A client I’m working with had trouble adding permissions to their Azure Active Directory Application (AAD App). We added application permissions to allow the app to read all users’ full profiles, read directory data and read O365 unified groups, but no matter what we did our code would get an “insufficient privileges” answer back from the Microsoft Graph. We even added a brand new app, but it too had the same problems, indicating that the problem lied deeper than the app permissions.
Reaching out to Microsoft support they clearly had a hard time figuring out what was wrong, but finally their engineers presented the following solution that worked:
- Open PowerShell
- Connect-MsolService (sign in with a Global Admin account)
- Remove-MsolServicePrincipal -ObjectId [GUID] -TenantId [GUID]
- Start an InPrivate browsing window
- Open: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=[GUID]&prompt=admin_consent
This is supposed to remove the Service Principal and following the admin consent workflow a new Service Principal should be created and inherit the permissions given to the application object.
I hope this is helpful to someone in the same situation.