active-directory-dotnet-graphapi-console

Insufficient privileges error for every operation starting with the first

Open andriysavin opened this issue 9 years ago • 4 comments

I did all the steps from the sample's description: registered an app, gave it the Read Directory permission, put the client secret in the configuration along with the other actual values, etc. However, starting with accessing tenant info I get the famous "Insufficient privileges" error:

DataServiceClientException: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

I even tried to give the app all permissions possible - no luck. Any ideas how to make it work?

andriysavin avatar Oct 12 '16 11:10 andriysavin

Same issue as user @andriysavin, can someone help please!

bsrinivas84 avatar Oct 13 '16 08:10 bsrinivas84

Same issue. Followed as suggested here but still get the error.

tiagonmas avatar Dec 02 '16 23:12 tiagonmas

@tiagonmas In my case I was using a non-default Azure AD which didn't have a subscription bound to it. When I switched to my default AD, everything started to work.

Also, for completeness, I should mention the same error I got in a different application. The root of the problem was that even if you enabled the needed permissions, they wouldn't become active until a so-called admin consent (for those permissions which are marked as "Requires admin"). This flow is IMHO poorly documented, and basically (in my scenario of a web app) a person with administrative rights should log in to the web app using Azure AD, and right before entering his credentials he should add the parameter prompt=admin_consent to the current URL in the browser and press Enter. After entering credentials, a consent prompt is presented (only once) asking the admin user to approve granting the access rights to the application. After approval, everything starts to work. You can read more about admin consent here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent.

To summarize, I want to say that I spent many, many hours trying to find the sources of this error, and was highly disappointed that the error gives so little information about what is wrong, and the Azure portal doesn't help you understand what you're doing wrong either.

Also, I don't understand why that admin consent is needed in the case where an app is being granted access rights to the same AD/tenant it's registered in. It looks like it would be enough for a person with admin rights to just grant the needed access rights to the app in the portal.

andriysavin avatar Dec 03 '16 20:12 andriysavin
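The two steps described in the comment above, as an added example that is not part of the sample project or of any commenter's code: adding prompt=admin_consent to an existing authorization URL without disturbing its other query parameters, and recognising the Authorization_RequestDenied body from the original report so an operator is pointed at missing consent rather than at the config file. The Azure AD v1 authorize endpoint layout, the tenant, client id and redirect URI values are assumptions/constructed for the example.

```python
# Added example (not the sample project's code). Helpers for the admin-consent
# workaround discussed in this issue and for spotting the Graph error it causes.
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def add_admin_consent(authorize_url: str) -> str:
    """Return authorize_url with prompt=admin_consent added (or replacing an
    existing prompt value), keeping every other query parameter intact."""
    parts = urlsplit(authorize_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["prompt"] = "admin_consent"
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_admin_consent_url(tenant: str, client_id: str, redirect_uri: str) -> str:
    """Build the v1 authorize request an admin would open to grant consent.
    Assumption: Azure AD v1 endpoint https://login.microsoftonline.com/{tenant}/oauth2/authorize."""
    base = f"https://login.microsoftonline.com/{tenant}/oauth2/authorize"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
    }
    return add_admin_consent(f"{base}?{urlencode(params)}")


def classify_graph_error(body: str) -> str:
    """Map a Graph API error body (the JSON quoted in this issue) to a short
    diagnosis string; anything that is not an odata.error is 'unrecognised'."""
    try:
        err = json.loads(body)["odata.error"]
        code = err["code"]
    except (ValueError, KeyError, TypeError):
        return "unrecognised"
    if code == "Authorization_RequestDenied":
        # Permission not granted, or granted but not yet admin-consented.
        return "insufficient_privileges"
    return code or "unknown"


if __name__ == "__main__":
    # Constructed sample values, not real tenant or application identifiers.
    print(build_admin_consent_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                                  "https://localhost:44300/"))
    sample = ('{"odata.error":{"code":"Authorization_RequestDenied","message":'
              '{"lang":"en","value":"Insufficient privileges to complete the operation."}}}')
    print(classify_graph_error(sample))
```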

@andriysavin The prompt=admin_consent solution fixed this issue for me. I don't recall this parameter being necessary for my AD apps previously, and my applications are not multi-tenant. Why would it be required for single-tenant apps?

starmandeluxe avatar Jun 21 '17 03:06 starmandeluxe