Fix Insufficient privileges to complete the operation in MgGraph

  • Post last modified:November 30, 2022

In this tutorial I am going to show you how to resolve the following error when running commands in Microsoft Graph (such as Get-MgUser):

Insufficient privileges to complete the operation when calling an MgGraph command.

Unlike the common PowerShell modules (MSOnline and AzureAD), when you connect to your tenant through Microsoft Graph, not only does your user account in the tenant need the correct permission level to complete the task, but you must also define the permission scope when connecting. I provide examples for this in my post: How To Install the Microsoft Graph PowerShell Module. If either of these is missing, you will likely receive the error shown above.

Hopefully by the end of this post you will be able to successfully connect to your environment with Microsoft Graph PowerShell and run the relevant commands you need to run.

Determine what permissions you need

You should start by deciding what permissions you need to complete the task. For example, if you only want to export information pertaining to the groups in your tenant and do not need to make any modifications, you will need read access to groups.

In Microsoft Graph, the permissions you require are defined as scopes, so you need to determine the name of the scope that provides read access to groups and then define it in your script when connecting to your tenant.

Identify required permissions using the Microsoft Graph explorer

You can open the Graph Explorer tool here and sign in with your tenant login credentials. Then you can use the pre-defined commands to query your tenant. Right away you will see the error “Insufficient privileges to complete the operation.” Select the Modify permissions tab and it will show all the optional permissions for you to run the command/query.

You may not find a pre-defined query to choose from within the Graph Explorer that matches your need. If so, you can use the Microsoft Graph REST API reference docs to find your query and it will usually show the necessary permissions on that same page. For example: https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0

Connect to Microsoft Graph PowerShell with the correct permissions

Now let’s say we want to use the Microsoft Graph PowerShell SDK to list all the groups in our tenant. We would need to do the following.

1. Open PowerShell and import the Microsoft Graph Groups module

Import-Module Microsoft.Graph.Groups

2. Run the Connect-MgGraph cmdlet with the group.read.all permission scope defined

Connect-MgGraph -Scopes "group.read.all"

If you want to define multiple scopes, you can do so as follows:

Connect-MgGraph -Scopes "group.read.all","directory.read.all"

3. Now run the Get-MgGroup cmdlet

Get-MgGroup
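The scope lookup and connection steps above can also be done from PowerShell itself. The following is an added example, not code from the original post: Test-MgCommandScope is a hypothetical helper name, and it assumes that any one of the scopes Find-MgGraphCommand lists for a cmdlet is enough to call it.

```powershell
# Added example. Requires the Microsoft.Graph.Authentication module,
# which provides Find-MgGraphCommand, Get-MgContext and Connect-MgGraph.

function Test-MgCommandScope {
    param(
        [Parameter(Mandatory)][string]$Command   # e.g. 'Get-MgGroup'
    )

    # Scopes the SDK metadata lists for this cmdlet, de-duplicated
    # across the API versions and URIs the lookup returns.
    $accepted = @(Find-MgGraphCommand -Command $Command |
        ForEach-Object { $_.Permissions.Name } |
        Where-Object { $_ } |
        Sort-Object -Unique)

    # Scopes granted to the current session; none if not connected.
    $context = Get-MgContext
    $granted = if ($context) { @($context.Scopes) } else { @() }

    # -in compares case-insensitively, so 'group.read.all' matches 'Group.Read.All'.
    $matched = @($accepted | Where-Object { $_ -in $granted })

    [pscustomobject]@{
        Command    = $Command
        Connected  = [bool]$context
        Accepted   = $accepted
        Matched    = $matched
        Sufficient = ($matched.Count -gt 0)   # assumption: one listed scope is enough
    }
}

$check = Test-MgCommandScope -Command 'Get-MgGroup'

if (-not $check.Sufficient) {
    # For a read-only task, list only the read scopes so the session
    # is not granted write access it does not need.
    $readOnly = $check.Accepted | Where-Object { $_ -like '*.Read.*' }
    Write-Host "No accepted scope in this session. Read-only candidates: $($readOnly -join ', ')"

    # Connect with the single read scope used in this tutorial.
    Connect-MgGraph -Scopes 'Group.Read.All'
}

# Confirm which scopes the session now holds before running Get-MgGroup.
(Get-MgContext).Scopes
```

A matching scope covers only the connection side of the error. The signed-in account still needs the correct permission level in the tenant, as described at the start of this post.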

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
