We’re running gateway management in aziotc with Azure AD integration for identity synchronization. The gateways need to authenticate users from our Azure AD tenant, but the identity sync process keeps failing.
We’ve configured the Azure AD application registration with proper API permissions (User.Read.All, Directory.Read.All), but when gateways attempt to sync identities, we get AAD sync errors:
Azure AD sync failed: 403 Forbidden
Insufficient privileges to complete operation
Identity sync cancelled
This prevents users from accessing gateway management functions. We need identity management to work so that Azure AD groups can control gateway access permissions. Has anyone successfully configured Azure AD sync for gateway authentication in aziotc? Are there additional permissions or consent requirements we’re missing?
I just checked with our Azure AD admin, and they confirmed admin consent was granted for both permissions last week. The consent status shows green checkmarks in the portal. Could there be a propagation delay, or is something else blocking the sync?
I’ve seen this exact scenario. Beyond admin consent, you need to verify that your Azure AD application is configured with the correct authentication flow for service-to-service calls. Gateway management typically uses client credentials flow, not delegated permissions. Make sure you’re requesting application permissions, not delegated permissions, and that your token acquisition code uses the client credentials grant type. The 403 suggests your tokens might be using delegated permissions which don’t have sufficient privileges for directory-wide identity sync operations.
That’s a good point about application vs delegated permissions. Looking at our configuration, we did add the permissions as application permissions in the portal. How can I verify that the gateway management service is actually requesting application permissions in its token requests? Is there a way to inspect the tokens being used?
Admin consent propagation is usually immediate. If consent is granted but you’re still getting 403 errors, check the service principal permissions in your tenant. Sometimes the app registration shows consent, but the service principal that actually makes the API calls doesn’t have the permissions properly assigned. Also verify that your gateway management service is using the correct client credentials and tenant ID when authenticating to Azure AD. A misconfigured client secret or certificate can cause authentication to succeed but authorization to fail.
The 403 error usually indicates admin consent hasn’t been granted for the application permissions. Directory.Read.All and User.Read.All are admin-restricted permissions that require tenant-wide admin consent. Even if the permissions are added to your app registration, they won’t work until a global administrator explicitly grants consent. Check your Azure AD app registration’s API permissions page; there should be a “Grant admin consent” button.
You can decode the access tokens your gateway management service obtains to see what permissions are included. Use jwt.ms or a similar JWT decoder. Look for the ‘roles’ claim in application permission tokens (vs ‘scp’ claim in delegated permission tokens). If you see ‘scp’ instead of ‘roles’, your authentication flow is wrong. Also check the ‘aud’ claim matches the Microsoft Graph API endpoint you’re calling for identity sync.
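As an added example (not from anyone in this thread), here is an offline version of the check described above: it decodes a token's payload without verifying the signature, classifies it as application (roles) or delegated (scp), and confirms the aud claim is Microsoft Graph. The sample tokens are constructed inline, the tenant ID is a placeholder, and the Graph app ID constant is the well-known Graph service principal ID.

```python
import base64
import json

# Microsoft Graph may appear in 'aud' as its URL or its well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
REQUIRED_ROLES = ("User.Read.All", "Directory.Read.All")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.
    This is for inspection only (same as pasting into jwt.ms), never for trusting a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def diagnose_graph_token(token: str) -> dict:
    """Classify the permission flow and list why Graph might answer 403 to this token."""
    claims = decode_claims(token)
    roles = claims.get("roles", [])          # application permissions (client credentials)
    scp = claims.get("scp", "")              # delegated permissions (user context)
    aud = claims.get("aud", "")
    flow = "application" if roles and not scp else ("delegated" if scp else "unknown")
    findings = []
    if flow != "application":
        findings.append("token carries 'scp' rather than 'roles': delegated flow, not client credentials")
    if aud not in GRAPH_AUDIENCES:
        findings.append(f"aud {aud!r} is not Microsoft Graph")
    for needed in REQUIRED_ROLES:
        if needed not in roles:
            findings.append(f"missing application role {needed}")
    return {"flow": flow, "aud": aud, "roles": roles, "scp": scp.split(), "findings": findings}

def _make_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample for offline demonstration; the signature segment is a placeholder.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"

# Constructed samples: a delegated token (the misconfiguration discussed above) and a correct one.
DELEGATED_SAMPLE = _make_sample_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read profile", "tid": "<tenant-id-placeholder>"})
APP_SAMPLE = _make_sample_token(
    {"aud": "https://graph.microsoft.com", "roles": list(REQUIRED_ROLES), "tid": "<tenant-id-placeholder>"})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_SAMPLE), ("application", APP_SAMPLE)):
        print(name, json.dumps(diagnose_graph_token(tok), indent=2))
```

Run it against a real token captured from the gateway service's logs (with verbose token logging enabled only while troubleshooting) to see which of the three conditions is producing the 403.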