My end goal is to be able to empty or modify the OnPremisesImmutableId field in a user's cloud profile in order to break the relationship with their on-premises AD object.
I have created an app for connecting to the MS Graph API with a certificate and am therefore using application permissions in the API Permissions tab of the application. I have granted the application lots of permissions as dictated by my experiments on the Graph Explorer, both delegated and application, since the Explorer uses a logged-in user and the application logs in with an unattended certificate. Those permissions include Directory.ReadWrite.All, User.ReadWrite.All, DeviceManagementApps.ReadWrite.All, User.ManageIdentities.All and many more, as recommended to me both by the Graph Explorer Modify Permissions tab and by Find-MgGraphPermission/Find-MgGraphCommand. I was able to get it to work last Friday, 10/7/22, but Monday morning, 10/10/22, in the same window as before (and then in many others, to test), I now get the error message below.
PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId " "
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid
PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId "ni1MsaFrakWp9ZxafvyqCQ=="
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid
PS C:\Users\SPAdmin> (Get-MgUser -UserId $userId -Property "onPremisesImmutableId").onpremisesimmutableid
ni1MsaFrakWp9ZxafvyqCQ==
PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId " "
Update-MgUser : Another object with the same value for property onPremisesImmutableId already exists.
At line:1 char:1
+ Update-MgUser -UserId $userid -OnPremisesImmutableId " "
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ UserId = psno...softGraphUser }:<>f__AnonymousType64`2) [Update-MgUser_UpdateExpanded], RestException`1
+ FullyQualifiedErrorId : Request_BadRequest,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgUser_UpdateExpanded
PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId "1"
PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId "ni1MsaFrakWp9ZxafvyqCQ=="
Above this line is the session from 10/7/22; below this line is the same PowerShell window on 10/10/22.
PS C:\Users\SPAdmin> Update-MgUser -UserId $userid -OnPremisesImmutableId "2"
Update-MgUser : Insufficient privileges to complete the operation.
At line:1 char:1
+ Update-MgUser -UserId $userid -OnPremisesImmutableId "2"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ UserId = psno...softGraphUser }:<>f__AnonymousType64`2) [Update-MgUser_UpdateExpanded], RestException`1
+ FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.UpdateMgUser_UpdateExpanded
These are the permissions required as shown by the Find-MgGraphCommand cmdlet, all of which I have granted in the Application type; in addition, for Graph Explorer testing, I also granted User.ReadWrite.All and Directory.ReadWrite.All in the Delegated type:
DeviceManagementApps.Read.All True Read Microsoft Intune apps Allows the app to...
DeviceManagementApps.ReadWrite.All True Read and write Microsoft Intune apps Allows the app to...
DeviceManagementManagedDevices.Read.All True Read devices Microsoft Intune devices Allows the app to...
DeviceManagementManagedDevices.ReadWrite.All True Read and write Microsoft Intune devices Allows the app to...
DeviceManagementServiceConfig.Read.All True Read Microsoft Intune configuration Allows the app to...
DeviceManagementServiceConfig.ReadWrite.All True Read and write Microsoft Intune configuration Allows the app to...
Directory.Read.All True Read directory data Allows the app to...
Directory.ReadWrite.All True Read and write directory data Allows the app to...
User.Read False Sign you in and read your profile Allows you to sig...
User.Read.All True Read all users' full profiles Allows the app to...
User.ReadBasic.All False Read all users' basic profiles Allows the app to...
User.ReadWrite False Read and update your profile Allows the app to...
User.ReadWrite.All True Read and write all users' full profiles Allows the app to.
I have removed and re-added the required permissions, removed and re-granted the admin consent, tried other users, and tried using Graph Explorer in addition to PowerShell, and it refuses to let me do it again. Please help me regain my sanity: why would it have let me do it one day but not the next?
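The certificate sign-in, read and update flow from the question, written up as an added diagnostic script (not part of the original post and not Microsoft's own code) that checks what the app-only token actually carries before touching the attribute and tells the two failures in the post apart. It assumes the Microsoft.Graph PowerShell SDK is installed and that the app registration with a certificate already exists; the tenant ID, client ID, thumbprint and user ID are placeholders. The clear is done with an explicit JSON null through Invoke-MgGraphRequest rather than a blank string, since the post's attempt with " " was rejected as a duplicate value.

```powershell
# Added diagnostic script, not from the original post. Assumes the Microsoft.Graph
# PowerShell SDK and an app registration with a certificate; all four values below
# are placeholders you must replace.
param(
    [string]$TenantId   = '<tenant-id>',
    [string]$ClientId   = '<app-client-id>',
    [string]$Thumbprint = '<cert-thumbprint>',
    [string]$UserId     = '<user-object-id-or-upn>'
)

# App-only (unattended) sign-in with the certificate, as in the question.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint | Out-Null

# Record what the token really carries: AuthType separates app-only from delegated
# sign-in, and Scopes lists the application roles present in this token, which is
# what the service evaluates, not what the portal's API Permissions tab shows.
$ctx = Get-MgContext
Write-Host "AuthType: $($ctx.AuthType)"
Write-Host "Scopes:   $($ctx.Scopes -join ', ')"

# A user that is still being synchronised from on-premises AD cannot have this
# attribute edited from the cloud side, so check the sync state before trying.
$props = 'id,userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId'
$user  = Get-MgUser -UserId $UserId -Property $props
Write-Host "Before: ImmutableId='$($user.OnPremisesImmutableId)' SyncEnabled=$($user.OnPremisesSyncEnabled)"

if ($user.OnPremisesSyncEnabled) {
    Write-Warning 'User is still synced from on-premises AD; the cloud object will not accept this change while sync is on.'
    return
}

try {
    # Send a real JSON null to clear the value. A blank string such as " " is a
    # value in its own right and can collide with another object holding it.
    $uri = "https://graph.microsoft.com/v1.0/users/$UserId"
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType 'application/json' `
        -Body '{"onPremisesImmutableId": null}' -ErrorAction Stop

    $after = Get-MgUser -UserId $UserId -Property 'onPremisesImmutableId'
    Write-Host "After:  ImmutableId='$($after.OnPremisesImmutableId)'"
}
catch {
    # Separate the two outcomes seen in the post: Request_BadRequest means the
    # service rejected the value; Authorization_RequestDenied means the token
    # does not carry a right the operation needs.
    $msg = $_.Exception.Message
    if ($msg -match 'Authorization_RequestDenied|Insufficient privileges') {
        Write-Warning "Token refused: compare the Scopes printed above with the consented application permissions. $msg"
    }
    elseif ($msg -match 'Request_BadRequest|already exists') {
        Write-Warning "Value rejected by the service: $msg"
    }
    else {
        throw
    }
}
```

Run it once before any attempt to change the attribute: if the Scopes line from Get-MgContext does not include User.ReadWrite.All or Directory.ReadWrite.All, the token being used is not the one the portal consent describes, and that is the place to look before re-granting permissions again.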