6
votes

When trying to update (PATCH) a user's mobilePhone property using Application permissions, the response from Graph is "Insufficient privileges to complete the operation" (Authorization_RequestDenied).

Both the User.ReadWrite.All and Directory.ReadWrite.All permissions are granted. The access token is requested via the client_credentials grant (oauth2/v2.0/token endpoint), specifying the .default scope, and both permissions are present in the role claim in the access token.

Updating other properties works fine. The error is only when updating the mobilePhone property and only with application permissions (using the Graph Explorer with an admin user works).

This behavior suddenly started on October 2, 2018. Before that, updating the mobile phone property also worked with application permissions (the same permissions).

As far as I can tell no new restrictions/required permissions have been added to the Graph documentation for user PATCH requests or the mobilePhone property. What could be the issue here?

NOTE: The requests are made using the Microsoft.Graph.GraphServiceClient (.NET Standard) but the same behaviour is also true when making the requests using Postman.

EDIT:

This is the response from the Graph API:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "request-id": "e956cb0b-af0a-4bb7-aae3-59d39d007a82",
            "date": "2018-10-11T08:27:19"
        }
    }
}
1
Frankly sounds like a bug on Graph API's end, upvoted for awareness, the product does follow the microsoft-graph tag so hopefully they take notice of this :) - juunas
Indeed. Can you please provide the client request id and timestamp that you should see in the 403 error response OR just provide the full error response. This will help us take a look at the logs and figure out what's going on. In theory, User.ReadWrite.All should provide enough permission to allow this change. - Dan Kershaw - MSFT
Thanks for the replies. @DanKershaw-MSFT I have edited the question - added the response - RinaldsR
@DanKershaw-MSFT We see the same problem. The same application can set the mobilePhone field in the initial Create New User (POST) operation, but it cannot change or set it in an Update User (PATCH). - Pontus Ullgren

1 Answer

5
votes

Our team had the same issue, we opened a Support Request with Microsoft and resolved the issue.

The solution is to add the Helpdesk Administrator role to the Service Principal/Enterprise application.

Microsoft changed the security policy on updating PII and changed the security roles allowed to update.

Here is more from our support request answer:

The reason that this is occurring is because there was a recent change due to new PII sensitivity issues.

So now you will need to add the Helpdesk Administrator role to the Service Principal/Enterprise application.

You can do this by following the article here: https://blogs.msdn.microsoft.com/aaddevsup/2018/08/29/how-to-add-an-azure-ad-role-to-a-enterprise-application-service-principal/

This is to modify values such as the mobile/othermails/telephonenumber attributes.
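As an added example (not code from the question or the answer), here is a small Python helper that reproduces the troubleshooting above offline: it decodes the roles claim of the app-only token to confirm User.ReadWrite.All is really present, checks whether the 403 is Authorization_RequestDenied, and flags PATCH properties that the support answer says are now gated behind the Helpdesk Administrator role, while pulling out the request-id and date Microsoft asked for. The token is a constructed, unsigned JWT, and mapping telephoneNumber to the Graph property businessPhones is my assumption.

```python
import base64
import json

# Properties the support answer says are gated behind a directory role even with
# User.ReadWrite.All. Taken from the answer; "businessPhones" as the Graph name for
# telephonenumber is an assumption, not stated on the page.
ROLE_GATED_PROPS = {"mobilePhone", "otherMails", "businessPhones"}


def decode_roles(access_token):
    """Return the app permissions in the token's 'roles' claim.
    The signature is NOT verified; this only inspects a token we already hold."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload_b64)).get("roles", []))


def diagnose_patch_403(patch_body, error_json, access_token):
    """Explain an Authorization_RequestDenied on PATCH /users/{id} under app permissions."""
    err = error_json.get("error", {})
    if err.get("code") != "Authorization_RequestDenied":
        return {"verdict": "not an authorization error", "code": err.get("code")}
    roles = decode_roles(access_token)
    inner = err.get("innerError", {})
    finding = {
        "request-id": inner.get("request-id"),  # quote these two in a support case
        "date": inner.get("date"),
        "has_user_readwrite_all": "User.ReadWrite.All" in roles,
        "role_gated_props": sorted(set(patch_body) & ROLE_GATED_PROPS),
    }
    if not finding["has_user_readwrite_all"]:
        finding["verdict"] = "token lacks User.ReadWrite.All; check admin consent and .default scope"
    elif finding["role_gated_props"]:
        finding["verdict"] = ("permission present but property is PII-gated: assign the "
                              "Helpdesk Administrator role to the service principal")
    else:
        finding["verdict"] = "denied for a property outside the known PII-gated set"
    return finding


def _fake_token(roles):
    """Constructed, unsigned JWT for demonstration only (structure, not a real token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'roles': roles})}.sig"


# Sample input: the error body from the question and a constructed token carrying
# both permissions the question says were granted.
SAMPLE_ERROR = {"error": {"code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {"request-id": "e956cb0b-af0a-4bb7-aae3-59d39d007a82", "date": "2018-10-11T08:27:19"}}}
SAMPLE_TOKEN = _fake_token(["User.ReadWrite.All", "Directory.ReadWrite.All"])

if __name__ == "__main__":
    print(json.dumps(diagnose_patch_403({"mobilePhone": "+1 555 0100"}, SAMPLE_ERROR, SAMPLE_TOKEN), indent=2))
```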