Delete or update user in Azure AD suddenly doesn't work for my application token

   2018-09-13 05:09

Vote count: 0

I’ve been running an application for some weeks where I can CRUD users within an Azure Active Directory. For this purpose I have a registered application at https://apps.dev.microsoft.com/#/application with the Microsoft Graph application permission User.ReadWrite.All, which should be sufficient according to the documentation. For the target Azure AD I got admin consent. And everything worked as expected till today (just yesterday I used it to delete / change some users).

But today when I try to delete a user:

DELETE https://graph.microsoft.com:443/v1.0/users/cb4b831d-d199-46f6-b605-7f740db43f77

I’m getting a Microsoft.Graph.ServiceException:

Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
StatusCode: Forbidden

The JWT token I’m using is this:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/3e6b8333-c708-4fa9-85d5-b38544125dc5/",
  "iat": 1536736865,
  "nbf": 1536736865,
  "exp": 1536740765,
  "aio": "42BgYCg959At7uqtzRE+cZPzsk52AA==",
  "app_displayname": "My Application",
  "appid": "5c02d1d6-a978-4139-a183-df9c40a5ea63",
  "appidacr": "1",
  "idp": "https://sts.windows.net/3e6b8333-c708-4fa9-85d5-b38544125dc5/",
  "oid": "461e08f0-4f2d-4965-81b2-6fa25bab4b9a",
  "roles": [
    "User.ReadWrite.All",
    ... // Some more roles
  ],
  "sub": "461e08f0-4f2d-4965-81b1-6fa25bab4b9a",
  "tid": "3e6b8333-c708-4fa9-85d5-b38544125dc5",
  "uti": "MjEZIJffRk61f--eTphYAA",
  "ver": "1.0"
}

If I delete a user using the user token of an admin, it works as expected. So the request itself and the parameters seem to be okay; just the token of the application doesn’t work anymore.

So, does anyone have any idea or an explanation why, since today, my application isn’t able to delete / change users?

asked 23 hours ago
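One thing worth doing before blaming the service in a case like this is to inspect the app-only token's claims and decide whether the 403 is explainable from the client side at all. The following is an added example, not code from the question or from Microsoft: it decodes a JWT payload without verifying the signature (inspection only, Graph remains the verifier), checks audience, validity window and the `roles` claim, and then classifies an `Authorization_RequestDenied` response. The sample token is constructed here from the claims quoted in the question, with the elided roles replaced by a made-up list and a placeholder signature; the `innerError` / `request-id` fields follow the shape of Graph error bodies, and `required_role` is a parameter introduced for this example.

```python
import base64
import json
import time
from typing import List, Optional

GRAPH_AUDIENCE = "https://graph.microsoft.com"

# Claims copied from the question; the roles list beyond User.ReadWrite.All is constructed.
SAMPLE_CLAIMS = {
    "aud": GRAPH_AUDIENCE,
    "iss": "https://sts.windows.net/3e6b8333-c708-4fa9-85d5-b38544125dc5/",
    "iat": 1536736865, "nbf": 1536736865, "exp": 1536740765,
    "app_displayname": "My Application",
    "appid": "5c02d1d6-a978-4139-a183-df9c40a5ea63",
    "appidacr": "1",
    "oid": "461e08f0-4f2d-4965-81b2-6fa25bab4b9a",
    "roles": ["User.ReadWrite.All", "Constructed.Role.Example"],
    "tid": "3e6b8333-c708-4fa9-85d5-b38544125dc5",
    "ver": "1.0",
}

# Constructed 403 body in the shape Graph returns (request-id/date values are placeholders).
SAMPLE_403_BODY = {
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {"request-id": "00000000-0000-0000-0000-000000000000",
                       "date": "2018-09-13T05:09:00"},
    }
}


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the JWT encoding stripped before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a compact JWT for demonstration; the signature is a placeholder, never valid."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT checking its signature.
    Use for diagnostics only; never treat the result as proof of authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_app_token(claims: dict, required_role: str, now: Optional[int] = None) -> List[str]:
    """List problems that would explain a 403 from the client side; empty means none found."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("aud") != GRAPH_AUDIENCE:
        problems.append(f"aud is {claims.get('aud')!r}, expected {GRAPH_AUDIENCE!r}")
    if int(claims.get("exp", 0)) <= now:
        problems.append("token is expired")
    if int(claims.get("nbf", 0)) > now:
        problems.append("token not yet valid (nbf is in the future)")
    roles = claims.get("roles", [])
    # Application permissions arrive in "roles"; a delegated (user) token carries "scp" instead
    if "scp" in claims and not roles:
        problems.append("token has delegated scopes (scp) but no application roles: wrong token type")
    if required_role not in roles:
        problems.append(f"missing application role {required_role!r}")
    return problems


def diagnose_forbidden(claims: dict, required_role: str, body: dict,
                       now: Optional[int] = None) -> str:
    """Classify a 403 so the operator knows whether to fix the client or open a service case."""
    error = body.get("error", {})
    inner = error.get("innerError", {})
    request_id = inner.get("request-id", "<none>")
    problems = check_app_token(claims, required_role, now)
    if problems:
        return "client-side: " + "; ".join(problems) + f" (request-id {request_id})"
    return (f"token carries {required_role!r} for tenant {claims.get('tid')} and is within its "
            f"validity window; {error.get('code')} is not explained by the token claims. Record "
            f"request-id {request_id} and date {inner.get('date', '<none>')} for a support case "
            "and re-check admin consent in the target tenant.")


if __name__ == "__main__":
    token = make_unsigned_sample_token(SAMPLE_CLAIMS)
    claims = decode_jwt_payload(token)
    # 1536737000 lies inside the sample token's nbf..exp window
    print(diagnose_forbidden(claims, "User.ReadWrite.All", SAMPLE_403_BODY, now=1536737000))
```

For the token quoted in the question the check comes back clean, which is exactly the useful outcome: it rules out the client-side explanations (expired token, wrong audience, delegated instead of application token, missing role) and leaves the `request-id` and timestamp as the evidence to keep.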

1 Answer

Vote count: 0

All of a sudden, today everything works again as expected without any code change on my side.

Deleting and changing a user just works as expected. This is very strange, and I won’t delete this question/answer, just to make everybody aware that sometimes the Graph interface behaves awkwardly.
