
I get Insufficient privileges when trying to update accountEnabled on an admin user with an OAuth app token which has been authorized by a global admin.

App permission: User.ReadWrite.All

REQUEST

PATCH  /v1.0/users/{{ ADMIN USER ID }}  HTTP/1.1
HOST   : graph.microsoft.com
HEADERS:
    Accept: application/json
    Authorization: Bearer {{ OAUTH APP TOKEN }}
    Content-Type: application/json
BODY   :
{
   "accountEnabled": false
}

RESPONSE

STATUS       : 403 Forbidden
BODY         :
{
   "error": {
      "code": "Authorization_RequestDenied",
      "message": "Insufficient privileges to complete the operation.",
      "innerError": {
         "request-id": "9c6f279f-f781-4da5-948d-aa3d97ef5103",
         "date": "2020-02-16T00:58:37"
      }
   }
}

I'm guessing that the note in the user update doc applies to more fields than specified.

Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader, and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.

But if that's the case, is there another way to get permission to lock an admin account with an OAuth application?

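Added example (not part of the question, and not Microsoft's code): a small Python client that sends the same PATCH as above and, when Graph answers Authorization_RequestDenied, does the two checks a practitioner would make next: list the directory roles the target user holds (the usual reason the 403 appears even though the app has User.ReadWrite.All), and build the unifiedRoleAssignment body that would put the app's own service principal into a directory role allowed to manage such users. In my experience the role needed to disable users who themselves hold admin roles is Privileged Authentication Administrator (Global Administrator also works); confirm the exact requirement against the current Update user reference before relying on it. The HTTP transport is injectable so the whole flow runs offline here: the 403 body is the one from the question, while the user, service principal and role definition GUIDs and the GET responses are constructed placeholders.

```python
"""App-only disable of an Entra ID (Azure AD) user via Microsoft Graph, with a follow-up
that explains an Authorization_RequestDenied on an admin target. Stdlib only; the HTTP
transport is a parameter so the flow can be exercised offline with constructed replies."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def urllib_transport(method, url, headers, body):
    """Real transport: returns (status, parsed JSON or None); 4xx/5xx are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as e:
        raw = e.read()
        return e.code, (json.loads(raw) if raw else None)

def graph_call(transport, token, method, path, body=None):
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if body is not None:
        headers["Content-Type"] = "application/json"
    return transport(method, GRAPH + path, headers, body)

def disable_user(transport, token, user_id):
    """PATCH /users/{id} {accountEnabled: false}; 204 means done, else surface Graph's error code."""
    status, payload = graph_call(transport, token, "PATCH", f"/users/{user_id}", {"accountEnabled": False})
    if status == 204:
        return {"ok": True, "status": status, "code": None}
    err = (payload or {}).get("error", {})
    return {"ok": False, "status": status, "code": err.get("code"), "message": err.get("message")}

def target_directory_roles(transport, token, user_id):
    """Directory roles the target holds; a non-empty list is why User.ReadWrite.All alone is refused."""
    status, payload = graph_call(transport, token, "GET", f"/users/{user_id}/memberOf/microsoft.graph.directoryRole")
    return [r.get("displayName") for r in payload.get("value", [])] if status == 200 else []

def role_definition_path(display_name):
    # OData filter must be URL-encoded; http.client rejects raw spaces in the request line.
    return "/roleManagement/directory/roleDefinitions?$filter=" + urllib.parse.quote(f"displayName eq '{display_name}'", safe="'")

def find_role_definition_id(transport, token, display_name):
    """Resolve a built-in role by display name instead of hardcoding its template GUID."""
    status, payload = graph_call(transport, token, "GET", role_definition_path(display_name))
    if status != 200 or not payload.get("value"):
        return None
    return payload["value"][0]["id"]

def build_role_assignment(service_principal_id, role_definition_id, scope="/"):
    """Body for POST /roleManagement/directory/roleAssignments. principalId is the app's service
    principal OBJECT id, not its client id; a Global Admin normally posts this once, not the app."""
    return {"@odata.type": "#microsoft.graph.unifiedRoleAssignment",
            "principalId": service_principal_id,
            "roleDefinitionId": role_definition_id,
            "directoryScopeId": scope}

# Constructed offline data. Only the 403 body is taken from the question; GUIDs are placeholders.
SAMPLE_USER = "00000000-0000-0000-0000-000000000001"      # placeholder: admin user's object id
SAMPLE_SP = "00000000-0000-0000-0000-0000000000aa"        # placeholder: app's service principal id
SAMPLE_ROLE_DEF = "00000000-0000-0000-0000-0000000000ff"  # placeholder: roleDefinition id
FAKE_RESPONSES = {
    ("PATCH", f"/users/{SAMPLE_USER}"): (403, {"error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {"request-id": "9c6f279f-f781-4da5-948d-aa3d97ef5103", "date": "2020-02-16T00:58:37"}}}),
    ("GET", f"/users/{SAMPLE_USER}/memberOf/microsoft.graph.directoryRole"):
        (200, {"value": [{"displayName": "Global Administrator"}]}),
    ("GET", role_definition_path("Privileged Authentication Administrator")):
        (200, {"value": [{"id": SAMPLE_ROLE_DEF, "displayName": "Privileged Authentication Administrator"}]}),
}

def make_fake_transport(responses):
    """Offline transport keyed on (method, path); replies 401 (constructed) without a bearer token."""
    def transport(method, url, headers, body):
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"error": {"code": "InvalidAuthenticationToken"}}
        return responses[(method, url[len(GRAPH):])]
    return transport

def demo(transport=None, token="<app token>", user_id=SAMPLE_USER, sp_id=SAMPLE_SP):
    """Attempt the disable; on the admin-target 403, report the target's roles and the assignment needed."""
    transport = transport or make_fake_transport(FAKE_RESPONSES)
    result = disable_user(transport, token, user_id)
    if result["ok"] or result["code"] != "Authorization_RequestDenied":
        return result
    result["target_roles"] = target_directory_roles(transport, token, user_id)
    role_def = find_role_definition_id(transport, token, "Privileged Authentication Administrator")
    result["needed_assignment"] = build_role_assignment(sp_id, role_def) if role_def else None
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it against a tenant, pass `urllib_transport` and a real app-only token to `demo()`. Two caveats worth keeping in mind: the role assignment itself needs RoleManagement.ReadWrite.Directory (or a Global Admin doing it in the portal or via Graph), so don't grant that permission to the app just to let it self-assign; and once the service principal holds Privileged Authentication Administrator or Global Administrator, its client secret or certificate is an admin-takeover path and should be protected (certificate credentials, short rotation, restricted who can add credentials to the app) exactly as you would protect an admin account.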