Authorization_RequestDenied: "Insufficient Privileges" When Attempting to Update User Password via Microsoft Graph API (PATCH)

Question

Authorization_RequestDenied: "Insufficient Privileges" When Attempting to Update User Password via Microsoft Graph API (PATCH)

Ray Garg 20

I have a few clarifications and additional context to provide:

About the Issue:

My app already has User.ReadWrite.All and Directory.ReadWrite.All permissions granted with admin consent.
- The app is performing the operation with application permissions, not delegated permissions.
  - The user is a member of the directory and was successfully created during a migration process using a random password.
  Operation Details:
```
    - I'm attempting to update the user's password via a PATCH request to `https://graph.microsoft.com/v1.0/users/{user-id}`.
    
    
       - The request body contains the `passwordProfile` object with the new password and `forceChangePasswordNextSignIn` set to `false`.
    ```1. **Your Suggestion:**
```
- Roles are not currently available in azure ad b2c to be assigned to app registrations. therefore i cannot follow your previous suggestion of providing the user.admin role to the app registration in azure ad b2c tenant.
- Is there another prerequisite or configuration required to make this work?

Additional Notes:

The error is Authorization_RequestDenied, stating "Insufficient privileges to complete the operation."
- There are no conditional access policies or other restrictions that would interfere with this operation. here is the error message i see in the server logs with the request id and client request id: Unexpected Exception: Graph API Error: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-12-10T16:44:09","request-id":"db7efa4e-cddb-4535-b5fe-fa00b2fa3e14","client-request-id":"db7efa4e-cddb-4535-b5fe-fa00b2fa3e14"}}}

Ray Garg 20 Reputation points

2024-12-11T18:10:49.71+00:00

here is the error message ith the request id and client request id:

Unexpected Exception: Graph API Error: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-12-10T16:44:09","request-id":"db7efa4e-cddb-4535-b5fe-fa00b2fa3e14","client-request-id":"db7efa4e-cddb-4535-b5fe-fa00b2fa3e14"}}}
Anonymous

2024-12-12T01:19:50.88+00:00

Please share your parsing token information in jwt.ms.
Ray Garg 20 Reputation points

2024-12-12T18:10:52.9433333+00:00

@Anonymous Thank you for your response. ive reviewed the bearer token being sent in the request and here are the details of the decoded token using jwt.ms.

{ "typ": "JWT", "nonce": "zPVDxQ7EY5Ugicf_eJPxzbfM-l5cemsTbn-RtZ7xObM", "alg": "RS256", "x5t": "zxeg2WONpTkwN5GmeYcuTdtC6J0", "kid": "zxeg2WONpTkwN5GmeYcuTdtC6J0" }.{ "aud": "https://graph.microsoft.com/", "iss": "https://sts.windows.net/ff8913f4-cf4e-44f8-9c51-b0c24fce09bc/", "iat": 1734026408, "nbf": 1734026408, "exp": 1734030308, "aio": "k2BgYFCruFSb06atdaz4rlnvrewZAA==", "app_displayname": "JITv1MigrationAPI", "appid": "1c4b2ea7-7995-4be7-be7c-e55894e24f37", "appidacr": "1", "idp": "https://sts.windows.net/ff8913f4-cf4e-44f8-9c51-b0c24fce09bc/", "idtyp": "app", "oid": "1ed7b829-b252-4e5a-94c2-bce779e3417d", "rh": "1.AR4A9BOJ_07P-EScUbDCT84JvAMAAAAAAAAAwAAAAAAAAABuAQAeAA.", "roles": [ "Policy.ReadWrite.ConditionalAccess", "UserAuthenticationMethod.Read.All", "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All", "Directory.ReadWrite.All", "DelegatedAdminRelationship.ReadWrite.All", "Policy.Read.All" ], "sub": "1ed7b829-b252-4e5a-94c2-bce779e3417d", "tenant_region_scope": "NA", "tid": "ff8913f4-cf4e-44f8-9c51-b0c24fce09bc", "uti": "Vr2GuhVPfUShq_pYPAILAA", "ver": "1.0", "wids": [ "0997a1d0-0d1d-4acb-b408-d5ca73121e90" ], "xms_idrel": "7 6", "xms_tcdt": 1728598145 }.[Signature]

the token appears to have necessary permissions including user.readwrite.all and directory.readwrite.all. however i am getting that authorization request denied insufficient privileges to complete the operation error when trying to send apatch request to update the users password in azure ad b2c directory.

