GraphAPI - Authorization_RequestDenied when attempting to delete/restore privileged user

Chris Lemon 31 Reputation points
2023-01-05T10:43:39.737+00:00

Hi,

I receive error code Authorization_RequestDenied when attempting to POST a microsoft.graph.restore request, but only when the target user (being restored or deleted) has admin roles assigned.

POST https://graph.microsoft.com/v1.0/directory/deletedItems/{object-id-of-deleted-user-which-has-admin-roles}/microsoft.graph.restore

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2023-01-05T10:38:10",
            "request-id": "b35bba04-ad29-406c-a595-31f6985958e8",
            "client-request-id": "93a153a8-630a-6c0e-6257-00fac9cbe015"
        }
    }
}

  • User.ReadWrite.All (delegated) is present in token scp
  • Executing user has Privileged Authentication Administrator role assigned
  • Target user has Service Support Administrator role
  • I can perform this operation fine in MSOnline PowerShell

Edit: apologies, I posted the incorrect error; it is updated now.

Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.

Accepted answer
  1. Vasil Michev 111.8K Reputation points MVP
    2023-01-05T11:26:50.367+00:00

    Certain operations against admin users require you to have additional scopes granted, i.e. you will need the Directory.AccessAsUser.All permission.

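A local pre-flight check that reflects the accepted answer: decode the access token's scp claim (the same thing jwt.ms shows) and report which delegated scopes are missing for a restore whose target holds admin roles. This is an added example, not code from the question or the answers; the sample token is constructed and unsigned, and the scope names are the two named on this page.

```python
import base64
import json

# Scopes named on this page: the one the asker already had, and the one the
# accepted answer says is additionally required for privileged targets.
SCOPE_ANY_USER = "User.ReadWrite.All"
SCOPE_PRIVILEGED_TARGET = "Directory.AccessAsUser.All"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_scopes(token):
    """Return the delegated scopes (scp claim) of an access token.

    Decode only, no signature verification: this is a diagnostic run on a
    token you already hold, not an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("scp", "").split())


def missing_scopes(token, target_is_privileged):
    """Scopes the token lacks for deleting/restoring the given kind of user."""
    needed = {SCOPE_ANY_USER}
    if target_is_privileged:
        needed.add(SCOPE_PRIVILEGED_TARGET)
    return sorted(needed - token_scopes(token))


def is_privilege_error(response_body):
    """True when a Graph error body carries the Authorization_RequestDenied code."""
    err = json.loads(response_body).get("error", {})
    return err.get("code") == "Authorization_RequestDenied"


def _unsigned_token(claims):
    # Constructed sample token (alg "none", empty signature) for offline use.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))


# Constructed token matching the asker's situation: User.ReadWrite.All only.
SAMPLE_TOKEN = _unsigned_token({"scp": "User.ReadWrite.All openid profile"})
```

Run `missing_scopes(SAMPLE_TOKEN, True)` to see the scope the accepted answer says to add; an empty list for a privileged target means the token already carries both scopes.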


  1. Bhanu Kiran 3,611 Reputation points
    2023-01-05T11:15:17.347+00:00

    Hi @Chris Lemon ,

    From the error message, it seems like you might be using the wrong HTTP method to query this API. Could you please check and validate if you are using POST method as instructed in the document?

    Also, could you please decode your token using jwt.ms and validate the scopes that are being used?

    Hope this helps.
    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
