Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Microsoft Graph API Insufficient privileges when trying to update 'mobilePhone'

Tags:

azure-active-directory

microsoft-graph-api

When trying to update (PATCH) a user's mobilePhone property using Application permissions, the response from Graph is "Insufficient privileges to complete the operation" (Authorization_RequestDenied).

Both the User.ReadWrite.All and Directory.ReadWrite.All permissions are granted. The access token is requested via the client_credentials grant (oauth2/v2.0/token endpoint) with specifying the .default scope and both permissions are present in the role claim in the access token.

Updating other properties works fine. The error is only when updating the mobilePhone property and only with application permissions (using the Graph Explorer with an admin user works).

This behavior suddenly started October 2. 2018. Before that, updating the mobile phone property also worked with application permissions (the same permissions).

As far as I can tell no new restrictions/required permissions have been added to the Graph documentation for user PATCH requests or the mobilePhone property. What could be the issue here?

NOTE: The requests are made using the Microsoft.Graph.GraphServiceClient (.NET Standard) but the same behaviour is also true when making the requests using Postman.

EDIT:

This is the response from the Graph API:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "request-id": "e956cb0b-af0a-4bb7-aae3-59d39d007a82",
            "date": "2018-10-11T08:27:19"
        }
    }
}
like image 997
RinaldsR Avatar asked Oct 03 '18 11:10

RinaldsR

1 Answers

Our team had the same issue, we opened a Support Request with Microsoft and resolved the issue.

The solution is to add the Helpdesk Administrator role to the Service Principal/Enterprise application.

Microsoft changed the security policy on updating PII and changed the security roles allowed to update.

Here is more from our support request answer:

The reason that this is occurring is because there was a recent change due to new PII sensitivity issues.

So now you will need to add the Helpdesk Administrator role to the Service Principal/Enterprise application now.

You can do this by following the article here : https://blogs.msdn.microsoft.com/aaddevsup/2018/08/29/how-to-add-an-azure-ad-role-to-a-enterprise-application-service-principal/

This is to modify values such as : mobile/othermails/telephonenumber attributes.

like image 84
inspektor99 Avatar answered Oct 11 '22 14:10

inspektor99
Sign in to Comment

Related questions

Azure AD admin consent required when it shouldn't
Active Directory Integration issue Nodejs
Azure AD automatically added offline_access
Azure AD Signing Keys for JWT
Integrating Microsoft(both personal and work Azure AD) OIDC to AWS Cognito
Azure Active Directory: Get user's UPN with OpenID Connect authentication
Azure AD Tenant Name
How to get ClaimsPrincipal from ADAL AuthenticationResult
Can Azure AD be used with SAML based Identity Providers?
How to get list of all roles assignments using RBAC API
Login failed when trying to perform git push to Azure Devops
ARM Template: Looking up a user object Id
Azure AD prevents adding HTTP reply URLs
Azure AD Custom Claims in JWT
How to validate azure active directory user credentials?
Authenticating a PHP Web App with Azure Active Directory and Azure Mobile Services
Azure AD B2C - Multiple sub domains
What are "delegated permissions" in the context of an Azure Active directory Application?
Azure AD B2C: Bad Request - Request Too Long HTTP Error 400. The size of the request headers is too long. After login
Azure Active Directory, App registrations, reply url with hash

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!