2
votes

I'm trying to update a user profile via the Microsoft Graph API from a server-side (Java) application without user consent. I have an app in MS Azure which has the following "Permissions to other applications": "Microsoft Graph - Read and write all users' full profiles" as an "Application Permission", and an administrator has consented to these settings.

So I can fetch any user profile from our tenant. Also, with the "Read and write calendars in all mailboxes" permission I can list and patch users' calendar entries. Using the same code snippets to update user profiles, however, does not work.

Here is a REST representation of the workflow,

obtain access token:

POST https://login.microsoftonline.com/<my-tenant>/oauth2/token 
Content-Type: application/x-www-form-urlencoded

{
grant_type=client_credentials
&resource=https%3A%2F%2Fgraph.microsoft.com
&client_secret=<my-client-secret>
&client_id=<my-client-id>
}

so far so good, patch user profile:

PATCH https://graph.microsoft.com/v1.0/<my-tenant>/users/<target-user>
Authorization: Bearer <access_token from prev response>
Accept: application/json
Content-Type: application/json

{"aboutMe": "happy"}

And the response is:

response code: 500
{
  "error": {
    "code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
    "message": "Attempted to perform an unauthorized operation.",
    "innerError": {
      "request-id": "<request-id>",
      "date": "2016-09-27T11:07:18"
    }
  }
}

According to the http://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/user_update documentation I should have set the "User.ReadWrite; User.ReadWrite.All; Directory.ReadWrite.All" scopes; unfortunately there is no such thing on the manage.windowsazure.com app settings page, but I believe "Read and write all users' full profiles" should do the trick. The sample requests above have some data replaced with <> tags; they are obviously filled in correctly during the normal workflow. It works perfectly for patching a calendar event (which is almost exactly the same except for a minor change in the URL) but fails when patching the user object.
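As an added example (not code from the original question, and not a Microsoft sample): the Python below builds the two requests shown above, decodes the client-credentials token locally and checks, before the PATCH is sent, that its roles claim really carries User.ReadWrite.All (the portal's "Read and write all users' full profiles") or Directory.ReadWrite.All, the application permissions the user_update documentation lists, and then classifies the PATCH response so that the 500 with a DirectoryObjectUnauthorizedAccessException is told apart from a plain 401/403. Tenant, client ID, secret and both tokens are placeholders constructed for offline use; the PATCH path uses the documented /v1.0/users/{id} form rather than the tenant-in-path form in the question.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholders only; real values belong in the app registration / a secret store.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_SECRET = "placeholder-secret"
GRAPH_RESOURCE = "https://graph.microsoft.com"

# Application permissions the user_update docs list for PATCH /users/{id}.
# An app-only token must carry at least one of them in its "roles" claim.
REQUIRED_ANY = {"User.ReadWrite.All", "Directory.ReadWrite.All"}


def token_request(tenant, client_id, client_secret):
    """Azure AD v1 client-credentials request as in the question (no user consent).
    Returns (url, headers, form-encoded body)."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "resource": GRAPH_RESOURCE,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature. Acceptable here only
    because we inspect our own freshly issued token to see what it carries; Graph
    verifies the signature on every call. Never use this to trust inbound tokens."""
    _header, payload, _signature = access_token.split(".")
    return json.loads(_b64url_decode(payload))


def can_patch_users(claims):
    """True when the token was minted for Graph and is app-only with a sufficient role.
    Client-credentials tokens put application permissions in 'roles'; a token with
    only 'scp' is a delegated token and was not obtained with this flow."""
    return (claims.get("aud") == GRAPH_RESOURCE
            and bool(set(claims.get("roles", [])) & REQUIRED_ANY))


def patch_user_request(user, access_token, changes):
    """PATCH https://graph.microsoft.com/v1.0/users/{id|userPrincipalName}.
    Returns (url, headers, JSON body)."""
    headers = {"Authorization": f"Bearer {access_token}",
               "Accept": "application/json",
               "Content-Type": "application/json"}
    return f"{GRAPH_RESOURCE}/v1.0/users/{user}", headers, json.dumps(changes)


def classify_patch_response(status, body_text):
    """Short diagnosis of a PATCH result. A successful user update is 204 No Content.
    The question's failure is a 500 whose error.code names an
    UnauthorizedAccessException: the token was accepted but the operation refused."""
    if status == 204:
        return "updated"
    if status == 401:
        return "token rejected"
    if status == 403:
        return "insufficient privileges"
    try:
        code = json.loads(body_text)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        return f"unexpected HTTP {status}"
    if "UnauthorizedAccessException" in code:
        return "unauthorized operation (token accepted, operation refused)"
    return f"error {code}"


# --- constructed sample data for offline use (not real Azure AD tokens) ---
def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def fake_jwt(claims):
    """Unsigned look-alike token so the checks above can run without a tenant."""
    return ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT"}),
                     _b64url_encode(claims), "fakesig"])


CALENDAR_ONLY_TOKEN = fake_jwt({"aud": GRAPH_RESOURCE, "roles": ["Calendars.ReadWrite"]})
DIRECTORY_TOKEN = fake_jwt({"aud": GRAPH_RESOURCE, "roles": ["Directory.ReadWrite.All"]})

# The error body from the question, reproduced as constructed sample input.
QUESTION_ERROR_BODY = json.dumps({"error": {
    "code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
    "message": "Attempted to perform an unauthorized operation."}})


if __name__ == "__main__":
    for name, tok in (("calendar-only", CALENDAR_ONLY_TOKEN), ("directory", DIRECTORY_TOKEN)):
        print(name, "token may PATCH users:", can_patch_users(token_claims(tok)))
    print(classify_patch_response(500, QUESTION_ERROR_BODY))
```

Run the roles check once right after the token call: if it fails, the PATCH is pointless and the fix is in the app registration (grant and admin-consent the missing application permission, then fetch a new token, since roles are baked into the token at issue time).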


2 Answers

3
votes

Microsoft Graph currently has some limitations on operations on Users and Groups, depending on the permission type. On the Known issues page you can find this limitation: Cannot perform any CRUD operations on User other than updating user HD photo and extended profile properties, for both Delegated and Application permission types.

Selecting the Directory.ReadWrite.All permission ("Read and write directory data" in the new Azure portal), as indicated in the Alternative column of the table in the Microsoft Graph permissions section, should solve the problem.

2
votes

I could reproduce this issue too.

Based on the test, the issue is related to the specific field (aboutMe) we were updating. The patch user API works well for me when I update the jobTitle using Directory.ReadWrite.All.

If you want Microsoft Graph to support updating the aboutMe field, you can submit feedback here.