Channel: Azure Active Directory forum

Receiving "Authorization_RequestDenied" when attempting to assign a DirectoryRole to a user

Hi folks,

We are attempting to assign a DirectoryRole to an AD user via GRAPH.

When we execute the code, we get:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

Any insight here will be appreciated!

Here's a snippet of code:

// Graph client for the target tenant
IActiveDirectoryClient client = _activeDirectoryClientFactory.GetClient(tenant);

// Look up the user by UPN
IUser user = await client.Users.Where(x => x.UserPrincipalName == userPrincipalName).ExecuteSingleAsync();

// List the tenant's directory roles
IPagedCollection<IDirectoryRole> pagedCollection = await client.DirectoryRoles.ExecuteAsync();
IList<IDirectoryRole> directoryRoles = await GetListFromPagedCollection(pagedCollection);

// Select the role by its template ID
string limitedAccessAdminRoleTemplateId = "729827e3-9c14-49f7-bb1b-9608f156bbb8";
DirectoryRole directoryRole = directoryRoles.FirstOrDefault(x => x.RoleTemplateId == limitedAccessAdminRoleTemplateId) as DirectoryRole;

// Add the user as a role member and send the update
directoryRole.Members.Add(user as DirectoryObject);

await directoryRole.UpdateAsync(); // throws exception

Here's the HTTP request:

POST https://graph.windows.net/a85e2d41-a8ad-445c-9fb4-3f476755b02b/directoryObjects/8bca114b-92fb-4991-b8b9-286f69863502/Microsoft.DirectoryServices.DirectoryRole/$links/members?api-version=1.6 HTTP/1.1
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/json;odata=minimalmetadata
Accept-Charset: UTF-8
Content-Type: application/json;odata=minimalmetadata
DataServiceUrlConventions: KeyAsSegment
User-Agent: Microsoft Azure Graph Client Library 2.1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiJodHRwczovL2dyYXBoLndpbmRvd3MubmV0IiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvYTg1ZTJkNDEtYThhZC00NDVjLTlmYjQtM2Y0NzY3NTViMDJiLyIsImlhdCI6MTQ0MDA3NDYxMSwibmJmIjoxNDQwMDc0NjExLCJleHAiOjE0NDAwNzg1MTEsInZlciI6IjEuMCIsInRpZCI6ImE4NWUyZDQxLWE4YWQtNDQ1Yy05ZmI0LTNmNDc2NzU1YjAyYiIsIm9pZCI6ImNhMGJlNmJjLTIzNGQtNGViZC1iM2QxLTVhNzVmNzNiMjgxZCIsInN1YiI6ImNhMGJlNmJjLTIzNGQtNGViZC1iM2QxLTVhNzVmNzNiMjgxZCIsImlkcCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0L2E4NWUyZDQxLWE4YWQtNDQ1Yy05ZmI0LTNmNDc2NzU1YjAyYi8iLCJhcHBpZCI6ImNjMzg4M2JjLTNmOWEtNGI2Ni1hMzFjLTg1NTdmN2E1ODkyMCIsImFwcGlkYWNyIjoiMSJ9.Tvtwfx86QoFq45MqURLqD5XlID1N-98J_EKwY7Viu_TfDhjQQv_hCROLlvm-LS9DJMGM4quwxQIvMSiTuG23kqYeMQA6-CQQe88XrHA6pcJUu3fYfP6GXArXpITyZvgqbf01vkDDE1QIcvLXlxfWglRW7eaSUcf4Z1rUVqxAOvB-JDpO9sm9_vaUIdbkew7e2ZqlcAwjkAw_H7sGC0GypZSXUKQgqjeKzPkt4MCrm0_qtbVOxVP3XMRIYHJK0KhDhgDRZ2gFEp9aiDW11kz_ssFcH5-gBNhnB_IGf3xbX9exRFPZ3Da-hJrzRG-cZ4jG4SSnIqWEGjAe1n-NIk_rZg
X-ClientService-ClientTag: Office 365 API Tools 1.1.0612
Host: graph.windows.net
Content-Length: 159
Expect: 100-continue
 
{"url":"https://graph.windows.net/a85e2d41-a8ad-445c-9fb4-3f476755b02b/directoryObjects/1301bb39-858e-4a33-836b-64c62506bffe/Microsoft.DirectoryServices.User"}

And here's the HTTP response:

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
ocp-aad-diagnostics-server-name: iOvQZ3lq+EN3O6bjEXlKwtpOwhulFDQXHJuKGZwpMe0=
request-id: d4cddbfa-188d-4941-b9e5-9c8089b12012
client-request-id: f48dab9c-487a-46fd-81a0-273007c08ec2
x-ms-gateway-rewrite: false
x-ms-dirapi-data-contract-version: 1.6
ocp-aad-session-key: okuqDhs9qYQeOUM23Z-diBtYTHroPKgB_cV-W_YBzKF8aigrXNwP4zq2AFal6y9bJ-jLzUG-zAzh096d9gyjkjI--JpdrfI7YmApU64Yr6LpLhjJEJBiy3MgqKcrJR8C.tIQObTNsFbb2_GS4d7X3FT_FJRcf13FI-_USWIpQvK0
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
Strict-Transport-Security: max-age=31536000; includeSubDomains
Access-Control-Allow-Origin: *
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
Date: Thu, 20 Aug 2015 13:22:15 GMT
Content-Length: 139

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

 

Thanks!

-Greg
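
Added example, not part of the original post or of the Graph client library: the bearer token in the request above is a JWT, so decoding its payload shows which identity and which permission claims the call was made with. The function names and the sample claims (placeholder GUIDs) are constructed for illustration, and the signature is not verified, so use it only to inspect a token you already hold.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: debugging aid only."""
    token = token.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def summarize(claims: dict) -> dict:
    scopes = claims.get("scp", "").split()   # delegated permissions (space separated)
    roles = claims.get("roles", [])          # application permissions
    # A user identity claim or an scp claim marks a delegated (user) token.
    delegated = bool(scopes) or "upn" in claims or "unique_name" in claims
    return {
        "audience": claims.get("aud"),
        "tenant": claims.get("tid"),
        "client_app": claims.get("appid"),
        "token_type": "delegated" if delegated else "app-only",
        "delegated_scopes": scopes,
        "app_roles": roles,
        "carries_permissions": bool(scopes or roles),
    }

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token so the example runs offline.
    header = {"typ": "JWT", "alg": "RS256"}
    body = [json.dumps(part).encode() for part in (header, claims)]
    return ".".join([b64url_encode(b) for b in body] + ["c2lnbmF0dXJl"])

# Constructed claims shaped like a client-credentials token (placeholder GUIDs).
SAMPLE_CLAIMS = {"aud": "https://graph.windows.net",
                 "tid": "00000000-0000-0000-0000-000000000001",
                 "appid": "00000000-0000-0000-0000-000000000002",
                 "appidacr": "1"}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    print(json.dumps(summarize(decode_claims("Bearer " + token)), indent=2))
```

The summary reports only what the token itself carries; whether the directory authorizes the write is decided server-side.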

