GraphAPI: Create temporary access pass on behalf of user, error 403 self service not supported

Stapf, Peter 26 Reputation points
2022-05-04T21:07:29.6+00:00

Hi,

I'm trying to create a temporary access pass with the /authentication/temporaryAccessPassMethods endpoint on behalf of the user.

Permission: UserAuthenticationMethod.ReadWrite (Delegated) is set correctly on the app registration.

When I call the API I get a 403 Forbidden error with the following details:
{"error":{"code":"accessDenied","message":"Self-service operations are currently not supported for user {GUID}.","innerError":{"message":"Self-service operations are currently not supported for user {GUID}

What am I missing here?

TAP is activated in my tenant for all users.

Thanks in advance
Peter


Accepted answer
  1. CarlZhao-MSFT 40,221 Reputation points
    2022-05-05T07:53:22.713+00:00

    Hi @Stapf, Peter

    Azure AD TAP is still in public preview and currently does not support a user creating a TAP for themselves; only administrators can create a TAP, and only for other users.

    [screenshot omitted]




2 additional answers

  1. Stapf, Peter 26 Reputation points
    2022-05-05T08:11:08.943+00:00

    Yes, thanks, that really helps.

    One point from my side: the Graph API documentation states that "acting on self" is possible and lists the permissions.
    https://learn.microsoft.com/en-us/graph/api/temporaryaccesspassauthenticationmethod-post?view=graph-rest-beta&tabs=http

    There should be a hint in the beta documentation that this is currently not possible.

    Is there any ETA for when "acting on self" will be available?

    /Peter


  2. JanardhanaVedham-MSFT 3,536 Reputation points
    2022-05-05T08:13:33.567+00:00

    Hi @Stapf, Peter ,

    As stated in the API error message, creating a temporaryAccessPassAuthenticationMethod for your own user account is currently not supported or allowed. As you can see in the screenshot below from the Azure portal, the same applies in the Azure portal UI: the "Add authentication method" option is disabled for your own account. Hence this restriction applies whether you use the Azure portal UI or the Graph API.

    [screenshot omitted]

    Creating a temporaryAccessPassAuthenticationMethod via the Graph API with the UserAuthenticationMethod.ReadWrite.All delegated permission works fine for other users in the tenant, as you can see in the example screenshot below. As mentioned in this documentation, for delegated scenarios where an admin is acting on another user, the admin needs one of the following Azure AD roles:

    • Global administrator
    • Privileged authentication administrator
    • Authentication administrator

    Example:

    POST https://graph.microsoft.com/beta/users/MyTestuser9@o365XXXX.onmicrosoft.com/authentication/temporaryAccessPassMethods

    [screenshot omitted]

    Note : Temporary Access Pass Authentication Method Graph API is currently available only in Beta. APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.

    Hope this helps.


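The accepted answer and the example above both describe the same thing: an admin POSTs to `/beta/users/{user}/authentication/temporaryAccessPassMethods` for a different user, and the same call against the signed-in user's own account returns the 403 "Self-service operations are currently not supported" error. The following Python is an added example, not code from the thread or from Microsoft; it builds that request with the documented `lifetimeInMinutes`, `isUsableOnce` and `startDateTime` properties, sends it with a pluggable transport (so the error handling can be exercised offline against a constructed 403 body shaped like the one in the question), and classifies the self-service 403 separately from an ordinary role/scope denial. The `caller_upn` guard, the `Transport` signature and the `TapCreationError` class are assumptions made for the example; the caller is assumed to already hold a delegated token with `UserAuthenticationMethod.ReadWrite.All`, acquired by an admin in one of the roles listed above.

```python
# Added example (not from the original thread): create a Temporary Access Pass
# for ANOTHER user via Microsoft Graph beta and classify the 403 the thread hits.
# The HTTP transport is injectable so the logic runs offline with a constructed reply.
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Assumed transport shape: (method, url, headers, json_body) -> (status, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def tap_request(target_user: str, lifetime_minutes: int = 60,
                usable_once: bool = True,
                start_datetime: Optional[str] = None) -> Tuple[str, dict]:
    """Return (url, body) for POST .../users/{target_user}/authentication/temporaryAccessPassMethods.

    lifetimeInMinutes, isUsableOnce and startDateTime are the documented
    properties of temporaryAccessPassAuthenticationMethod.
    """
    url = f"{GRAPH_BETA}/users/{target_user}/authentication/temporaryAccessPassMethods"
    body: dict = {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": usable_once}
    if start_datetime:
        body["startDateTime"] = start_datetime  # ISO 8601, e.g. "2022-05-05T08:00:00Z"
    return url, body


def classify_graph_error(status: int, payload: dict) -> str:
    """Map a Graph error body ({"error": {"code": ..., "message": ...}}) to a short reason."""
    err = payload.get("error") or {}
    code = err.get("code", "")
    message = err.get("message", "")
    if status == 403 and "Self-service operations" in message:
        return "self_service_unsupported"   # the exact case from the thread: target == caller
    if status == 403 and code == "accessDenied":
        return "forbidden"                  # missing admin role or delegated scope
    if status == 401:
        return "unauthenticated"            # no / expired bearer token
    return "other"


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[dict]) -> Tuple[int, dict]:
    """Real transport using the standard library; returns (status, parsed JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:
        raw = e.read()
        try:
            return e.code, json.loads(raw)
        except ValueError:
            return e.code, {"error": {"code": "unknown",
                                      "message": raw.decode(errors="replace")}}


class TapCreationError(RuntimeError):
    """Assumed error type carrying the classified reason and HTTP status."""
    def __init__(self, reason: str, status: int, message: str):
        super().__init__(f"{reason} (HTTP {status}): {message}")
        self.reason = reason
        self.status = status


def create_tap(target_user: str, access_token: str, caller_upn: Optional[str] = None,
               transport: Transport = urllib_transport, **tap_opts) -> dict:
    """Create a TAP for target_user on behalf of the signed-in admin.

    caller_upn is an assumed local guard: targeting your own account is refused
    before any network call, since Graph would answer 403 'Self-service operations
    are currently not supported' anyway.
    """
    if caller_upn and caller_upn.lower() == target_user.lower():
        raise TapCreationError("self_service_unsupported", 0,
                               "a TAP cannot be created for the signed-in user")
    url, body = tap_request(target_user, **tap_opts)
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    status, payload = transport("POST", url, headers, body)
    if status not in (200, 201):
        reason = classify_graph_error(status, payload)
        raise TapCreationError(reason, status,
                               (payload.get("error") or {}).get("message", ""))
    # The returned object carries 'temporaryAccessPass' once; hand it to the user
    # out of band and do not log it.
    return payload
```

With a real token, `create_tap("MyTestuser9@o365XXXX.onmicrosoft.com", token, caller_upn=admin_upn)` performs the same POST the answer shows; the `reason` on a raised `TapCreationError` tells you whether you hit the self-service restriction or a plain missing role/scope, which is the distinction the question was missing.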