Can't patch user identities despite permissions granted

Anna 26

I have an app registered on Azure AD and granted it
User.ManageIdentities.All permission.
I try to update the user's identities with patch request:

PATCH https://graph.microsoft.com/v1.0/<tenant-id>/users/<user-id>

added a Bearer token to the header.
I send a json request body:

{
"identities": [
{
"signInType": "emailAddress",
"issuer": "<my-domain-name>",
"issuerAssignedId": "<email-address>"
},
<other identities as received with GET request>

Despite the granted permissions, I keep getting

"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",

What am I missing?

Alistair Ross 7,391 Reputation points Microsoft Employee

2022-12-20T10:07:05.67+00:00

Hi @Anna

Have you granted Admin consent for the application permissions? https://learn.microsoft.com/EN-US/azure/active-directory/manage-apps/user-admin-consent-overview#admin-consent
Anna 26 Reputation points

2022-12-20T10:20:00.77+00:00

Hi @Alistair Ross , thank you for your answer.
Yes, I have the Admin consent granted.
Anna 26 Reputation points

2022-12-20T11:35:23.497+00:00

@Alistair Ross what else could I try to do?
JamesTran-MSFT 36,816 Reputation points Microsoft Employee

2022-12-27T19:25:43.92+00:00

@Anna
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

1 answer

Alistair Ross 7,391 Reputation points Microsoft Employee

2022-12-20T12:01:53.257+00:00
I am not an Azure AD expert, but I've been doing some digging and waiting for a colleague to ask him a question, but with my testing I can confirm in a normal azure AD tenant (not B2C)

Getting a users identities and updating them with the same details do not work when using the permission User.ManageIdentities.All

Getting a users identities and updating them with the same details dowork when using the permission User.ReadWrite.All

I did this test to see if it would still deny me, but it doesn't. I don't know what else needs to be done to make the permissions more restrictive at this time.

I think this is a bug and have raised it as such. In the meantime I would suggest you use the permission User.ReadWrite.All
Please sign in to rate this answer.

1 person found this answer helpful.
Anna 26 Reputation points

2022-12-20T12:29:21.733+00:00

Thank you for your support! I will try again with the updated permissions.

Btw it seems to be a bug... Is there a way to report it?

Alistair Ross 7,391 Reputation points Microsoft Employee

2022-12-20T13:12:22.087+00:00

I've raised one. If you need to raise bugs, contact Azure support https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request

JamesTran-MSFT 36,816 Reputation points Microsoft Employee

2022-12-21T22:12:05.107+00:00

@Anna
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Marc Rufer 45 Reputation points MVP

2025-03-07T13:34:30.49+00:00

@Alistair Ross what's the status of the Azure support request - this issue still persists (docs are saying least privilege permission is User.ManageIdentities.All)
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Can't patch user identities despite permissions granted

1 answer

Your answer