Managing, especially deleting, regular users through Azure AD Graph REST APIs

Hello,

I'm setting up a "service" for managing regular (as opposed to administrative) Office 365 users; the goal being to integrate that management in our administrative workflow. According to the docs, the Graph REST APIs [1] should be the right tools, since they potentially allow one to:

  • create users
  • list users and get info about them
  • update users (including their password)
  • delete users

So, I defined an application in the Azure management portal [2] and gave it the "Read directory data" and "Read and write directory data" application permissions (not sure whether both are needed, since R/W should include R/O, but...).

Using Service-to-Service Access Tokens [3], my application was then immediately able to:

  • create users
  • list users and get info about them
  • update users (including their password)

But no joy with user deletion: Authorization_RequestDenied...

A bit strange, since my application already behaved as if it had received, by default, a "User account administrator" role.

To be sure, I explicitly assigned that "User account administrator" role to my application with the help of the MSOnline PowerShell cmdlets.

And, surprise, my application was now able to delete users as well!

I'm feeling a bit uncomfortable as to how to interpret the above results.

According to the various pieces of information I could find, only these two roles allow creating users: "User account administrator" and "Company Administrator".

On the other hand, according to the output of Get-MsolRoleMember, my application bore, upon its creation, only the "Directory writers" role, yet was able to create users.

Does someone know how to explain that (seeming) contradiction?
I mean, I sure must have overlooked something. ;-)

Many thanks in advance,
Axel

[1] https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/api-catalog
[2] https://manage.windowsazure.com/usaintlouisbe.onmicrosoft.com
[3] https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx



August 20th, 2015 4:25pm
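As an added example (not part of the original post or of any Microsoft sample), here is a PowerShell check that answers the question the post raises with Get-MsolRoleMember in a more general way: it walks every directory role with Get-MsolRole and lists which service principals (applications) are members of each, so an application that holds more than it needs for user management can be spotted. It assumes the MSOnline module is installed and Connect-MsolService has already been run with a sufficiently privileged account; `$rolesOfInterest` and `$findings` are names chosen for this example.

```powershell
# Added example: audit which Azure AD directory roles are held by service principals.
# Assumes: MSOnline module installed, Connect-MsolService already executed.
Import-Module MSOnline

# Roles the post names as relevant to creating/deleting users; extend as needed.
$rolesOfInterest = @('Company Administrator', 'User Account Administrator', 'Directory Writers')

$findings = foreach ($role in Get-MsolRole) {
    # All members of this role, whatever their type (User, Group, ServicePrincipal)
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All
    foreach ($m in $members) {
        # Keep only applications; human admins are audited elsewhere
        if ($m.RoleMemberType -eq 'ServicePrincipal') {
            [pscustomobject]@{
                Role        = $role.Name
                AppName     = $m.DisplayName
                AppObjectId = $m.ObjectId
                Privileged  = ($rolesOfInterest -contains $role.Name)
            }
        }
    }
}

# Show every role held by an application, the user-management roles first
$findings |
    Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, Role, AppName |
    Format-Table -AutoSize

# Warn about applications holding tenant-wide admin when User Account Administrator
# (which the post found sufficient for deleting users) would do
$findings |
    Where-Object { $_.Role -eq 'Company Administrator' } |
    ForEach-Object {
        Write-Warning ("Service principal '{0}' ({1}) holds Company Administrator" -f $_.AppName, $_.AppObjectId)
    }
```

Running this before and after an Add-MsolRoleMember call makes the role change visible in the same output the post relies on, and turns a one-off check into something that can be scheduled.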
