This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 45%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
I am not able to disable user even after having User Administrator role. Getting this error "Insufficient permissions to edit user properties "
I am getting the same issue when calling the graph API.
https://graph.microsoft.com/v1.0/users/a19d6419-f188-4bfd-bd9e-c9335ddbf3ec
Request Body :
{
"AccountEnabled": false
}
Hello @Shruti
Thank you for reaching out. I would be checking this would get back to you in sometime.
Hi @Shruti
You may be trying to update the account enabled property of an administrator, the user administrator role will not be sufficient, and only a global administrator can change this property for an administrator in the tenant. If you want to change through the graph api, then you also need Directory.AccessAsUser.All delegated permissions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Shruti ,
I just wanted to check in and see if you had any other questions or if you were able to get the answer you needed?
If the information helped you, please Accept as answer so that others in the community with similar questions can more easily find a solution.
Otherwise, if you have any other questions, please let me know.
Is the target user an admin one? There are certain operations you cannot perform against an admin user, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#who-can-perform-sensitive-actions
Similarly, you cannot perform this operation against your own user account.
Hello @Shruti
The error you are receiving is expected if the user for which you are trying make this change has some kind of role assigned. To share some more insights, I would like to share that "Disable or enable user" (accountEnabled) is a sensitive property and User Administrator can only perform this action on some type of users.
Following table shares more information about this for complete information please refer following document: Who can perform sensitive actions.
I hope this helps to resolve your query.
----------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hi @Shruti
If you are trying to update the account enabled attribute of a normal user, then the User Administrator role is sufficient. However, if you want to update the account enabled attribute of an administrator, you must have the Global Administrator role.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 91%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVR%3C/text%3E%3C/svg%3E)
You must review the assigned groups and extend the "Role assignments allowed" column to check its value. If this setting is enabled for a group, deactivating the user via Graph API is not permitted. Just remove the common Group and it will work