Issue with Microsoft Graph API: 403 Forbidden, 404 Not Found, and 501 Not Implemented Errors

Question

Hello,
I have integrated Azure AD services into my application and am encountering issues when retrieving user details using the Microsoft Graph API. Specifically, when selecting all user properties, I receive the following errors:

• 404 Not Found: Certain properties, such as aboutMe, birthday, hireDate, interests, mySite, pastProjects, preferredName, responsibilities, schools, and skills return a 404 error.
• 403 Forbidden: The deviceEnrollmentLimit property results in a 403 Forbidden error with an UnknownError. This issue has been reported in the following Microsoft Q&A discussions:
  • UnknownError from Graph API while fetching Intune data
  • Graph API endpoint for listing managed devices throwing errors
  • Despite having the necessary permissions (User.Read.All, DeviceManagementConfiguration.ReadWrite.All, etc.), the error persists.
• 501 Not Implemented: When selecting all the properties, the API returns an 501 Not Implemented error. I suspect this occurs due to a combination of 403 & 404 errors in the response.

Postman Curl:
curl --location 'https://graph.microsoft.com/v1.0/users?%24select=aboutMe%2CaccountEnabled%2CageGroup%2Cbirthday%2CbusinessPhones%2Ccity%2CcompanyName%2CconsentProvidedForMinor%2Ccountry%2CcreatedDateTime%2CcreationType%2CdeletedDateTime%2Cdepartment%2CdeviceEnrollmentLimit%2CdisplayName%2CemployeeHireDate%2CemployeeId%2CemployeeLeaveDateTime%2CemployeeType%2CexternalUserState%2CexternalUserStateChangeDateTime%2CfaxNumber%2CgivenName%2ChireDate%2Cid%2CimAddresses%2Cinterests%2CisManagementRestricted%2CisResourceAccount%2CjobTitle%2ClastPasswordChangeDateTime%2ClegalAgeGroupClassification%2Cmail%2CmailNickname%2CmobilePhone%2CmySite%2CofficeLocation%2ConPremisesDistinguishedName%2ConPremisesDomainName%2ConPremisesImmutableId%2ConPremisesLastSyncDateTime%2ConPremisesSamAccountName%2ConPremisesSecurityIdentifier%2ConPremisesSyncEnabled%2ConPremisesUserPrincipalName%2CotherMails%2CpasswordPolicies%2CpastProjects%2CpostalCode%2CpreferredDataLocation%2CpreferredLanguage%2CpreferredName%2CproxyAddresses%2Cresponsibilities%2Cschools%2CsecurityIdentifier%2CshowInAddressList%2CsignInSessionsValidFromDateTime%2Cskills%2Cstate%2CstreetAddress%2Csurname%2CusageLocation%2CuserPrincipalName%2CuserType' \

--header 'Authorization: Bearer Token'

Steps Taken:

• Tested the same request in Postman, and the errors persisted.
• Verified that all required permissions are correctly configured.
• The API request works only when excluding the problematic properties, such as (aboutMe, birthday, deviceEnrollmentLimit, etc.).

Questions:

1. Why do certain user properties return a 404 Not Found error?
2. Why does deviceEnrollmentLimit trigger a 403 Forbidden error despite having the required permissions?
3. Are there any additional permissions or settings required to access deviceEnrollmentLimit?
4. What is the best approach to retrieving all user fields without running into a 501 Not Implemented error?

Any guidance or insights would be greatly appreciated.

Thanks!

Answer 1

Hi @Ankit Kumar,

Thank you for posting your query on Microsoft Q&A.

Based on your query, I understand you would like to retrieve the user details and device enrollment using Graph API and facing the issue.

I see you would like to retrieve user details from Tenant using Microsoft Graph API. I would request you to login as Global Administrators to retrieve the details.

To retrieve the details of the user, please provide this permission to your admin account: User.ReadWrite.All

To retrieve the details of the Intune enrollment details, we need this permission: DeviceManagementServiceConfig.ReadWrite.All or DeviceManagementServiceConfig.Read.All

You can use this document of Graph API permissions for reference: Microsoft Graph permissions reference.

You will receive Error 404 when the requested resources are not available. You may need to check the user UPN or object entry you provided to retrieve the details. Please make sure to check the tenant you have signed in while retrieving the details. Please use the following document to query the Microsoft Graph API: Get a user

403 Forbidden Access is denied to the requested resource. This comes when there is no proper permission provided while retrieving the details. You can refer the permissions and documents provided to overcome the issue.

501 Not Implemented The requested feature isn’t implemented. This comes when the requested query or method might have correctly provided. If the query is not in proper format or the information requested is not yet supported from Graph API.

If you would like to retrieve the information using Graph API using Application, you can configure an application Microsoft Entra ID and provide the necessary permissions and use the client ID and secret to retrieve the information.

In order to register an application, please follow this document: Register an application

Under API permissions, you need to configure the required permissions taking the reference document: Microsoft Graph permissions reference.

You can retrieve the token using client credential flow using the following document: Microsoft identity platform and the OAuth 2.0 client credentials flow.

Note: If you are using on behalf of flow, application itself should have the required permissions to retrieve the details. That means you need to add only application permissions to the application to retrieve the information.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".