IT Error Decoder

How to Fix Get-MgUser insufficient privileges

Error message

Get-MgUser : Insufficient privileges to complete the operation.

Get-MgUser is one of the first cmdlets people run, so this error is often the first sign that scopes are misconfigured. Fixing it usually takes one Connect-MgGraph call.

What this error means

Your Microsoft Graph PowerShell session can authenticate, but the token doesn't carry a scope that allows reading user objects.

Why this happens

Connect-MgGraph was called without User.Read.All (or a similarly broad directory scope), or you're signed in as a user whose role can't read other users' attributes.

Quick fix (for end users)

  • Disconnect any existing session and reconnect with a scope that allows reading users.
  • Verify the connection with Get-MgContext before retrying.

Admin / engineer fix

  • Disconnect and reconnect with least-privilege scopes for what you actually need.

    Disconnect-MgGraph
    Connect-MgGraph -Scopes 'User.Read.All'

  • If you need to see hidden or sensitive attributes (signInActivity, employeeId), add Directory.Read.All or AuditLog.Read.All as appropriate.

  • For app-only scenarios, confirm the application has the matching application permission and admin consent.

Step-by-step fix

  1. Reconnect to Graph with the right scope.

    Connect-MgGraph -Scopes 'User.Read.All'

  2. Confirm scopes on the current session.

    (Get-MgContext).Scopes
  3. Re-run Get-MgUser.
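
The three steps above as one script, added here as an example and not code from the original page. It reconnects only when the session holds neither of the scopes this page names, and it treats app-only sessions separately because -Scopes cannot add application permissions. The function and variable names are hypothetical.

```powershell
# Added example. Scope names come from this page; the function and variable names are hypothetical.
$ReadUserScopes = @('User.Read.All', 'Directory.Read.All')   # either one allows reading users

function Test-MgUserReadScope {
    param([string[]]$Granted)
    # -contains compares case-insensitively, which suits scope names.
    [bool]($ReadUserScopes | Where-Object { $Granted -contains $_ })
}

$ctx = Get-MgContext
if ($ctx -and $ctx.AuthType -eq 'AppOnly') {
    # App-only tokens carry application permissions; reconnecting with -Scopes cannot add them.
    if (-not (Test-MgUserReadScope -Granted $ctx.Scopes)) {
        throw "App $($ctx.ClientId) has no application permission for reading users. Grant it with admin consent, then reconnect."
    }
}
elseif (-not $ctx -or -not (Test-MgUserReadScope -Granted $ctx.Scopes)) {
    # Step 1: drop the old session and request only the single scope needed.
    if ($ctx) { Disconnect-MgGraph | Out-Null }
    Connect-MgGraph -Scopes 'User.Read.All'
    $ctx = Get-MgContext
}

# Step 2: show what the session actually holds.
Write-Host "Account: $($ctx.Account)  AuthType: $($ctx.AuthType)"
Write-Host "Scopes : $($ctx.Scopes -join ', ')"

# Step 3: re-run Get-MgUser and surface the error this page covers.
try {
    Get-MgUser -Top 1 -ErrorAction Stop | Select-Object Id, UserPrincipalName
}
catch {
    if ($_.Exception.Message -match 'Authorization_RequestDenied|Insufficient privileges') {
        Write-Warning "A read scope is present but the request was denied; check the signed-in account's directory role."
    }
    throw
}
```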

Affected products

Microsoft.Graph PowerShell SDK

Common variations of this error

People also see these phrasings of the same problem:

  • Authorization_RequestDenied: Insufficient privileges
  • Get-MgUser : Authorization_RequestDenied

Still broken? Try these

  • Some properties (signInActivity) require AuditLog.Read.All in addition to User.Read.All.
  • Conditional Access can silently strip token permissions — check Sign-in logs.
  • If using app-only auth, double-check admin consent was granted in the Entra portal, not just requested.

Frequently asked questions

Is User.Read enough?

No. User.Read only gives the signed-in user access to their own profile. Use User.Read.All to read other users.

How do I read just one specific user?

You still need a directory-wide scope. There's no per-user scope for reading another user's profile.
