0

I am using the Graph API https://graph.microsoft.com/v1.0/me to access user email from a different tenant using access token I am getting .

I have used profile and openid scopes but can't use User.read as it will need admin consent for the app.

Any solutions to this?

4
  • Can you please include the error response after adding the API permission? Commented Jul 10 at 12:40
  • Are you getting such kind of error message Commented Jul 11 at 5:11
  • Yes @Pratik I am getting that privilege error
    – Rik
    Commented Jul 11 at 5:26
  • You need to have at least Delegated type User.Read permission to resolve the error. Commented Jul 11 at 5:30

1 Answer

1

"error": { "code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.",

This error occurs if you don't add the Delegated type User.Read API permission or missed granting admin consent to the added permission.

I registered one Multi-tenant Entra ID application and granted API permission like below:

enter image description here

To get the code, I ran the authorization request below in the browser:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=<app_id>
&redirect_uri=https://jwt.ms
&response_type=code
&response_mode=query
&scope=https://graph.microsoft.com/.default

When I tried to generate an access token with the parameters below via Postman, I got the same error as below:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
grant_type=authorization_code
client_id=<app_id>
client_secret=<client_secret>
redirect_uri=https://jwt.ms
code=<code>
scope=https://graph.microsoft.com/.default

Response:

enter image description here

enter image description here

To resolve the error, add the Delegated type User.Read API permission and grant admin consent:

enter image description here

Now, I generated the code and access token using the same code snippet:

enter image description here

Now, you can call the /me endpoint to get mail_id:

GET https://graph.microsoft.com/v1.0/me

enter image description here
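As an added example (not part of the original answer), the check below decodes an access token's payload the way jwt.ms does and reports whether the delegated User.Read scope is present in its `scp` claim before /me is called. The sample tokens are unsigned and constructed for the demo, the helper names are hypothetical, and the case-insensitive scope comparison is an assumption of this sketch.

```python
import base64
import json

REQUIRED_SCOPE = "User.Read"  # delegated permission named in the answer


def _b64url_encode(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo (not a real Entra ID token)."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return ".".join([header, _b64url_encode(claims), ""])


def decode_claims(token):
    """Decode the JWT payload without verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_scopes(token, required=(REQUIRED_SCOPE,)):
    """Return the required delegated scopes absent from the token's scp claim."""
    claims = decode_claims(token)
    # scp is a space-separated string; app-only tokens carry no scp at all.
    granted = {s.lower() for s in claims.get("scp", "").split()}
    return [s for s in required if s.lower() not in granted]


# Constructed claim sets: sign-in scopes only versus User.Read consented.
TOKEN_SIGNIN_ONLY = make_sample_token(
    {"tid": "<tenant_id>", "scp": "openid profile"})
TOKEN_WITH_USER_READ = make_sample_token(
    {"tid": "<tenant_id>", "scp": "openid profile User.Read"})

if __name__ == "__main__":
    for name, tok in [("sign-in only", TOKEN_SIGNIN_ONLY),
                      ("with User.Read", TOKEN_WITH_USER_READ)]:
        gaps = missing_scopes(tok)
        print(name, "->", "ok for /me" if not gaps
              else f"expect a privilege error, missing {gaps}")
```

The decode step skips signature verification, so its output is only a troubleshooting aid and must not drive any authorization decision.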
