Edvinas

How to update user's hireDate attribute in Azure AD using Graph REST API?

I searched for similar questions but did not find the answer I was looking for.

My goal is to update all users in AAD with hireDate.

At first I tried to do so using client credentials flow.

POST https://login.microsoftonline.com/espiradev.onmicrosoft.com/oauth2/token
Content-Type:application/x-www-form-urlencoded

grant_type:client_credentials
client_id:{{client_id}}
client_secret:{{client_secret}}
resource:https://graph.microsoft.com

After I got the access code, I called:

PATCH https://graph.microsoft.com/v1.0/users/[user1]
Authorization:bearer {{access_token}}
Content-Type:application/json
{
 "hireDate": "2019-05-01T00:00:00Z"
}

Response:

{
  "error": {
    "code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
    "message": "Attempted to perform an unauthorized operation.",
    "innerError": {}
  }
}

My second try was using the password flow (client and user credentials). I used my global admin [user1] credentials and called the same HTTP request. The response was HTTP 204 (everything OK).

POST https://login.microsoftonline.com/espiradev.onmicrosoft.com/oauth2/token
Content-Type:application/x-www-form-urlencoded

grant_type:password
client_id:{{client_id}}
client_secret:{{client_secret}}
resource:https://graph.microsoft.com
username:{{user1_upn}}
password:{{user1_password}}

Unfortunately, when I tried to update the other user [user2], it went like this:

PATCH https://graph.microsoft.com/v1.0/users/[user2]
Authorization:bearer {{access_token}}
Content-Type:application/json
{
  "hireDate": "2019-05-01T00:00:00Z"
}

Response:

{
  "error": {
    "code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
    "message": "Attempted to perform an unauthorized operation.",
    "innerError": {}
  }
}

If I use [user2]'s credentials to get the access token, then I can update [user2]'s hireDate but cannot update [user1]'s.

Application permissions: [screenshot of the app's API permissions, not included in the text]

UPDATED: Decoded access token has these permissions:

"scp": "Directory.AccessAsUser.All Directory.ReadWrite.All User.ManageIdentities.All User.ReadWrite User.ReadWrite.All"

UPDATED[2]: both [user1] and [user2] have Office 365 E1 licences assigned (including SharePoint Online (Plan 1)).

Am I doing something wrong? If anyone has a solution to share, it would be much appreciated.


Answers (1)

Apart from the office licenses, the global admin user should have Sites.ReadWrite.All scope permission in the token to update the "hireDate" property for other users.

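As an added diagnostic (not code from the question or the answer): decode the access token's `scp`/`roles` claim locally and compare it with the permissions this thread says a delegated PATCH of another user's hireDate needs, before making the Graph call. The required-permission sets and the constructed, unsigned sample token are assumptions based on the thread, not Microsoft documentation.

```python
import base64
import json

# Assumption from this thread: a directory write permission plus the
# Sites.ReadWrite.All scope named in the answer are needed to PATCH
# another user's hireDate with a delegated token.
REQUIRED_ANY_WRITE = {"Directory.ReadWrite.All", "User.ReadWrite.All"}
REQUIRED_SITES = "Sites.ReadWrite.All"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_permissions(token: str) -> set:
    """Return the permissions carried by an access token, without verifying it.

    Delegated tokens list scopes in the space-separated 'scp' claim; app-only
    tokens list application roles in the 'roles' array. Signature validation
    is Graph's job; this diagnostic only reads the payload segment.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    claims = json.loads(_b64url_decode(parts[1]))
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def missing_for_hiredate_update(token: str) -> set:
    """Permissions still missing before PATCHing another user's hireDate."""
    perms = token_permissions(token)
    missing = set()
    if not perms & REQUIRED_ANY_WRITE:
        missing.add("Directory.ReadWrite.All or User.ReadWrite.All")
    if REQUIRED_SITES not in perms:
        missing.add(REQUIRED_SITES)
    return missing


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample mirroring the 'scp' claim quoted in the question.
QUESTION_TOKEN = make_unsigned_token({"scp": "Directory.AccessAsUser.All Directory.ReadWrite.All "
                                             "User.ManageIdentities.All User.ReadWrite User.ReadWrite.All"})

if __name__ == "__main__":
    print(missing_for_hiredate_update(QUESTION_TOKEN))  # {'Sites.ReadWrite.All'}
```

Run it against a real token from the client-credentials flow as well: an app-only token carries `roles` rather than `scp`, which this check also reads.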
