Evan Gertis

Reputation: 2052

Creating a user via Microsoft Graph API

I am trying to perform this curl request

curl --location --request POST 'https://graph.microsoft.com/v1.0/users' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {BEARER_TOKEN}' \
--data-raw '{
  "accountEnabled": true,
  "displayName": "displayName-value",
  "mailNickname": "mailNickname-value",
  "userPrincipalName": "[email protected]",
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": true,
    "password": "password"
  }
}'

I keep getting

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2020-10-23T14:01:06",
            "request-id": "caf9e0be-88fc-4a4e-a6eb-fed1ccedb90c",
            "client-request-id": "caf9e0be-88fc-4a4e-a6eb-fed1ccedb90c"
        }
    }
}

I have the following permissions set on the app registration.

Can someone please help me figure out what's wrong here?

Upvotes: 0

Views: 108

Answers (1)

Sruthi J

Reputation: 1602

Based on the error you provided, it seems you do not have the right permission to create the user.

In the token, you are missing the permissions, so before making the Graph request you need to have a token with User.ReadWrite.All, Directory.ReadWrite.All.


I made the request below without having the required permission, and I received the same error, as you can see below.

Then I added the permissions, requested a new token, and made the Graph call. Now I was able to create the user successfully.

Curl

curl --location --request POST 'https://graph.microsoft.com/v1.0/users' \
--header 'Authorization: Bearer token' \
--header 'Content-Type: application/json' \
--data-raw '{
  "accountEnabled": true,
  "displayName": "displayName-value",
  "mailNickname": "mailNickname-value",
  "userPrincipalName": "[email protected]",
  "passwordProfile" : {
    "forceChangePasswordNextSignIn": true,
    "password": "xx@123"
  }
}'

Upvotes: 2
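
A quick way to confirm what the answer describes, as an added example that is not part of the original post: decode the access token's payload and list which of the named permissions it actually carries before calling Graph. It assumes the token is a JWT with application permissions in the `roles` claim and delegated scopes in `scp`; the helper names and sample tokens are constructed for the demo, and the signature is not verified, so this is a debugging aid only.

```python
import base64
import json

# Permissions named in the answer above.
REQUIRED = {"User.ReadWrite.All", "Directory.ReadWrite.All"}


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: debugging only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(token: str) -> set:
    """Union of app roles ('roles', a list) and delegated scopes ('scp', space-separated)."""
    claims = decode_claims(token)
    roles = claims.get("roles") or []
    scopes = (claims.get("scp") or "").split()
    return set(roles) | set(scopes)


def missing_permissions(token: str, required=REQUIRED) -> set:
    """Which of the required permissions the token does not carry."""
    return set(required) - granted_permissions(token)


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Graph token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: a token issued before the permissions were added, and one after.
TOKEN_BEFORE = make_sample_token({"roles": ["User.Read.All"]})
TOKEN_AFTER = make_sample_token({"roles": ["User.ReadWrite.All", "Directory.ReadWrite.All"]})

if __name__ == "__main__":
    for name, tok in (("before", TOKEN_BEFORE), ("after", TOKEN_AFTER)):
        print(name, "missing:", sorted(missing_permissions(tok)) or "none")
```

A token issued before the permissions were added keeps its old claims, which is why the answer requests a new token before retrying the call.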
