Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

403 Insufficient Privileges error received when calling applications.updatePasswordCredentials

See original GitHub issue

I am trying to delete Service principle keys. I can achieve this with graph explorer sending a Patch command to the endpoint

When I call this, I see the keys for the Application updated to match those I passed into the patch command.

However when I send the same data using client.applications.updatePasswordCredentials in the SDK, I get a 403 error (see below for full details).

I have tried granting the Service Principal I am connecting with all AD and graph rights.

    at client.pipeline (/home/turbot/turbot/node_modules/azure-graph/lib/operations/applications.js:1306:19)
    at retryCallback (/home/turbot/turbot/node_modules/ms-rest/lib/filters/systemErrorRetryPolicyFilter.js:89:9)
    at retryCallback (/home/turbot/turbot/node_modules/ms-rest/lib/filters/exponentialRetryPolicyFilter.js:140:9)
    at handleRedirect (/home/turbot/turbot/node_modules/ms-rest/lib/filters/redirectFilter.js:39:9)
    at /home/turbot/turbot/node_modules/ms-rest-azure/lib/filters/rpRegistrationFilter.js:59:14
    at Request.defaultRequest [as _callback] (/home/turbot/turbot/node_modules/ms-rest/lib/requestPipeline.js:125:16)
    at Request.self.callback (/home/turbot/turbot/node_modules/request/request.js:186:22)
    at emitTwo (events.js:126:13)
    at Request.emit (events.js:214:7)
    at Request.<anonymous> (/home/turbot/turbot/node_modules/request/request.js:1163:10)
    at emitOne (events.js:121:20)
    at Request.emit (events.js:211:7)
    at IncomingMessage.<anonymous> (/home/turbot/turbot/node_modules/request/request.js:1085:12)
    at Object.onceWrapper (events.js:313:30)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1056:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)

[message]: undefined,
  statusCode: 403,
   { rawResponse: false,
     queryString: {},
     url: '',
     method: 'PATCH',
      { 'Content-Type': 'application/json; charset=utf-8',
        'x-ms-client-request-id': '98091249-5f4f-4785-95f7-2e9d67fbb725',
        'accept-language': 'en-US',
        'user-agent': 'Node/v8.9.1 (x64-Linux-4.4.0-53-generic) ms-rest/2.2.7 ms-rest-azure/2.4.5 azure-graph/2.2.0 Azure-SDK-For-Node' },
     body: '{"value":[{"startDate":"2017-12-18T11:32:56.147Z","endDate":"2299-12-31T00:00:00.000Z","keyId":"30fbe2b4-bb76-4815-a5fa-0eaf98fae48e"}]}' },
   { body: '{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}',
      { 'cache-control': 'no-cache',
        pragma: 'no-cache',
        'content-type': 'application/json; odata=minimalmetadata; streaming=true; charset=utf-8',
        expires: '-1',
        server: 'Microsoft-IIS/8.5',
        'ocp-aad-diagnostics-server-name': 'iNQLRKPaViSNJPZgwTkFBErZ9++/HsuTPOY6L+sp4p4=',
        'request-id': '58ab05a5-aa02-4d83-92ab-ed4d3881af04',
        'client-request-id': '2f95e0e8-aa82-470b-ac2f-490821223488',
        'x-ms-dirapi-data-contract-version': '1.6',
        'ocp-aad-session-key': 'Dqu5YMU56a2Vd00HfElkiGGyaAgJUBJ4beMeiGxWwPog12zcc60p37_unyDNTvRKHJD6uhVzvRr-4pRs-hj3_M5QlLLoRvU3bZwhJIRAKcXopgK2F-d8qaIL6bOpHuI8.SNRXz1kBMRkftzh0u9D-6xtPQItn9Lom6toxEudXUQo',
        'x-content-type-options': 'nosniff',
        dataserviceversion: '3.0;',
        'strict-transport-security': 'max-age=31536000; includeSubDomains',
        'access-control-allow-origin': '*',
        'x-aspnet-version': '4.0.30319',
        'x-powered-by': 'ASP.NET, ASP.NET',
        duration: '2993198',
        date: 'Mon, 18 Dec 2017 12:23:18 GMT',
        connection: 'close',
        'content-length': '139' },
     statusCode: 403 },
  code: undefined,
   { code: 'Authorization_RequestDenied',
     message: 'Insufficient privileges to complete the operation.' } }

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:13 (7 by maintainers)

github_iconTop GitHub Comments

amarzaverycommented, Jan 2, 2018

@kaidaguerre - We were able to find out the problem.

For a service principal to be able to update password of another service principal, it needs to

  • be an owner of that service principal (Today, this happens only when you are logged in as a the primary service principal and created the other service principal )
  • have atleast 4 permissions from the Windows Azure Active Directory and one needs to grant permissions to that sp

I will go step by step.

Iteration 1

  1. We created a service principal (testsp876), set 4 Application Permissions - saved the changes and then clicked on grant permissions (To grant permissions, you must be a global admin user in the tenant). image
  2. After that we logged in as that service principal (testsp876) and created another service principal(testsp2).
  3. Then we tried to update the password credentials of that sp (testsp2) and were able to do that successfully.
  4. We could also see testsp876 as the owner of testsp2 in the portal. image However, there seems to be a bug in the portal or it may be by design (not sure). We were not able to manually add any other sp as the owner. It only allowed us adding users (humans) as owner of that sp.

Iteration 2.

  1. We logged in as service principal (testsp876) and then tried to update the password credentials of service principal (foosp45). The only difference is that testsp876 did not create this sp (foosp45). Now we get the 403 insufficient privileges error.

So it looks like, only if SP A created SP B then SP A can update SP B’s credentials. In short it needs to be an owner.

Hope that helps.

amarzaverycommented, Feb 28, 2018

Closing this issue based on the above comments.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Getting 403: "Insufficient privileges to complete the operation ...
In the example application we've used the code from here to create a custom authorize attribute that allows us to group based authentication....
Read more >
insufficient privilages to complete operations Graph API POST ...
While trying to create a user using POST graph api getting following error. "code": ...
Read more >
Insufficient privileges when calling the api/users/create ...
But I get a 403 Forbidden - Insufficient privileges. I am passing my token in using Basic Auth and other endpoints work for...
Read more >
I am getting Insufficient Privileges error when trying to access ...
I have set up an Azure AD application as a web app. I have obtained an oAuth token using the following steps: 1....
Read more >
Marketing Cloud REST Route returns Insufficient Privileges error
If your API call is returning the following error in the Response when hitting a REST route, your app is likely missing a...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found