
I need to delete AAD guest users using PowerShell - where the script authenticates using a certificate credential corresponding to a registered app. What API permissions does the registered app need?

Connect-AzureAD -TenantId $TenantId -ApplicationId $ApplicationId -CertificateThumbprint $CertificateThumbprint
Remove-AzureADUser -ObjectId $guestKey

Resulting error:

Remove-AzureADUser : Error occurred while executing RemoveUser
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId: fa05248f-60be-48fa-8ef5-7a381f6e61dd
DateTimeStamp: Thu, 13 Jun 2019 18:15:52 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At C:\Scripts\disable-inactive-guests.ps1:116 char:9
+         Remove-AzureADUser -ObjectId $guestKey
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Remove-AzureADUser], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RemoveUser

Permissions I've added so far... guessing my way through it:

[screenshot: API permissions added to the registered app so far]

  • https://learn.microsoft.com/en-us/graph/api/user-delete?view=graph-rest-1.0&tabs=cs#permissions – juunas Jun 14 '19 at 13:17
  • @juunas - thanks for the reply. Unfortunately, that link documents the API permissions needed for the Microsoft Graph API rather than AAD PowerShell. I figure AAD PowerShell is using Graph under the covers, but as far as I can tell, it uses the legacy Azure AD Graph (not Microsoft Graph). I'll add a list (above) of all the permissions I've added so far. – Jaffadog Jun 14 '19 at 13:34
  • Could it solve your issue? If my reply is helpful, please accept it to help others, thanks. – Joy Wang Jun 21 '19 at 01:52

2 Answers


The Directory.ReadWrite.All of Azure AD Graph API does not have permission to remove the user.

Solution:

To fix the issue, you need to assign your service principal to a directory role, e.g. User administrator / Global administrator.

Under the deleted reply, I see your comment:

You cannot grant directory roles to service principals. It has to be API permissions.

No, actually we can grant a directory role to a service principal.

Navigate to the Azure Active Directory in the Azure portal -> Roles and administrators -> click User administrator or Global administrator -> Add assignment -> search by your service principal name (must search) -> find it and select it -> click Select.

[screenshot: Roles and administrators -> Add assignment, with the service principal selected]

Joy Wang
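The portal steps in the answer above, done with the AzureAD module instead. This is an added example, not code from the question or the answer; it assumes the AzureAD module cmdlets (Get-AzureADServicePrincipal, Get-AzureADDirectoryRole, Enable-AzureADDirectoryRole, Add-AzureADDirectoryRoleMember) and that an admin user runs it interactively once, since the app cannot grant itself a role:

```powershell
# Added example: put the registered app's service principal into the
# User Administrator directory role and verify the membership, so that
# the certificate-authenticated script can run Remove-AzureADUser.
param(
    [Parameter(Mandatory)] [string] $ApplicationId,
    # Least privilege: User Administrator is enough to delete non-admin
    # users; do not hand a batch script Global Administrator.
    [string] $RoleName = 'User Administrator'
)

# The role assignment is made by an admin signing in interactively,
# not by the app that needs the role.
Connect-AzureAD | Out-Null

# Resolve the service principal that belongs to the app registration.
$sp = Get-AzureADServicePrincipal -Filter "AppId eq '$ApplicationId'"
if (-not $sp) { throw "No service principal found for AppId $ApplicationId" }

# Directory roles only show up in Get-AzureADDirectoryRole once they have
# been activated; activate from the template if the tenant never used it.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $template) { throw "Directory role template '$RoleName' not found" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Idempotent: add the service principal only if it is not already a member.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -notcontains $sp.ObjectId) {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Host "Added '$($sp.DisplayName)' to role '$RoleName'"
} else {
    Write-Host "'$($sp.DisplayName)' is already a member of '$RoleName'"
}

# Review step: list every non-human identity holding this role. A service
# principal with User Administrator can delete any non-admin user in the
# tenant, so keep this list short and audited.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectType -eq 'ServicePrincipal' } |
    Select-Object DisplayName, ObjectId, AppId
```

After this runs, the original Connect-AzureAD / Remove-AzureADUser script in the question should no longer get Authorization_RequestDenied; the Directory.ReadWrite.All API permission can stay as it was, since the role, not the permission, is what grants delete.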

I suspect I've found my answer in the Azure AD Graph and Microsoft Graph docs, which both seem to go out of their way to state that the Directory.ReadWrite.All permission, which would seem to be the most potent, includes "No rights to delete entities (including users or groups)".

Sigh...

I think I'll have to do this with a service account (actual Azure AD user account) that has a suitable directory role and authenticate with user/password. I'd really prefer to have my batch scripts use certificate auth...

Jaffadog