microsoftgraph / aspnet-snippets-sample

A repository of code snippets that use Microsoft Graph to perform common tasks such as sending email, managing groups, and other activities from an ASP.NET Core MVC app. This sample uses the Microsoft Graph .NET Client Library to work with data, and the Microsoft Identity Web Library for authentication on the Microsoft identity platform v2.0 endpoint.
MIT License

Authorization_RequestDenied. Insufficient privileges to complete the operation #44

Closed Shreelekha19 closed 4 years ago

Shreelekha19 commented 6 years ago

I have been added as a guest user in a tenant by the cloud administrator. I have been given the directory roles of Application administrator and Application developer. I have these scopes: "Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All Group.Read.All Group.ReadWrite.All User.Invite.All User.Read User.ReadBasic.All User.ReadWrite User.ReadWrite.All"

I am using the Graph client to update the guest user's mobile phone and department.

The issue I am getting is: Authorization_RequestDenied. Insufficient privileges to complete the operation

Questions I have:

  1. Can a guest user with the Application administrator role update a user profile?
  2. I am doing it programmatically, so are delegated permissions sufficient, or do I have to give application permissions as well for the above scopes? If yes, why?
  3. Solution for the above error.

Thank you!

jasonjoh commented 4 years ago

Based on the description of the roles, I would say no. Nothing in those roles talks about editing users. Guest users are limited via Graph as well - for example, they cannot query the users endpoint to get a list of users.

https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator