I've spent some time recently setting up a new Azure AD for testing out the Azure AD Graph Client Library, mostly following along with the the .NET Graph API Web Sample.
Following those steps alone, I ran into a permissions issue when running delete operations:
{
"odata.error": {
"code":"Authorization_RequestDenied",
"message": {
"lang":"en",
"value":"Insufficient privileges to complete the operation."
}
}
}
The solution I found was to add the "User Account Administrator" role to the application using PowerShell cmdlets. Here are the steps I followed (largely borrowed from this article):
First, download and install the Microsoft Online Services Sign-In Assistant. Then download and install the 64-bit Azure Active Directory module for Windows PowerShell.
After you install the PowerShell module, open PowerShell and connect to your tenant. After you run Get-Credential, you will be prompted for a user name and password, Enter the user name and password of your tenant administrator account.
> $msolcred = Get-Credential
> Connect-MsolService -credential $msolcred
NB: If you are dealing with a brand new AD, you will need to add a new AD user with the 'Global Admin' organizational role before you can run this command.
Find your Application by running Get-MsolServicePrincipal:
> Get-MsolServicePrincipal
Once you have found your application, note down the ObjectId. You need to assign it the permissions it needs to perform user CRUD operations.
Assign the application three roles: directory readers (to read users), directory writers (to create and update users), and a user account administrator (to delete users). These roles have well-known identifiers, so you can replace the -RoleMemberObjectId parameter with ObjectId from above and run the following commands.
> Add-MsolRoleMember -RoleObjectId 88d8e3e3-8f55-4a1e-953a-9b9898b8876b -RoleMemberObjectId 42cece49-ff32-4727-a1bb-ce84f0a89991 -RoleMemberType servicePrincipal
> Add-MsolRoleMember -RoleObjectId 9360feb5-f418-4baa-8175-e2a00bac4301 -RoleMemberObjectId 42cece49-ff32-4727-a1bb-ce84f0a89991 -RoleMemberType servicePrincipal
> Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberObjectId 42cece49-ff32-4727-a1bb-ce84f0a89991 -RoleMemberType servicePrincipal
NB: To see the list of all directory roles, try running Get-MsolRole:
Your application should now have sufficient permissions to perform all Graph API operations. Hopefully this will save someone some time down the track!