Tags: azure-active-directory, microsoft-graph-api

Unable to patch businessPhones of Entra External ID user, Insufficient privileges to complete the operation


I am writing an application to update users in Entra's "Azure AD for Customers" (now in Preview) by calling Microsoft Graph. The application is granted the "User.ReadWrite.All" permission.

When I send a PATCH request to update businessPhones of a specific user, e.g. {"businessPhones":["+41761234567"]}, I always receive response code 403 with the message "Insufficient privileges to complete the operation", even if the businessPhones parameter is just an empty collection, i.e. {"businessPhones":[]}. It also does not matter whether businessPhones is empty or not.

I have used Microsoft Graph Explorer to test / reproduce this and it seems that:

  • It is not a problem when I POST (instead of PATCH) the request with businessPhones.
  • It is not a problem when I PATCH a user in a regular Azure AD repository.
  • It is a problem when I PATCH a user in an Azure AD for Customers repository.

I have tried to modify permissions using Microsoft Graph Explorer, e.g. by adding Directory.ReadWrite.All, but this also didn't result in any improvement.

There are a number of similar issues on StackOverflow, but in my opinion this issue behaves slightly differently and I can only reproduce it for Azure AD for Customers users (the issue does not occur for regular Azure AD users).


Solution

  • I have a user named SriCustomer in my Azure AD for Customers repository:


    When I tried to update the businessPhones property of this user using the PATCH request below, I got the same error as you, even after granting the User.ReadWrite.All and Directory.ReadWrite.All permissions:

    PATCH https://graph.microsoft.com/beta/users/11475d17-d370-4ecc-9bec-xxxxxxxxx/
    {
        "businessPhones": [
            "+41761234567"
        ]
    }
    

    Response: (screenshot in the original, not reproduced here)

    Note that businessPhones and mobilePhone are sensitive properties that require additional permissions or roles to update.

    In delegated scenarios, updating sensitive properties requires an extra permission named Directory.AccessAsUser.All.

    As Graph Explorer works with delegated authentication, I added the Directory.AccessAsUser.All permission:

    When I ran the PATCH request again after granting consent to the above permission, I got a response like this:

    PATCH https://graph.microsoft.com/beta/users/11475d17-d370-4ecc-9bec-xxxxxxxxx/
    {
        "businessPhones": [
            "+41761234567"
        ]
    }
    

    Response: (screenshot in the original, not reproduced here)

    To confirm this, I checked the same user in the Portal, where the businessPhones property had been updated successfully.

    Similarly, you can also update the mobilePhone property after granting consent to the Directory.AccessAsUser.All permission.

    Reference: Update user - Microsoft Graph beta
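The following is an added example, not code from the question or the answer above. It encodes the answer's rule (a delegated PATCH on /users/{id} needs User.ReadWrite.All, plus Directory.AccessAsUser.All when the body touches businessPhones or mobilePhone) as a pre-flight check: decode the delegated token you already hold, compare its `scp` claim with what the request body needs, and recognise Graph's 403 when it does arrive. The set of sensitive properties and the scope names are taken from the answer; the sample token is constructed locally and unsigned, and the payload is read without signature verification, which is fine for inspecting your own token but is not an authorization decision. App-only tokens carry permissions in `roles` rather than `scp` and are outside what the answer covers, so they are deliberately not handled.

```python
"""Pre-flight check for delegated Microsoft Graph PATCH /users/{id} requests.

Added example; assumptions (not from the original page) are marked below.
"""
import base64
import json

GRAPH_BASE = "https://graph.microsoft.com/beta"
# Properties the answer identifies as sensitive for delegated updates.
SENSITIVE_PROPERTIES = {"businessPhones", "mobilePhone"}
BASE_UPDATE_SCOPE = "User.ReadWrite.All"
SENSITIVE_UPDATE_SCOPE = "Directory.AccessAsUser.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check: this is for
    inspecting a token you already hold, never for trusting a token you received."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def delegated_scopes(claims: dict) -> set:
    """Delegated permissions are the space-separated 'scp' claim.
    App-only tokens use 'roles' instead; the answer's fix is delegated-only,
    so that claim is intentionally ignored here."""
    return set(claims.get("scp", "").split())


def required_scopes(patch_body: dict) -> set:
    """Scopes a delegated PATCH needs for this body, per the answer above."""
    needed = {BASE_UPDATE_SCOPE}
    if SENSITIVE_PROPERTIES & set(patch_body):
        # Presence of the property is what matters: the question reports that
        # {"businessPhones": []} is rejected just like a non-empty list.
        needed.add(SENSITIVE_UPDATE_SCOPE)
    return needed


def missing_scopes(token: str, patch_body: dict) -> set:
    """Required scopes absent from the token; an empty set means the PATCH should pass."""
    return required_scopes(patch_body) - delegated_scopes(decode_jwt_payload(token))


def build_patch_request(user_id: str, token: str, patch_body: dict) -> dict:
    """Assemble (but do not send) the request the answer issues against the beta endpoint."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/users/{user_id}",
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps(patch_body),
    }


def is_insufficient_privileges(status: int, response_json: dict) -> bool:
    """Recognise Graph's permission 403: error.code Authorization_RequestDenied
    with the message quoted in the question."""
    err = response_json.get("error", {})
    return status == 403 and (
        err.get("code") == "Authorization_RequestDenied"
        or str(err.get("message", "")).startswith("Insufficient privileges")
    )


def make_fake_token(scp: str) -> str:
    """Constructed, unsigned test token (header.payload.<bogus signature>).
    Assumption for the example only; not a real Entra-issued token."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "scp": scp}

    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}.sig"


if __name__ == "__main__":
    # The questioner's situation: User.ReadWrite.All (and even Directory.ReadWrite.All)
    # is not enough once businessPhones is in the body.
    token = make_fake_token("User.ReadWrite.All Directory.ReadWrite.All")
    body = {"businessPhones": ["+41761234567"]}
    print(missing_scopes(token, body))  # {'Directory.AccessAsUser.All'}
    print(build_patch_request("11475d17-d370-4ecc-9bec-xxxxxxxxx", token, body)["url"])
```

Run the check before the PATCH and you get the missing scope name instead of an opaque 403; if the set is empty and Graph still returns Authorization_RequestDenied, the problem lies elsewhere (for example admin consent not yet granted for the tenant), which the page does not cover.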