Insufficient privileges to complete the operation When attempting to update user OnPremisesImmutableId property with Update-MgUser

Scott Stanton 26 Reputation points
2022-10-11T19:30:46.057+00:00

My end goal is to be able to empty or modify the OnPremisesImmutableId field in a user's cloud profile in order to break the relationship with their onpremises AD object,

I have created an app for connecting to MS Graph API with a certificate and am therefor using application permissions in the API Permissions tab of the application. I have granted the application lots of permissions as dictated by my experiments on the Graph Explorer, both delegated and application since the Explorer uses a logged in user and the application logs in with an unattended certificate. Those permissions include Directory.ReadWrite.All, User.ReadWrite.All, DeviceManagementApps.ReadWrite.All, User.ManageIdentities.All and many more as recommended to me both by the Graph Explorer Modify Permissions tab and Find-MgGraphPermission/Find-MgGraphCommand. I was able to get it to work last Friday, 10/7/22, but Monday morning, 10/10/22, in the same window as before and then many others to test, I now get the below error message

PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId " "  
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid  
  
  
PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId "ni1MsaFrakWp9ZxafvyqCQ=="  
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid  
  
  
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid  
  
  
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid  
  
  
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid  
  
  
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid  
  
  
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid  
  
  
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid  
ni1MsaFrakWp9ZxafvyqCQ==  
PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId " "  
Update-MgUser : Another object with the same value for property onPremisesImmutableId already exists.  
At line:1 char:1  
+ Update-MgUser -UserId $userid -OnPremisesImmutableId " "  
+ \~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~  
    + CategoryInfo          : InvalidOperation: ({ UserId = psno...softGraphUser }:<>f__AnonymousType64`2) [Update-MgU  
   ser_UpdateExpanded], RestException`1  
    + FullyQualifiedErrorId : Request_BadRequest,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgUser_UpdateExpanded  
PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId "1"  
PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId "ni1MsaFrakWp9ZxafvyqCQ=="  

Above this line was on 10/7/22 and below this line was the same PowerShell window on 10/10/22

PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId "2"  
Update-MgUser : Insufficient privileges to complete the operation.  
At line:1 char:1  
+ Update-MgUser -UserId $userid -OnPremisesImmutableId "2"  
+ \~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~\~  
    + CategoryInfo          : InvalidOperation: ({ UserId = psno...softGraphUser }:<>f__AnonymousType64`2) [Update-MgU  
   ser_UpdateExpanded], RestException`1  
    + FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgUser_UpdateExpand  
   ed  

Update-MgUser : Insufficient privileges to complete the operation.
At line:1 char:1

  • Update-MgUser -UserId $userid -OnPremisesImmutableId "2"
  • ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    • CategoryInfo : InvalidOperation: ({ UserId = psno...softGraphUser }:<>f__AnonymousType642) [Update-MgU ser_UpdateExpanded], RestException1
    • FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgUser_UpdateExpanded

These are the permissions required as shown by the Find-MgGraphCommand cmdlet , all of which I have granted in the type Application, in addition for Graph Explorer testing I also granted User.ReadWrite.All and Directory.ReadWrite.All in the delegated type:

DeviceManagementApps.Read.All True Read Microsoft Intune apps Allows the app to...
DeviceManagementApps.ReadWrite.All True Read and write Microsoft Intune apps Allows the app to...
DeviceManagementManagedDevices.Read.All True Read devices Microsoft Intune devices Allows the app to...
DeviceManagementManagedDevices.ReadWrite.All True Read and write Microsoft Intune devices Allows the app to...
DeviceManagementServiceConfig.Read.All True Read Microsoft Intune configuration Allows the app to...
DeviceManagementServiceConfig.ReadWrite.All True Read and write Microsoft Intune configuration Allows the app to...
Directory.Read.All True Read directory data Allows the app to...
Directory.ReadWrite.All True Read and write directory data Allows the app to...
User.Read False Sign you in and read your profile Allows you to sig...
User.Read.All True Read all users' full profiles Allows the app to...
User.ReadBasic.All False Read all users' basic profiles Allows the app to...
User.ReadWrite False Read and update your profile Allows the app to...
User.ReadWrite.All True Read and write all users' full profiles Allows the app to.

I have removed and re-added the required permissions, removed and re-granted the admin consent, I have tried other users, I have tried using Graph Explorer in addition to powershell, and it refuses to let me do it again. Please help me regain my sanity, why would it have let me do it one day but not the next?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,540 questions
{count} votes

Accepted answer
  1. CarlZhao-MSFT 43,411 Reputation points
    2022-10-14T02:37:00.573+00:00

    Hi @Anonymous

    Based on my tests, if you have the Directory.ReadWrite.All application permission you can absolutely change the OnPremisesImmutableId property or even all user attributes except sensitive information.

    You said in the context of the problem that the same command worked well last week, so I think it could be an occasional error. As it needs additional troubleshooting, request you to report this by raising a support case a specialized support engineer will assist you better on this.

    You can raise technical support request from
    https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview or https://admin.microsoft.com/#/support/requests.

    Hope this helps.


    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have extra questions about this answer, please click Comment.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.