Univention Bugzilla – Bug 55973
Global Administrators cannot be modified by the Microsoft365 Connector
Last modified: 2023-04-17 08:47:12 CEST
Some sensitive attributes cannot be modified by a usual Azure Application like our Microsoft365 connector, if the attributes belong to an administrative user, e.g. with the role "global administrator". This is documented here: https://learn.microsoft.com/en-us/graph/permissions-reference

We have seen this error in a customer environment, where the modification worked for all other users.

univention.office365.microsoft.exceptions.core_exceptions.GraphPermissionError: Forbidden Error. Your application may not have the correct permissions for the Microsoft Graph API. Please check https://help.univention.com/t/18453.
HTTP response status: 403
HTTP response expected status: [204]
> request url: https://graph.microsoft.com/v1.0/users/xxxxxxxxx
> request header: {
    "User-Agent": "Univention Microsoft 365 Connector",
    "Accept-Encoding": "gzip, deflate",
    "Accept": "*/*",
    "Connection": "keep-alive",
    "Content-Type": "application/json",
    "Authorization": "XXX",
    "Content-Length": "37"
}
> request body: {
    "businessPhones": [
        "+49xxxxxxxxxx"
    ]
}

This is a security behaviour, which should not be changed by default. But some bug reports for Azure mention the possibility to add certain roles like "helpdesk administrator" or "company administrator" to the application to give it the rights to do so. E.g. https://github.com/microsoftgraph/microsoft-graph-docs/issues/3216
If we find a permission change for our app that allows us to modify these objects, we should document it.
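
A triage sketch for the error shape quoted in this report, added here as an example; it is not part of the report or of the connector's code. The function name, the verdict strings and the sample text are hypothetical, and the property set is an assumption drawn from Microsoft's description of sensitive user updates (only businessPhones is confirmed by this report).

```python
import json
import re

# Assumption: user properties Microsoft treats as sensitive updates.
# Only businessPhones is confirmed by the error quoted in this report.
SENSITIVE_USER_PROPERTIES = {
    "accountEnabled", "businessPhones", "mobilePhone",
    "otherMails", "passwordProfile", "userPrincipalName",
}

# Constructed sample, shaped like the connector error quoted above.
SAMPLE_ERROR = """\
HTTP response status: 403
HTTP response expected status: [204]
> request url: https://graph.microsoft.com/v1.0/users/xxxxxxxxx
> request body: { "businessPhones": [ "+49xxxxxxxxxx" ] }
"""


def triage_graph_error(text):
    """Classify a logged Graph failure (hypothetical helper)."""
    status = re.search(r"HTTP response status:\s*(\d+)", text)
    url = re.search(r"request url:\s*(\S+)", text)
    body = re.search(r"request body:\s*(\{.*\})", text, re.DOTALL)
    if not (status and url and body):
        return {"verdict": "unparsed", "sensitive": []}
    try:
        payload = json.loads(body.group(1))
    except json.JSONDecodeError:
        return {"verdict": "unparsed", "sensitive": []}
    touched = sorted(SENSITIVE_USER_PROPERTIES.intersection(payload))
    is_user_update = re.search(r"/v1\.0/users/[^/]+$", url.group(1)) is not None
    if status.group(1) == "403" and is_user_update and touched:
        # The target probably holds an admin role: review it by hand
        # instead of widening the application's roles automatically.
        verdict = "check-target-admin-roles"
    elif status.group(1) == "403":
        verdict = "check-app-permissions"
    else:
        verdict = "other"
    return {"verdict": verdict, "sensitive": touched}


if __name__ == "__main__":
    print(triage_graph_error(SAMPLE_ERROR))
```

Separating the two 403 cases keeps an operator from answering a single failed admin-account update by granting the application a directory role that would apply to every privileged user.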