Can't patch user identities despite permissions granted

Anna 21 Reputation points
2022-12-20T09:29:04.57+00:00

I have an app registered in Azure AD and granted it the
User.ManageIdentities.All permission.
I try to update a user's identities with a PATCH request:

PATCH https://graph.microsoft.com/v1.0/<tenant-id>/users/<user-id>

I added a Bearer token to the header
and send a JSON request body:

{
  "identities": [
    {
      "signInType": "emailAddress",
      "issuer": "<my-domain-name>",
      "issuerAssignedId": "<email-address>"
    },
    <other identities as received with GET request>
  ]
}

Despite the granted permissions, I keep getting:

"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",

What am I missing?


1 answer

    Alistair Ross 7,101 Reputation points Microsoft Employee
    2022-12-20T12:01:53.257+00:00

    I am not an Azure AD expert, but I've been doing some digging and am waiting to ask a colleague a question. With my testing I can confirm that in a normal Azure AD tenant (not B2C):

    • Getting a user's identities and updating them with the same details does not work when using the permission User.ManageIdentities.All
    • Getting a user's identities and updating them with the same details does work when using the permission User.ReadWrite.All

    I did this test to see if it would still deny me, but it doesn't. I don't know what else needs to be done to make the permissions more restrictive at this time.

    I think this is a bug and have raised it as such. In the meantime, I would suggest you use the permission User.ReadWrite.All.
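Added example (Python, written for this page; it is not code from the question or the answer above): a small client that (1) decodes the `roles` claim of the app-only bearer token locally so you can see which application permissions the token really carries before blaming the API, (2) builds the PATCH body so that the new emailAddress identity is appended to the identities already on the user (PATCH replaces the whole `identities` collection, so omitting the existing entries would drop them), and (3) sends the request to the documented v1.0 path `/users/{id}` and surfaces the Graph error body on a 403. Everything network-facing is injectable: `demo_token`, the tenant domain, the user id and `denying_opener` are constructed fixtures that reproduce the `Authorization_RequestDenied` response from the question, so the whole flow runs offline. Only the standard library is used.

```python
# Added example, not from the original question or answer.
# Helpers for a Graph PATCH that adds a sign-in identity without dropping the
# existing ones, plus a local check of the token's application permissions.
import base64
import io
import json
import urllib.error
import urllib.request

GRAPH_V1 = "https://graph.microsoft.com/v1.0"


def token_roles(bearer_token):
    """Return the sorted 'roles' claim of an app-only access token.
    The signature is NOT verified here; this is a local sanity check only.
    Application permissions (e.g. User.ReadWrite.All) appear in 'roles'
    only after admin consent has been granted to the app."""
    payload_b64 = bearer_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return sorted(claims.get("roles", []))


def merged_identities(existing, sign_in_type, issuer, issuer_assigned_id):
    """PATCH replaces the entire 'identities' collection, so the body must carry
    every identity that should survive plus the new one. An identical entry
    already present is not duplicated. Inputs are copied, not mutated."""
    new = {"signInType": sign_in_type, "issuer": issuer,
           "issuerAssignedId": issuer_assigned_id}
    key = (sign_in_type, issuer, issuer_assigned_id)
    copies = [dict(i) for i in existing]
    for ident in copies:
        if (ident.get("signInType"), ident.get("issuer"),
                ident.get("issuerAssignedId")) == key:
            return copies
    return copies + [new]


def build_patch_request(bearer_token, user_id, identities):
    """The documented Graph v1.0 path is /users/{id}; it has no tenant segment."""
    body = json.dumps({"identities": identities}).encode()
    return urllib.request.Request(
        f"{GRAPH_V1}/users/{user_id}",
        data=body,
        method="PATCH",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )


def parse_graph_error(body_bytes):
    """Extract (code, message) from a Graph error body such as
    {"error": {"code": "...", "message": "..."}}; fall back to raw text."""
    try:
        err = json.loads(body_bytes).get("error", {})
    except (ValueError, AttributeError):
        return ("", body_bytes.decode(errors="replace"))
    return (err.get("code", ""), err.get("message", ""))


def patch_identities(bearer_token, user_id, identities,
                     opener=urllib.request.urlopen):
    """Send the PATCH. Returns (http_status, error_code, error_message);
    a successful update is 204 with empty error fields.
    `opener` is injectable so the flow can be exercised without network access."""
    req = build_patch_request(bearer_token, user_id, identities)
    try:
        with opener(req) as resp:
            return (resp.status, "", "")
    except urllib.error.HTTPError as e:
        code, msg = parse_graph_error(e.read())
        return (e.code, code, msg)


# ---- constructed offline fixtures (demo only, not real Entra data) ----
def demo_token(roles):
    """Unsigned JWT carrying the given 'roles' claim; stands in for a real token."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'roles': roles})}.sig"


def denying_opener(req):
    """Fake urlopen that answers 403 with the error body the question reports."""
    body = json.dumps({"error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation."}}).encode()
    raise urllib.error.HTTPError(req.full_url, 403, "Forbidden", {}, io.BytesIO(body))


if __name__ == "__main__":
    tok = demo_token(["User.ManageIdentities.All"])  # constructed
    print("roles in token:", token_roles(tok))
    existing = [{"signInType": "userPrincipalName",            # constructed
                 "issuer": "contoso.onmicrosoft.com",
                 "issuerAssignedId": "alice@contoso.onmicrosoft.com"}]
    body = merged_identities(existing, "emailAddress",
                             "contoso.onmicrosoft.com", "alice@example.com")
    print(patch_identities(tok, "00000000-0000-0000-0000-000000000000",
                           body, opener=denying_opener))
```

Against a real tenant, drop the `opener=` argument so `urllib.request.urlopen` is used, and compare `token_roles()` with the permission you expect: if the role is missing from the token, the problem is consent on the app registration rather than the request body.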