microsoftgraph / msgraph-sdk-powershell

Powershell SDK for Microsoft Graph
https://www.powershellgallery.com/packages/Microsoft.Graph

`Set-MgUserPhotoContent`: Missing Administrative Unit support #2519

Open jpawlowski opened 9 months ago

jpawlowski commented 9 months ago

I am writing this report in reference to the upcoming deprecation of the Exchange Online PowerShell UserPhoto cmdlets, which are supposed to be replaced by the Microsoft Graph API.

I wanted to let you know about an important feature for the new Microsoft Graph API to manage User Photos that still seems to be missing, and where I was not able to find further information on the internet so far.

Based on my testing, scoped directory permissions are not supported yet. That means when assigning Entra directory role User Administrator, I can only update a user’s profile if the directory scope ID was /. When assigning a stricter permission for User Administrator role with directory scope ID set to an administrative unit like /administrativeUnit/<OID>, I receive the following error message when running Set-MgUserPhotoContent or Set-MgBetaUserPhotoContent:

Set-MgBetaUserPhotoContent_Set: invalid_role

Status: 403 (Forbidden)
ErrorCode: ForbiddenByPolicy
Date: 2024-01-07T03:23:50

Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : a706ca91-e1d4-4433-98e2-8827ae0538ff
client-request-id             : cd2b1ad1-9f4b-432f-ace4-ffdc18dc6124
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF000105C8"}}
Date                          : Sun, 07 Jan 2024 03:23:49 GM

I tried both types of administrative units, regular ones and the new restricted management admin units. The error happens for both types of admin units, and I cannot update a user's photo if my permissions are scoped to a specific administrative unit only. Because of this, I will need to continue to use the deprecated Set-UserPhoto cmdlet for the time being.

petrhollayms commented 4 months ago

Hi @jpawlowski ,

The Graph API does not offer any parameter to influence it as I see: https://learn.microsoft.com/en-us/graph/api/profilephoto-update?view=graph-rest-1.0&tabs=http. Nor do I see anything related in https://learn.microsoft.com/en-us/powershell/module/exchange/set-userphoto?view=exchange-ps.

Which means the SDK can only rely on the functionality offered by the API.

Could you please try either Graph Explorer or calling the endpoint using Invoke-MgGraphRequest? https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.authentication/invoke-mggraphrequest?view=graph-powershell-1.0
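A script along the lines of Petr's suggestion, added here as an example and not part of this thread or of the SDK: it uploads the photo through the raw endpoint with Invoke-MgGraphRequest and, if the call comes back with the 403 ForbiddenByPolicy shown above, lists the caller's directory role assignments so you can see whether the User Administrator assignment is tenant-wide (`/`) or scoped to an administrative unit. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Identity.Governance modules are installed, that Connect-MgGraph has already been run with User.ReadWrite.All and RoleManagement.Read.Directory, and that `$UserId`, `$PhotoPath` and `$PrincipalId` are supplied by you; the function names are my own.

```powershell
# Added example (not from this thread or the SDK). Assumes an existing Connect-MgGraph
# session with User.ReadWrite.All and RoleManagement.Read.Directory.
param(
    [Parameter(Mandatory)] [string] $UserId,      # target user's object id or UPN (placeholder)
    [Parameter(Mandatory)] [string] $PhotoPath,   # local JPEG to upload (placeholder)
    [Parameter(Mandatory)] [string] $PrincipalId  # object id of the caller: user or service principal (placeholder)
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.Governance

function Set-UserPhotoViaGraph {
    param([string] $UserId, [string] $PhotoPath)
    # PUT /users/{id}/photo/$value is the endpoint that Set-MgUserPhotoContent wraps.
    $uri = "https://graph.microsoft.com/v1.0/users/$UserId/photo/`$value"
    Invoke-MgGraphRequest -Method PUT -Uri $uri -ContentType 'image/jpeg' -InputFilePath $PhotoPath
}

function Get-CallerRoleScopes {
    param([string] $PrincipalId)
    # Each assignment carries DirectoryScopeId: '/' is tenant-wide,
    # '/administrativeUnits/<id>' means the role only applies inside that AU.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$PrincipalId'"
    foreach ($a in $assignments) {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
        [pscustomobject]@{
            Role       = $def.DisplayName
            Scope      = $a.DirectoryScopeId
            TenantWide = ($a.DirectoryScopeId -eq '/')
        }
    }
}

try {
    Set-UserPhotoViaGraph -UserId $UserId -PhotoPath $PhotoPath
    Write-Host "Photo updated for $UserId"
}
catch {
    # The SDK surfaces the Graph error body (Status, ErrorCode) in the exception message.
    $msg = $_.Exception.Message
    if ($msg -match 'ForbiddenByPolicy|invalid_role|\b403\b') {
        Write-Warning "Photo update rejected with 403. Caller's directory role assignments:"
        Get-CallerRoleScopes -PrincipalId $PrincipalId | Format-Table -AutoSize
        Write-Warning "As reported in this thread, only a tenant-wide ('/') User Administrator assignment is accepted for this endpoint today."
    }
    else {
        throw
    }
}
```

The role-scope listing is the useful part for triage: a non-tenant-wide scope on the User Administrator assignment explains the 403 without guessing, and the same output is what you would attach to a support case while the AU limitation is open.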

jpawlowski commented 4 months ago

Thank you, Petr! I've indeed been using the Invoke-MgGraph approach to update the profile photo.

However, User Administrator permissions on directory level are still essential to be able to update profile photos, together with User.ReadWrite.All Microsoft Graph scope.

I do know that behind the scenes, the way administrative unit support is implemented right now seems to be a bottleneck. For example, to create new users, you would also need to have permission on directory level and cannot create new users directly inside a (static) administrative unit like you can for groups. But once they are created, using a User Administrator role that is scoped to a specific administrative unit with user objects only works fine to update anything but the user photo.

I think it is different when working with delegated permissions, but app roles that the managed identity uses seem to behave differently here as it becomes a mix of directory permissions and app role permissions that's not fully transparent to me.

IngoGege commented 2 months ago

Hi, is there any progress? We are facing the same issue and need to resolve it as soon as possible. Thanks!

wictorwilen commented 2 months ago

Support for Administrative Units for these cmdlets/endpoints is currently not available. We appreciate the feedback and we're tracking this internally.