Options for Managing Admin User Profiles via Daemon Apps

Krissi Yan 1 Reputation point
2022-12-01T18:55:42.96+00:00

Hello!

I'm currently developing an automation using the Graph API Users endpoint to sync profile attributes from one tenant to another and it works fine for most our users. However, we come across permission errors (403) when performing the same update actions on admin users. According to the documentation, to do this "applications need to be assigned the Directory.AccessAsUser.All delegated permission." This automation should be run as a daemon app with zero user interaction, no login, and no front-end. Why isn't there an application-equivalent permission for this?

Can I get some other options on how to update these admin profiles or how to use delegated auth without the need for user interaction? I've looked into duct-tape solutions that could rely on a refresh token from a single, hard-coded 'interaction' - but apparently those can expire in various situations and would not be a good, sustainable solution for us.

Thanks in advance :)

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,532 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Krissi Yan 1 Reputation point
    2022-12-02T22:48:41.457+00:00

    As a semi-answer, dropping the patch to businessPhones, mail, and mobilePhone allowed the request to go through. I'm guessing because these are password reset factors. In either case, it would still be nice to sync these attributes for admins as well.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.