I am trying to add custom properties to the User object using graph.microsoft.com. I chose schema extensions for that, but the POST request to https://graph.microsoft.com/v1.0/schemaExtensions returns Authorization_RequestDenied.
First, I checked the permissions via the Azure CLI (the id is my app id):
    az ad app permission list-grants --id 229e9b3d-5a17-4a46-930a-60e8ca114027 --show-resource-name
For Microsoft Graph, there are many permissions, but as I understand it, I should need only User.ReadWrite.All and Directory.AccessAsUser.All which are there.
Then I used Insomnia (to check functionality without coding problems) and called POST https://graph.microsoft.com/v1.0/schemaExtensions with this JSON body:
    {
      "id": "extTest",
      "description": "test extension",
      "targetTypes": [
        "User"
      ],
      "properties": [
        {
          "name": "isAvailable",
          "type": "Boolean"
        }
      ]
    }
and the returned response is:
    {
      "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
          "request-id": "d5c1e7b3-f1c5-44c0-917d-5e43d7483bdf",
          "date": "2019-06-10T13:44:36"
        }
      }
    }
Is there something I missed?
It seems that your access token didn't have the Directory.AccessAsUser.All permission. You can decode it by using https://jwt.io/ and check if this permission exists in 'scp'.

I have tested it on my side and it works. Here are my main steps.
1. Add the Directory.AccessAsUser.All permission to your app and click the grant admin consent button.

2. Get an access token by using the auth code grant flow. You cannot use the client credential grant flow here since you must sign in with a user.
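
The check described in the answer above (whether the token's 'scp' claim contains Directory.AccessAsUser.All) can be done locally, so the bearer token never has to be pasted into a website. This is an added example, not code from the original posts; the function names and the unsigned sample tokens are constructed for illustration, and the signature is not verified.

```python
import base64
import json

REQUIRED_SCOPE = "Directory.AccessAsUser.All"  # scope named in the answer above


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified:
    use this to inspect your own token, never to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, required: str = REQUIRED_SCOPE) -> str:
    """Classify the token: 'ok', 'missing scope', 'app-only token' or 'no scp claim'."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()  # delegated permissions, space separated
    roles = claims.get("roles", [])         # application permissions, JSON array
    if required in scopes:
        return "ok"
    if not scopes and roles:
        # Client credentials flow: no signed-in user, so there is no 'scp' claim.
        return "app-only token"
    if not scopes:
        return "no scp claim"
    return "missing scope"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token (hypothetical helper)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    samples = {
        "auth code flow": {"scp": "User.ReadWrite.All Directory.AccessAsUser.All"},
        "consent not granted": {"scp": "User.Read"},
        "client credentials": {"roles": ["User.ReadWrite.All"]},
    }
    for label, claims in samples.items():
        print(f"{label}: {diagnose(make_sample_token(claims))}")
```

To check a real token, pass the string sent in the Authorization header (without the "Bearer " prefix) to `diagnose`.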