This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 24%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPF%3C/text%3E%3C/svg%3E)
Hi all,
I am using powershell to update user properties (like Jobrole, department ...) from our HR system once a day. Powershell is authenticationg to MsGraph using an app and ApplicationOnly permissions.
This works fine for all users but a bunch of privileged user, who do have some admin permissions (in this case to invite guest which we have forbidden for the general user).
Everytime I want to update thos users, I get a 403 Error. What permissions priviledges to I have to give to update those users:
Error:
Line |
95 | $UpdateMgUserResult = Update-MgUser @params
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Insufficient privileges to complete the operation. Status: 403 (Forbidden) ErrorCode: Authorization_RequestDenied Date: 2024-03-07T20:33:08 Headers: Cache-Control : no-cache Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000 request-id
| : 1c6785e4-79ef-4356-b75e-632884632602 client-request-id : fd284b72-2417-475a-a14b-a39164716b7a x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF0002D7E9"}} x-ms-resource-unit : 1 Date
| : Thu, 07 Mar 2024 20:33:08 GMT
For the ability to update privileged users: ( Consider adding the app to the User Admin role for example)
https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http
I can only assign those roles to users, but not to applications. As I thought I missed something basic I googled quite a while after assigning these "user admin roles" to an app, but I found no way for doing this. As far as my understanding goes, I can only grant privileges to apps via API-Permissions. If there is another way, I am looking forward to the explanation.
Hi, You can assign service principals to elevated roles. I have many like that
Thanks for that hint. I was not aware you just need to put in the Full name of the app in the Entra admin console for it to be assignable. Thanks a lot!