Azure AD (Entra ID) Permissions Error
| Situation | If required permissions aren't enabled, you may encounter an Azure (now known as Entra ID) sync error when running a manual sync test. |
|---|---|
| Solution | Follow the steps below to ensure the necessary permissions are enabled. |
Want some help setting up Azure and syncing with Essentials? Check out our article Azure Active Directory Sync Guide.
Potential Permission Error & Resolution
If required permissions aren’t enabled, you may encounter an Azure sync error when running a manual sync test. Azure will throw an error like the following:
[Authorization_RequestDenied] Insufficient privileges to complete the operation
You need to:
- Review "Step 1: Creating The Custom Application In Azure (Entra ID)" in the Azure (Entra ID) configuration guide: https://help.proofpoint.com/Proofpoint_Essentials/Administrator_Topics/040_usersandgroups/Azure_Active_Directory_Sync_Guide
- Ensure that the user role within Azure (Entra ID) is correct (Global/Company Admin).
- Ensure that the application has the correct permissions in the Azure (Entra ID) management portal:
  - Delegated Permissions:
    - Directory: Directory.Read.All
    - Group: Group.Read.All
    - User: User.ReadBasic.All
  - Application Permissions:
    - Directory: Directory.Read.All
MODIFYING PERMISSIONS WITHIN AZURE (Entra ID):
To modify permissions and resolve the above error:
- Log into the Azure Active Directory (Entra ID) Admin center.
- Navigate to All settings > Required permissions > Windows Azure AD (Entra ID).
- Set the appropriate permissions under APPLICATION PERMISSIONS and DELEGATED PERMISSIONS (the ones named in the sync error).
- Under DELEGATED PERMISSIONS, set Sign in and read user profile to No.
- Under Enable Access, click Save, then immediately click Grant Permissions.
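To confirm that the grants took effect after Grant Permissions, the following added example (not Proofpoint's code) compares Microsoft Graph's view of the app's consented permissions with the list on this page and reports anything missing or anything granted beyond it. It assumes the three JSON results were already fetched from Microsoft Graph (the app service principal's appRoleAssignments, its oauth2PermissionGrants, and the Microsoft Graph service principal's appRoles); the embedded sample data is constructed, with placeholder GUIDs.

```python
"""Offline check of an Entra ID app's consented Microsoft Graph permissions.

Added example, not Proofpoint's code. Assumes the caller already fetched the
JSON below from Microsoft Graph; the data here is constructed sample data and
every GUID is a placeholder.
"""

# Permission set required by this article.
REQUIRED_DELEGATED = {"Directory.Read.All", "Group.Read.All", "User.ReadBasic.All"}
REQUIRED_APPLICATION = {"Directory.Read.All"}

# Constructed: /servicePrincipals/{graph-sp-id}?$select=appRoles (placeholder ids)
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "Directory.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "Directory.ReadWrite.All"},
]

# Constructed: /servicePrincipals/{sync-app-sp-id}/appRoleAssignments
APP_ROLE_ASSIGNMENTS = [{"appRoleId": "00000000-0000-0000-0000-0000000000a1"}]

# Constructed: /oauth2PermissionGrants?$filter=clientId eq '{sync-app-sp-id}'
# 'User.Read' is the "Sign in and read user profile" scope the article says to turn off.
OAUTH2_GRANTS = [
    {"consentType": "AllPrincipals",
     "scope": "Directory.Read.All Group.Read.All User.Read"},
]


def granted_application(assignments, graph_app_roles):
    """Resolve appRoleId GUIDs to permission names such as Directory.Read.All."""
    by_id = {r["id"]: r["value"] for r in graph_app_roles}
    return {by_id[a["appRoleId"]] for a in assignments if a["appRoleId"] in by_id}


def granted_delegated(grants):
    """Admin-consented (AllPrincipals) delegated scopes; 'scope' is space-separated."""
    names = set()
    for g in grants:
        if g.get("consentType") == "AllPrincipals":
            names.update(g.get("scope", "").split())
    return names


def check_permissions(assignments, grants, graph_app_roles):
    """Report required scopes that are missing and granted scopes beyond the required set."""
    app = granted_application(assignments, graph_app_roles)
    deleg = granted_delegated(grants)
    return {
        "missing_application": sorted(REQUIRED_APPLICATION - app),
        "missing_delegated": sorted(REQUIRED_DELEGATED - deleg),
        "extra_application": sorted(app - REQUIRED_APPLICATION),
        "extra_delegated": sorted(deleg - REQUIRED_DELEGATED),
    }


if __name__ == "__main__":
    print(check_permissions(APP_ROLE_ASSIGNMENTS, OAUTH2_GRANTS, GRAPH_APP_ROLES))
```

With the sample data the check reports User.ReadBasic.All as missing and User.Read as an extra delegated scope, which is the state the article's last two steps correct; a non-empty "missing" list is the condition that produces the Authorization_RequestDenied error above.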