Authorization_RequestDenied Errors for Password Reset, User Disable, and MFA Enforcement via Microsoft Graph API

Ade 0 Reputation points
2024-08-18T20:36:49.1166667+00:00

I am encountering "Authorization_RequestDenied" errors when attempting to perform password reset, user disable, and MFA enforcement operations using the Microsoft Graph API. Despite configuring the appropriate permissions and roles, the operations consistently fail with "Insufficient privileges to complete the operation."

Details of the Issues:

API Operations:

Password Reset:

Endpoint: https://graph.microsoft.com/v1.0/users/{user-id}
Method: PATCH
Request Body (JSON):
{
  "passwordProfile": {
    "password": "NewPassword123!",
    "forceChangePasswordNextSignIn": true
  }
}

User Disable:

Endpoint: https://graph.microsoft.com/v1.0/users/{user-id}
Method: PATCH
Request Body (JSON):
{
  "accountEnabled": false
}

MFA Enforcement:

Endpoint: https://graph.microsoft.com/v1.0/users/{user-id}/authentication/temporaryAccessPassMethods
Method: POST
Request Body (JSON):
{
  "lifetimeInMinutes": 60,
  "isUsableOnce": true
}

Roles Included in Access Token:

User.ReadWrite.All

Directory.ReadWrite.All

User.EnableDisableAccount.All

PrivilegedAccess.ReadWrite.AzureAD

PrivilegedAccess.ReadWrite.AzureResources

User.ManageIdentities.All

Steps Taken:

Admin consent has been granted for all necessary permissions to the app.

I can use the access token related to the app with GET requests.

Token includes the necessary roles and scopes, confirmed through JWT decoding.

Tested operations via Microsoft Graph Explorer and API calls, but the errors persist.

Sample error:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2024-08-18T19:31:13",
            "request-id": "711212-assasas-133332-122112",
            "client-request-id": "711212-assasas-133332-122112"
        }
    }
}

Summary:

Despite having the necessary roles and permissions, I continue to receive "Authorization_RequestDenied" errors when attempting password resets, disabling users, and enforcing MFA via the Microsoft Graph API. Assistance in diagnosing and resolving these issues is requested.

Desired Outcome:

Please provide guidance on any additional configurations or steps required to successfully execute these operations, or confirm if there are tenant-specific restrictions causing this issue.

Thank you for your support.


1 answer

  1. Yakun Huang-MSFT 4,555 Reputation points Microsoft Vendor
    2024-08-19T01:36:43.05+00:00

    Hi @Ade

    According to the documentation, the permissions you have granted are not enough to complete the above three operations. For the password reset and user disable operations, the delegated permission you need to grant is Directory.AccessAsUser.All.


    For MFA Enforcement operation, the delegated permission you need to grant is UserAuthenticationMethod.ReadWrite.All.


    For more details please see the following document link:

    https://learn.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http

    https://learn.microsoft.com/en-us/graph/api/authentication-post-temporaryaccesspassmethods?view=graph-rest-1.0&tabs=http

    Hope this helps.


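An added diagnostic for the mismatch the question and the answer describe (example code written for this page, not from either poster and not Microsoft's own tooling): it decodes the access token's claims locally and compares them with the delegated permissions the answer names for each of the three operations. It distinguishes the `scp` claim, which carries delegated scopes, from the `roles` claim, which carries application permissions, because the question lists its permissions under "Roles" while the permissions the answer names are delegated ones. The sample tokens are constructed (unsigned, placeholder signature) so the check runs offline; the permission names come from the answer, and the operation labels are this example's own shorthand.

```python
import base64
import json

# Permissions the answer names for each operation. These are delegated
# permissions, which a token carries in the space-separated "scp" claim;
# application permissions (app-only tokens) arrive in the "roles" claim.
# Operation labels are this example's own shorthand for the question's calls.
REQUIRED_DELEGATED = {
    "PATCH /users/{id} (passwordProfile)": {"Directory.AccessAsUser.All"},
    "PATCH /users/{id} (accountEnabled)": {"Directory.AccessAsUser.All"},
    "POST /users/{id}/authentication/temporaryAccessPassMethods": {
        "UserAuthenticationMethod.ReadWrite.All"
    },
}


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately not verified: this inspects a token the
    caller already holds, it does not decide whether to trust one.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_permissions(claims: dict) -> tuple[set, set]:
    """Split the token into delegated scopes (scp) and application roles (roles)."""
    delegated = set(claims.get("scp", "").split())
    application = set(claims.get("roles", []))
    return delegated, application


def check_operations(claims: dict) -> dict:
    """For each operation, report whether the token's delegated scopes cover
    the permissions the answer names, and which kind of token this is."""
    delegated, application = token_permissions(claims)
    if delegated:
        kind = "delegated"
    elif application:
        kind = "application"
    else:
        kind = "none"
    report = {}
    for operation, needed in REQUIRED_DELEGATED.items():
        missing = sorted(needed - delegated)
        report[operation] = {"ok": not missing, "missing_delegated": missing, "token_kind": kind}
    return report


def make_sample_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token for offline testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"typ": "JWT", "alg": "RS256"}  # placeholder header, not a real token
    return f"{enc(header)}.{enc(claims)}.constructed-signature"


# Constructed claims mirroring the question: an app-only token with roles only.
ASKER_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "roles": [
        "User.ReadWrite.All",
        "Directory.ReadWrite.All",
        "User.EnableDisableAccount.All",
        "PrivilegedAccess.ReadWrite.AzureAD",
        "PrivilegedAccess.ReadWrite.AzureResources",
        "User.ManageIdentities.All",
    ],
}

# Constructed claims for a delegated token carrying the scopes the answer names.
FIXED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read Directory.AccessAsUser.All UserAuthenticationMethod.ReadWrite.All",
}


if __name__ == "__main__":
    for label, claims in (("asker", ASKER_CLAIMS), ("fixed", FIXED_CLAIMS)):
        print(label)
        for op, result in check_operations(decode_claims(make_sample_jwt(claims))).items():
            status = "ok" if result["ok"] else f"missing {result['missing_delegated']}"
            print(f"  {op}: {status} ({result['token_kind']} token)")
```

Run against a real token, `decode_claims` takes the bearer string as-is; if the report says `application` for every operation, the token was issued with the client-credentials flow and the delegated scopes the answer names cannot appear in it, so the fix is on the consent and token-acquisition side rather than in the request bodies.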
