Update-MgUser 403: Insufficient privileges to complete the operation

Jia Tan 0 Reputation points Microsoft Employee
2024-05-27T10:05:53.33+00:00

https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http#permissions

As described there, the least privileged permission is "User.ManageIdentities.All" for app permission. But I tested with the command: `Update-MgUser -UserId jiatan@evait.onmicrosoft.com -DisplayName "Tan Jia"`

A 403 "Insufficient privileges to complete the operation" was returned.

I ran Connect-MgGraph with app-only authentication: https://learn.microsoft.com/en-us/powershell/microsoftgraph/app-only?view=graph-powershell-1.0

This action can be completed with the app permission "User.ReadWrite.All".

Is User.ManageIdentities.All really the least privileged permission for updating user properties?


2 answers

  1. Vasil Michev 98,201 Reputation points MVP
    2024-05-27T17:02:32.95+00:00

    I don't believe the User.ManageIdentities.All permission can be used for this operation. According to its description, it's only relevant for the identities property: https://learn.microsoft.com/en-us/graph/permissions-reference#usermanageidentitiesall


  2. CarlZhao-MSFT 38,936 Reputation points
    2024-05-28T03:08:28.7066667+00:00

    Hi @Jia Tan

    The User.ManageIdentities.All permission is a fine-grained least privilege permission that can only be used to manage the user's identities property, and the displayName property is obviously not included in this list.

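A pre-flight check for the situation in this thread, added here as an example and not posted by any participant: it reads the application permissions in the current app-only session and compares them with the permission the thread associates with each property before calling `Update-MgUser`. The function name `Test-UserUpdateRole`, the `$requiredRole` map and the placeholder UPN are illustrative assumptions, and the map covers only the two properties discussed above.

```powershell
# Added example, not from the thread. Run inside an app-only session
# (Connect-MgGraph with client ID, tenant ID and certificate).

# Property-to-permission map limited to what this thread establishes:
#   identities  -> User.ManageIdentities.All (per both answers)
#   displayName -> User.ReadWrite.All        (per the asker's test)
$requiredRole = @{
    identities  = 'User.ManageIdentities.All'
    displayName = 'User.ReadWrite.All'
}

function Test-UserUpdateRole {
    param(
        [Parameter(Mandatory)] [string] $Property,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $GrantedRoles
    )
    if (-not $requiredRole.ContainsKey($Property)) {
        # Do not guess: anything else needs the Graph permissions reference.
        throw "No mapping for '$Property'; check the permissions reference."
    }
    # True when the permission the thread names for this property is granted.
    return $GrantedRoles -contains $requiredRole[$Property]
}

$ctx = Get-MgContext
if ($null -eq $ctx -or $ctx.AuthType -ne 'AppOnly') {
    throw 'Expected an app-only Microsoft Graph session.'
}

# Placeholder UPN (assumption); substitute a test user in your tenant.
$userId = 'user@contoso.onmicrosoft.com'

# In an app-only session, Scopes lists the application permissions in the token.
if (Test-UserUpdateRole -Property 'displayName' -GrantedRoles $ctx.Scopes) {
    Update-MgUser -UserId $userId -DisplayName 'Tan Jia'
} else {
    $missing = $requiredRole['displayName']
    Write-Warning "Token lacks $missing, the permission the thread found sufficient for displayName."
    Write-Warning "Granted: $($ctx.Scopes -join ', ')"
}
```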