Changing accountEnabled throws 403 Authorization_RequestDenied

和自甴很熟 submitted on 2020-03-05 04:55:06

Question


I am using a client application (client credentials grant) with the permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in the bearer token) to change accountEnabled to false for a user, like here:

{
    "accountEnabled": false,
    "city": "C234",
    "country": "AFG",
    "displayName": "Steve Rogers",
    "givenName": "Steve",
    "jobTitle": "Azure",
    "mailNickname": "steve",
    "postalCode": "Z345",
    "streetAddress": "S123",
    "surname": "Rogers",
    "userPrincipalName": "steve@***.onmicrosoft.com",
    "id": "aec...278",
    "mobilePhone": null
}

But all requests end with 403:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "e7a...e42",
      "date": "2019-04-10T08:21:12"
    }
  }
}

The documentation doesn't mention any restrictions or requirements for additional permissions. Is it a bug in the Graph API?


Answer 1:


Thank you guys, I was able to find the root cause: you can't disable a user in an admin role. I was unlucky and selected several users, and all of them were in an admin role. https://docs.microsoft.com/en-us/graph/permissions-reference#remarks-2




Answer 2:


On my side, it works. The following is my process:

  1. Use the client credentials to get a bearer token: [screenshot not included in this copy]

     To parse the bearer token: [screenshot not included in this copy]

  2. Use this bearer token to call the MS Graph API: [screenshot not included in this copy]

  3. Check the disabled user in the Azure portal: [screenshot not included in this copy]




Answer 3:


No. It's mandatory to grant permission for accessing this API in the Azure portal.

Make sure you have set the required permissions for your calling API in the portal. Also, the user must not have any directory role in the portal.

  1. If you are an admin in your AAD, you could grant permission for users in the organization by clicking the Grant permission button.

  2. Then you could use your code (client credentials flow to get the token) and query user information. If you check the claims in the access token issued by Azure AD, you could find the Directory.Read.All permission in the roles claim.

In the given reference the same thread is answered; you could refer here.

Note: for a client credentials code example you could check here.

If you still have any query, feel free to ask in the comments. Thank you.
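The two checks the answers above boil down to (Answer 1: the target must not hold a directory admin role; Answer 3: the app-only permission must actually be present in the token's roles claim) can be made before the PATCH is sent, so the failure is an explicit local error instead of a 403 from Graph. The following is an added example, not code from the question or any of the answers. It uses only the Python standard library and runs offline: the bearer token is a constructed, unsigned JWT-shaped string (real Azure AD tokens are signed, and this decoder deliberately does not verify signatures), the memberOf payloads are constructed samples, and the user id is made up. The request objects are built but never sent.

```python
import base64
import json
from urllib.request import Request

GRAPH = "https://graph.microsoft.com/v1.0"


# --- token inspection -------------------------------------------------------

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is deliberately NOT verified: this is a client-side look at
    what Azure AD put into the token, not resource-server validation.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def has_app_role(claims: dict, role: str) -> bool:
    """App-only (client credentials) permissions land in the 'roles' claim;
    delegated scopes would be in 'scp' instead, which is a different thing."""
    return role in claims.get("roles", [])


# --- directory-role pre-check ----------------------------------------------

def is_directory_admin(member_of: list) -> bool:
    """True if a /users/{id}/memberOf result contains any directoryRole object.

    memberOf mixes groups and directory roles; a directoryRole entry means the
    user holds an admin role, the situation Answer 1 found behind the 403.
    """
    return any(o.get("@odata.type") == "#microsoft.graph.directoryRole" for o in member_of)


def build_memberof_request(user_id: str, token: str) -> Request:
    """GET /users/{id}/memberOf, used to populate the list checked above."""
    req = Request(f"{GRAPH}/users/{user_id}/memberOf", method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    return req


def build_disable_request(user_id: str, token: str, member_of: list) -> Request:
    """Build PATCH /users/{id} with accountEnabled=false, after pre-flight checks
    that turn a late 403 Authorization_RequestDenied into an early local error."""
    if not has_app_role(jwt_claims(token), "User.ReadWrite.All"):
        raise PermissionError("token has no User.ReadWrite.All in its roles claim")
    if is_directory_admin(member_of):
        raise PermissionError(
            f"user {user_id} holds a directory role; an app-only PATCH of "
            "accountEnabled is refused with 403 Authorization_RequestDenied")
    body = json.dumps({"accountEnabled": False}).encode()
    req = Request(f"{GRAPH}/users/{user_id}", data=body, method="PATCH")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


# --- constructed sample data (not real tokens, ids or tenant objects) ------

def make_unsigned_token(claims: dict) -> str:
    """Assemble an unsigned JWT-shaped string so the example runs offline.
    Azure AD tokens are RS256-signed; this only mimics the three-part layout."""
    def b64(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Application.ReadWrite.All", "User.ReadWrite.All"],
})
SAMPLE_TOKEN_NO_ROLE = make_unsigned_token({"aud": "https://graph.microsoft.com", "roles": []})

# memberOf shapes: a plain user (one group) and a user who also holds a directory role
PLAIN_USER_MEMBER_OF = [
    {"@odata.type": "#microsoft.graph.group", "displayName": "Marketing"},
]
ADMIN_USER_MEMBER_OF = [
    {"@odata.type": "#microsoft.graph.group", "displayName": "Marketing"},
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Administrator"},
]

if __name__ == "__main__":
    uid = "11111111-2222-3333-4444-555555555555"  # constructed, not a real object id
    req = build_disable_request(uid, SAMPLE_TOKEN, PLAIN_USER_MEMBER_OF)
    print(req.get_method(), req.full_url, req.data.decode())
    try:
        build_disable_request(uid, SAMPLE_TOKEN, ADMIN_USER_MEMBER_OF)
    except PermissionError as e:
        print("refused before sending:", e)
```

In real use the memberOf list would come from sending `build_memberof_request` with the same app-only token (Application.ReadWrite.All or User.ReadWrite.All is enough to read it), and the decision to skip admin-role users, or to hand them to a flow that runs with the required privileges, is then made before any PATCH goes out.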



Source: https://stackoverflow.com/questions/55608063/changing-accountenabled-throws-403-authorization-requestdenied
