1. Send the following PATCH request to disable a user. `1f953789-0000-0000-0000-6f21508fd4e2` is the object ID of a user in the Entra ID. |
| 68 | + |
| 69 | + ``` HTTP |
| 70 | + Patch https://graph.microsoft.com/v1.0/users/1f953789-0000-0000-0000-6f21508fd4e2 |
| 71 | + ``` |
| 72 | +
|
| 73 | + ```JSON |
| 74 | + { |
| 75 | + "accountEnabled": false |
| 76 | + } |
| 77 | + ``` |
| 78 | +
|
| 79 | +1. The `Authorization_RequestDenied` error message is received in the response: |
| 80 | +
|
| 81 | + ```Output |
| 82 | + { |
| 83 | + "error": { |
| 84 | + "code": "Authorization_RequestDenied", |
| 85 | + "message": "Insufficient privileges to complete the operation.", |
| 86 | + "innerError": { |
| 87 | + "date": "2024-12-24T03:25:32", |
| 88 | + "request-id": "096361b2-75be-479b-b421-078610030949", |
| 89 | + "client-request-id": "096361b2-75be-479b-b421-078610030949" |
| 90 | + } |
| 91 | + } |
| 92 | + } |
| 93 | + ``` |
| 94 | + |
| 95 | +1. Check the [Update user scenario in Microsoft Graph REST API v1.0 endpoint reference](/graph/api/user-update?view=graph-rest-1.0&tabs=http#permissions&preserve-view=true). The following permission is required to enable and disable a user, as described in the Microsoft Graph REST API v1.0 endpoint reference. |
| 96 | +
|
| 97 | + | Property | Type | Description | |
| 98 | + |:----------------|:--------|:------------| |
| 99 | + | accountEnabled | Boolean | `true` if the account is enabled; otherwise, `false`. This property is required when a user is created. <br/> - *User.EnableDisableAccount.All* + *User.Read.All* is the least privileged combination of permissions required to update this property. <br/> - In delegated scenarios, *Privileged Authentication Administrator* is the least privileged role that's allowed to update this property for all administrators in the tenant. | |
| 100 | +
|
| 101 | +1. Check whether the app registration has the required permissions: |
| 102 | + 1. Locate your app registration in the Azure portal. |
| 103 | + 2. In the **Manage** section, select **API permissions** |
| 104 | + 3. Check the configured API permissions. In this case, the app registration doesn't have the **User.EnableDisableAccount.All** permission that is the root cause of the issue. |
| 105 | +
|
| 106 | + :::image type="content" source="media/troubleshoot-authorization-requestdenied-graph-api/check-api-permissions.png" alt-text="Screenshot that shows checking API permissions." lightbox="media/troubleshoot-authorization-requestdenied-graph-api/check-api-permissions.png"::: |
| 107 | +
|
| 108 | +1. Select **Add a permission** to add **User.EnableDisableAccount.All** to the app registration. |
| 109 | +1. You must also select **Grant admin consent for default directory** for the permissions. Select **Yes** to confirm that you want to grant admin consent. |
| 110 | +1. Send the PATCH request to disable a user. If the request is successful, you should receive a `204 No Content` response. |
| 111 | +
|
| 112 | +[!INCLUDE [third-party-disclaimer](../../../includes/third-party-disclaimer.md)] |
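Review bot: The remediation in Step 4 ("Select **Add a permission** to add **User.EnableDisableAccount.All**") does not match the reference table quoted two steps earlier, which states that *User.EnableDisableAccount.All* + *User.Read.All* is the least-privileged combination required to update `accountEnabled`; either add *User.Read.All* to that step and to the API-permissions check, or state explicitly that *User.Read.All* is already granted on the app registration shown in the screenshot. A second least-privilege point for Step 1: the walkthrough uses the client-credentials grant with application permissions, and the error is resolved by the API permission plus admin consent, yet Step 1 assigns the **User Administrator** directory role to the service principal without ever showing that role affecting the outcome (the quoted table names a role, *Privileged Authentication Administrator*, only for delegated scenarios); the article should say when the role assignment is actually required for this scenario, otherwise readers will grant a broad directory role the sample never demonstrates a need for. Minor: in the HTTP code block the method line `Patch https://graph.microsoft.com/v1.0/users/1f953789-0000-0000-0000-6f21508fd4e2` should read `PATCH` to match the prose "Send the following PATCH request", and the fence opener ```` ``` HTTP ```` has a stray space before the language tag.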