
I am using a client application (client credentials grant) with the defined permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in the Bearer token) to change accountEnabled to false for a user, like here:

{
    "accountEnabled": false,
    "city": "C234",
    "country": "AFG",
    "displayName": "Steve Rogers",
    "givenName": "Steve",
    "jobTitle": "Azure",
    "mailNickname": "steve",
    "postalCode": "Z345",
    "streetAddress": "S123",
    "surname": "Rogers",
    "userPrincipalName": "steve@***.onmicrosoft.com",
    "id": "aec...278",
    "mobilePhone": null
}

But all requests end with 403:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "e7a...e42",
      "date": "2019-04-10T08:21:12"
    }
  }
}

The documentation doesn't contain any restrictions or requirements for additional permissions. Is it a bug in the Graph API?

Sebastian Busek

3 Answers

Thank you guys, I was able to find the root cause - you can't disable a user in an Admin role. I was unlucky and selected several users and all of them were in an Admin role. https://learn.microsoft.com/en-us/graph/permissions-reference#remarks-2

Sebastian Busek

On my side, it works. The following is my process:

  1. Use the client credential to get a bearer token.

     To parse the bearer token:

  2. Use this bearer token to call the MS Graph API.

  3. Check the disabled user in the Azure portal.

SunnySun
  • @Sebastian Busek. The user that I used is a normal user without any directory role, so your problem may be caused by the user role, the same as joy said. I think that's because your bearer token is just an app-only token; it has no privilege to change a user account with a directory role. – SunnySun Apr 10 '19 at 10:38

No, it's mandatory to grant permission for accessing this API on the Azure portal.

Make sure you have set the required permission access on the portal for your calling API. Also, the user must not have any directory role in the portal.

  1. If you are an admin in your AAD, you could grant permission for users in the organization by clicking the Grant permission button.

  2. Then you could use your code (client credential flow to get the token) and query user information. If you check the claims in the access token issued by Azure AD, you could find the Directory.Read.All permission in the roles claim.

In the given reference the same thread is answered there; you could refer here.

Note: For a Client Credentials code example you could check here.

If you still have any query feel free to ask in a comment. Thank you.

Md Farid Uddin Kiron
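The steps in the two answers above (client-credentials token, inspect the roles claim, PATCH the user) and the 403 from the question, worked through as an added example that is not code from the question or from any answer. It decodes the token's roles claim to confirm User.ReadWrite.All is present, sends the PATCH, and on Authorization_RequestDenied queries the user's memberOf to report whether a directory role is the cause, which is what the accepted answer found. The tenant/client values, the two user ids and the fake_graph transport are constructed placeholders so the module runs offline; a real run would pass a transport built on requests or urllib.

```python
"""Client-credentials helper for the Graph PATCH /users/{id} call discussed above.
Added example, not code from the question or any answer. Tenant/client values,
the user ids and the fake Graph transport are constructed placeholders."""
import base64
import json
from typing import Callable, Dict, Optional, Set, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# Application permission the PATCH needs; checked against the token's roles claim.
REQUIRED_ROLES = {"User.ReadWrite.All"}

# (method, url, headers, json_body) -> (status, json_response)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, Dict[str, str]]:
    """URL and form body for the v2.0 client-credentials grant (step 1 of the answer)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, body


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload to inspect claims; this does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token: str) -> Set[str]:
    """App permissions the PATCH needs that are absent from the roles claim."""
    return REQUIRED_ROLES - set(jwt_claims(token).get("roles", []))


def disable_user(token: str, user_id: str, transport: Transport) -> dict:
    """PATCH accountEnabled=false and, on 403, say whether a directory role explains it."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, body = transport("PATCH", f"{GRAPH}/users/{user_id}", headers, {"accountEnabled": False})
    if status == 204:
        return {"ok": True, "reason": None}
    code = body.get("error", {}).get("code")
    if status == 403 and code == "Authorization_RequestDenied":
        lacking = missing_roles(token)
        if lacking:
            return {"ok": False, "reason": f"token lacks app role(s) {sorted(lacking)}"}
        # Token carries the permission, so check whether the target holds a directory role.
        st, member_of = transport("GET", f"{GRAPH}/users/{user_id}/memberOf", headers, None)
        roles = [m.get("displayName") for m in member_of.get("value", [])
                 if m.get("@odata.type") == "#microsoft.graph.directoryRole"]
        if st == 200 and roles:
            return {"ok": False, "reason": f"user holds directory role(s) {roles}; "
                                           "an app-only token cannot disable such a user"}
    return {"ok": False, "reason": f"HTTP {status} {code}"}


# --- constructed sample data so the module runs offline ---------------------
def make_unsigned_token(roles) -> str:
    """Build an unsigned JWT-shaped string carrying a roles claim (constructed, demo only)."""
    def b64(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'roles': list(roles)})}."


SAMPLE_TOKEN = make_unsigned_token(["Application.ReadWrite.All", "User.ReadWrite.All"])
ADMIN_USER = "00000000-0000-0000-0000-00000000000a"   # constructed id: user in an admin role
NORMAL_USER = "00000000-0000-0000-0000-00000000000b"  # constructed id: user without roles


def fake_graph(method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
    """Stand-in for Graph that mimics the 403 from the question for the admin-role user."""
    if method == "PATCH" and url.endswith(f"/users/{NORMAL_USER}"):
        return 204, {}
    if method == "PATCH":
        return 403, {"error": {"code": "Authorization_RequestDenied",
                               "message": "Insufficient privileges to complete the operation."}}
    if method == "GET" and url.endswith(f"/users/{ADMIN_USER}/memberOf"):
        return 200, {"value": [{"@odata.type": "#microsoft.graph.directoryRole",
                                "displayName": "Global Administrator"}]}
    return 200, {"value": []}


if __name__ == "__main__":
    print("missing app roles:", missing_roles(SAMPLE_TOKEN) or "none")
    for uid in (NORMAL_USER, ADMIN_USER):
        print(uid, disable_user(SAMPLE_TOKEN, uid, fake_graph))
```

The memberOf check is the diagnostic worth keeping: an app-only token that already carries User.ReadWrite.All and still gets Authorization_RequestDenied on a PATCH is the signature of the admin-role case from the accepted answer, and listing the target's directory roles tells an operator that straight away instead of leaving them to re-read the permissions reference.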