This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 83%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Hello,
I am trying to use the 'update' Graph API to disable user's account. This is the REST API I am using:
Request Body:
{
"accountEnabled":"false"
}
Unfortunately I get the following response:
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation."
I am using the client_id and client_secret to get the OAUTH token. Although, I can update any other field for the same user using the same API call.
Is there anything that I am missing? Any help is appreciated.
Thank you!
Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.
Hi RidhimaBhalerao-8704,
Could you check if the user you want to disable has a role assigned to him?
In my case I can only change it to users who do not have any role assigned
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 3%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Same, when try to disable account that has any kind of role assigned to it, the action fails.
Is there any resolution to that, or probably a workaround?
@Ridhima Bhalerao
Looking at your error message it looks like you might not have the correct permissions to disable the user's account. Are you trying to do this through Microsoft Graph Explorer?
I wasn't able to replicate your issue but will post my findings below: Using the Microsoft Graph API
Patch
https://graph.microsoft.com/v1.0/users/testuser1@.domain.onmicrosoft.com
Request Body - {"accountEnabled":"false"}
Once the command returned the appropriate response. I checked to make sure the account was actually disabled.
Get
https://graph.microsoft.com/v1.0/users/testuser1@.domain.onmicrosoft.com?$select=accountEnabled
Please let me know if you have any questions.
Thank you for your time and patience throughout this issue!
Hi @JamesTran-MSFT ,
Thank you for the response, I am testing it in Postman. Are there any special permissions that need to be enabled in order to disable a user's account? I am using the client_id and client_secret to authorize the request. I have attached some screenshots for reference:
Thank you!
@Ridhima Bhalerao
Thanks for the info! I've reached out to our engineering team for further assistance on this issue.
Findings:
1-MS Graph API's access token is granting not only App permissions but also User consented permissions as well. Therefore, if you copy/paste the token to Postman, the operation will work.
2-However, if you just use Postman's token the operation fails, even if you have the proper permissions.
Using the MSGraph API, I copied the access token and put it into Postman: Operation succeeded
When using Postman's token with proper permissions: Operation Failed
If you have any questions in the meantime please let me know.
Thank you for your time and patience throughout this issue.
Hi @JamesTran-MSFT ,
Thank you so much for your response, really appreciate it! You are right, your workflow works perfect for me too, but I need to achieve this through Java, so I am not sure if this workflow would work as expected,
because similar to Postman, I won't be able to grant permissions for the operation from the code right? Any thoughts around this one?
Thanks,
Ridhima
@Ridhima Bhalerao
Thanks for your response! I was able to reach out to our engineering team and will post their update below.
PG Update:
Can you give the application a Global Admin role and then try to update the "accountEnabled" property.
Steps:
1)Navigate to your Azure Active Directory
2)On the left blade, select "Roles and Administrators" - Search & Select "Global Admin"
3)Select "Add Assignments" at the top of the screen
4)Search for your App Registration -> Add the role to your App.
Retry the "accountEnabled" command via Postman.
I hope this helps!
Thank you for your time and patience throughout this issue.
@Ridhima Bhalerao
I just wanted to check in and see if you had a chance to review my previous post or if you had any other questions?
----------
If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 7.000000000000001%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBR%3C/text%3E%3C/svg%3E)
Hi RidhimaBhalerao-8704,
Can you verify if the user ID that you are using has got "User Administrator" role assigned, if not try giving this role to your ID and then try executing the command or Patch Query.
User Administrator role has access to manage all aspects of users and groups.
Thanks,
Ravi
Hi Ravi (@Bhanot Ravi ),
Thank you for the response. I am using a client ID and a secret which is associated to an application in Azure AD.
I have given all the Directory Write rights and it has all the admin rights too. I am not sure why it doesn't work. I am able to update all the fields for any user except the 'accountEnabled' parameter.
Thanks,
Ridhima
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 20%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFP%3C/text%3E%3C/svg%3E)
This may be too late to be useful, but it sounds like you are trying to use a token from the user to make the request to Graph. If you gave the API permissions to your app, I believe you need to generate a token on behalf of the app within the java code. So you call a graph /token endpoint using your client id and secret, and then pass your app token in your auth header for the subsequent call to Graph.
Get access without a user:
https://learn.microsoft.com/en-us/graph/auth-v2-service
(Assuming you already have admin consent, you can go to section 4)
Just be aware that anyone who can access these endpoints now has the same permissions as your application (not user specific), so be sure you are sufficiently checking the end user making the request.
Thanks Ridhima for detailed answer. I would suggest let's wait for response from James as he is checking from Engineering team.
Thanks,
Ravi
HI Ridhima,
Could you please confirm if there is any progress.
Thanks,
Ravi