Error "Insufficient privileges to complete the operation" to acquire Azure endpoint

Article ID: 412544


Products

CA Identity Suite CA Identity Manager

Issue/Introduction

While trying to acquire the Azure endpoint, the following error is written to the Java Connector Server (JCS) log:

[ApacheDS Worker-thread-57] (com.ca.jcs.core:com.ca.jcs.osgi.exchange.router.MessageRouter:551) ERROR  - A remote server returned an error: org.apache.directory.shared.ldap.exception.LdapNamingException: JCS@my_jcs_host: AzureRest: Forbidden, Detailed Error: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"YYYY-MM-DDTHH:MM:SS","request-id":"xxxxx-xxx-zzz-www-aaaaaaaaa","client-request-id":"xxxxx-xxx-zzz-www-aaaaaaaaa"}}}

Environment

Identity Manager 14.x

Cause

In the Azure UI, the required Microsoft Graph permissions for the client application are configured with type Delegated instead of Application. The connector authenticates as an application (no signed-in user), so Microsoft Graph rejects calls that rely on Delegated permissions with "Authorization_RequestDenied".

For the list of required Microsoft Graph permissions, see step 5 of "Register a Client Application with Microsoft Entra ID" in the Identity Manager Azure documentation.

In the example below (screenshot), both permissions "AdministrativeUnit.Read.All" and "AdministrativeUnit.ReadWrite.All" have their Type set to Delegated.

Resolution

Using the Identity Manager Azure documentation as the reference list, check that every required Microsoft Graph permission is set to type "Application". If any permission is set to "Delegated", change it to Application in the Azure UI.

Either delete the Delegated permission and add the same permission again with type Application, or add the same permission with type Application first and, after testing, delete the Delegated one, since it is not required.

Example (screenshot) of some of the required permissions set as Application.
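The check above can be scripted against the app registration's manifest (as shown in the Azure UI "Manifest" blade or returned by `az ad app show`), where a Delegated permission appears as type "Scope" and an Application permission as type "Role" under the Microsoft Graph resource. The following audit is an added example, not CA/Broadcom code; the manifest fragment and the permission ids in it are constructed placeholders, because real Delegated and Application permissions carry different GUIDs, which is why a Delegated entry must be re-added as Application rather than simply re-typed.

```python
import json

# Well-known application (client) ID of the Microsoft Graph resource.
GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"


def audit_graph_permissions(manifest: dict) -> dict:
    """Split the registration's Microsoft Graph permissions by type.

    In the manifest, type "Scope" is a Delegated permission and type
    "Role" is an Application permission. A server-to-server connector
    such as JCS has no signed-in user, so only "Role" entries work.
    """
    delegated, application = [], []
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_RESOURCE_APP_ID:
            continue  # permissions on other APIs are outside this check
        for access in resource.get("resourceAccess", []):
            bucket = delegated if access.get("type") == "Scope" else application
            bucket.append(access["id"])
    return {"delegated": delegated, "application": application}


def needs_fix(manifest: dict) -> bool:
    """True when at least one Graph permission is still Delegated."""
    return bool(audit_graph_permissions(manifest)["delegated"])


# Constructed sample manifest fragment. The permission ids are labelled
# placeholders, not the real Microsoft Graph permission GUIDs.
SAMPLE_MANIFEST = json.loads("""
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {"id": "placeholder-AdministrativeUnit.Read.All-delegated", "type": "Scope"},
        {"id": "placeholder-AdministrativeUnit.ReadWrite.All-delegated", "type": "Scope"},
        {"id": "placeholder-some-permission-application", "type": "Role"}
      ]
    }
  ]
}
""")

if __name__ == "__main__":
    report = audit_graph_permissions(SAMPLE_MANIFEST)
    for pid in report["delegated"]:
        print(f"Delegated Graph permission, re-add as Application: {pid}")
    print("fix needed:", needs_fix(SAMPLE_MANIFEST))
```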