This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 6%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hello!
I'm currently developing an automation using the Graph API Users endpoint to sync profile attributes from one tenant to another and it works fine for most our users. However, we come across permission errors (403) when performing the same update actions on admin users. According to the documentation, to do this "applications need to be assigned the Directory.AccessAsUser.All delegated permission." This automation should be run as a daemon app with zero user interaction, no login, and no front-end. Why isn't there an application-equivalent permission for this?
Can I get some other options on how to update these admin profiles or how to use delegated auth without the need for user interaction? I've looked into duct-tape solutions that could rely on a refresh token from a single, hard-coded 'interaction' - but apparently those can expire in various situations and would not be a good, sustainable solution for us.
Thanks in advance :)
Hi @Krissi Yan
Can you share your api endpoint and request body for me to test?
Hi Carl!
Thanks for taking the time to check this out :)
Here's the logs from my app including the patch data, please mind the censored parts. It basically works until I hit admin accounts:
2022-12-02 22:18:08: INFO : Updating user profile of status onboarded: xxxuser1
2022-12-02 22:18:09: INFO : Updating user profile of status onboarded: xxxuser2
2022-12-02 22:18:09: INFO : Updating user profile of status onboarded: xxxadmin1
2022-12-02 22:18:09: ERROR : Non-2xx catch @ https://graph.microsoft.xxx/v1.0/users/xxxadmin1[@](/users/na/?userId=8b49184f-0000-0003-0000-000000000000).meow: {"businessPhones": ["+xxxxxxxxx"], "city": "xxx", "companyName": "xxx, Inc", "country": "xxx","department": "xxx", "employeeId": null, "employeeType": null, "givenName": "xxxx", "jobTitle": "xxxxxx", "officeLocation": "xxxxx", "postalCode": "xxxx", "state": "XX", "streetAddress": "xxxxxxx", "surname": "xxx"}
2022-12-02 22:18:09: ERROR : Non-2XX response code recieved: 403: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-12-02T22:18:09","request-id":"xxx","client-request-id":"xxx"}}}
Thanks again for taking a look!
-Krissi
As a semi-answer, dropping the patch to businessPhones, mail, and mobilePhone allowed the request to go through. I'm guessing because these are password reset factors. In either case, it would still be nice to sync these attributes for admins as well.