This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 78%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi,
I am writing a PowerShell script to disable Azure AD users that are not synced from on-premises.
As part of the script I am running a foreach loop to disable the users with the following command:
$params = @{
AccountEnabled = "false"
}
Update-MgUser -UserId $User.Id -BodyParameter $params
This worked for a load of guest users but it did not work for accounts which have admins roles assigned to them. I am getting the following error for these accounts:
"Update-MgUser : Insufficient privileges to complete the operation.
At line:3 char:9
2) [Update-MgUser_Update1], RestException1 The connection into MS Graph is using an App Registration and Certificate for authentication. The app permissions included are the following:
Hopefully someone can help in locating the actual permissions required.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 47%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
If anyone comes across this in the future, you need to include the scope "User.EnableDisableAccount.All" when starting a new session.
To update the accountEnabled property of admin users, you need to use delegate permissions. It's not possible to do it via application permissions. See for example this GitHub issue: https://github.com/microsoftgraph/microsoft-graph-docs/issues/14731
Thanks @Vasil Michev
Ok so this is not going to work then? I need to have an account that is a Global Admin in order to change this property for users with admin roles.
Simply adding this permission as delegated to the Enterprise App is not going to work (as I have just tested).
How are you supposed to automate the disabling of admin users not signed in for x amount of days without using an account that has the GA assigned to it. We use PIM to elevate to GA when required on occasion and only use GA permanently for break glass situations.
You need to run it in the context of a user, with the necessary admin role and delegated permissions. Adding the delegate permissions while running in the application context will not work, as you have already tested.
As for automation, you can do this via PowerShell, and I suppose the Azure CLI will also work. If you are looking for Graph-only solution, I'd suggest trying the on behalf of flow.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 74%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
It is 9/21/2023 (US date and time).
Is this still true?
Total automation should be available via app permissions for spns.
Using PowerShell with azureAD will be deprecated in may of 2024.
So why is current functionality not available in Graph 1.0?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 43%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
Fixed it for me by adding Privileged Authentication Administrator role to managed identity which was used to disable privileged account
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 68%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Thanks Gregory. I've just revisited this and added that role and working for me also. This was not possible when I originally posted this question.
If anyone comes across this in the future, you need to include the scope "User.EnableDisableAccount.All" when starting a new session.
Hello Son-3712,
Since the question is related to scripting of Microsoft Graph I would recommend you to get in touch with the specific community for that product at:
https:// techcommunity.microsoft.com/t5/microsoft-graph/bd-p/OfficeGraph
This way, the community will be more experience and able to provide expert advice of your question.
------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--
Thanks! Posting in there now :)