Accepted answer

0 additional answers

Your answer

Ray Garg 20 Reputation points

2024-12-11T18:10:49.71+00:00

here is the error message ith the request id and client request id:

Unexpected Exception: Graph API Error: {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2024-12-10T16:44:09","request-id":"db7efa4e-cddb-4535-b5fe-fa00b2fa3e14","client-request-id":"db7efa4e-cddb-4535-b5fe-fa00b2fa3e14"}}}
Anonymous

2024-12-12T01:19:50.88+00:00

Please share your parsing token information in jwt.ms.
Ray Garg 20 Reputation points

2024-12-12T18:10:52.9433333+00:00

@Anonymous Thank you for your response. ive reviewed the bearer token being sent in the request and here are the details of the decoded token using jwt.ms.

{ "typ": "JWT", "nonce": "zPVDxQ7EY5Ugicf_eJPxzbfM-l5cemsTbn-RtZ7xObM", "alg": "RS256", "x5t": "zxeg2WONpTkwN5GmeYcuTdtC6J0", "kid": "zxeg2WONpTkwN5GmeYcuTdtC6J0" }.{ "aud": "https://graph.microsoft.com/", "iss": "https://sts.windows.net/ff8913f4-cf4e-44f8-9c51-b0c24fce09bc/", "iat": 1734026408, "nbf": 1734026408, "exp": 1734030308, "aio": "k2BgYFCruFSb06atdaz4rlnvrewZAA==", "app_displayname": "JITv1MigrationAPI", "appid": "1c4b2ea7-7995-4be7-be7c-e55894e24f37", "appidacr": "1", "idp": "https://sts.windows.net/ff8913f4-cf4e-44f8-9c51-b0c24fce09bc/", "idtyp": "app", "oid": "1ed7b829-b252-4e5a-94c2-bce779e3417d", "rh": "1.AR4A9BOJ_07P-EScUbDCT84JvAMAAAAAAAAAwAAAAAAAAABuAQAeAA.", "roles": [ "Policy.ReadWrite.ConditionalAccess", "UserAuthenticationMethod.Read.All", "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All", "Directory.ReadWrite.All", "DelegatedAdminRelationship.ReadWrite.All", "Policy.Read.All" ], "sub": "1ed7b829-b252-4e5a-94c2-bce779e3417d", "tenant_region_scope": "NA", "tid": "ff8913f4-cf4e-44f8-9c51-b0c24fce09bc", "uti": "Vr2GuhVPfUShq_pYPAILAA", "ver": "1.0", "wids": [ "0997a1d0-0d1d-4acb-b408-d5ca73121e90" ], "xms_idrel": "7 6", "xms_tcdt": 1728598145 }.[Signature]

the token appears to have necessary permissions including user.readwrite.all and directory.readwrite.all. however i am getting that authorization request denied insufficient privileges to complete the operation error when trying to send apatch request to update the users password in azure ad b2c directory.

Answer 1

Anonymous

Hello Ray Garg,

Thank you for reaching out to Microsoft Support!

Judging from your parsed token, the permissions granted are sufficient, for this, we did the same test as you did, initially when we only granted the application permissions User.ReadWrite.All, we had the same error as you when changing the password, 403 permissions are insufficient.

According to the documentation, it is necessary to grant the application User Administrator role, for which we grant the application administrator role in Azure AD, as shown below:

Screenshot 2024-12-13 063321

After the role is granted, the token is obtained again, and the response is successful in the re-test. The test result is as shown in the following figure:

Screenshot 2024-12-13 063729

Check that the application is granted permission in Microsoft Entra ID->Roles and administrators->User Administrator.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.

Ray Garg 20 Reputation points

2024-12-13T18:33:59.2+00:00

Hello @Anonymous

my app is currently in my app registration in my azure ad b2c tenant. do i have to also create the app in my microsoft entra id tenant, inside enterprise apps? and then somehow form a connection from the microsoft entra id tenant and teh azure ad b2c tenant? can you please provide calrifications. currenbtly roles (like user admin or global admin) are only able to be assigned at the microsoft entra id tenant at the application level. therefore i need a workaround since i cannot assign the role directly into my app that resides in my azure ad b2c tenant
Anonymous

2024-12-17T08:08:25.0366667+00:00

No, as far as I know, there are Roles and administrators under the Manage option in Azure AD B2C, where you can grant application roles.
Ray Garg 20 Reputation points

2024-12-17T20:01:31.5233333+00:00

it loooks like what i had to do what while im in my azure ad b2c tenant, in here i had to serach for micorosoft entra id, and create a new app in here and assign it teh necessary role. the issue i was doing was switchingt o the microsoft entra id tenant, but i had to create the app in microosft enytra id while im in my b2c tenant. looks like this allowed teh patch request to go through. do u have any sugegsitons on how i can test that the password actually got reset. because i think retrieiving a password via a graph call is impossible. my print stamenets from my code seems to say it worked but i just really wnated to check if indeed teh irght password is now assigned

Share via

Authorization_RequestDenied: "Insufficient Privileges" When Attempting to Update User Password via Microsoft Graph API (PATCH)

0 additional answers

Your answer