1
votes

I'm getting this error when attempting to update the business or mobile phone attribute of a user using Microsoft's Graph API using Client Credentials (registered app). I'm able to update other attributes (city, country, department, displayName, givenName, jobTitle, officeLocation, postalCode, state, streetAddress and surName) just fine and if I send the same request via Microsoft's Graph Explorer using user credentials, it works.

I have tried this with both beta and v1.0 versions of Graph API, with the same error.

I have the proper application permissions (User ReadWrite and Directory ReadWrite) as per https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0

Our code uses an HTTP client to send raw HTTP requests (like Postman).

PATCH /v1.0/users/{user-GUID} HTTP/1.1
Authorization: Bearer {bearer token}
Content-type: application/json
Content-Length: 38

{
   "mobilePhone": "+16122229876"
}

2 Answers

1
votes

Business and mobile phones are "special" because they are used in MFA Authentication and therefore require higher permissions to update.

Your application needs to be granted at a minimum the Helpdesk Administrator role, or if you want to update an administrator's account you will need Company Administrator.

Unfortunately doing this is not simple and PowerShell is required, as detailed here:

How to Add an Azure AD Role to a Enterprise Application (Service Principal)

I am not aware of this being documented anywhere; we also found this out the hard way when the permissions were changed some time back without warning or notice.
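
The role assignment described in this answer, as an added example that is not part of the original answer or the linked post. It assumes the AzureAD PowerShell module (since deprecated in favour of Microsoft Graph PowerShell) and an account allowed to manage directory role assignments; `My Graph App` is a placeholder for the registered app's display name.

```powershell
# Added example: assign a directory role to an app's service principal.
# Assumptions: AzureAD module installed; 'My Graph App' is a placeholder name.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$appName  = 'My Graph App'            # placeholder display name
$roleName = 'Helpdesk Administrator'  # minimum role named in the answer above

# The role is held by the service principal (enterprise application),
# not by the app registration object.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "Service principal '$appName' not found." }
if (@($sp).Count -gt 1) { throw "Several service principals named '$appName'; select one by ObjectId." }

# Get-AzureADDirectoryRole lists only roles already activated in the tenant,
# so activate the role from its template if it is missing.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $template) { throw "No role template named '$roleName'." }
    Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId | Out-Null
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
}

# Add the service principal only if it is not already a member.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Output "'$appName' already holds '$roleName'."
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Output "Assigned '$roleName' to '$appName'."
}

# List every holder of the role so the assignment can be reviewed later;
# a service principal here can act with this role using only its client secret.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, ObjectType, ObjectId
```

The final listing is worth keeping in a periodic access review, since the role applies tenant-wide to whoever holds the app's credentials.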

0
votes

I'm going to write this off as an anomaly. The user for which I'm getting this error happens to be the admin user in AD. If I try to update any other user, or at least the few I've tried, it works perfectly.

To make it even stranger, if I put a space in the phone number after the +1, it works for the user (admin) that normally gives me an error.

Even though Graph API accepts phone numbers without a space after the +1, if you attempt to edit the phone number in Azure Admin Center, it warns you that the phone number is an invalid format.