none
Deleting user with Azure Graph API returns "Insufficient privileges" RRS feed

  • Question

  • Hi There,

    I am trying to delete a user using the Azure graph API.

    HTTP Delete

    https://graph.windows.net/559ab4b0-9a51-499e-9782-cb0382bfd6fa/users/09372327-265c-4b05-bf13-d602fe71ea23?api-version=1.0

    It returns an HTTP status code of 403 (Forbidden) and this error message:

    <?xml version="1.0" encoding="utf-8"?><m:error xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"><m:code>Authorization_RequestDenied</m:code><m:message xml:lang="en">Insufficient privileges to complete the operation.</m:message></m:error>

    I am using OAuth with client credentials. The client application was created in Azure with read/write access to directory data.

    Anyone has any idea about what I have missed here, please ?

    Thanks!

     JP

    Wednesday, October 30, 2013 1:22 AM

All replies

  • If you read the info about Applications very carefully, you'll see that object deletion is not allowed.

    http://msdn.microsoft.com/en-us/library/windowsazure/b08d91fa-6a64-4deb-92f4-f5857add9ed8.aspx#BKMK_AccessLevels

    Quote:

    Single Sign-On, Read and Write Directory Data

    Single sign-on plus the ability to read and write directory data using the Graph API. This allows querying and writing of company, user, and group information, but does not allow deleting users or groups.

    You still need service principals for this.

    Chris


    Christoph Wille - Glengamoi Alumni - Realnamen sind ein Gebot der Höflichkeit in der Community

    Wednesday, October 30, 2013 6:24 AM
  • Thanks Chris for your quick reply.

    Not sure why I did not notice that when I read that article some time ago.

    I used powershell to add the service principal of my app to the role "User Account Administrator" and it works now.

    Thanks again.

    JP

    Thursday, October 31, 2013 3:24 AM
  • Huh? ? 

    Reading the docs for the Graph API's Delete User page, you should be able to delete a user no problem.....yet I am getting the exact same error message the original poster is....

    "Insufficient privileges to complete the operation."

    Also I don't see anything on the referenced BKMK_AccessLevels page that says "but does not allow deleting users or groups."

    So how exactly do we give an application the permissions to DELETE a user it created?

    Wednesday, July 23, 2014 8:01 PM
  • You must be a member of one of the administrator roles to delete objects.  Directory Reader or Directory Writer roles do not have the privileges to delete objects.

    Currently, the only way to add a service principal or application to one of these roles is to use the powershell cmdlets designed for that purpose.  The following blog post provides information on how to use the powershell cmdlets to add a service principal to these roles:
    How to create a service principal using the MSOL CMDLETS for use with the WAAD Graph API

    The Graph API does not currently provide a way to update a role to add a service principal or application.  See this link.

    Hope you find this information useful.

    Regards,
    MaxV (MSFT)

    Tuesday, June 30, 2015 5:24 PM
  • Hi ,

    i have provided the following highlighted permission and trying to delete the users from AD. But still i'm facing the above permission issue.

    Token Properties.

    {
        "token_type": "Bearer",
        "expires_in": "3599",
        "scope": "Directory.Write Files.ReadWrite Files.ReadWrite.AppFolder offline_access Tasks.ReadWrite User.Read User.ReadWrite User.ReadWrite.All",
        "expires_on": "1448438984",
        "not_before": "1448435084",
        "resource": "https://graph.windows.net",

        "access_token": "********************"

    }

    Error while delete request

    {
        "odata.error": {
            "code": "Authorization_RequestDenied",
            "message": {
                "lang": "en",
                "value": "Insufficient privileges to complete the operation."
            }
        }
    }

    So, what all additional application permission should be given to remove user from AD.

    Regards,

    Bharamagouda.

    Wednesday, November 25, 2015 8:12 AM
  • hi Bharamagouda. did you find a solution to this issue?
    Tuesday, October 18, 2016 9:13 AM
  • Tuesday, November 15, 2016 2:31 PM