Share via

Not able to disable the user despite User Administrator role.

Shruti 1 Reputation point
2022-11-17T08:57:40.413+00:00

I am not able to disable user even after having User Administrator role. Getting this error "Insufficient permissions to edit user properties "
I am getting the same issue when calling the graph API.
https://graph.microsoft.com/v1.0/users/a19d6419-f188-4bfd-bd9e-c9335ddbf3ec

Request Body :
{
"AccountEnabled": false
}

261318-image.png

Microsoft Security | Microsoft Entra | Microsoft Entra ID

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vasil Michev 123.6K Reputation points MVP Volunteer Moderator
    2022-11-17T09:37:39.89+00:00

    Is the target user an admin one? There are certain operations you cannot perform against an admin user, as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#who-can-perform-sensitive-actions
    Similarly, you cannot perform this operation against your own user account.

    0 comments
  2. Harpreet Singh Matharoo 8,416 Reputation points Microsoft Employee Moderator
    2022-11-17T09:41:55.003+00:00

    Hello @Shruti

    The error you are receiving is expected if the user for which you are trying make this change has some kind of role assigned. To share some more insights, I would like to share that "Disable or enable user" (accountEnabled) is a sensitive property and User Administrator can only perform this action on some type of users.

    Following table shares more information about this for complete information please refer following document: Who can perform sensitive actions.

    261393-image.png

    I hope this helps to resolve your query.

    ----------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments
  3. CarlZhao-MSFT 46,406 Reputation points
    2022-11-17T10:04:36.157+00:00

    Hi @Shruti

    If you are trying to update the account enabled attribute of a normal user, then the User Administrator role is sufficient. However, if you want to update the account enabled attribute of an administrator, you must have the Global Administrator role.

    261432-image.png

    261441-image.png

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  4. Valerius Reitz 0 Reputation points
    2025-02-03T12:48:39.7+00:00

    You must review the assigned groups and extend the "Role assignments allowed" column to check its value. If this setting is enabled for a group, deactivating the user via Graph API is not permitted. Just remove the common Group and it will work

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.