Authorization_RequestDenied error when you try to change a password using Graph API

This article provides information about troubleshooting a problem in which you receive Authorization_RequestDenied error when trying to change a password using Graph API.

Original product version:   Azure Active Directory
Original KB number:   3004133

Symptoms

If you try to change the password of a Microsoft Azure Active Directory (Azure AD) user, and if the Organizational Role setting for that user is set to any "Administrator" option, the process fails and generates the following error message:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation." }} }

When you give the Read and write directory data permission to your application or Application Service Principal, you enable the application to change the password of a typical Azure AD user by using Graph API. This setting is shown in the following screenshot.

screenshot of permissions.

You can delegate an Azure AD user as an administrator by changing the user's Organizational Role setting, as shown in the following screenshot.

screenshot of role.

Cause

This problem occurs because the users who have any of the Administrator organizational roles are not members of Company Administrator or User Account Administrator in the Office 365 administrative roles.

Resolution

To resolve this problem, add your application to Company Administrator in the Office 365 administrative roles. To do this, run all the following Azure AD Module for Windows PowerShell (MSOL) cmdlets:

Connect-MsolService

This cmdlet prompts you for your tenant's credentials. Sign in with your Azure AD administrative user name in the admin@tenant.onmicrosoft.com format.

$displayName = "Application Name"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId

Replace "Application Name" with the display name of your Application Service Principal.

$roleName = "Company Administrator"
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

This adds your Application Service Principal to the Company Administrator role.

Also, you must add your application to User Account Administrator in the Office 365 administrative roles if the Azure AD user has any of the following Administrator organizational roles:

  • Global Administrator
  • Billing Administrator
  • Service Administrator

To do this, run all the following MSOL cmdlets:

Connect-MsolService
$displayName = "Application Name"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId
$roleName = "User Account Administrator"
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

After you run both sets of cmdlets, your application can change the password of users who hold any of the Administrator organizational roles.
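The following script is an added example, not part of the original article: it combines both sets of cmdlets above, refuses to proceed if the display name matches more than one service principal, skips roles the principal already holds, and then lists every service principal in those two roles so the change can be reviewed. "Application Name" remains a placeholder for your own service principal's display name.

```powershell
# Added example (not from the original KB). Assumes the MSOnline module is
# installed and that "Application Name" is replaced with your service principal's
# display name.

Connect-MsolService

$displayName = "Application Name"

# -SearchString is a prefix match and can return several principals; stop rather
# than grant a highly privileged role to the wrong object.
$sp = @(Get-MsolServicePrincipal -SearchString $displayName)
if ($sp.Count -ne 1) {
    throw "Expected exactly one service principal matching '$displayName', found $($sp.Count)."
}
$objectId = $sp[0].ObjectId

$roles = @("Company Administrator", "User Account Administrator")

foreach ($roleName in $roles) {
    $role = Get-MsolRole -RoleName $roleName

    # Adding an existing member fails, so check membership first.
    $alreadyMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $objectId }

    if ($alreadyMember) {
        Write-Host "$displayName is already a member of '$roleName'; nothing to do."
        continue
    }

    Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId
    Write-Host "Added $displayName ($objectId) to '$roleName'."
}

# Verification: list every service principal that now holds these roles. Review
# this output; a service principal in Company Administrator can reset the
# password of any user in the tenant, so unexpected entries should be removed.
foreach ($roleName in $roles) {
    $role = Get-MsolRole -RoleName $roleName
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq "ServicePrincipal" } |
        Select-Object @{ Name = "Role"; Expression = { $roleName } }, DisplayName, ObjectId
}
```

Remember the note below: role membership can take up to 30 minutes to take effect, so a Graph API call made immediately after the script runs may still return Authorization_RequestDenied.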

Note

It can take up to 30 minutes for the permissions to be applied to the Application Service Principal after you add the permissions to the Office 365 administrative roles.
