IT Error Decoder

How to Fix Microsoft Graph 403 Forbidden

Error message

Response status code does not indicate success: 403 (Forbidden).

If you're seeing "Microsoft Graph 403 Forbidden", you're not alone. Here's what it means, why it happens, and the steps to resolve it.

What this error means

The Microsoft Graph endpoint understood the request but refused to authorize it. The token does not carry a scope/role that allows this operation on this object.

Why this happens

The usual causes are a missing scope on a delegated session, a missing application permission on an app-only session, or a Conditional Access policy blocking the call. Some endpoints also require a specific Entra role in addition to the Graph permission.

Step-by-step fix

  1. Check the scopes on the current session.

    (Get-MgContext).Scopes

  2. Reconnect with a more privileged scope appropriate to the operation (least-privilege first).

    Connect-MgGraph -Scopes 'Directory.Read.All'

  3. For app-only auth, confirm the application permission was granted with admin consent in the Entra portal.

  4. Check whether the operation requires an Entra directory role assignment (e.g. User Administrator) in addition to the Graph scope.
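
The check behind steps 1 to 3, as an added example that is not part of the original page: it decodes an access token's payload and reports whether the permission is carried in the `scp` claim (delegated) or the `roles` claim (app-only), then names the matching step. The helper names are hypothetical and the two sample tokens are constructed inline and unsigned.

```powershell
# Added example (not from the page). Helper names are hypothetical.
function ConvertFrom-Base64Url([string]$Value) {
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore stripped padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-GraphTokenPermission {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$Permission
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Delegated tokens carry permissions in 'scp' (space-separated string);
    # app-only tokens carry them in 'roles' (array of application permissions).
    $scopes   = @("$($claims.scp)" -split ' ' | Where-Object { $_ })
    $roles    = @($claims.roles | Where-Object { $_ })
    $authType = if ($scopes) { 'Delegated' } elseif ($roles) { 'AppOnly' } else { 'None' }
    $granted  = @(if ($authType -eq 'Delegated') { $scopes } else { $roles })
    $has      = $granted -contains $Permission

    $next = if ($has) {
        'Permission present: check Entra directory role and Conditional Access (Sign-in logs).'
    } elseif ($authType -eq 'AppOnly') {
        "Grant application permission '$Permission' with admin consent in the Entra portal."
    } else {
        "Reconnect: Connect-MgGraph -Scopes '$Permission'"
    }
    [pscustomobject]@{ AuthType = $authType; Granted = $granted; HasPermission = $has; NextStep = $next }
}

# Constructed sample tokens: unsigned, placeholder signature, built inline.
function New-SampleToken([hashtable]$Claims) {
    $enc = { param($t) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($t)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.sig' -f (& $enc '{"alg":"none"}'), (& $enc ($Claims | ConvertTo-Json -Compress))
}
$delegated = New-SampleToken @{ scp = 'User.Read openid profile' }
$appOnly   = New-SampleToken @{ roles = @('User.Read.All') }

Test-GraphTokenPermission -AccessToken $delegated -Permission 'Directory.Read.All'  # scope missing
Test-GraphTokenPermission -AccessToken $appOnly   -Permission 'User.Read.All'       # role present
```

A result with `HasPermission` true on a call that still returns 403 points at step 4 or at Conditional Access rather than at the token's permissions.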

Affected products

Microsoft Graph PowerShell

Still broken? Try these

  • Reproduce the call in Graph Explorer to compare scopes.
  • Review the Sign-in logs in Entra to see if Conditional Access denied the request.
  • If targeting a specific user, confirm RBAC on Administrative Units does not block your account.

Frequently asked questions

How do I fix "Microsoft Graph 403 Forbidden"?

  1. Check the scopes on the current session.
  2. Reconnect with a more privileged scope appropriate to the operation (least-privilege first).
  3. For app-only auth, confirm the application permission was granted with admin consent in the Entra portal.
  4. Check whether the operation requires an Entra directory role assignment (e.g. User Administrator) in addition to the Graph scope.

Always test changes in a non-production environment first.
