Problem:

When trying to add an agent to the contact list, the Graph API returns an Authorization_RequestDenied error with HTTP status 403.

Response sample

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2023-06-15T19:40:25",
            "request-id": "2fb0a251-a4a1-4744-9e67-ff45d47261b9",
            "client-request-id": "dfa64676-e68e-c7b2-d21b-dcb6a7c98206"
        }
    }
}

Troubleshoot

Use a JWT decoder to decode the request token and check the scope claim (here the value is "scp": "openid profile User.Read email").

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8307b345-4463-42a3-a65f-e7b0a35da85a/",
  "iat": 1686859739,
  "nbf": 1686859739,
  "exp": 1686863858,
  "acct": 0,
  "acr": "1",
  "aio": "ATQAy/8TAAAAaYtulXK+zGWJ2MG3p9rsRoagHhMtNNP1K4h3R3Ekg1A5oqtnbWR0kmRilgRwfjWE",
  "amr": [
    "pwd"
  ],
  "app_displayname": "Heedify Agent Console",
  "appid": "dc514838-3e03-453b-9144-ef719e05a8b3",
...
  "ver": "1.0",
  "wids": [
    "b79fbf4d-3ef9-4689-8143-76b194e85509"
  ],
  "xms_st": {
    "sub": "ayc8pK-5o27HQEiWdgpv340rz_o0A_6rwzXi1TLU7qs"
  },
  "xms_tcdt": 1684487337,
  "xms_tdbr": "EU"
}
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/8307b345-4463-42a3-a65f-e7b0a35da85a/",
  ...
  "platf": "3",
  "puid": "10032002A3B74A5B",
  "rh": "0.AU4ARbMHg2NEo0KmX-ewo12oWgMAAAAAAAAAwAAAAAAAAACDAEw.",
  "scp": "openid profile User.Read email",
  "sub": "IaF_E8lrRKIvpzUr0Yq1-CQbDZEc19sIb5TPQD2Fk1g",
  "tenant_region_scope": "EU",
  "tid": "8307b345-4463-42a3-a65f-e7b0a35da85a",
  "unique_name": "agent01@heedify.co",
  "upn": "agent01@heedify.co",
  "uti": "-937iHDwTEijS-jDj8opAA",
  "ver": "1.0",
  "wids": [
    "b79fbf4d-3ef9-4689-8143-76b194e85509"
  ],
  "xms_st": {
    "sub": "ayc8pK-5o27HQEiWdgpv340rz_o0A_6rwzXi1TLU7qs"
  },
  "xms_tcdt": 1684487337,
  "xms_tdbr": "EU"
}

The expected scope should include these permissions:

"scp": "Calendars.Read Contacts.ReadWrite Contacts.ReadWrite.Shared openid OrgContact.Read.All Presence.Read.All Presence.ReadWrite profile User.Read User.Read.All email"
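As an added example (not code from this page or from Heedify), the Python helper below does what the JWT decoder step does by hand: it base64url-decodes the token payload, reads the space-separated "scp" claim and reports which of the expected delegated permissions are missing. The sample token is constructed and unsigned, and the helper never verifies a signature, so it is suitable for troubleshooting only.

```python
import base64
import json

# Delegated permissions the Agent Console token is expected to carry (page's "scp").
REQUIRED_SCOPES = {
    "Calendars.Read", "Contacts.ReadWrite", "Contacts.ReadWrite.Shared",
    "openid", "OrgContact.Read.All", "Presence.Read.All",
    "Presence.ReadWrite", "profile", "User.Read", "User.Read.All", "email",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. The signature is NOT checked: this
    is an inspection helper for troubleshooting, not an authorization check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def missing_scopes(token: str, required=REQUIRED_SCOPES) -> set:
    """Required scopes the token lacks. 'scp' is a space-separated string in
    delegated tokens; app-only tokens carry 'roles' instead and have no 'scp'."""
    granted = set(decode_jwt_payload(token).get("scp", "").split())
    return set(required) - granted


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) token for offline demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample mirroring the failing token on this page: only the basic
# OIDC scopes plus User.Read are present, so contact writes get 403.
SAMPLE_TOKEN = _make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "openid profile User.Read email",
    "upn": "agent01@example.invalid",  # placeholder, not a real account
})
if __name__ == "__main__":
    gap = missing_scopes(SAMPLE_TOKEN)
    print("missing scopes:", " ".join(sorted(gap)) or "none")
```

Paste a real token from the failing request in place of SAMPLE_TOKEN to see exactly which permissions the consent grant still needs to cover.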

Solution

Create service principal for ACS

# Install the AzureAD module first (one-time), then sign in to the tenant
Install-Module AzureAD
Connect-AzureAD -TenantId xxxxxxxx-4463-xxxx-a65f-e7b0a35da85a
# Create the service principal for ACS in the tenant
New-AzureADServicePrincipal -AppId "1fd5118e-2576-4263-8130-9503064c837a"

Redo the Agent Console consent grant according to your needs (Unify or Extend).

Reference

OAuth Authentication issue with Teams.ManageCalls permission