Not able to disable the user despite User Administrator role.

Shruti 1 Reputation point
2022-11-17T08:57:40.413+00:00

I am not able to disable user even after having User Administrator role. Getting this error "Insufficient permissions to edit user properties "
I am getting the same issue when calling the graph API.
https://graph.microsoft.com/v1.0/users/a19d6419-f188-4bfd-bd9e-c9335ddbf3ec

Request Body :
{
"AccountEnabled": false
}

261318-image.png

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,545 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Vasil Michev 110.3K Reputation points MVP
    2022-11-17T09:37:39.89+00:00

    Is the target user an admin one? There are certain operations you cannot perform against an admin user, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#who-can-perform-sensitive-actions
    Similarly, you cannot perform this operation against your own user account.

    0 comments No comments

  2. Harpreet Singh Matharoo 8,221 Reputation points Microsoft Employee
    2022-11-17T09:41:55.003+00:00

    Hello @Shruti

    The error you are receiving is expected if the user for which you are trying make this change has some kind of role assigned. To share some more insights, I would like to share that "Disable or enable user" (accountEnabled) is a sensitive property and User Administrator can only perform this action on some type of users.

    Following table shares more information about this for complete information please refer following document: Who can perform sensitive actions.

    261393-image.png

    I hope this helps to resolve your query.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  3. CarlZhao-MSFT 43,491 Reputation points
    2022-11-17T10:04:36.157+00:00

    Hi @Shruti

    If you are trying to update the account enabled attribute of a normal user, then the User Administrator role is sufficient. However, if you want to update the account enabled attribute of an administrator, you must have the Global Administrator role.

    261432-image.png

    261441-image.png


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.