Unable to Modify User Email, Phone Number, Password or Other Personal Information for Azure Active Directory Users
Introduction
This post addresses a problem users are having modifying Azure Active Directory user attributes such as mail, phone number, and other personal attributes on user accounts, or resetting passwords. It reviews the reason behind the change and how to resolve the issue. For many users this is something that was working before and only recently stopped working properly.
Reason Behind Change
There was a recent change that made modifying three user attributes require the same elevated privileges that a password reset requires. The only properties affected are mobilePhone, businessPhones/telephoneNumber, and otherMails. All other user profile changes can still be made with User.ReadWrite.All; only these three properties now need more than that permission.
Fix/Resolution
To resolve this issue, assign the service principal or user that is making the change to the Helpdesk Admins, User Account Admins, or Company Admins role, depending on the role of the user you are trying to modify. Only these three admin roles can change these three attributes in Azure Active Directory now.
Please note the level of power you are granting by assigning the service principal or user to one of these roles: the user or service principal gains the ability to perform every task permitted at that level, not just the attribute change you need. This should be done with caution.
Microsoft Graph Scenario
Most users experiencing this issue are Microsoft Graph or Azure Active Directory Graph callers using the Client Credentials grant type to modify the three user attributes mentioned above. Having the Directory.ReadWrite.All permission is no longer sufficient to modify these attributes; the call fails with a 403 error saying insufficient permissions. To resolve this, assign the Service Principal/Enterprise Application one of the admin roles listed in the resolution above.
For help on giving a Service Principal an Admin Role, please go through this post: https://blogs.msdn.microsoft.com/aaddevsup/2018/08/29/how-to-add-an-azure-ad-role-to-a-enterprise-application-service-principal/
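The following is an added example, not code from the original post or from Microsoft: a minimal client-credentials call against Microsoft Graph that updates a user, recognises the 403 described above, and reports which of the three role-gated attributes caused it. The tenant, client id, secret, user id and the shape of the 403 error body are constructed placeholders; the transport is injectable so the behaviour can be exercised offline with a fake Graph endpoint.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# The three attributes the post says now need a directory role
# (Helpdesk Admins, User Account Admins or Company Admins) in addition
# to the Directory.ReadWrite.All / User.ReadWrite.All application permission.
ROLE_GATED_ATTRIBUTES = {"mobilePhone", "businessPhones", "otherMails"}


def role_gated(payload):
    """Return the role-gated attribute names present in a PATCH payload."""
    return sorted(set(payload) & ROLE_GATED_ATTRIBUTES)


def token_request(tenant_id, client_id, client_secret):
    """Build the Client Credentials grant request (v2.0 token endpoint)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def patch_request(token, user, payload):
    """Build the PATCH /users/{id | userPrincipalName} request."""
    url = f"{GRAPH}/users/{urllib.parse.quote(user)}"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return "PATCH", url, headers, json.dumps(payload).encode()


def http_send(method, url, headers, body):
    """Real transport: returns (status, body_text); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def update_user(send, token, user, payload):
    """PATCH the user and explain a 403 in terms of the role-gated attributes."""
    status, text = send(*patch_request(token, user, payload))
    if status == 204:  # Graph returns 204 No Content on a successful PATCH
        return {"ok": True}
    err = {}
    try:
        err = json.loads(text).get("error", {})
    except ValueError:
        pass
    result = {"ok": False, "status": status,
              "code": err.get("code"), "message": err.get("message")}
    gated = role_gated(payload)
    if status == 403 and gated:
        result["hint"] = (
            f"{', '.join(gated)} require the caller to hold a directory role "
            "(Helpdesk Admins, User Account Admins or Company Admins); "
            "Directory.ReadWrite.All alone is not enough")
    return result


def fake_graph(method, url, headers, body):
    """Constructed stand-in for Graph: 403 for role-gated attributes, 204 otherwise.
    The error body mirrors the shape of a Graph authorization error (constructed)."""
    if role_gated(json.loads(body)):
        return 403, json.dumps({"error": {
            "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation."}})
    return 204, ""


def demo(send=fake_graph):
    """Run one allowed update and one role-gated update through the given transport."""
    token = "constructed-token"          # in real use: POST token_request(...) via http_send
    user = "user-object-id-placeholder"  # constructed placeholder
    return (update_user(send, token, user, {"jobTitle": "Analyst"}),
            update_user(send, token, user, {"mobilePhone": "+1 555 0100",
                                            "otherMails": ["alt@example.com"]}))


if __name__ == "__main__":
    for r in demo():
        print(json.dumps(r, indent=2))
```

Swap `fake_graph` for `http_send` (after exchanging `token_request(...)` for a real token) to run it against a tenant; the `hint` field only appears when a 403 coincides with one of the three attributes, so unrelated permission failures are not misattributed to the role requirement.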
Conclusion
Here we have gone over the reasoning behind the user attribute change, how to resolve the issue, the Microsoft Graph/AAD Graph scenario, and a link explaining how to give a Service Principal/Enterprise Application an admin role. If you have any more questions in regards to this issue, feel free to comment below and I will try to get back to you as soon as possible. If you have any dire issues, feel free to open a support ticket with Azure Active Directory Developer support, and one of our support engineers will reach out to you to resolve the issue as soon as possible.
Comments
- Anonymous
February 14, 2019
Does this also apply for Azure B2C Graph API?
- Anonymous
February 19, 2019
This article is meant only for regular AAD Tenants, it is most likely that Azure B2C has this as a requirement as well, but I am unsure as the B2C tenant is constantly changing.
- Anonymous