Consent issues with graph API

Time:01-12

I registered an app in AD with these delegated permissions. I'm creating an app to activate your PIM role. I'm using Power Automate and Power Apps for this.

I'm noticing the token doesn't have any permissions set to it as I'm receiving an "Insufficient privileges to complete the operation." when I try to filter for a specific role. I double-checked and have the correct clientid and secret for the token. I also have the correct permissions set to the Azure app and consent was granted.

Any ideas on how to fix this?

My Directory role is: Security Admin, Cloud App Admin, Application Admin. Do I need to be global admin?

This does work when I make the calls from Microsoft Graph Explorer.

Directory.AccessAsUser.All
Directory.Read.All
Directory.ReadWrite.All
RoleAssignmentSchedule.ReadWrite.Directory
RoleManagement.Read.Directory
RoleManagement.ReadWrite.Directory
User.Read

CodePudding user response:

To add required permissions in the token, you need to first copy the Client ID (aka App ID) that you are using in your request to get the Access Token and then navigate to:

Azure Portal > Azure Active Directory > App Registration > All Applications > Search with the ClientID/AppID copied earlier.

In that application, navigate to:

API permissions > Add a permission > Microsoft Graph > Delegated permissions > Expand User > Select required permissions as shown below. Once the permissions are added, click on the Grant Admin Consent for your_tenant button.

Note: Delegated permissions are used when the token is acquired under user context. If you are acquiring the token under the context of a Service Principal, you need to select Application permissions under Microsoft Graph while adding permissions.

After adding the permissions, you need to request a new token and make sure the token includes the required permissions by decoding it at https://jwt.ms or https://jwt.io

CodePudding user response:

The solution was to consent the permission as application, not delegated.
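
Added example, not part of the original posts: a local version of the "decode the token and check its permissions" step. Microsoft identity platform access tokens carry delegated permissions in the `scp` claim and application permissions in the `roles` claim, so a token obtained with only a client ID and secret shows no Graph permissions when only delegated permissions were consented. The sample tokens are constructed and unsigned, and the helper names are hypothetical.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def granted_permissions(token: str) -> tuple[str, set[str]]:
    """Classify the token and return (kind, permissions it actually carries)."""
    claims = decode_claims(token)
    scp = set(claims.get("scp", "").split())  # delegated: space-separated string
    roles = set(claims.get("roles", []))      # application: JSON array
    if scp:
        return "delegated", scp
    if roles:
        return "application", roles
    return "none", set()

def missing_permissions(token: str, required: set[str]) -> set[str]:
    """Permissions the call needs that are absent from the token."""
    return required - granted_permissions(token)[1]

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample for this demo; not a real token.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Constructed samples: user sign-in, app-only without application consent, app-only with it.
GRAPH = "https://graph.microsoft.com"
USER_TOKEN = make_sample_token({"aud": GRAPH, "scp": "User.Read RoleManagement.Read.Directory"})
APP_TOKEN_NO_ROLES = make_sample_token({"aud": GRAPH})
APP_TOKEN = make_sample_token({"aud": GRAPH, "roles": ["RoleManagement.Read.Directory"]})

if __name__ == "__main__":
    need = {"RoleManagement.Read.Directory"}
    for name, tok in [("user", USER_TOKEN), ("app, delegated consent only", APP_TOKEN_NO_ROLES), ("app", APP_TOKEN)]:
        print(f"{name}: {granted_permissions(tok)} missing={sorted(missing_permissions(tok, need))}")
```

The decode skips signature validation, so use it only to inspect a token you requested yourself, never to make an authorization decision.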
