Options for Managing Admin User Profiles via Daemon Apps
Hello!
I'm currently developing an automation using the Graph API Users endpoint to sync profile attributes from one tenant to another, and it works fine for most of our users. However, we come across permission errors (403) when performing the same update actions on admin users. According to the documentation, to do this "applications need to be assigned the Directory.AccessAsUser.All delegated permission." This automation should be run as a daemon app with zero user interaction, no login, and no front-end. Why isn't there an application-equivalent permission for this?
Can I get some other options on how to update these admin profiles, or how to use delegated auth without the need for user interaction? I've looked into duct-tape solutions that could rely on a refresh token from a single, hard-coded 'interaction', but apparently those can expire in various situations and would not be a good, sustainable solution for us.
Thanks in advance :)
As a semi-answer, dropping the patch to businessPhones, mail, and mobilePhone allowed the request to go through. I'm guessing that is because these are password reset factors. In either case, it would still be nice to sync these attributes for admins as well.
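The workaround described in this thread, written up as an added example (not the poster's own automation and not Microsoft's code): an app-only sync client that PATCHes `/users/{id}`, and, if Graph answers 403, retries once with `businessPhones`, `mail` and `mobilePhone` removed from the body, recording which attributes were skipped so the gap for admin accounts shows up in the run report instead of failing or disappearing silently. The client-credentials token request and the real HTTP transport use only the standard library; the `make_fake_patcher` stand-in, the sample profile and the `Authorization_RequestDenied` body it returns are constructed for offline use and are assumptions about what the tenant would do, not captured responses.

```python
"""Cross-tenant profile sync with an app-only Graph client (added example, not the original poster's code)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"

# Per the thread, removing these from the PATCH body let the admin update through.
PRIVILEGED_ATTRS = frozenset({"businessPhones", "mail", "mobilePhone"})

Payload = Dict[str, Any]
Patcher = Callable[[str, Payload], None]


class GraphError(Exception):
    """HTTP error from Graph, keeping the status so callers can branch on 403."""

    def __init__(self, status: int, body: str) -> None:
        super().__init__(f"Graph returned {status}: {body[:200]}")
        self.status = status
        self.body = body


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant for a daemon app: no user sign-in, no refresh token to expire."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", data=form, method="POST")
    with urllib.request.urlopen(req) as resp:  # network call; not exercised offline
        return json.load(resp)["access_token"]


def make_http_patcher(token: str) -> Patcher:
    """Real transport: PATCH /users/{id} with the bearer token from get_app_token."""
    def patch(user_id: str, body: Payload) -> None:
        req = urllib.request.Request(
            f"{GRAPH}/users/{urllib.parse.quote(user_id)}",
            data=json.dumps(body).encode(),
            method="PATCH",
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req):
                return  # Graph answers 204 No Content on success
        except urllib.error.HTTPError as err:
            raise GraphError(err.code, err.read().decode(errors="replace")) from err
    return patch


def split_patch(payload: Payload) -> Tuple[Payload, Payload]:
    """Separate the attributes that app-only auth could not update on admin users."""
    ordinary = {k: v for k, v in payload.items() if k not in PRIVILEGED_ATTRS}
    privileged = {k: v for k, v in payload.items() if k in PRIVILEGED_ATTRS}
    return ordinary, privileged


def sync_user(user_id: str, payload: Payload, patch: Patcher) -> Dict[str, Any]:
    """Apply the full patch; on 403 retry once without the privileged attributes."""
    try:
        patch(user_id, payload)
        return {"user": user_id, "status": "full", "skipped": []}
    except GraphError as first:
        if first.status != 403:
            raise
        ordinary, privileged = split_patch(payload)
        if not privileged or not ordinary:
            raise  # nothing to drop, or nothing left to send: surface the original 403
        patch(user_id, ordinary)  # a second 403 here is a genuine failure; let it propagate
        return {"user": user_id, "status": "partial", "skipped": sorted(privileged)}


def make_fake_patcher(admin_ids: set) -> Tuple[Patcher, Dict[str, Payload]]:
    """Constructed stand-in for Graph: admins reject bodies carrying privileged attributes."""
    applied: Dict[str, Payload] = {}

    def patch(user_id: str, body: Payload) -> None:
        if user_id in admin_ids and PRIVILEGED_ATTRS.intersection(body):
            raise GraphError(403, '{"error":{"code":"Authorization_RequestDenied"}}')  # constructed
        applied.setdefault(user_id, {}).update(body)
    return patch, applied


if __name__ == "__main__":
    fake_patch, state = make_fake_patcher({"admin-1"})
    profile = {"displayName": "Alice Example", "jobTitle": "CISO", "mail": "alice@example.com",
               "mobilePhone": "+1 555 0100", "businessPhones": ["+1 555 0101"]}
    for uid in ("user-1", "admin-1"):
        print(sync_user(uid, profile, fake_patch))
```

For a real run, swap `make_fake_patcher` for `make_http_patcher(get_app_token(...))`; the sync logic is unchanged. Note what this does and does not buy you: ordinary attributes still reach admin accounts under application permissions, but the three skipped attributes are reported, not synced, which is exactly the remaining gap the semi-answer points out.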