microsoftgraph / msgraph-beta-sdk-java

Microsoft Graph Beta Java SDK
https://docs.microsoft.com/en-us/graph/sdks/use-beta?tabs=Java
MIT License
25 stars 9 forks source link

Calling User.setProxyAddresses() results in "Insufficient privileges to complete the operation" even with elevated permissions #951

Open Chris-AdamsonQHR opened 5 months ago

Chris-AdamsonQHR commented 5 months ago

Expected behavior

Making a call to User.setProxyAddresses() succeeds when "User.ReadWrite.All" and "Directory.ReadWrite.All" application permissions are granted in the Azure portal with admin consent given.

Actual behavior

An exception is thrown: com.microsoft.graph.beta.models.odataerrors.ODataError: Insufficient privileges to complete the operation.

Steps to reproduce the behavior

Using version 6.9.0 of the beta SDK:

Here are the permission settings we tried using in the Azure Portal: image

We also set the application in Azure to both User Administrator and then Global Administrator without succcess.

Related

Patch request to do the same operation is the suggested operation via graph explorer: https://stackoverflow.com/questions/65198916/remove-old-proxyaddress-entry-for-user-in-azure-active-directory/71577425#71577425

petrhollayms commented 5 months ago

Hi @Chris-AdamsonQHR ,

Looking at the Graph API docs: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-beta#properties proxyAddresses - Read-only in Microsoft Graph; you can update this property only through the Microsoft 365 admin center. Not nullable.

Chris-AdamsonQHR commented 4 months ago

Hi @petrhollayms. Thank you for looking at this. In the non-beta version of the SDK when we attempted to change the proxy address it indeed resulted in an error stating that the property was read only. However in the beta version, the same call resulted in an exception of insufficient privileges (as reported here).

With this different error, I was hoping that this property was no longer read-only, but from your description of the underlying documentation, would seem that it is still read-only (at least in the Graph API) and just that the error has changed.

Cpcrook commented 2 weeks ago

I'm going to add on to this - if you update the Mail property and ProxyAddresses property in a single Patch call with the beta graph API it produces an error message saying they cannot be updated together, implying the latter is indeed possible to update.

This also raises an issue overall where changing a user's email address and addresses associated with their Identities, it does not "release" the former email address from proxyAddresses, meaning a user cannot re-use that email address in the future, which can be problematic.