0
votes

I'm trying to update the preferred language of a user using the /me endpoint or the /users/{currentUserID} endpoint but this always throws:

403 "Insufficient privileges to complete the operation."


I have checked the permissions according to the documentation page and added the permissions for User.ReadWrite, User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All. This does not seem to have any effect. Is the documentation incorrect or are there still permissions missing?

The request works fine if I execute it with an azure ad administrator user.


EDIT: 2019-04-18

I did some more testing:

  1. I have created a new demo tenant using https://demos.microsoft.com
  2. I logged in graph explorer with the tenant admin account and gave admin consent for User.ReadWrite (and other default permissions asked by graph explorer).
  3. I logged in with the Demo User.
  4. I set the preferredlanguage to "en-US" using patch on https://graph.microsoft.com/v1.0/me/. This was successful.
  5. I tried to change the language again to "de-DE". This did not work:

"message": "Insufficient privileges to complete the operation.", "innerError": { "request-id": "d1d30483-a3da-4775-af5b-4a3dd9823f11", "date": "2019-04-18T07:40:27" }

Therefore it seems to work when setting the language for the first time. But updating it afterwards is impossible.

2
When did you add those permissions? When you add the permissions, try to log out and log in again, close the browser and all that stuff... and try logging back in again. You can also check the JSON web token permissions by decoding the token (for example jsonwebtoken.io). - Mikel
I closed the browser and started in private mode afterwards. Did not help. - Mr Quant
The token looks fine: "scp": "... Directory.AccessAsUser.All Directory.ReadWrite.All Files.ReadWrite.All Group.ReadWrite.All IdentityRiskEvent.Read.All Mail.ReadWrite MailboxSettings.ReadWrite Notes.ReadWrite.All openid People.Read profile Reports.Read.All Sites.ReadWrite.All Tasks.ReadWrite User.ReadBasic.All User.ReadWrite User.ReadWrite.All email" - Mr Quant
Well, then I don't know :( at least at the moment... maybe it's a bug and it's another permission... - Mikel

2 Answers

0
votes

Neither a documentation issue nor a missing Graph permission. You need to check the permission in your Azure AD, not just in the Graph Explorer. My test is based on two accounts (one MS account and one trial account, which is [email protected]). The trial one works well while the MS account cannot.

Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Based on the test and the documentation, not all users can change all profile data; some data has limitations set by organization policy which cannot be overridden by the Graph scope settings.

For the working case, Directory.AccessAsUser.All is not essential.

0
votes

Just to close this issue: I did some testing with Microsoft Support. For some reason updating preferredLanguage is only possible when the app has Directory.AccessAsUser.All.

Quite a heavy permission for just updating the user language...
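The two checks this thread ends up recommending, decoding the token's scp claim (Mikel's comment) and confirming Directory.AccessAsUser.All is present before sending the PATCH to /me (the final answer), as an added Python example that is not part of the original question or answers. It uses only the standard library; the token, the opener that replays the 403 body from the question, and the request-id are constructed sample values. Holding the scope is necessary but not sufficient, as the first answer notes: tenant policy can still deny the update, which is why the 403 handler keeps the request-id for escalation.

```python
"""Added example: inspect a Microsoft Graph delegated token's scopes, then
PATCH /me preferredLanguage with a diagnostic 403 handler.  Not the
project's code; all tokens and responses are constructed samples."""
import base64
import io
import json
import urllib.error
import urllib.request

GRAPH_ME = "https://graph.microsoft.com/v1.0/me"
# Scope the final answer reports as required for updating preferredLanguage.
REQUIRED_SCOPE = "Directory.AccessAsUser.All"
# The scp claim quoted in the question's comments, reused as sample input.
SAMPLE_SCP = ("Directory.AccessAsUser.All Directory.ReadWrite.All "
              "MailboxSettings.ReadWrite openid profile User.ReadWrite "
              "User.ReadWrite.All email")


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore padding first."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_scopes(access_token):
    """Return the delegated scopes ('scp' claim) carried by a JWT.

    Only the payload is parsed; the signature is deliberately not verified,
    because the purpose is to see which permissions the token carries, not
    to trust it for authorization decisions.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("scp", "").split())


def missing_scopes(access_token, required=(REQUIRED_SCOPE,)):
    """Scopes from `required` that the token does not carry."""
    return set(required) - token_scopes(access_token)


def build_patch(access_token, language):
    """PATCH /me with a JSON body setting preferredLanguage."""
    body = json.dumps({"preferredLanguage": language}).encode()
    return urllib.request.Request(
        GRAPH_ME, data=body, method="PATCH",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"})


def explain_graph_error(status, body):
    """One-line diagnosis of a Graph error body, keeping the request-id
    (the value Microsoft Support asks for when a case is escalated)."""
    try:
        err = json.loads(body).get("error", {})
    except ValueError:
        return "HTTP %d: non-JSON error body" % status
    inner = err.get("innerError", {})
    return "HTTP %d: %s (request-id %s)" % (
        status, err.get("message", ""), inner.get("request-id", "n/a"))


def set_preferred_language(access_token, language,
                           opener=urllib.request.urlopen):
    """Pre-check scopes, then send the PATCH; returns (status, explanation).
    Status 0 means the call was not attempted because scopes were missing."""
    missing = missing_scopes(access_token)
    if missing:
        return 0, "token lacks scope(s): " + ", ".join(sorted(missing))
    try:
        with opener(build_patch(access_token, language)) as resp:
            return resp.status, "preferredLanguage updated"
    except urllib.error.HTTPError as e:
        return e.code, explain_graph_error(e.code, e.read())


def make_sample_token(scopes):
    """Constructed, unsigned sample JWT for offline demonstration only."""
    seg = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (seg({"alg": "none"}), seg({"scp": scopes}))


def simulated_403_opener(req):
    """Constructed stand-in for urlopen that replays the 403 body quoted
    in the question instead of touching the network."""
    body = json.dumps({"error": {
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {"request-id": "d1d30483-a3da-4775-af5b-4a3dd9823f11",
                       "date": "2019-04-18T07:40:27"}}}).encode()
    raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {},
                                 io.BytesIO(body))


if __name__ == "__main__":
    print(set_preferred_language(make_sample_token("User.ReadWrite"), "de-DE"))
    print(set_preferred_language(make_sample_token(SAMPLE_SCP), "de-DE",
                                 opener=simulated_403_opener))
```

Swap `simulated_403_opener` for the default `urllib.request.urlopen` and a real delegated token to run it against the tenant; a successful PATCH returns 204 with an empty body.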