Certain operations against admin users require you to have additional scopes granted, i.e. you will need the Directory.AccessAsUser.All permission.
GraphAPI - Authorization_RequestDenied when attempting to delete/restore privileged user
Hi,
I receive error code Authorization_RequestDenied when attempting to POST a microsoft.graph.restore request, but only when the target user (being restored or deleted) has admin roles assigned.
POST https://graph.microsoft.com/v1.0/directory/deletedItems/{object-id-of-deleted-user-which-has-admin-roles}/microsoft.graph.restore
{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2023-01-05T10:38:10",
            "request-id": "b35bba04-ad29-406c-a595-31f6985958e8",
            "client-request-id": "93a153a8-630a-6c0e-6257-00fac9cbe015"
        }
    }
}
- User.ReadWrite.All (delegated) is present in token scp
- Executing user has Privileged Authentication Administrator role assigned
- Target user has Service Support Administrator role
- I can perform this operation fine in MSOnline PowerShell
Edit: apologies, posted the incorrect error; updated now.
Bhanu Kiran 3,611 Reputation points
2023-01-05T11:15:17.347+00:00
Hi @Chris Lemon,
From the error message, it seems like you might be using the wrong HTTP method to query this API. Could you please check and validate that you are using the POST method as instructed in the document?
Also, could you please decode your token using jwt.ms and validate the scopes that are being used?
Hope this helps.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
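The scope check suggested in the answer above can also be done locally rather than by pasting the token into a web page. This is an added example, not part of the original thread: the function names are hypothetical, the sample token is constructed and unsigned, and the signature is not verified because the goal is only to read the `scp` claim of your own token.

```python
import base64
import json

# Scope the page says is needed for certain operations against admin users.
ADMIN_TARGET_SCOPE = "Directory.AccessAsUser.All"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(jwt: str) -> set[str]:
    """Return the delegated scopes (scp claim) of a compact JWT access token.

    Diagnostic only: the signature segment is ignored, not validated.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    # Delegated tokens carry scopes as one space-separated string in 'scp';
    # app-only tokens have no 'scp' (they use 'roles'), so this yields an empty set.
    return set(claims.get("scp", "").split())


def missing_scopes(jwt: str, required: list[str]) -> list[str]:
    """List the required scopes that are absent from the token, sorted."""
    return sorted(set(required) - token_scopes(jwt))


def make_sample_token(scp: str) -> str:
    """Build a constructed, unsigned token for the demo (not a real credential)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'scp': scp})}.sig"


if __name__ == "__main__":
    # Mirrors the question: User.ReadWrite.All is present, the admin scope is not.
    token = make_sample_token("User.ReadWrite.All openid profile")
    needed = ["User.ReadWrite.All", ADMIN_TARGET_SCOPE]
    gap = missing_scopes(token, needed)
    print("scopes in token:", sorted(token_scopes(token)))
    print("missing for admin-targeted restore/delete:", gap or "none")
```
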