
GraphClient -> delete user => Insufficient privileges


I'm trying to delete a user from Azure B2C using the Graph client

 await _serviceClient.Users[userId].Request().DeleteAsync();

but the following error is thrown

 Status Code: Forbidden
  Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied
  Message: Insufficient privileges to complete the operation.
  Inner error:
    AdditionalData:
    date: 2023-08-20T18:31:21
    request-id: 9a8594da-0fdd-4eb1-9f75-f9c60e59e3e8
    client-request-id: 9a8594da-0fdd-4eb1-9f75-f9c60e59e3e8
  ClientRequestId: 9a8594da-0fdd-4eb1-9f75-f9c60e59e3e8

I have the following permissions granted to Microsoft Graph. Am I missing something? [screenshot of the granted API permissions]

The Graph client works as expected in other scenarios (get, update, create users).


Solution

  • The error usually occurs if the service principal does not have proper roles or permissions to perform the operation.

    I registered one Azure AD B2C application and granted API permissions as below:

    [screenshot of the granted API permissions]

    When I ran the code below to delete the B2C user, I got the same error:

    using Azure.Identity;
    using Microsoft.Graph;
    using Microsoft.Graph.Models;
    using Microsoft.Kiota.Abstractions;
    using Microsoft.Graph.Models.ODataErrors;
    using System;
    
    var scopes = new[] { "https://graph.microsoft.com/.default" };
    
    var clientId = "appId";
    var tenantId = "tenantId";
    var clientSecret = "secret";
    
    var options = new ClientSecretCredentialOptions
    {
        AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
    };
    
    var clientSecretCredential = new ClientSecretCredential(
        tenantId, clientId, clientSecret, options);
    
    var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
    
    try
    {
        await graphClient.Users["userId"].DeleteAsync();
        Console.WriteLine("User deleted successfully!");
    }
    
    catch (ODataError odataError)
    {
        Console.WriteLine(odataError.Error.Code);
        Console.WriteLine(odataError.Error.Message);
    }
    

    Response: [screenshot of the error response]

    In app-only scenarios, the User.ReadWrite.All application permission isn't enough privilege to delete users with privileged administrative roles.

    To resolve the error, the app must be assigned a higher privileged administrator role like User Administrator or Global Administrator.

    In my case, I assigned the User Administrator role to the application as below:

    [screenshot of the role assignment]

    When I ran the same code again after a few minutes, I got a response saying the user was deleted successfully:

    using Azure.Identity;
    using Microsoft.Graph;
    using Microsoft.Graph.Models;
    using Microsoft.Kiota.Abstractions;
    using Microsoft.Graph.Models.ODataErrors;
    using System;
    
    var scopes = new[] { "https://graph.microsoft.com/.default" };
    
    var clientId = "appId";
    var tenantId = "tenantId";
    var clientSecret = "secret";
    
    var options = new ClientSecretCredentialOptions
    {
        AuthorityHost = AzureAuthorityHosts.AzurePublicCloud,
    };
    
    var clientSecretCredential = new ClientSecretCredential(
        tenantId, clientId, clientSecret, options);
    
    var graphClient = new GraphServiceClient(clientSecretCredential, scopes);
    
    try
    {
        await graphClient.Users["userId"].DeleteAsync();
        Console.WriteLine("User deleted successfully!");
    }
    
    catch (ODataError odataError)
    {
        Console.WriteLine(odataError.Error.Code);
        Console.WriteLine(odataError.Error.Message);
    }
    

    Response: [screenshot of the success response]

    In your case, make sure to assign a proper directory role to the application, such as User Administrator or Global Administrator, to resolve the error.

    Reference: Delete a user - Microsoft Graph API
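The answer explains that app-only User.ReadWrite.All is refused when the target user holds a directory role. The following is an added example (not code from the question or the answer) that makes that refusal explainable: it lists the target's directory roles before calling delete and, on Authorization_RequestDenied, logs the request-id that support correlates on. It assumes Graph SDK v5 (GraphServiceClient, ODataError), an app-only ClientSecretCredential as in the answer with placeholder tenantId/appId/secret/userId values, and that the app can read memberOf (e.g. Directory.Read.All); the InnerError.RequestId property and the function name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;

// Placeholder values, as in the answer's snippet; replace with your own.
var scopes = new[] { "https://graph.microsoft.com/.default" };
var credential = new ClientSecretCredential("tenantId", "appId", "secret");
var graphClient = new GraphServiceClient(credential, scopes);

await DeleteUserWithRoleCheckAsync(graphClient, "userId"); // placeholder object id

// Hypothetical helper: explain a refused app-only delete instead of surfacing a bare 403.
static async Task DeleteUserWithRoleCheckAsync(GraphServiceClient client, string userId)
{
    // 1. Check whether the target holds any directory role. App-only User.ReadWrite.All
    //    cannot delete such users unless the app itself holds an admin role.
    //    Assumes the app may read /users/{id}/memberOf.
    var memberOf = await client.Users[userId].MemberOf.GetAsync();
    var roles = (memberOf?.Value ?? new List<DirectoryObject>())
        .OfType<DirectoryRole>()           // memberOf mixes groups and directory roles
        .Select(r => r.DisplayName)
        .ToList();
    if (roles.Count > 0)
        Console.WriteLine($"Target holds directory role(s): {string.Join(", ", roles)}. " +
                          "App-only deletion requires the app to be assigned an admin role.");

    // 2. Attempt the delete and keep the correlation data from a denial.
    try
    {
        await client.Users[userId].DeleteAsync();
        Console.WriteLine("User deleted successfully!");
    }
    catch (ODataError e) when (e.Error?.Code == "Authorization_RequestDenied")
    {
        // request-id is the value to quote when raising this with Microsoft support;
        // InnerError.RequestId is assumed to be the SDK's mapping of that header.
        Console.WriteLine($"Denied: {e.Error.Message} " +
                          $"(request-id: {e.Error.InnerError?.RequestId ?? "n/a"})");
    }
}
```

The role check does not change which directory role you must assign; it only tells you up front whether the target is one the answer's User.ReadWrite.All limitation applies to.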