Google Directory API Connector - Permission Issue with User Signout

[derekbolichowski]

Having some trouble with the Google Directory API Connector here - https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/GoogleDirectory/Playbooks/GoogleDirectoryAPIConnector

I'm able to use the 'Updated User' function in a Logic App to reset passwords and such - this works fine following the documentation from the Connector page linked above.

I deployed the "Google-SignOutUser" Playbook but am getting a 403 Forbidden. Permissions appear to be granted per the documentation - not sure what else might be causing this.

To Reproduce
Steps to reproduce the behavior:

1. Deploy Google Directory API Connector per the setup docs.
2. Deploy the Google-SignOutUser playbook, trigger it.
3. Look at error log in Logic App with 403 Forbidden error.

{ "statusCode": 403, "headers": { "Vary": "Origin,X-Origin,Referer", "X-XSS-Protection": "0", "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff", "Alt-Svc": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000", "WWW-Authenticate": "Bearer realm=\"https://accounts.google.com/\", error=\"insufficient_scope\", scope=\"https://www.googleapis.com/auth/admin.directory.user.security https://www.googleapis.com/auth/apps.security\"", "Date": "Mon, 02 Mar 2026 18:09:19 GMT", "Content-Length": "658", "Content-Type": "application/json; charset=UTF-8" }, "body": { "error": { "code": 403, "message": "Request had insufficient authentication scopes.", "errors": [ { "message": "Insufficient Permission", "domain": "global", "reason": "insufficientPermissions" } ], "status": "PERMISSION_DENIED", "details": [ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT", "domain": "googleapis.com", "metadata": { "method": "ccc.hosted.frontend.directory.v1.DirectoryUsersSessions.ResetUserSessions", "service": "admin.googleapis.com" } } ] } } }

https://www.googleapis.com/auth/admin.directory.user is enabled on the Google Consent page, and it works for updating other user-related data.

[v-utpalkumar]

Hello @derekbolichowski, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!

[v-utpalkumar]

Hello @derekbolichowski, the request to the Google Admin SDK API (admin.googleapis.com) failed with HTTP 403 – PERMISSION_DENIED because the Access Token does not contain the required permissions/authorization scopes.

From the error response:

• Reason: ACCESS_TOKEN_SCOPE_INSUFFICIENT
• API Method: ccc.hosted.frontend.directory.v1.DirectoryUsersSessions.ResetUserSessions
• Service: admin.googleapis.com

Required Scopes:

• https://www.googleapis.com/auth/admin.directory.user.security
• https://www.googleapis.com/auth/apps.security

The WWW-Authenticate header explicitly indicates that the current token lacks these scopes.

• Error: insufficient_scope

To fix this, regenerate the Access Token with the required scopes and ensure the Google Workspace admin account or service account has the necessary permissions and domain-wide delegation configured. Kindly generate a new token with the specified scopes and verify whether the issue is resolved. I will await your feedback. Thank you for your cooperation!

[derekbolichowski]

I have seen the same error - I have those exact scopes applied yet the issue persists. How do I generate a new token as you mentioned? [signatureImage] Derek Bolichowski Officer - Cloud Infrastructure & Networks St. Clair Catholic District School Board 519-627-6762 Ext. 10316 ***@***.******@***.***> www.st-clair.net<http://www.st-clair.net/>

