You may see the error "Authorization_RequestDenied" below
'message': 'Insufficient privileges to complete the operation.',
when using Microsoft Graph to manage users. The error most likely happens because the caller does not have sufficient privileges. In summary, the call requires both of the following:
1) The user or application needs to be in an administrative role.
2) The access token presented to Microsoft Graph needs to carry the proper permission.
In this blog post, I will demonstrate a couple of things using Postman, for both Delegated and Application permissions:
- How to enable or disable a user.
- How to create or delete users.
Requirement: You must have a client application registered in Azure Active Directory with the proper permissions configured (Delegated and/or Application), which I discuss below. To understand the difference between Delegated and Application permissions, refer to difference between application permission and delegated permission | Azure Active Directory Developer Support Team (aaddevsup.xyz).
The authenticating principal (the signed-in user for delegated permissions, or the application itself for application permissions) that logs in to Azure AD and gets an access token needs to be in one of the following Azure AD admin roles: User Administrator or Global Administrator. Below is my sample screenshot checking the roles assigned to my user.
For the Azure AD built-in administrative roles, refer to the link below.
Below is my sample app registration. In the Overview blade, take note of the Application (client) ID and Directory (tenant) ID fields, and of the token and authorize endpoints (under Endpoints), as you will need to configure those in Postman.
To enable or disable a user account, send a PATCH request to the user endpoint with a JSON body (Content-Type: application/json):
PATCH https://graph.microsoft.com/v1.0/users/<UPN or Object ID>
{ "accountEnabled": true }   (use false to disable the account)
A successful PATCH returns 204 No Content.
The required Microsoft Graph permission is listed in the link below.
For my sample app, I use the User.ReadWrite.All permission.
Note: You need to grant admin consent to these permissions before requesting an access token. A token issued before consent was granted will not carry the permission, so request a fresh token after consenting rather than retrying the call with the old one.
Using Postman to configure the access token and make the call to the user endpoint using:
1) Delegated permissions.
Note: For a delegated-permission token, the permission shows up in the scp claim (decoded using https://jwt.ms).
2) Application permissions.
Note: For an application-permission token (client credentials flow, requested with the scope https://graph.microsoft.com/.default), the permission shows up in the roles claim (decoded using https://jwt.ms).
For creating and deleting users, refer to the MS Graph documentation below for the required MS Graph permissions (make sure the permissions are admin consented before getting a token). The process for getting access tokens is the same as above.
1) Create a user using Delegated/Application permissions.
2) Delete a user using Delegated/Application permissions.
For permissions, add the least privileged delegated permission Directory.AccessAsUser.All. The application permission would be User.ReadWrite.All.
Using Postman to delete the user I created previously, first with delegated and then with application permissions.
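The same calls outside Postman, as an added example that is not code from the original post or from Microsoft: a small stdlib-only Python helper that decodes a token's scp/roles claim the way jwt.ms does (delegated vs. application), refuses to send a request whose token lacks User.ReadWrite.All so the problem is caught locally instead of as a 403 Authorization_RequestDenied, builds the enable/disable, create and delete requests shown above, requests a client-credentials token with the Graph .default scope, and raises Graph's error.code as an exception. The injectable transport, GraphError, and make_demo_token (which builds constructed, unsigned tokens purely so the claim checks can run offline) are assumptions of this example.

```python
# Added example (not from the post). Assumptions: stdlib Python 3; `transport` is injectable
# so the code runs offline against a fake HTTP layer; make_demo_token is a constructed helper.
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

def decode_jwt_claims(token):
    """JWT payload WITHOUT signature verification (what jwt.ms shows). Diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def graph_permissions(claims):
    """Delegated tokens: space-separated 'scp' claim; application tokens: 'roles' array."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    return "application", set(claims.get("roles", []))

def has_permission(token, acceptable):
    """True if the token carries at least one of `acceptable` (e.g. User.ReadWrite.All)."""
    _, granted = graph_permissions(decode_jwt_claims(token))
    return not granted.isdisjoint(acceptable)

# Request builders return (method, url, json_body); `user` is a UPN or object ID.
def set_account_enabled(user, enabled):
    """PATCH /users/{id}; success is 204 No Content."""
    return "PATCH", f"{GRAPH}/users/{user}", {"accountEnabled": bool(enabled)}

def create_user(display_name, mail_nickname, upn, password):
    """POST /users with the properties Graph requires; passwordProfile is mandatory."""
    body = {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "userPrincipalName": upn,
        "passwordProfile": {"forceChangePasswordNextSignIn": True, "password": password},
    }
    return "POST", f"{GRAPH}/users", body

def delete_user(user):
    """DELETE /users/{id}; success is 204 No Content."""
    return "DELETE", f"{GRAPH}/users/{user}", None

class GraphError(Exception):
    """Carries Graph's error.code (e.g. Authorization_RequestDenied) and message."""
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message = status, code, message

def urllib_transport(method, url, headers, data):
    """Real HTTP layer: returns (status, body_bytes); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def client_credentials_token(tenant, client_id, client_secret, transport=urllib_transport):
    """Application-permission token; scope must be Graph's .default for the roles claim."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default",
    }).encode()
    status, raw = transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {raw.decode(errors='replace')}")
    return json.loads(raw)["access_token"]

def call_graph(token, request, transport=urllib_transport, required=("User.ReadWrite.All",)):
    """Send a built request. A token lacking every permission in `required` is rejected locally
    (Graph would only answer 403 Authorization_RequestDenied); any 4xx/5xx raises GraphError."""
    if required and not has_permission(token, set(required)):
        raise GraphError(0, "MissingPermission", f"token carries none of {sorted(required)}")
    method, url, body = request
    headers = {"Authorization": f"Bearer {token}"}
    data = json.dumps(body).encode() if body is not None else None
    if data is not None:
        headers["Content-Type"] = "application/json"
    status, raw = transport(method, url, headers, data)
    if status >= 400:
        err = (json.loads(raw) if raw else {}).get("error", {})
        raise GraphError(status, err.get("code", ""), err.get("message", ""))
    return status, (json.loads(raw) if raw else None)

def make_demo_token(claims):
    """Constructed UNSIGNED token (alg none) for offline checks only; real AAD tokens are RS256-signed."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

The local claim check only covers the second half of the requirement (the permission in the token). The first half, the caller's admin role, is not visible in the token and still surfaces only as a 403 Authorization_RequestDenied from Graph, which is why call_graph keeps Graph's error.code on the exception. To run it for real, pass a token from Postman (or from client_credentials_token) and leave transport at its default.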