0
votes

I am writing a backend application to update users in Azure AD by calling Microsoft Graph. The application has been granted the permissions Directory.ReadWrite.All and User.ReadWrite.All.

When I send a PATCH request to update the businessPhones of a specific user, the success response code 204 is returned if the businessPhones parameter is an empty collection, i.e. {"businessPhones":[]}.

In case the parameter is not empty, e.g. {"businessPhones":["+86 (321) 456789"]}, response code 403 is returned with the message "Insufficient privileges to complete the operation".

I have tried to patch another user, and there are no problems with either an empty or a non-empty businessPhones parameter.

I have found this SO question, but Directory.AccessAsUser.All is a delegated permission, which is not applicable to my application.

Any help would be appreciated.

1
Please check whether the value of businessPhones is the same as the current businessPhones of the specific user you want to update? – Nan Yu

Before I send the PATCH request, the businessPhones of the user is blank. I sent a non-empty businessPhones and 403 is returned. – Johnny Yuen

I find that if I patch the businessPhones of a user who is a global or limited administrator, 403 and "Insufficient privileges to complete the operation" are returned. But I can still patch other properties such as userPrincipalName successfully. If I patch the businessPhones of a general user, there are no problems. – Johnny Yuen

As of 24th Aug 2017, the situation is resolved after I reported it to and followed up with Microsoft support. The application permission Directory.ReadWrite.All can now update the businessPhones of an admin. – Johnny Yuen
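The request the question describes, as an added example that is not part of the original post and not Microsoft's code: an app-only (client credentials) token is obtained, a PATCH to /users/{id} sets businessPhones, and the outcome is classified so that a 204 and a 403 "Insufficient privileges" can be told apart and logged rather than treated as a generic failure. The tenant id, client id, client secret and user id are placeholders; the 403 body below is constructed in the shape of a Graph error response for the offline check.

```python
"""Update a user's businessPhones via Microsoft Graph with application permissions.

Added example (not from the question or from Microsoft). Assumes the app has
been granted User.ReadWrite.All or Directory.ReadWrite.All as an application
permission; all ids and secrets are placeholders.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def get_app_token(tenant_id, client_id, client_secret):
    """Client-credentials flow: no signed-in user, so effective permissions are
    exactly the application permissions granted to the app."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(url, data=form) as resp:
        return json.load(resp)["access_token"]


def build_patch(user_id, phones, token):
    """Build the PATCH /users/{id} request carrying only businessPhones.
    An empty list clears the collection, as in the question."""
    body = json.dumps({"businessPhones": list(phones)}).encode()
    return urllib.request.Request(
        f"{GRAPH}/users/{urllib.parse.quote(user_id)}",
        data=body,
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def classify(status, body_text):
    """Map an HTTP status plus body to (outcome, detail).
    204 -> ("ok", None); 403 -> ("forbidden", Graph error message);
    anything else -> ("error", raw body)."""
    if status == 204:
        return ("ok", None)
    message = body_text
    try:
        err = json.loads(body_text).get("error", {})
        message = err.get("message", body_text)
    except (ValueError, AttributeError):
        pass  # non-JSON body: keep the raw text for the log
    if status == 403:
        return ("forbidden", message)
    return ("error", message)


def update_business_phones(user_id, phones, token):
    """Send the PATCH and return classify()'s verdict instead of raising,
    so a caller can log 'forbidden' separately (e.g. the admin-target case
    the question reports) from transport or validation errors."""
    req = build_patch(user_id, phones, token)
    try:
        with urllib.request.urlopen(req) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read().decode())


# Constructed sample of a Graph 403 body, used for the offline check below.
SAMPLE_403 = json.dumps({
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation",
    }
})

if __name__ == "__main__":
    # Placeholders: replace with real tenant/app values to run against Graph.
    token = get_app_token("<tenant-id>", "<client-id>", "<client-secret>")
    print(update_business_phones("<user-id>", ["+86 (321) 456789"], token))
```

The classification is deliberately separate from the HTTP call so the 403 path can be unit-tested without a tenant; in a real deployment the "forbidden" outcome should be logged with the target user id, since per the question it depended on whether the target held a directory role.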

1 Answer

0
votes

Thanks for reporting this Johnny. We'll go and investigate this. In general, with delegated permissions, the authorization is based on an intersection of the permissions that the app has been granted and the permissions (based on user role) that the signed-in user has. This is described here: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#delegated-permissions-application-permissions-and-effective-permissions.

What is the role of the user that is signed in? If they are a global admin, they should be able to change any other user's info. If they are a limited admin (like User Account Admin), they can only change user profile info of regular users (otherwise this would be an elevation of privilege). Regular users are allowed to change only their own photo and mobilePhone number.

UPDATED BASED ON COMMENT: If the app is using application permissions, then most properties should be updateable by the app. However, the behavior you are seeing is weird. We'll need to investigate, and I'll come back to the thread. This could be a bug.

UPDATE 8/26: This was indeed a bug. The fix has now been deployed.

Hope this helps,