Sudenly Authorization_denied error when DELETE user with Graph API

Calderara Serge 46

Dear all,

Does MS guys could help in this we are stuck for a while

Since a full year now we have used MS graph API to handle user account in our Active directory through scripting.
We are creating new account , updating an acount, add account to groups and Delete accounts

Until now all was working without any trouble

Since last week we notice that the DELETE operation using Graph api was not working anymore for some reason and return the following error :

"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2022-10-18T12:55:27",
"request-id": "f21b7f4c-19c6-4183-b55a-cbd01e7ab103",
"client-request-id": "f21b7f4c-19c6-4183-b55a-cbd01e7ab103"
}
}

By cross checking MSGraph Api documentation on the DELETE operation all our permission are correct and do not see why WITHOUT ANY CHANGE in our side on this it suddenly stop to work.

The following is our current configuration

What could be the reason ?

Thanks for help on solving this as we have many internal scripts which stopped working due to that

Regards

Zehui Yao_MSFT 5,846 Reputation points

2022-10-19T02:51:26.863+00:00

Hi @Calderara Serge , we are currently doing research on this issue, can you print the return token and parse it in the jwt.ms and then share the parsing result, so we can get more useful information from it to help us find the cause of the problem. Hope you can understand.
Calderara Serge 46 Reputation points

2022-10-19T07:59:29.37+00:00

Hello @Zehui Yao_MSFT , here is attached the parsing result of the return token
251885-token.txt

Thanks for your return on this

Regards

1 answer

Zehui Yao_MSFT 5,846 Reputation points

2022-10-19T10:00:36.223+00:00

Hi @Calderara Serge , based on my tests, you may be trying to delete some accounts with special roles so this leads to privilege issues. In my tests, the same error occurred when I used client credentials flow to get authentication and then used the API to delete the account that was granted the role.

You can grant your app the global administrator role in AD.portal to solve the problem of privileges. Hope this can help, wish you all the best.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.
Calderara Serge 46 Reputation points

2022-10-20T08:40:36.92+00:00

Hi @Zehui Yao_MSFT , we have try to set the Global admin role on the AD for our register APP.

This works and we do not get the error any more, BUT we have a big complain from our customer IT security which do not accept to set the GLobal Admin role as the app will have then full rights.

Which role could be use for our app in order to have less privilege's but still got it to work fine ?

Regards
serge

Zehui Yao_MSFT 5,846 Reputation points

2022-10-20T10:14:22.213+00:00

Hi, Global Administrator role has the highest priority to ensure that other accounts who have been granted roles can be deleted, and if you are concerned about the security risks of having too large permissions, you can choose to grant the Global Administrator role only every time you need to delete a account.

Calderara Serge 46 Reputation points

2022-10-20T12:27:56.163+00:00

Hello @ ZehuiYaoMSFT-7151,

I thing you did not catch my all process and your asnwer is a bit wierd.

We are running user account management from a portal of services through Graph API.
The application does not have admin right in order to change the role dynamically , so we cannot change at the time of the process goes for DELETE to set that permmission

We need to have all permission ready and set in Azure in order that the application is able to perform its automatics operation on user accounts.

Question 1 :

The permission actually in place was there and working for a long time, why suddenly the DELETE operation fails ? Some MS config has been change in AD during that time ?

Question 2 :
Will it work with permission role set to User admin instead of Global admin ?

Thanks for help

Zehui Yao_MSFT 5,846 Reputation points

2022-10-21T02:42:11.117+00:00

Hi @Calderara Serge , you can automatically add roles via POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments endpoints.
Documentation: https://learn.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http

You can get roleDefinitionId through https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
and principalId by https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '{your App client ID}', and take the id value in the response as principalId
Documentation: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list?view=graph-rest-1.0&tabs=http

And per my I test, the user administrator couldn't do the same thing as a global administrator. Hope this helps.

Calderara Serge 46 Reputation points

2022-10-21T07:27:48.97+00:00

Hello @ ZehuiYaoMSFT-7151,

Could you please explain to me what has change in AD in order that now we need to get that Role set in order to delete an a account, while as I said it was working so far without my app to be part of that role ?

I have made a test by creating a free trial azure subscription.
Then I add a Guest account in the ad in same way we do from my app at my customer side
Then once the user is active, I delete the account using POSTMAN

As a result the user gets deleted succesfully wihout having the Role Set but only minimal permission as User.Read, User.ReadWriteAll, User.InviteAll

What is the difference that it works ok with free sbscription and not with my customer one ?

Regards

Zehui Yao_MSFT 5,846 Reputation points

2022-10-21T09:25:14.46+00:00

Hi @Calderara Serge , because different roles have different permissions, and they do have some status priorities within AD,
when some accounts have special roles such as User Admin, you must use a user or application with a higher status than him (since you are using client-credentials-flow, according to the token resolution you share, so the subject of the deletion operation is your application) to have permission to delete it such as Global Admin.

As for why your program worked fine before, my guess is that the accounts you created and deleted before were normal users who were not granted any roles in the lowest priority position, just like the guest accounts you create now, so your program can have default permission to delete them without any role, which is the same on the client side or subscription.

Zehui Yao_MSFT 5,846 Reputation points

2022-10-24T09:58:51.863+00:00

Hi @Calderara Serge , do if you still have any doubts about this issue?
Sign in to comment

Share via

Sudenly Authorization_denied error when DELETE user with Graph API

1 answer