ShaneMarsden asked ShaneMarsden commented

Issue updating user property

Hi,

We're trying to resolve an exception occurring when we attempt to update a user property.

Connection to graph client:

    // Load the app registration's certificate (including its private key) from disk.
    var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(@"cert.pfx", "{password}");

    // Build a confidential client that authenticates as the app itself (client credentials).
    IConfidentialClientApplication clientApp = ConfidentialClientApplicationBuilder
        .Create(appId)
        .WithTenantId(tenantId)
        .WithCertificate(cert)
        .Build();

    var authProvider = new ClientCredentialProvider(clientApp);
    graphClient = new MicrosoftGraphBeta.Microsoft.Graph.GraphServiceClient(authProvider);

This is the code being used to attempt to update a specific user account’s specific custom property using the SharePoint API via the PnP Framework package:

    string siteUrl = "https://xxxx.sharepoint.com";
    // App-only context obtained with the Azure AD app's certificate.
    using (var clientContext = new PnP.Framework.AuthenticationManager(
        appId,
        @"cert.pfx",
        "{password}",
        "xxxx.onmicrosoft.com")
        .GetContext(siteUrl))
    {
        PeopleManager peopleManager = new PeopleManager(clientContext);
        // Claims-encoded login name of the account whose profile is updated.
        string myAccount = "i:0#.f|membership|xxxx.xxxx@xxxx.com";
        string[] depts = { "GroupOne", "GroupTwo" };
        // User Profile write operation; this is the call that fails.
        peopleManager.SetMultiValuedProfileProperty(myAccount, "CustomDepartment", depts);
        clientContext.ExecuteQuery();
    }

Packages (note we have tried older versions of these packages too):

  • Microsoft.Graph.Auth (v1.0.0-preview.7)

  • Microsoft.Graph.Beta (v4.5.0-preview)

  • Microsoft.Identity.Client (v.4.33.0)

  • PnP.Framework (v.1.5.15-nightly)

The above code fails with the following error:
Microsoft.Graph.ServiceException: 'Code: Request_ResourceNotFound
Message: Resource '' does not exist or one of its queried reference-property objects are not present.

Other attempts using previous versions of the packages have resulted in:
Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: 'Access denied. You do not have permission to perform this action or access this resource.'

These errors continue to occur after running the following PowerShell command to enable legacy authentication and waiting 24 hours:

    Set-SPOTenant -LegacyAuthProtocolsEnabled $True

The Azure App has been granted admin approval on the following permissions for the Graph API under both application and delegated contexts:

  • Directory.Read.All

  • Group.Read.All

  • GroupMember.Read.All

  • OrgContact.Read.All

  • Sites.FullControl.All

  • TermStore.Read.All

  • TermStore.ReadWrite.All

  • User.Read.All

  • User.ReadWrite.All

The Azure App has been granted admin approval on the following permissions for SharePoint under the delegated context:

  • AllSites.FullControl

  • AllSites.Manage

  • AllSites.Read

  • AllSites.Write

  • Sites.Search.All

  • TermStore.Read.All

  • TermStore.ReadWrite.All

  • User.Read.All

  • User.ReadWrite.All

The Azure App has been granted admin approval on the following permissions for SharePoint under the application context:

  • Sites.FullControl.All

  • Sites.Manage.All

  • Sites.Read.All

  • Sites.ReadWrite.All

  • TermStore.Read.All

  • TermStore.ReadWrite.All

  • User.Read.All

  • User.ReadWrite.All

Looking for assistance in how to resolve the error. Looks like there is a permission missing somewhere.

Thanks.


office-sharepoint-online

1 Answer

MichaelHan-MSFT answered ShaneMarsden commented

Hi @ShaneMarsden,

This is a limitation when using AAD app-only access to SharePoint. Currently, User Profile CSOM write operations do not work with an Azure AD application; read operations work.

If your solution needs write access to the User Profile service, your only option would be to use an Add-In registration (SharePoint App).

Reference: https://docs.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly



@ShaneMarsden,
Is there any update? I am willing to hear from you :)

Hi,

We have tried with a SharePoint App with the following code and we get a different error:

    public static void TagUsers()
    {
        string siteUrl = "https://xxxx.sharepoint.com";
        // App-only context for the SharePoint add-in registration (client id + secret).
        using (var cc = new OfficeDevPnP.Core.AuthenticationManager().GetAppOnlyAuthenticatedContext(siteUrl, GetRealmFromTargetUrl(new Uri(siteUrl)), "appid", "appsecret"))
        {
            var web = cc.Web;
            cc.Load(web);
            var user = web.GetUserById(23); // user id 23 is my account
            cc.Load(user, u => u.LoginName);
            cc.ExecuteQuery();
            PeopleManager peopleManager = new PeopleManager(cc);
            List<string> departments = new List<string>();
            departments.Add("GroupOne");
            // Update the CustomDepartment property for the user using account name from the user's profile.
            peopleManager.SetMultiValuedProfileProperty(user.LoginName, "CustomDepartment", departments);
            cc.ExecuteQuery();
        }
    }

And this is the error: Microsoft.SharePoint.Client.ServerUnauthorizedAccessException: 'This operation requires you to be managing your own data or have administrator privileges.'


@ShaneMarsden,

What permissions did you grant in the permission request XML for the SharePoint app? You need to grant the app permissions in the User Profile scope to access user profiles; the scope URI for the user profile scope is http://sharepoint/social/tenant

Besides, only the profile picture can be changed by a SharePoint app. All other user profile properties are read-only.

Reference: https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/add-in-permissions-in-sharepoint
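
One way to check a permission request XML for the User Profile scope named in the comment above, as an added example that is not part of the original thread. Both sample manifests are constructed, and the `Right` values in them are assumptions; the function and constant names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Scope URI quoted in the comment above for the User Profile scope.
USER_PROFILE_SCOPE = "http://sharepoint/social/tenant"

# Constructed sample: app-only registration that requests the content scope only.
CONTENT_ONLY = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>"""

# Constructed sample: also requests the User Profile scope (Right values assumed).
WITH_PROFILE = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
  <AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Write" />
</AppPermissionRequests>"""


def local(tag):
    """Drop an XML namespace prefix such as '{ns}AppPermissionRequest'."""
    return tag.rsplit("}", 1)[-1]


def audit_permission_requests(xml_text):
    """Return (grants, findings) for an add-in permission request XML."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "AppPermissionRequests":
        return {}, ["root element is not AppPermissionRequests"]
    findings = []
    # Calls made without a signed-in user need the app-only policy enabled.
    if root.get("AllowAppOnlyPolicy", "false").lower() != "true":
        findings.append("AllowAppOnlyPolicy is not enabled")
    # Map each requested scope URI to the right requested on it.
    grants = {}
    for el in root:
        if local(el.tag) == "AppPermissionRequest":
            scope = el.get("Scope", "").rstrip("/").lower()
            grants[scope] = el.get("Right", "")
    if USER_PROFILE_SCOPE not in grants:
        findings.append("no request for user profile scope " + USER_PROFILE_SCOPE)
    return grants, findings


if __name__ == "__main__":
    for name, xml_text in (("content only", CONTENT_ONLY), ("with profile", WITH_PROFILE)):
        grants, findings = audit_permission_requests(xml_text)
        print(name, grants, findings or "ok")
```
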
