microsoftgraph / msgraph-sdk-serviceissues

Tracks service issues for follow up.

Update-MgUser -MobilePhone failing with "insufficient privileges to perform this operation" #123

Closed JakeMoe closed 2 years ago

JakeMoe commented 2 years ago

When running "Update-MgUser -UserId -MobilePhone " in Azure Automation using service principal + certificate, I'm getting "Insufficient privileges to complete the operation". If I run Connect-MgGraph with the User.ReadWrite.All scope and use my admin account, it works fine.

I've added code to my runbook to list the scopes from Get-MgContext, and it shows I have User.ReadWrite.All, which the Graph API reference docs seem to say should be all it needs.

I've found a StackExchange post from 3 years ago that seems to say that PII properties like phone numbers need extra permissions. They added the HelpDesk Administrator role, but I can't find any documentation that confirms this or gives more direction about exactly what permissions are needed; I'd like to keep my service principal with as few permissions as possible.

sassdawe commented 2 years ago

I faced the same with the standard AzureAD module, and just decided to leave the MobilePhone property out when I get an Insufficient privileges error.

In my case I can update standard users, but I cannot change privileged users.

JakeMoe commented 2 years ago

@sassdawe I did find a reference in the Microsoft Graph API Users --> Update reference that seemed to say extra permissions are needed to be able to update privileged accounts, but it seems to say User.ReadWrite.All should be sufficient for normal users.

The privileged accounts seem to be admins and users in a few specific roles, but the specific role references (Directory Readers, Guest Inviter, Message Center Reader, and Reports Reader) might also mean that if an admin is placed in these roles, a non-privileged account can update them? The wording is a bit unclear (to me, at least). It also gives a link to the Helpdesk Administrator role docs "for more details", but I can't find any info about updating mobilePhone in the Azure roles doc it links to.

I've given the service principal the HelpDesk Admin role for now. It seems to be able to update mobilePhones, but I'd still like to restrict this further if possible and find precisely what role(s) and/or permission(s) are needed to update these "sensitive" fields.
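The runbook pattern discussed in this thread, as an added example that is not code from the issue or from the SDK project: connect app-only with a certificate, confirm from Get-MgContext that the token actually carries User.ReadWrite.All, then attempt the mobilePhone update and, on the same "Insufficient privileges" error reported above, check whether the target user holds a directory role (the privileged-user case the Graph docs call out) before skipping the property as sassdawe does. Tenant, client id, thumbprint, UPN and phone number are placeholders; the helper name Test-IsDirectoryRoleMember is this example's own.

```powershell
# Added example (not from the issue thread or the SDK project).
# Tenant/app/thumbprint/UPN/phone values below are placeholders.
param(
    [string]$TenantId              = '<tenant-id>',
    [string]$ClientId              = '<app-registration-client-id>',
    [string]$CertificateThumbprint = '<cert-thumbprint>',
    [string]$UserId                = 'user@contoso.example',
    [string]$MobilePhone           = '+1 555 0100'
)

Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Service principal + certificate, as in the Azure Automation runbook described above.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
    -CertificateThumbprint $CertificateThumbprint -NoWelcome

# Check what the token actually carries before blaming the cmdlet.
$ctx = Get-MgContext
Write-Output "AuthType: $($ctx.AuthType); Scopes: $($ctx.Scopes -join ', ')"
if ($ctx.Scopes -notcontains 'User.ReadWrite.All') {
    throw 'Token lacks User.ReadWrite.All; grant the application permission and re-consent.'
}

function Test-IsDirectoryRoleMember {
    # Returns $true when the user is a member of any activated directory role.
    # Privileged users are the case the Graph Users/Update docs say need more than
    # User.ReadWrite.All, so this separates "target is privileged" from "caller lacks rights".
    param([string]$UserId)
    $user = Get-MgUser -UserId $UserId -Property Id
    foreach ($role in Get-MgDirectoryRole) {
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        if ($members.Id -contains $user.Id) { return $true }
    }
    return $false
}

try {
    Update-MgUser -UserId $UserId -MobilePhone $MobilePhone -ErrorAction Stop
    Write-Output "Updated mobilePhone for $UserId"
}
catch {
    if ($_.Exception.Message -match 'Insufficient privileges') {
        # Same failure as in the issue. Record which explanation applies and keep the
        # run going without the property, rather than failing the whole runbook.
        $privileged = Test-IsDirectoryRoleMember -UserId $UserId
        Write-Warning (("mobilePhone update denied for {0}; target holds a directory role: {1}. " +
                        "Skipping this property and continuing.") -f $UserId, $privileged)
    }
    else {
        throw
    }
}
```

The role-membership check is read-only and only needs directory read rights the runbook already has for Get-MgUser, so it adds no privilege to the service principal; it just tells you whether the denied update hit a privileged account, which is the case where granting a broader role to the automation identity is the documented requirement rather than a workaround.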

peombwa commented 2 years ago

@JakeMoe, please open a support ticket/question/feature request at https://developer.microsoft.com/en-us/graph/support to get assistance on this from the workload team. The SDK is simply a pass-through to the service.