In this tutorial I am going to show you how to resolve the following error when running commands in Microsoft Graph (such as Get-MgUser):
Insufficient privileges to complete the operation when calling an MgGraph command.
Unlike the common PowerShell modules (MSOnline and AzureAD), when you connect to your tenant through Microsoft Graph, not only does your user account in the tenant need the correct permission level to complete the task, but you must also define the permission scope when connecting. I provide examples for this in my post: How To Install the Microsoft Graph PowerShell Module. If either of these is missing, you will likely receive the error highlighted in bold above.
Hopefully by the end of this post you will be able to successfully connect to your environment with Microsoft Graph PowerShell and run the relevant commands you need to run.
Determine what permissions you need
You should start by deciding what permissions you need to complete the task. For example, if you only want to export information about the groups in your tenant and do not need to make any modifications, you will need read access to groups.
In Microsoft Graph, the permissions you require are defined as scopes. You therefore need to determine the name of the scope that provides read access to groups, so that you can define it in your script when connecting to your tenant.
Identify required permissions using the Microsoft Graph explorer
You can open the Graph Explorer tool here and sign in with your tenant login credentials. Then you can use the pre-defined commands to query your tenant. Right away you will see the error “Insufficient privileges to complete the operation.” Select the Modify permissions tab and it will show all the optional permissions that allow you to run the command/query.
You may not find a pre-defined query to choose from within the Graph Explorer that matches your need. If so, you can use the Microsoft Graph REST API reference docs to find your query and it will usually show the necessary permissions on that same page. For example: https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0
Connect to Microsoft Graph PowerShell with the correct permissions
Now let’s say we want to use the Microsoft Graph PowerShell SDK to list all the groups in our tenant. We would need to do the following.
1. Import the Microsoft.Graph.Groups module
import-module Microsoft.Graph.Groups
2. Run the Connect-MgGraph cmdlet with the group.read.all permission scope defined
connect-MgGraph -Scopes "group.read.all"
If you want to define multiple scopes, you can do so as follows:
connect-MgGraph -Scopes "group.read.all","directory.read.all"
3. Now run the Get-MgGroup cmdlet
Get-MgGroup
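To check the scope side of the error from inside the session, the following added example (not code from the original post) compares the scopes granted to the current connection with the scopes listed for a cmdlet. The function name Test-MgCommandScope is hypothetical; it relies on Get-MgContext and Find-MgGraphCommand from the Microsoft.Graph.Authentication module, and it assumes Find-MgGraphCommand has permission metadata for the cmdlet.

```powershell
# Added example: Test-MgCommandScope is a hypothetical helper, not part of the SDK.
function Test-MgCommandScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Command   # for example 'Get-MgGroup'
    )

    # Get-MgContext returns nothing when there is no active connection.
    $context = Get-MgContext
    if (-not $context) {
        throw "Not connected. Run Connect-MgGraph -Scopes <scope> first."
    }

    # Scopes listed for the API calls behind this cmdlet, de-duplicated by name.
    $accepted = Find-MgGraphCommand -Command $Command |
        ForEach-Object { $_.Permissions } |
        Where-Object { $_ } |
        Sort-Object -Property Name -Unique

    if (-not $accepted) {
        Write-Warning "No permission metadata found for $Command; check the REST API reference page."
        return
    }

    # Scopes actually granted to this session. -in compares case-insensitively,
    # so "group.read.all" matches "Group.Read.All".
    $granted = @($context.Scopes)
    $matched = @($accepted | Where-Object { $_.Name -in $granted })

    [pscustomobject]@{
        Command        = $Command
        Account        = $context.Account
        HasListedScope = $matched.Count -gt 0   # session holds at least one listed scope
        MatchedScopes  = $matched.Name
        AcceptedScopes = $accepted.Name
        GrantedScopes  = $granted
    }
}

# Usage: connect with the read-only scope, then check it against the cmdlet.
Connect-MgGraph -Scopes "group.read.all"
Test-MgCommandScope -Command Get-MgGroup | Format-List
```

If HasListedScope is True and the error persists, the scope is not the cause, which leaves the account's own permission level in the tenant. Choosing a read-only entry from AcceptedScopes keeps the session from carrying write access it does not need.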