
I have the User Access Administrator role, so I can usually add users to a resource group through Access Control (IAM). However, today I encountered an issue where I can’t select a user in the members section. I get the following errors:

Authorization_RequestDenied

Insufficient privileges to complete the operation.

This error appears while using the graph.microsoft.com REST API.

/users?$filter=startsWith(displayName,%27john%27)%20OR%20startswith(givenName,%27john%27)%20OR%20startswith(surname,%27john%27)%20OR%20startsWith(mail,%27john%27)%20OR%20startsWith(userPrincipalName,%27john%27)&$top=100

/groups?$filter=securityEnabled%20eq%20true%20AND%20(startsWith(displayName,%27john%27)%20OR%20startsWith(mail,%27john%27))&$top=100

/servicePrincipals?$filter=startsWith(displayName,%27john%27)&$top=100

2 Answers


  1. The User Access Administrator role only gives you rights to operations in the Azure Resource Management API.
    You would be able to create any assignment through a CLI or directly through the API by using the unique user object IDs directly.

    In the Portal however, it makes queries to Graph API.
    And for that, you need permissions in Entra ID (previously known as Azure AD).
    You’ll need to be a Member or be assigned a directory role that grants user enumeration rights.

    In some cases it is possible to enter a specific username in the Portal and have that work.
    This will work if your user does have access to read users but not enumerate them.

  2. There are two types of roles to distinguish:

    1. Azure Roles –> operate on Azure resources, like virtual machines, virtual networks, etc., and also include Azure role assignments at each level such as subscription and resource group. They use the endpoint https://management.azure.com when using the REST API.
    2. Microsoft Entra Roles –> operate in Microsoft Entra ID (formerly called Azure AD), such as getting user or group details in Microsoft Entra ID. They use the endpoint https://graph.microsoft.com when using the REST API.

    User Access Administrator (links) is an Azure Role, which lets you manage Azure resources, but not the users in Microsoft Entra ID. So you need to add some roles (simply add User Administrator) to your account in Microsoft Entra ID and go ahead.

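Both answers make the same point: the Portal's people picker needs Graph read rights on the directory, while the role assignment itself is an Azure Resource Manager operation that a User Access Administrator can perform directly, as long as the principal is given as its Entra object ID rather than a name or UPN. The following is an added example (not code from the original thread) that builds and sends that ARM `PUT` against `https://management.azure.com` without touching Graph. The subscription ID, resource group name and principal object ID are constructed placeholders; the Reader role definition GUID is the public built-in one; `create_role_assignment` assumes you already hold an ARM bearer token (for example from `az account get-access-token`).

```python
import json
import re
import uuid
from urllib import request

# Endpoint and API version for Azure Resource Manager role assignments.
ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2022-04-01"
# Public GUID of the built-in "Reader" role definition.
READER_ROLE_DEF_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def is_object_id(value: str) -> bool:
    """True when value looks like an Entra object ID (GUID), not a UPN or display name.

    A UPN such as john@contoso.example would force a directory lookup, which is
    exactly the Graph call that fails with Authorization_RequestDenied.
    """
    return bool(GUID_RE.match(value))


def build_role_assignment_request(scope, subscription_id, role_definition_id,
                                  principal_object_id, principal_type="User",
                                  assignment_name=None):
    """Build the ARM PUT (url, body) that creates a role assignment by object ID.

    scope:               e.g. /subscriptions/<sub>/resourceGroups/<rg>
    principal_object_id: Entra object ID (GUID) of the user, group or service principal
    principal_type:      "User", "Group" or "ServicePrincipal"; passing it lets ARM
                         skip resolving the principal in the directory.
    assignment_name:     the role assignment name must itself be a GUID; a fresh
                         uuid4 is generated when none is supplied.
    """
    if not is_object_id(principal_object_id):
        raise ValueError(
            "principal must be an object ID (GUID), not a UPN or display name: %r"
            % principal_object_id)
    if principal_type not in ("User", "Group", "ServicePrincipal"):
        raise ValueError("unsupported principalType: %r" % principal_type)
    name = assignment_name or str(uuid.uuid4())
    url = (f"{ARM_ENDPOINT}{scope}/providers/Microsoft.Authorization"
           f"/roleAssignments/{name}?api-version={API_VERSION}")
    body = {
        "properties": {
            "roleDefinitionId": (f"/subscriptions/{subscription_id}/providers"
                                 f"/Microsoft.Authorization/roleDefinitions/{role_definition_id}"),
            "principalId": principal_object_id,
            "principalType": principal_type,
        }
    }
    return url, body


def create_role_assignment(arm_token, *args, **kwargs):
    """Send the PUT to ARM; requires a valid bearer token for https://management.azure.com."""
    url, body = build_role_assignment_request(*args, **kwargs)
    req = request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Authorization": f"Bearer {arm_token}",
                 "Content-Type": "application/json"},
    )
    with request.urlopen(req) as resp:  # network call; not exercised offline
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own.
    sub = "00000000-0000-0000-0000-000000000001"
    scope = f"/subscriptions/{sub}/resourceGroups/rg-demo"
    user_oid = "11111111-2222-3333-4444-555555555555"
    url, body = build_role_assignment_request(scope, sub, READER_ROLE_DEF_ID, user_oid)
    print(url)
    print(json.dumps(body, indent=2))
```

The object ID check is the practical point: `az role assignment create --assignee-object-id <guid> --assignee-principal-type User` performs the same ARM call and likewise needs no directory read, whereas `--assignee john@contoso.example` makes the CLI resolve the name through Graph first and fails with the same error the question shows.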