403 Forbidden Authorization_Request Denied when updating AD user properties

Question

403 Forbidden Authorization_Request Denied when updating AD user properties

Rob Garden 0

I have an automation runbook that updates AD user properties like mobile phone etc. I do not have any issues with non-administrator user changes, but anyone that is a O365 admin (and any level of admin) I am unable to update their mobile phone. I found the following and wanted to see if there was a workaround to this limitation (specifically the 2nd bullet). The 2nd point below seemed to suggest that if I added one of the listed roles to those admin users it would work .. but I tried and there was no change.

User's image

Source: https://learn.microsoft.com/en-us/graph/permissions-reference

The Directory.ReadWrite.All permission

No rights to reset user passwords.
Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.
No rights to delete resources (including users or groups).
Specifically excludes create or update for resources not listed above. This includes: application, oAuth2PermissionGrant, appRoleAssignment, device, servicePrincipal, organization, domains, and so on.

Appreciate any guidance.

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-08-23T09:56:14.85+00:00

@Rob Garden

Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-08-28T20:47:33.9633333+00:00

@Rob Garden

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Your answer

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-08-23T09:56:14.85+00:00

@Rob Garden

Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-08-28T20:47:33.9633333+00:00

@Rob Garden

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

CarlZhao-MSFT 46,376

Hi @Rob Garden

Normal users certainly can't update the administrator's mobilePhone attribute, which is a sensitive attribute, and updating this attribute is a sensitive action, and only administrators can perform sensitive actions.

User's image

If you want to change the admin's mobilePhone attribute, the calling user/app must have an admin role with higher privileges than the target admin. The following image shows higher privilege admin roles that can perform sensitive actions on admins, and you can grant these roles to your users/apps based on the index to change the sensitive attributes of the target admin.

User's image

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Rob Garden 0 Reputation points

2023-08-23T14:10:39.37+00:00

Appreciate the assistance!

This is an automation account using a system identity. The following are the current Azure Role Assignments given to that identity. Is there perhaps another role that I missing in order to accomplish this task? I have no problems creating users or editing non admins.

I went to add Directory.AccessASUser.All using the same method I use to add other app role assignments (like User.ReadWrite.All) but it appears my syntax isn't acceptable. Is there anything here that jumps out to you as wrong?
CarlZhao-MSFT 46,376 Reputation points

2023-08-24T06:16:24.5266667+00:00
Hi @Rob Garden

The role here refers to the directory role and not the appRole. You should grant the administrator role to the calling principal (user/app) connecting to Azure AD, so that you can change sensitive attributes of other administrators.

#Log in as an administrator with higher privileges. Connect-AzureAD
Rob Garden 0 Reputation points

2023-08-25T05:19:16.0666667+00:00

So what I ended up doing was assigning the runbook's service account to Privileged Authentication Administrator under Roles and Administrators. Doing that cleared all errors.
CarlZhao-MSFT 46,376 Reputation points

2023-08-25T05:41:49.01+00:00

Hi @Rob Garden

Great to know your error has been cleared up. If my answer helps you, don't forget to click "Accept Answer", it may help other members of the community with similar problems, thanks.
CarlZhao-MSFT 46,376 Reputation points

2023-08-28T02:27:43.9266667+00:00

Hi @Rob Garden

Please kindly consider this comment as a warm follow up, I want to know if my answer is helpful. If the answer is helpful, please click "Accept Answer" and kindly upvote it. By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.

Share via

403 Forbidden Authorization_Request Denied when updating AD user properties

1 answer

Your answer