This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 57.00000000000001%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Iam trying to access Azuread Report apis. But even though the user have Global Reader and Report Reader role and he grant Report.read.all scope Iam not able to access Reports api it is giving me Invalid permissions error.
API Endpoint: https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='D7')
Error: {"error":{"code":"UnknownError","message":"{\"error\":{\"code\":\"S2SUnauthorized\",\"message\":\"Invalid permission.\"}}","innerError":{"date":"2024-10-21T09:53:29","request-id":"464eb548-1530-4361-9362-009cd94039b4","client-request-id":"464eb548-1530-4361-9362-009cd94039b4"}}}
Try decoding the access token via jwt.ms or similar tool and make sure the claims therein reflect the permissions. If using the Graph explorer tool, you can get the token via the Access token tab.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 96%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYH%3C/text%3E%3C/svg%3E)
Hello kalimuthu,
Thank you for reaching out to Microsoft Support!
First you need to make sure that the permissions granted are correct.
if you are using delegated permissions, you also need to grant the user the appropriate role, and use Auth code flow to get the token.
If application permissions are used, client credentials flow is required.
Hope this helps.
If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
Hello @Yakun Huang-MSFT Thanks for your reply.
As I said in the question Iam having the Global Reader role and Report Reader role and Iam giving the access for scope Reports.read.all as well. But still Iam getting Invalid permission error. can you help on this