I am encountering "Authorization_RequestDenied" errors when attempting to perform password reset, user disable, and MFA enforcement operations using the Microsoft Graph API. Despite configuring the appropriate permissions and roles, the operations consistently fail with "Insufficient privileges to complete the operation."
Details of the Issues:
API Operations:
Password Reset:
Endpoint: https://graph.microsoft.com/v1.0/users/{user-id}
Method: PATCH
Request Body:
```json
{
  "passwordProfile": {
    "password": "NewPassword123!",
    "forceChangePasswordNextSignIn": true
  }
}
```
User Disable:
Endpoint: https://graph.microsoft.com/v1.0/users/{user-id}
Method: PATCH
Request Body:
```json
{
  "accountEnabled": false
}
```
MFA Enforcement:
Endpoint: https://graph.microsoft.com/v1.0/users/{user-id}/authentication/temporaryAccessPassMethods
Method: POST
Request Body:
```json
{
  "lifetimeInMinutes": 60,
  "isUsableOnce": true
}
```
Roles Included in Access Token:
User.ReadWrite.All
Directory.ReadWrite.All
User.EnableDisableAccount.All
PrivilegedAccess.ReadWrite.AzureAD
PrivilegedAccess.ReadWrite.AzureResources
User.ManageIdentities.All
Steps Taken:
Admin consent has been granted for all necessary permissions to the app.
I can use the access token related to the app with GET requests.
Token includes the necessary roles and scopes, confirmed through JWT decoding.
Tested operations via Microsoft Graph Explorer and API calls, but the errors persist.
Sample error:
```json
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2024-08-18T19:31:13",
      "request-id": "711212-assasas-133332-122112",
      "client-request-id": "711212-assasas-133332-122112"
    }
  }
}
```
Summary:
Despite having the necessary roles and permissions, I continue to receive "Authorization_RequestDenied" errors when attempting password resets, disabling users, and enforcing MFA via the Microsoft Graph API. Assistance in diagnosing and resolving these issues is requested.
Desired Outcome:
Please provide guidance on any additional configurations or steps required to successfully execute these operations, or confirm if there are tenant-specific restrictions causing this issue.
Thank you for your support.
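As an added diagnostic example (not part of the post above), the following Python script decodes an app-only Microsoft Graph access token without validating its signature and compares its `roles` claim against the application permissions each of the three operations needs, flagging the operations that additionally require a directory role on the service principal, which a token cannot show. The required-permission sets and the directory-role note are taken from the Microsoft Graph permission reference and are an assumption to be checked against current documentation; the sample token is constructed inline and carries the roles listed in the post.

```python
import base64
import json

# App permissions that satisfy each operation in the post (any one set suffices),
# per the Microsoft Graph permission reference; assumption: check current docs.
REQUIRED_APP_PERMISSIONS = {
    "reset password": [{"User.ReadWrite.All"}, {"Directory.ReadWrite.All"}],
    "disable account": [{"User.EnableDisableAccount.All", "User.Read.All"},
                        {"User.ReadWrite.All"}],
    "create TAP": [{"UserAuthenticationMethod.ReadWrite.All"}],
}
# App-only calls for these also need a Microsoft Entra directory role assigned to
# the service principal, which the token cannot show.
NEEDS_DIRECTORY_ROLE = {"reset password", "create TAP"}

def _b64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Parse the JWT payload WITHOUT verifying the signature (offline triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url(parts[1]))

def triage(token: str) -> dict:
    """Report which operations the token's application permissions cover."""
    claims = decode_claims(token)
    if "scp" in claims:  # delegated token: effective rights come from the signed-in user
        return {"token_type": "delegated", "operations": {}}
    granted = set(claims.get("roles", []))  # app-only permissions live in 'roles'
    report = {"token_type": "app-only", "operations": {}}
    for op, alternatives in REQUIRED_APP_PERMISSIONS.items():
        if any(alt <= granted for alt in alternatives):
            note = "permission present"
            if op in NEEDS_DIRECTORY_ROLE:
                note += "; also requires a directory role on the service principal"
        else:
            note = "missing: " + " or ".join(" + ".join(sorted(a)) for a in alternatives)
        report["operations"][op] = note
    return report

def _enc(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token carrying the roles listed in the post.
SAMPLE_TOKEN = ".".join([_enc({"alg": "RS256", "typ": "JWT"}), _enc({
    "aud": "https://graph.microsoft.com", "roles": [
        "User.ReadWrite.All", "Directory.ReadWrite.All", "User.EnableDisableAccount.All",
        "PrivilegedAccess.ReadWrite.AzureAD", "User.ManageIdentities.All"]}), "dummysig"])
```

Running `triage(SAMPLE_TOKEN)` on the constructed token reports the TAP operation as missing `UserAuthenticationMethod.ReadWrite.All`, while the password reset shows its permission present but dependent on a directory role assignment.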