Up until around two to four weeks ago, I'd been able to make use of the Set-AzureADUser commandlet from the AzureADPreview module to "fix" mismatched ImmutableId values
It's not a common request, but having received another instance yesterday, running Set-AzureADUser -ImmutableId yielded an "Authorization_RequestDenied" error.
I have asked the relevant administrators at the client site if my access has changed, and they assure me it hasn't.
Testing within my own tenant shows that only membership in the "Global Administrator" role allows me to set the ImmutableId, which I can categorically say I've never had in the client's tenant. I have membership in "User Administrator", which I assume was providing the necessary clearance to successfully run Set-AzureADUser in the past.
It's worth pointing out that the identity being changed has no memberships in any privileged roles.
At this stage, I cannot rule anything out, including that it's an issue with my account's configuration, but since I'm having trouble reconciling that I never had Global Administrator membership, nor any form of explicit Directory.ReadWrite.All (or equivalent) access, I figured I'd ask here.
Has anyone else that is not a Global Administrator noticed a change in behaviour with Set-AzureADUser -ImmutableId in the past month?