|
| 1 | +--- |
| 2 | +title: Tenant doesn't have premium license when querying user sign-in activities using Microsoft Graph |
| 3 | +description: Provides solutions to the identity of the calling application could not be established error when using Microsoft Graph. |
| 4 | +ms.date: 04/25/2025 |
| 5 | +ms.service: entra-id |
| 6 | +ms.author: bachoang |
| 7 | +ms.custom: sap:Getting access denied errors (Authorization) |
| 8 | +--- |
| 9 | + |
| 10 | +# Neither tenant is B2C or tenant doesn't have premium license when querying sign-in activities |
| 11 | + |
| 12 | +This article describes the error that occurs when you make Microsoft Graph API calls related to user sign-in activities or user registration details. |
| 13 | + |
| 14 | +## Symptoms |
| 15 | + |
| 16 | +When you run one of the following Microsoft Graph API calls, you might see this error: |
| 17 | + |
| 18 | +```http |
| 19 | +GET https://graph.microsoft.com/v1.0/auditLogs/signIns |
| 20 | +
|
| 21 | +GET https://graph.microsoft.com/v1.0/users?$select=displayName,userPrincipalName,signInActivity |
| 22 | +
|
| 23 | +GET https://graph.microsoft.com/v1.0/reports/UserRegistrationDetails |
| 24 | +``` |
| 25 | + |
| 26 | +Example response |
| 27 | + |
| 28 | +```output |
| 29 | +'error': { |
| 30 | + 'code': 'Authentication\_RequestFromNonPremiumTenantOrB2CTenant', |
| 31 | + 'message': 'Neither tenant is B2C or tenant doesn't have premium license', |
| 32 | + 'innerError': { |
| 33 | + 'date': '2021-03-04T07:53:51', |
| 34 | + 'request-id': 'a0a074e6-xxx-c511669fa420', |
| 35 | + 'client-request-id': 'a0a074e6-xxx-c511669fa420' |
| 36 | + } |
| 37 | +} |
| 38 | +``` |
| 39 | +## Solution |
| 40 | + |
| 41 | +### Scenario 1: Query user sign-in activities |
| 42 | + |
| 43 | +1. Make sure the target tenant has an Entra ID Premium P1 or P2 license. In the Azure portal, go to **Micosoft Entra ID**, select Overview, and then check the **License**. For more information, see [Sign up for Microsoft Entra ID P1 or P2 editions](/entra/fundamentals/get-started-premium). |
| 44 | +1. Verify that the Microsoft Graph Access Token has been granted the `AuditLog.Read.All` and `Directory.Read.All` permissions. |
| 45 | + |
| 46 | +### Scenario 2: Query credential user registration details |
| 47 | + |
| 48 | +1. Make sure the target tenant has an Entra ID Premium P1 or P2 license. |
| 49 | +1. Verify that the Microsoft Graph Access Token has been granted the `Reports.Read.All` permission. |
| 50 | +1. The authenticating user or the service principle of the application must to be in one of these Administrative roles: |
| 51 | + - Reports Reader |
| 52 | + - Security Reader |
| 53 | + - Security Administrator |
| 54 | + - Global Reader |
| 55 | + - Global Administrator |
| 56 | + |
| 57 | +## More information |
| 58 | + |
| 59 | +If an application is configured with only the **AuditLog.Read.All** permission, this error may occur intermittently. This is expected behavior, as the **Directory.Read.All** permission is required to retrieve tenant licensing information when it is not already cached. Ensure both permissions are included to avoid this issue. |
0 commit comments