#MicrosoftGraphOrgEntityProviderAuthorization_RequestDenied - Insufficient privileges to complete the


lethal prism
#

Hello,

I'm trying to use the catalog-backend-module-msgraph to fetch users and groups. I receive an error indicating the application doesn't have the permissions, even though it surely has.
(image attached)

The weird part is that it worked, but it's not working anymore.
I see that there was a commit 4 days ago that might affect this functionality.

This is the config I have:

catalog:
  providers:
    microsoftGraphOrg:
      default:
        tenantId:
        clientId:
        clientSecret:
        user:
          filter: accountEnabled eq true and userType eq 'member'
          loadPhotos: true
          select: ['id', 'displayName', 'mail', 'jobTitle']
        schedule:
          frequency: PT1H
          timeout: PT50M

#

I have admin consent for the app registration

glad shore
#

@gleaming owl just FYI 🙏🏻

gleaming owl
#

Alright. Do you have the corporate proxy stuff set up? (HTTPS_PROXY env var etc)

glad shore
#

Namely:

If using Managed Identity or App Registration for authentication, grant the following application permissions (not delegated)

GroupMember.Read.All
User.Read.All

I assume not because you said it worked before, but just checking

lethal prism
glad shore
#

You can choose to not load the photos if you want IIRC

#

I am on mobile today so it's a bit tricky to send links. I think I've seen an issue in the past about the photos; I'd suggest doing a search in the repo for it.

lethal prism
#

I've tested with only one user (mine)

user:
  filter: displayName eq '<username>'

And still, it doesn't get the data, because when I try to log in I get:

Failed to sign-in, unable to resolve user identity. Please verify that your catalog contains the expected User entities that would match your configured sign-in resolver.

The last time I saw it, changing the resolvers worked; now I just set all the resolvers but it still doesn't work.

signIn:
  resolvers:
    # See https://backstage.io/docs/auth/microsoft/provider#resolvers for more resolvers
    - resolver: emailMatchingUserEntityProfileEmail
    - resolver: emailLocalPartMatchingUserEntityName
    - resolver: emailMatchingUserEntityAnnotation

#

Can this be related?
Every time I start the app I see this:

rootHttpRouter info [05/Dec/2024:15:47:09 +0000] "GET /api/auth/microsoft/refresh?optional&scope=openid%20offline_access%20profile%20email%20User.Read&env=development HTTP/1.1" 401 - "http://localhost:3000/"

#

Tried also with env=production and it doesn't work.

lethal prism
#

Any idea what I need to do?
Even using a local file I still get:

Failed to sign-in, unable to resolve user identity. Please verify that your catalog contains the expected User entities that would match your configured sign-in resolver.

and the users can't sign in.

glad shore
# lethal prism Can this be related? Every time I start the app I see this rootHttpRouter info [...

Hmmm, it's been a long while since I used the MsGraph provider. I suggest maybe trying a search in the discord channel for it, see if you can surface anything.

I also vaguely remember having to request the Azure team to allow us to connect from localhost / dev as well as prod.

Sorry that's about all I can remember, this was about a year ago 😦 - but maybe someone else will stumble across the thread and have some advice