Azure Function Updating user profile using SharePoint Online and CSOM .NET Standard gives access denied

Question

I have Azure Function v3 and I want to update Sharepoint user profile properties with CSOM and .NET standard 2.0 by using global admin account credentials. Reading is working.

        var site = new Uri("https://domain-admin.sharepoint.com");
        using (var authenticationManager = new AuthenticationManager())
        using (var context = authenticationManager.GetContext(site, user, password))
        {
            var peopleManager = new PeopleManager(context);

            var personProperties = peopleManager.GetPropertiesFor(accountName);
            context.Load(personProperties, p => p.AccountName, p => p.UserProfileProperties);
            await context.ExecuteQueryAsync();
            Console.WriteLine(personProperties.UserProfileProperties["FirstName"]); //works
            peopleManager.SetSingleValueProfileProperty(personProperties.AccountName, "FirstName", "CSOMvalue");
            await context.ExecuteQueryAsync(); //error, access denied
        }

Exact Error message: System.Private.CoreLib: Exception while executing function: FunctionName. Microsoft.SharePoint.Client.Runtime: Access denied. You do not have permission to perform this action or access this resource.

AuthenticationManager class is taken from MS docs from here Im using Microsoft.SharePointOnline.CSOM v16.1.20518.12000 nuget package.

I made .NET Framework 4.7.2 web app and it worked using SharePointOnlineCredentials. But I want to know how to get it working on .NET Standard 2.0.

Answer 1

From my past experience and couple of hours research :

When you use Azure AD Application, you can read through the User Profiles - but not perform CSOM write operation.

reference :

Though the article says it is applicable for using app-only, this behavior has been observed Azure AD Application in general (user + app as well) - hence the reason why you are able to read but however not write.

As mentioned in the article you will have to the Sharepoint App only context and perform a read/write operation.

context = new AuthenticationManager().GetAppOnlyAuthenticatedContext(siteUrl, "[Your Client ID]", "[Your Client Secret]")

Here the authenticationmanager is of the SharepointPNPcoreOnline library.

This article details the same.

If you want the user context while performing the same (not usually required because you re performing at the UPA ) - you can create the app accordingly - but really not sure whether the SharepointPNPCOreOnline supports this.