Reputation: 11
I am trying to read and write the Birthday and Hiredate user properties using the Microsoft Graph API. I configured the app and delegated permissions below.
I am getting an access denied error as a normal user, but it works for the Azure admin.
Delegated: User.Read, User.ReadBasic.All, User.ReadWrite, Directory.AccessAsUser.All (admin only), Directory.Read.All (admin only), Directory.ReadWrite.All (admin only), User.Read.All (admin only), User.ReadWrite.All (admin only)
Application: Directory.Read.All, Directory.ReadWriteAll (admin only), User.Read.All (admin only), User.ReadWrite.All (admin only)
Please help me with which permissions are needed for the app to read and write the birthday and hire date properties for normal users.
Upvotes: 1
Views: 861
Reputation: 33114
You cannot have both Application and Delegated scopes active within the same token. Which are used is entirely based on the OAuth grant you've used to obtain the token. You might find this article helpful: Application vs Delegated Scopes.
You've also chosen several scopes that require Admin Consent before they can be used within a tenant. Until you've obtained this consent, normal users will not be able to authenticate. You might find this article helpful: v2 Endpoint & Admin Consent.
In terms of scopes, in order to read a user's profile (which holds those properties), you should only need User.Read. You can, and should, remove all of the other scopes you're requesting. When it comes to permission scopes, more is never better.
Note: both of the articles I mentioned above were written by me. Also, while they deal with the v2 Endpoint, the concepts in them apply to both AAD v1 and v2 OAuth endpoints.
Upvotes: 2
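To see the answer's point in practice (a token carries either delegated scopes or application roles, never both), here is an added inspection helper that is not from the answer's author. It decodes the payload of an access token without verifying the signature, reports which permission model the token is using, and checks whether a required scope such as User.Read is actually present; the sample tokens are constructed locally with placeholder signatures and are not real Microsoft-issued tokens.

```python
import base64
import json

# Delegated tokens carry the consented scopes in the "scp" claim (space-separated);
# application (client-credentials) tokens carry app roles in the "roles" claim.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _decode_b64url(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for local inspection only (placeholder signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder"

def token_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection, not auth)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_decode_b64url(parts[1]))

def permission_model(claims: dict) -> str:
    """'delegated' if scp is present, 'application' if roles is present, else 'none'."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    return "none"

def missing_scopes(claims: dict, required: set) -> set:
    """Required permissions that the token does not grant (empty set means all present)."""
    granted = set(claims.get("scp", "").split())
    granted.update(claims.get("roles", []))
    return required - granted

# Constructed samples: a delegated token for a normal user and an application token.
DELEGATED_SAMPLE = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "upn": "user@example.com",
    "scp": "User.Read openid profile"})
APP_SAMPLE = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["User.Read.All", "Directory.Read.All"]})
```

Against the real token from your sign-in, the same check shows whether an "access denied" comes from missing consent (the scope is simply absent from `scp`) rather than from the Graph call itself.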