Azure-Samples/active-directory-dotnet-graphapi-console

User delete async result "Insufficient privileges to complete the operation."

Closed this issue · 5 comments

Hi, I tried the example, however I receive "Insufficient privileges to complete the operation."
I have set the web application to have different types of permission, even to have all of them (both read and write directory data). I can create a user, however I cannot delete the user. Any help is much appreciated. The code is the original from the example:

    //*********************************************************************************************
    // Delete the user that we just created
    //*********************************************************************************************
    if (userToBeAdded.ObjectId != null)
    {
        try
        {
            userToBeAdded.DeleteAsync().Wait();
            Console.WriteLine("\nUser {0} was deleted", userToBeAdded.DisplayName);
        }
        catch (Exception e)
        {
            Console.WriteLine("Deleting User failed {0} {1}", e.Message,
                e.InnerException != null ? e.InnerException.Message : "");
        }
    }
    if (newUser.ObjectId != null)
    {
        try
        {
            newUser.DeleteAsync().Wait();
            Console.WriteLine("\nUser {0} was deleted", newUser.DisplayName);
        }
        catch (Exception e)
        {
            Console.WriteLine("Deleting User failed {0} {1}", e.Message,
                e.InnerException != null ? e.InnerException.Message : "");
        }
    }

Read/write directory data does not have permission to delete the user. The sample will only be able to delete the user if:

  1. The app is added to the "Company Administrators" role.

Or

  2. App+User is used when logging in as a company admin. The app must be created as a "Native app" with permissions set to "Access to Directory".

Thanks
Pavan

From: duongthaiha [mailto:notifications@github.com]
Sent: Sunday, November 2, 2014 7:50 PM
To: AzureADSamples/ConsoleApp-GraphAPI-DotNet
Subject: [ConsoleApp-GraphAPI-DotNet] User delete async result "Insufficient privileges to complete the operation." (#5)

Thank you very much. I tried the second option and that works. Quick question on option 1: I cannot find the option to assign a role to an application via the Azure Management Portal. Is that something you have to do via the command line?

Right now this can be done only using the Windows Azure Active Directory PowerShell module (you can find the service principal using Get-MsolServicePrincipal -AppPrincipalId and then use Add-MsolRoleMember to add it to the "Company Administrator" role).

Thanks
Pavan

From: duongthaiha [mailto:notifications@github.com]
Sent: Monday, November 3, 2014 6:22 AM
To: AzureADSamples/ConsoleApp-GraphAPI-DotNet
Cc: Pavan Kompelli
Subject: Re: [ConsoleApp-GraphAPI-DotNet] User delete async result "Insufficient privileges to complete the operation." (#5)

Thank you very much :)

The first option (use Add-MsolRoleMember to add it to the "Company Administrator" role) worked for me - specifically:

1. Get the client ID of your web application - you can do it in Azure web/configuration, or in PowerShell when you run:

    # 1. list all principals, your web app will probably be last...
    Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize

2. Run in PowerShell:

    # 2. put your web app guid [this is ClientIdWebApp] and use it to get the MsolServicePrincipal
    $ClientIdWebApp = '5dc390de-1a63-4377-b16e-f4d0ddd9d921'
    $webApp = Get-MsolServicePrincipal -AppPrincipalId $ClientIdWebApp

    # 3. use Add-MsolRoleMember to add it to the "Company Administrator" role
    Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
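The two replies above describe the same procedure: resolve the app's service principal and add it to the "Company Administrator" role so the sample can delete users. That role is the tenant-wide administrator role, which is far more than user deletion needs, so a practitioner will want to verify exactly what was granted and revoke it once the task is done. The script below is an added example (not code from the sample or from anyone in this thread) that does the grant idempotently, checks the membership, lists every service principal holding the role, and can revoke the grant with a switch. It assumes the MSOnline module is installed and Connect-MsolService has already been run as a company administrator; the client ID is a constructed placeholder, not a real registration.

```powershell
<#
  Added example, not part of the Azure sample or this issue thread.
  Assumes: MSOnline module installed; Connect-MsolService already run as a
  Company Administrator. The ClientId below is a constructed placeholder.

  Usage:
    .\Grant-SpCompanyAdmin.ps1                 # grant + verify + audit
    .\Grant-SpCompanyAdmin.ps1 -Revoke         # remove the grant again
#>
param(
    [string]$ClientId = '00000000-0000-0000-0000-000000000000',  # placeholder, replace with your app's client ID
    [string]$RoleName = 'Company Administrator',
    [switch]$Revoke
)

# The service principal is the directory object that represents the app in this tenant;
# role membership is assigned to it, not to the app registration's client ID directly.
$sp = Get-MsolServicePrincipal -AppPrincipalId $ClientId
if (-not $sp) { throw "No service principal found for AppPrincipalId $ClientId" }

$role = Get-MsolRole -RoleName $RoleName
if (-not $role) { throw "Role '$RoleName' not found in this tenant" }

function Test-SpInRole {
    param([Guid]$RoleObjectId, [Guid]$SpObjectId)
    # Get-MsolRoleMember returns users, groups and service principals that hold the role.
    $members = Get-MsolRoleMember -RoleObjectId $RoleObjectId
    $hit = $members | Where-Object {
        $_.RoleMemberType -eq 'ServicePrincipal' -and $_.ObjectId -eq $SpObjectId
    }
    return [bool]$hit
}

if ($Revoke) {
    if (Test-SpInRole -RoleObjectId $role.ObjectId -SpObjectId $sp.ObjectId) {
        Remove-MsolRoleMember -RoleObjectId $role.ObjectId `
            -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
        Write-Host "Removed '$($sp.DisplayName)' from '$RoleName'"
    } else {
        Write-Host "'$($sp.DisplayName)' is not a member of '$RoleName'; nothing to do"
    }
}
else {
    # Grant only if not already a member, so re-running the script is harmless.
    if (-not (Test-SpInRole -RoleObjectId $role.ObjectId -SpObjectId $sp.ObjectId)) {
        Add-MsolRoleMember -RoleObjectId $role.ObjectId `
            -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
    }

    # Verify the grant took effect before running the sample's delete step.
    if (Test-SpInRole -RoleObjectId $role.ObjectId -SpObjectId $sp.ObjectId) {
        Write-Host "'$($sp.DisplayName)' ($($sp.ObjectId)) now holds '$RoleName'"
    } else {
        throw "Grant did not take effect for $($sp.ObjectId)"
    }
}

# Audit: every application that currently holds tenant-wide admin.
# Anything unexpected in this list deserves the same -Revoke treatment.
Write-Host "`nService principals holding '$RoleName':"
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' } |
    Format-Table DisplayName, ObjectId -AutoSize
```

Run it once without the switch to grant and confirm, run the sample, then run it with -Revoke so the app does not keep standing tenant-admin rights; the audit listing at the end is worth keeping in a scheduled check regardless of this sample.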