{"id":4337,"date":"2018-10-17T21:51:26","date_gmt":"2018-10-17T21:51:26","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/aaddevsup\/?p=3945"},"modified":"2018-10-17T21:51:26","modified_gmt":"2018-10-17T21:51:26","slug":"unable-to-modify-user-email-phone-number-password-or-other-personal-information-for-azure-active-directory-users","status":"publish","type":"post","link":"https:\/\/blogs.aaddevsup.xyz\/2018\/10\/unable-to-modify-user-email-phone-number-password-or-other-personal-information-for-azure-active-directory-users\/","title":{"rendered":"Unable to Modify User Email, Phone Number, Password or Other Personal Information for Azure Active Directory Users"},"content":{"rendered":"
This post covers a problem where callers can no longer modify certain Azure Active Directory user attributes (mobile and business phone numbers, alternate e-mail addresses, password resets and similar personal data) on user accounts. It explains the reason behind the change and how to resolve the resulting failures. For many callers this worked until recently and then stopped without any change on their side.
A recent change made writes to three user attributes require the same elevated privileges that a password reset requires. Only these attributes are affected: mobilePhone, businessPhones (telephoneNumber in the Azure AD Graph API) and otherMails. Every other user profile attribute can still be changed with the User.ReadWrite.All permission; these three cannot.

To resolve the issue, assign the user or service principal that performs the change one of three directory roles: Helpdesk Administrator, User Account Administrator or Company Administrator (the Global Administrator role). Only members of these three roles can now change these three attributes. Which of the three you need depends on the role held by the user being modified: Helpdesk Administrator is the least privileged and can only act on non-administrator users (and other Helpdesk Administrators); modifying users who hold higher roles requires User Account Administrator or Company Administrator.

Be aware of the power you are granting. Membership in any of these roles lets the user or service principal perform every task that role allows across the whole directory, including password resets, not just updates to the three attributes. Assign the least privileged role that covers the users you need to modify, and treat the credentials of such a service principal as administrator credentials. This should be done with caution.

Most callers hitting this issue are Microsoft Graph or Azure AD Graph applications that use the client credentials grant (an app-only token) to modify the three attributes. Holding the Directory.ReadWrite.All application permission is no longer sufficient for these writes: the request fails with HTTP 403 and an "insufficient privileges to complete the operation" (Authorization_RequestDenied) error. The fix is the one described above: add the service principal (the Enterprise Application in the tenant) to one of the three administrator roles.

Fix/Resolution
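The following PowerShell is an added worked example, not code from the original post. It performs the resolution described above with the AzureAD module (activate the Helpdesk Administrator role if needed, add the application's service principal to it), then retries the exact call that was failing, a PATCH of mobilePhone through Microsoft Graph with a client-credentials token, to confirm the assignment is effective. The AppId, tenant, client secret, target user and phone number are placeholders you must replace; Helpdesk Administrator is chosen because it is the least privileged of the three roles and is enough for non-administrator target users.

```powershell
# Added example (not from the original post). Assumes the AzureAD PowerShell module,
# an administrator signed in with Connect-AzureAD, and an app registration whose
# AppId and client secret you substitute below. All GUIDs, names and numbers are placeholders.

$AppId     = '00000000-0000-0000-0000-000000000000'   # placeholder: application (client) ID
$TenantId  = 'contoso.onmicrosoft.com'                # placeholder tenant
$Secret    = '<client-secret>'                        # placeholder; do not hard-code in real scripts
$TargetUpn = 'alice@contoso.onmicrosoft.com'          # placeholder non-admin user to update

# Least privileged of the three roles the post names. It covers non-administrator users;
# use 'User Account Administrator' or 'Company Administrator' only if the target users
# hold administrator roles themselves.
$RoleName  = 'Helpdesk Administrator'

Connect-AzureAD -TenantId $TenantId | Out-Null

# 1. Find the service principal that a client-credentials token for this app represents.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"
if (-not $sp) { throw "No service principal for AppId $AppId in $TenantId; consent the app first." }

# 2. Directory roles are only listed by Get-AzureADDirectoryRole once activated from a template.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleName }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# 3. Add the service principal to the role, skipping if it is already a member.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -notcontains $sp.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Host "Added $($sp.DisplayName) to $RoleName"
}

# 4. Verify with the same client-credentials flow the failing applications use:
#    obtain an app-only token and PATCH one of the three restricted attributes.
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $AppId
        client_secret = $Secret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }
$body    = @{ mobilePhone = '+1 425 555 0100' } | ConvertTo-Json   # placeholder number

try {
    Invoke-RestMethod -Method Patch -Uri "https://graph.microsoft.com/v1.0/users/$TargetUpn" `
        -Headers $headers -ContentType 'application/json' -Body $body
    Write-Host "mobilePhone updated for $TargetUpn; the role assignment is effective."
}
catch {
    # Without the role, this is the HTTP 403 Authorization_RequestDenied
    # ("Insufficient privileges to complete the operation") described in the post,
    # even though the app holds Directory.ReadWrite.All.
    $status = [int]$_.Exception.Response.StatusCode
    Write-Warning "PATCH failed with HTTP $status`: $($_.ErrorDetails.Message)"
}
```

The first three steps need an account that can manage directory roles; step 4 deliberately uses only the application's own credentials so the check reflects what the application will see in production. Run step 4 alone before the role assignment to reproduce the 403, and again afterwards to confirm the fix.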
Microsoft Graph Scenario