…

________________________________ From: v-utpalkumar ***@***.***> Sent: Thursday, March 5, 2026 6:37:59 AM To: Azure/Azure-Sentinel ***@***.***> Cc: Bolichowski, Derek ***@***.***>; Mention ***@***.***> Subject: [EXTERNAL] Re: [Azure/Azure-Sentinel] Google Directory API Connector - Permission Issue with User Signout (Issue #13727) ⚠ EXTERNAL EMAIL — This message originated outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. [https://avatars.githubusercontent.com/u/193235945?s=20&v=4]v-utpalkumar left a comment (Azure/Azure-Sentinel#13727)<#13727 (comment)> Hello @derekbolichowski<https://github.com/derekbolichowski>, the request to the Google Admin SDK API (admin.googleapis.com) failed with HTTP 403 – PERMISSION_DENIED because the Access Token does not contain the required permissions/authorization scopes. From the error response: * Reason: ACCESS_TOKEN_SCOPE_INSUFFICIENT * API Method: ccc.hosted.frontend.directory.v1.DirectoryUsersSessions.ResetUserSessions * Service: admin.googleapis.com Required Scopes: * https://www.googleapis.com/auth/admin.directory.user.security * https://www.googleapis.com/auth/apps.security The WWW-Authenticate header explicitly indicates that the current token lacks these scopes. * Error: insufficient_scope To fix this, regenerate the Access Token with the required scopes and ensure the Google Workspace admin account or service account has the necessary permissions and domain-wide delegation configured. Kindly generate a new token with the specified scopes and verify whether the issue is resolved. I will await your feedback. Thank you for your cooperation! — Reply to this email directly, view it on GitHub<#13727 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BU7SCARNTHZB4U4XUXFNXED4PFRJPAVCNFSM6AAAAACWEQWHAWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DAMBUGQZTCMJUGM>. You are receiving this because you were mentioned.Message ID: ***@***.***>

________________________________ Confidentiality Warning: This message and any attachments are only for the use of the intended recipient(s) and may contain confidential or personal information that may be protected under law. If you are not the intended recipient or an authorized representative of the intended recipient, any dissemination of this communication is strictly prohibited. You should notify the sender immediately that you have received the message in error and then permanently delete the message and any attachments from your system.

[v-utpalkumar]

Hello @derekbolichowski, there is a possibility that the required scopes were not configured when the access token was generated. Therefore, we request you to regenerate a new token with the specified scopes. I am emphasizing on this based on the error response we observed. We have also shared the documentation to assist you with the process. Thank you!

Documentation link: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleDirectory/Playbooks/readme.md

[derekbolichowski]

Hi there, I’ve followed that doc and have the issue described. The proper scopes are assigned. Were you able to successfully run the Google-SignOutUser playbook? [Icon Description automatically generated] Derek Bolichowski Officer – Cloud Infrastructure & Networks St. Clair Catholic District School Board 519-627-6762 Ext. 10316 ***@***.******@***.***> www.st-clair.net<http://www.st-clair.net/> From: v-utpalkumar ***@***.***> Sent: Thursday, March 5, 2026 8:50 AM To: Azure/Azure-Sentinel ***@***.***> Cc: Bolichowski, Derek ***@***.***>; Mention ***@***.***> Subject: [EXTERNAL] Re: [Azure/Azure-Sentinel] Google Directory API Connector - Permission Issue with User Signout (Issue #13727) ⚠ EXTERNAL EMAIL — This message originated outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. [https://avatars.githubusercontent.com/u/193235945?s=20&v=4]v-utpalkumar left a comment (Azure/Azure-Sentinel#13727)<#13727 (comment)> Hello @derekbolichowski<https://github.com/derekbolichowski>, there is a possibility that the required scopes were not configured when the access token was generated. Therefore, we request you to regenerate a new token with the specified scopes. I am emphasizing on this based on the error response we observed. We have also shared the documentation to assist you with the process. Thank you! Documentation link: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleDirectory/Playbooks/readme.md — Reply to this email directly, view it on GitHub<#13727 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BU7SCAVD3ADTFBWSCPHTNQD4PGAYZAVCNFSM6AAAAACWEQWHAWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DAMBVGE4TEMJZGA>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

…

________________________________ Confidentiality Warning: This message and any attachments are only for the use of the intended recipient(s) and may contain confidential or personal information that may be protected under law. If you are not the intended recipient or an authorized representative of the intended recipient, any dissemination of this communication is strictly prohibited. You should notify the sender immediately that you have received the message in error and then permanently delete the message and any attachments from your system.