Graph API assignLicense: Insufficient privileges to complete the operation

0
votes

I'm trying to use the Microsoft Graph API with App Authentication to assign an Office365 License to a newly created user. My App has the App permissions "Directory.Read.All" and "User.ReadWrite.All". I can create (POST /users) and delete (DELETE /users/$id) users successfully and I'm able to get the list of subscriptions (GET /subscribedSkus). But if I try to assign a license, I get an 403 response with:

https://graph.microsoft.com/v1.0/users/$upn/assignLicense

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "...",
      "date": "..."
    }
  }

However according to the Graph API documentation the app permission "User.ReadWrite.All" should be sufficent. My request body looks as follows:

{
  "addLicenses": [
    {
      "disabledPlans": [],
      "skuId": "..."
    }
  ],
  "removeLicenses": []
}

Any idea why "User.ReadWrite.All" permissons are not sufficent, despite that the Graph API doc says otherwise?

1
office365azure-active-directorymicrosoft-graph-api
It seems you have to assign an administrator role (e.g. Global Administrator or User Account Administrator) to the app object. I haven't tested this yet.phatoni
does it work with Directory.ReadWrite.All? Because that is the only permissions mentioned here developer.microsoft.com/en-us/graph/docs/concepts/… that allows you to manage licenses ... so perhaps there is a bug in either the assignLicense doc, or in the API itself ...andresm53
Good point, I will try Directory.ReadWrite.All. I wanted to only give the minimum set of permissions required and therefore used User.ReadWrite.All, but since I'm about to assign a Global Administrator role it doesn't matter.phatoni
I'll double check this. It's possible that Directory.ReadWrite.All is required because to assign a license, you actually need to be able to read the subscriptions that the company has, which would require at least the ability to read directory. It's possible that User.ReadWrite.All and Directory.Read.All may be sufficient. I'll loop back shortly.Dan Kershaw - MSFT

1 Answers

0
votes

I can now confirm that assignLicense works if the Directory.ReadWrite.All permission is granted to the App. User.ReadWrite.All permission is not sufficent to perform assignLicense.