Jaffadog

Reputation: 664

What API Permissions are needed for Remove-AzureADUser?

I need to delete AAD guest users using powershell - where the script authenticates using certificate credential corresponding to a registered app. What API permissions does the registered app need?

Connect-AzureAD -TenantId $TenantId -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint
Remove-AzureADUser -ObjectId $guestKey

Resulting error:

Remove-AzureADUser : Error occurred while executing RemoveUser
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: fa05248f-60be-48fa-8ef5-7a381f6e61dd
DateTimeStamp: Thu, 13 Jun 2019 18:15:52 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At C:\Scripts\disable-inactive-guests.ps1:116 char:9
+         Remove-AzureADUser -ObjectId $guestKey
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Remove-AzureADUser], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RemoveUser

Permissions I've added so far... guessing my way through it:

[screenshot: API permissions currently configured on the app registration]

Upvotes: 0

Views: 3444

Answers (2)

Joy Wang

Reputation: 42043

The Directory.ReadWrite.All permission of the Azure AD Graph API does not grant permission to remove the user.

Solution:

To fix the issue, you need to assign your service principal to a directory role e.g. User administrator/ Global administrator.

Under the deleted reply, I see your comment:

You cannot grant directory roles to service principals. It has to be API permissions.

No, actually we can grant a directory role to a service principal.

Navigate to the Azure Active Directory in the Azure portal -> Roles and administrators -> click User administrator or Global administrator -> Add assignment -> search by your service principal name (must search) -> find it and select it -> click Select.

[screenshot: Add assignment dialog for the directory role in the Azure portal, with the service principal selected]

Upvotes: 2
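The same role assignment that the answer above performs in the portal can be scripted with the AzureAD module. The following is an added example, not code from the question or from the answer, and it assumes `$ApplicationId` is the Application (client) ID of the registered app from the question's `Connect-AzureAD` call. It must be run interactively by an administrator who is allowed to manage role assignments; the app cannot grant a role to itself. It picks User Administrator rather than Global Administrator, because that role is sufficient to delete non-admin users such as guests and is far less privileged, and it lists the role's members afterwards so that any unexpected principal holding the role is visible.

```powershell
# Added example (not from the question or the answer): assign the app's service
# principal to the User Administrator directory role and verify the membership.
# Assumptions: $ApplicationId is the app registration's Application (client) ID;
# the caller signs in interactively as an administrator who can manage roles.

param(
    [Parameter(Mandatory = $true)][string]$TenantId,
    [Parameter(Mandatory = $true)][string]$ApplicationId
)

# Interactive admin sign-in (not the app's certificate credential).
Connect-AzureAD -TenantId $TenantId | Out-Null

# Resolve the service principal that backs the app registration in this tenant.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$ApplicationId'"
if (-not $sp) { throw "No service principal found for application $ApplicationId" }

# Least privilege: User Administrator is enough to delete guest users.
# Older module/tenant versions label the same template "User Account Administrator".
$roleNames = @('User Administrator', 'User Account Administrator')

# Directory roles only appear in Get-AzureADDirectoryRole once activated;
# activate from the template if the tenant has never used the role.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -in $roleNames }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -in $roleNames }
    if (-not $template) { throw "User Administrator role template not found" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Add the service principal as a role member unless it already is one.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Host "$($sp.DisplayName) is already a member of $($role.DisplayName)"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Host "Added $($sp.DisplayName) to $($role.DisplayName)"
}

# Verify, and show every member so over-privileged principals stand out in review.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object ObjectType, DisplayName, ObjectId |
    Format-Table -AutoSize
```

After this runs, the question's certificate-authenticated `Connect-AzureAD` followed by `Remove-AzureADUser -ObjectId $guestKey` should no longer return `Authorization_RequestDenied`, since the authorization now comes from the role membership rather than from the Graph API permission. The role assignment applies to the service principal, not to the user who ran the script, so the certificate-based batch flow stays unchanged.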

Jaffadog

Reputation: 664

I suspect I've found my answer in the Azure AD Graph and Microsoft Graph docs, which both seem to go out of their way to state that the Directory.ReadWrite.All permission, which would seem to be the most potent, includes "No rights to delete entities (including users or groups)".

Sigh...

I think I'll have to do this with a service account (an actual Azure AD user account) that has a suitable directory role and authenticate with user/password. I'd really prefer to have my batch scripts use certificate auth...

Upvotes: 0
