Can't PUT /photo/$value in Beta endpoint with User.ReadWrite.All permission

Question

We are trying to use the graph API to update user photos but it is failing.

We have an app (client) ID with User.ReadWrite.All scope granted.

Here are the scopes returned in the access token we get after authentication:

"scp": "Mail.Read User.Read User.Read.All User.ReadWrite User.ReadWrite.All"

Then we are able to GET users photos without issue via:

https://graph.microsoft.com/beta/users/{User ID}/photo/$value

However, we are not able to update photos via PUT:

PUT /beta/users/{User ID}/photo/$value HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer eyJ0eXAiOiJKV1Q...iLCJhbGciOiJHJSA
Content-Type: image/jpeg
Cache-Control: no-cache

Response: 403 Forbidden

{
    "error": {
        "code": "ErrorAccessDenied",
        "message": "AccessDeniedException",
        "innerError": {
            "request-id": "35d88f98-78cd-42de-973e-0c0c1414da83",
            "date": "2016-09-02T23:45:27"
        }
    }
}

We believe this should work as per the documentation: http://graph.microsoft.io/en-us/docs/api-reference/beta/api/profilephoto_update

Where it states:

One of the following scopes is required to execute this API for:

Profile photo of any user in the tenant including the signed-in user - User.ReadWrite.All

Answer 1

User profile photo update is currently only supported with User.ReadWrite scope. There is https://github.com/OfficeDev/microsoft-graph-docs/issues/442 for correcting this documentation issue - User.ReadWrite.All is not supported.