Not able to disable the user despite User Administrator role.

Shruti 1 Reputation point
2022-11-17T08:57:40.413+00:00

I am not able to disable a user even after having the User Administrator role. I am getting this error: "Insufficient permissions to edit user properties".
I am getting the same issue when calling the Graph API.
https://graph.microsoft.com/v1.0/users/a19d6419-f188-4bfd-bd9e-c9335ddbf3ec

Request body:
{
    "AccountEnabled": false
}


3 answers

  1. Vasil Michev 95,666 Reputation points MVP
    2022-11-17T09:37:39.89+00:00

    Is the target user an admin one? There are certain operations you cannot perform against an admin user, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#who-can-perform-sensitive-actions
    Similarly, you cannot perform this operation against your own user account.


  2. Harpreet Singh Matharoo 7,486 Reputation points Microsoft Employee
    2022-11-17T09:41:55.003+00:00

    Hello @Shruti

    The error you are receiving is expected if the user for which you are trying to make this change has some kind of role assigned. To share some more insights, I would like to share that "Disable or enable user" (accountEnabled) is a sensitive property and User Administrator can only perform this action on some types of users.

    The following table shares more information about this. For complete information, please refer to the following document: Who can perform sensitive actions.


    I hope this helps to resolve your query.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  3. CarlZhao-MSFT 37,216 Reputation points
    2022-11-17T10:04:36.157+00:00

    Hi @Shruti

    If you are trying to update the account enabled attribute of a normal user, then the User Administrator role is sufficient. However, if you want to update the account enabled attribute of an administrator, you must have the Global Administrator role.



    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

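A way to triage this denial before retrying, written as an added example that is not code from the thread or from Microsoft: it takes the caller's and target's object ids plus the target's Graph `memberOf` reply and reports which of the causes named in the answers applies. The helper names, the caller id and the sample reply are constructed; which roles a User Administrator may still act on is in the linked documentation table and is not encoded here.

```python
import json

# Constructed sample: shape of a Microsoft Graph reply to
#   GET /users/{id}/memberOf   (target user's memberships; values are made up)
SAMPLE_MEMBER_OF = json.loads("""
{"value": [
  {"@odata.type": "#microsoft.graph.directoryRole",
   "id": "00000000-0000-0000-0000-0000000000aa",
   "displayName": "Helpdesk Administrator"},
  {"@odata.type": "#microsoft.graph.group",
   "id": "00000000-0000-0000-0000-0000000000bb",
   "displayName": "Sales team"}
]}
""")


def directory_roles(member_of):
    """Display names of the directoryRole objects in a memberOf reply."""
    return sorted(
        obj.get("displayName") or obj.get("id", "<unnamed role>")
        for obj in member_of.get("value", [])
        if obj.get("@odata.type", "").lower() == "#microsoft.graph.directoryrole"
    )


def explain_denied_disable(caller_id, target_id, member_of):
    """Hypothetical helper: map a denied accountEnabled update to a cause
    named in the answers. Returns (cause, role_names)."""
    # Answer 1: the operation is refused against your own account.
    if caller_id.strip().lower() == target_id.strip().lower():
        return "self", []
    roles = directory_roles(member_of)
    # The answers attribute the error to a target that holds a role.
    if roles:
        return "target_has_directory_role", roles
    # A nextLink means more pages exist, so "no role" is not yet proven.
    if "@odata.nextLink" in member_of:
        return "incomplete_page", []
    return "no_role_found", []


if __name__ == "__main__":
    cause, roles = explain_denied_disable(
        "11111111-1111-1111-1111-111111111111",  # constructed caller id
        "a19d6419-f188-4bfd-bd9e-c9335ddbf3ec",  # target id from the question
        SAMPLE_MEMBER_OF,
    )
    print(cause, roles)
```
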