Managing, especially deleting, regular users through Azure AD Graph REST APIs

Hello,

I'm setting up a "service" for managing regular (as opposed to administrative) Office 365 users; the goal being to integrate that management in our administrative workflow. According to the docs, the Graph REST APIs [1] should be the right tools, since they potentially allow one to:

  • create users
  • list users and get info about them
  • update users (including their password)
  • delete users

So, I defined an application in the Azure management portal [2] and gave it the "Read directory data" and "Read and write directory data" application permissions (not sure whether both are needed, since R/W should include R/O, but...).

Using Service-to-Service Access Tokens [3], my application was then immediately able to:

  • create users
  • list users and get info about them
  • update users (including their password)

But no joy with user deletion: Authorization_RequestDenied...

A bit strange, since my application already behaved as if it had received, by default, a "User account administrator" role.

To be sure, I explicitly assigned that "User account administrator" role to my application with the help of the MSOnline PowerShell cmdlets.

And, surprise, my application was now able to delete users as well!

I'm feeling a bit uncomfortable as to how to interpret the above results.

According to the various pieces of information I could find, only two roles allow creating users: "User account administrator" and "Company Administrator".

On the other hand, according to the output of Get-MsolRoleMember, my application bore, upon its creation, only the "Directory writers" role, yet was able to create users.

Does someone know how to explain that (seeming) contradiction?
I mean, I sure must have overlooked something. ;-)

Many thanks in advance,
Axel

[1] https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/api-catalog
[2] https://manage.windowsazure.com/usaintlouisbe.onmicrosoft.com
[3] https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx



August 20th, 2015 12:29pm

Hello Alex,

Greetings!

Thank you for providing your query here. With regards to your query, the User administrator and Global administrator differ in their rights.

Global administrator has access to all administrative features. The person who signs up for the Azure account becomes a global administrator. Only global administrators can assign other administrator roles. There can be more than one global administrator at your company.

A User administrator can reset passwords, monitor service health, and manage user accounts, user groups, and service requests. Some limitations apply to the permissions of a user management administrator. For example, they cannot delete a global administrator or create other administrators. Also, they cannot reset passwords for billing, global, and service administrators.

For more information, you may refer to the administrator roles available in Azure Active Directory.

Hope this helps!
Best Regards
Kamalakar
_____________________________________________________________________________________
If a post answers your question, please click Mark As Answer on that post and Vote as Helpful.

August 20th, 2015 2:53pm

Hello Kamalakar,

Thanks for replying.

If you allow, I'll try to rephrase my question.

As far as I can tell from the docs, only the "User account administrator" and "Company Administrator" roles give the power to create and delete user accounts.
Conversely, I would be tempted to say that if a user or a service succeeds at creating user accounts, then that user or service has one of those two roles; as a corollary, that user or service should then also be able to delete user accounts.

In the Azure management portal, create application "Myapp" and give it the "Read directory data" and "Read and write directory data" application permissions.
Making use of Get-MsolRoleMember, it appears that MyApp has the "Directory writers" role, and only that role.
According to the reasoning from the previous paragraph, MyApp should not be able to create nor delete user accounts.

But MyApp can create (and even update) user accounts!

As a result, MyApp should be able to delete user accounts as well.
But, as is, it can't...

It is required to explicitly provide MyApp with the "User account administrator" role for allowing it to delete (regular) user accounts.

Would all of this mean that the "Directory writers" role includes the right to create user accounts?
Or that upon its creation, MyApp has somehow been given some "invisible", undocumented role?
Or that I'm just reasoning on the basis of incomplete information?
Or...

TIA,
Axel

August 21st, 2015 3:14am
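The four operations Axel probed in the first post (create, read, update, delete) and the "predict from roles, then check what actually works" reasoning of the third post can be turned into a small, repeatable permission probe. The script below is an added example, not Axel's code nor a Microsoft sample: it obtains an application token with the client-credentials flow from reference [3] (resource `https://graph.windows.net`), calls the Azure AD Graph `users` endpoint with `api-version=1.6`, and records per operation whether the service principal was allowed or got `Authorization_RequestDenied`. The HTTP transport is injectable, and the constructed `make_fake_transport` stand-in reproduces the thread's tenant (delete denied, everything else allowed) so the probe can be run offline. Tenant, client id, secret and the probe user's UPN are placeholders. Note that Azure AD Graph has since been retired in favour of Microsoft Graph, so the endpoint names are those of the thread's era; the probing pattern itself carries over.

```python
"""Permission probe for an Azure AD Graph service principal (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.windows.net"   # resource URI of Azure AD Graph (thread era)
API_VERSION = "1.6"


class GraphError(Exception):
    """Carries the odata.error code, e.g. Authorization_RequestDenied."""
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message = status, code, message


def parse_graph_error(status, body):
    """Turn a Graph error body into a GraphError; tolerate non-JSON bodies."""
    try:
        err = json.loads(body)["odata.error"]
        return GraphError(status, err.get("code", "Unknown"),
                          err.get("message", {}).get("value", ""))
    except (ValueError, KeyError, TypeError, AttributeError):
        return GraphError(status, "Unknown", str(body)[:200])


def default_transport(method, url, headers, data):
    """Real HTTP transport: returns (status, body_text), never raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def get_app_token(tenant, client_id, client_secret, transport=default_transport):
    """Client-credentials flow (reference [3]): the app authenticates with its own secret."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "resource": GRAPH}).encode()
    status, body = transport("POST", f"https://login.microsoftonline.com/{tenant}/oauth2/token",
                             {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body[:200]}")
    return json.loads(body)["access_token"]


class GraphClient:
    def __init__(self, tenant, token, transport=default_transport):
        self.tenant, self.token, self.transport = tenant, token, transport

    def _call(self, method, path, payload=None):
        url = f"{GRAPH}/{self.tenant}/{path}?api-version={API_VERSION}"
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        data = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(payload).encode()
        status, body = self.transport(method, url, headers, data)
        if status >= 400:
            raise parse_graph_error(status, body)
        return json.loads(body) if body else None   # DELETE/PATCH answer 204, empty body

    def create_user(self, upn, display_name, password):
        return self._call("POST", "users", {
            "accountEnabled": True, "displayName": display_name,
            "mailNickname": upn.split("@")[0], "userPrincipalName": upn,
            "passwordProfile": {"password": password, "forceChangePasswordNextLogin": True}})

    def get_user(self, upn):
        return self._call("GET", f"users/{urllib.parse.quote(upn, safe='@')}")

    def update_user(self, upn, changes):
        return self._call("PATCH", f"users/{urllib.parse.quote(upn, safe='@')}", changes)

    def delete_user(self, upn):
        return self._call("DELETE", f"users/{urllib.parse.quote(upn, safe='@')}")


def probe_user_permissions(client, upn, display_name, password):
    """Run create -> read -> update -> delete on one throwaway user and record the verdicts.
    If delete is denied the probe user is left behind; clean it up with a privileged account."""
    steps = (("create", lambda: client.create_user(upn, display_name, password)),
             ("read", lambda: client.get_user(upn)),
             ("update", lambda: client.update_user(upn, {"displayName": display_name + " (upd)"})),
             ("delete", lambda: client.delete_user(upn)))
    results = {}
    for op, fn in steps:
        try:
            fn()
            results[op] = "allowed"
        except GraphError as e:
            results[op] = "denied" if e.code == "Authorization_RequestDenied" else f"error:{e.code}"
    return results


def make_fake_transport(deny_delete=True):
    """Constructed offline stand-in mimicking the thread's tenant: only DELETE is refused."""
    denied = json.dumps({"odata.error": {"code": "Authorization_RequestDenied",
                         "message": {"lang": "en", "value": "Insufficient privileges to complete the operation."}}})
    def transport(method, url, headers, data):
        if method == "DELETE":
            return (403, denied) if deny_delete else (204, "")
        if method == "PATCH":
            return 204, ""
        return (201 if method == "POST" else 200), json.dumps({"userPrincipalName": "probe@example.invalid"})
    return transport


if __name__ == "__main__":
    # Offline demo; replace make_fake_transport() with default_transport and a real token to probe a tenant.
    client = GraphClient("TENANT.onmicrosoft.com", "PLACEHOLDER_TOKEN", transport=make_fake_transport())
    print(probe_user_permissions(client, "probe@example.invalid", "Probe User", "PLACEHOLDER_PASSWORD"))
```

Against a real tenant the output is a compact record of what the principal can actually do, which is the observation the thread hinges on: the verdict list says nothing about which role grants each right, so it is best read next to the `Get-MsolRoleMember` output rather than as a substitute for it.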
