
Hard match Microsoft Entra ID user with On-Premises AD user

Delgadillo, Raul 20 Reputation points
2026-01-22T16:26:39.25+00:00

Hello, I tried to merge or match an Office 365 email account with an on-premises user account.

This is the error I get. Thank you for your input.

PS C:\Windows\system32> update-mguser -userid "******@tustinca.org" -onpremisesImmutableid "xxxxxxxxxxxxxtR6A=="
update-mguser : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2026-01-16T00:14:27
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : 6176ee9e-302a-4668-82f5-d1c3a4198acb
client-request-id : 033ed772-3e29-452f-9128-9d74d3907b0f
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West US 3","Slice":"E","Ring":"2","ScaleUnit":"000","RoleInstance":"PH1PEPF0001162D"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Fri, 16 Jan 2026 00:14:27 GMT
At line:1 char:1
+ update-mguser -userid "******@company.com" -onpremisesImmutableid ...
    + CategoryInfo          : InvalidOperation: ({ UserId = fmor...softGraphUser }:<>f__AnonymousType52`3) [Update-MgUser_UpdateExpanded], Exception
    + FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgUser_UpdateExpanded

PS C:\Windows\system32> get

Exchange | Hybrid management

2 answers

  1. Vasil Michev 126.9K Reputation points MVP Volunteer Moderator
    2026-01-22T17:11:29.5066667+00:00

    What permissions are running this with? And are you connecting as a user (delegate permissions model) or via app-only auth?

    Generally speaking, you need the User.ReadWrite.All scope, so connect via:

    Connect-MgGraph -Scopes User.ReadWrite.All
    

    In addition to that, if running as a user, make sure he is assigned the User administrator or equivalent role.

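The hard-match flow this answer describes, carried end to end as an added example (it is not code from the question or from either answer). It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are installed and uses placeholder account names; it verifies the granted scope before writing and refuses to overwrite an ImmutableId that is already set.

```powershell
# Added example, not from the original thread. Derive the ImmutableId from the
# on-premises objectGUID, confirm the Graph session really carries
# User.ReadWrite.All, then hard-match the cloud user with Update-MgUser.
# Assumptions: ActiveDirectory + Microsoft.Graph modules; placeholder names below.
$OnPremSam = 'jdoe'                    # placeholder on-prem sAMAccountName
$CloudUpn  = 'jdoe@contoso.example'    # placeholder UPN of the Entra ID user

# 1. ImmutableId = base64 of the on-prem objectGUID bytes (what Entra Connect would write).
$adUser      = Get-ADUser -Identity $OnPremSam -Properties objectGUID
$immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 2. Connect with delegated User.ReadWrite.All and check the token actually has it;
#    a session opened earlier with narrower scopes is the usual cause of the 403.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
$ctx = Get-MgContext
if ($ctx.Scopes -notcontains 'User.ReadWrite.All') {
    throw "Session lacks User.ReadWrite.All; granted scopes: $($ctx.Scopes -join ', ')"
}

# 3. Safety checks: do not touch an already-synced object, and do not silently
#    replace a different ImmutableId (that would re-point the account).
$cloudUser = Get-MgUser -UserId $CloudUpn `
    -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesSyncEnabled
if ($cloudUser.OnPremisesSyncEnabled) {
    throw "$CloudUpn is already directory-synced; the ImmutableId is owned by sync. Aborting."
}
if ($cloudUser.OnPremisesImmutableId -and $cloudUser.OnPremisesImmutableId -ne $immutableId) {
    throw "$CloudUpn already has ImmutableId '$($cloudUser.OnPremisesImmutableId)'. Aborting."
}

# 4. Apply the hard match and read the attribute back to confirm the write.
Update-MgUser -UserId $cloudUser.Id -OnPremisesImmutableId $immutableId
(Get-MgUser -UserId $cloudUser.Id -Property OnPremisesImmutableId).OnPremisesImmutableId
```

The signed-in account still needs a directory role that permits user updates (User Administrator or equivalent); the scope alone does not grant it.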


  2. AI answer

    2026-01-22T16:27:16.65+00:00

    The error message you are encountering, "Insufficient privileges to complete the operation," indicates that the account you are using to execute the update-mguser command does not have the necessary permissions to update the user in Microsoft Entra ID. This can happen for several reasons:

    1. Permissions: Ensure that the account has the required permissions to perform user updates in Microsoft Entra ID. You may need to be a global administrator or have specific roles assigned that allow user management.
    2. Role Assignment: Check if the user account you are using is assigned the appropriate roles in Azure Active Directory that allow for user modifications. You can do this through the Azure portal.
    3. Scope of Access: Verify that the application or service principal you are using to run the command has been granted the necessary API permissions to update user information.
    4. Directory Role: If you are working in a hybrid environment, ensure that the on-premises Active Directory user and the corresponding Microsoft Entra ID user are properly synchronized and that the appropriate directory roles are configured.

    To resolve the issue, you may need to adjust the permissions or roles associated with your account or the application you are using to execute the command. If the problem persists, consider reaching out to your Azure administrator for further assistance.


