If you are like me, and tried the not-so-new Windows Azure Active Directory (AD) a couple of months ago, you probably wondered where the groups management view is. If you are like me, you probably googled (or binged) a bit and found the cool MVC sample that manages WAAD’s users and groups with the help of the Graph API. If you are like me, you probably tried clicking every button in the Web app to see how it works, only to find out that the app cannot delete users and groups, and instead returns an HTTP 403 response with “request denied: Insufficient privileges to complete the operation”.
If you are like me, you probably googled (or binged) some more (a lot more) and finally found the reason and how to fix it. If so, congratulations, you can skip this post. If you haven’t found how to resolve this yet, keep on reading.
Step 1 – RTFM! Read the Windows Azure AD documentation for application integration. The following sentence popped up:
Single Sign-On, Read and Write Directory Data: Single sign-on plus the ability to read and write directory data using the Graph API. This allows querying and writing of company, user, and group information, but does not allow deleting users or groups.
What? Why? How come? WTF?
Step 2 – It’s not my fault, so I’m probably not the only one. Searching for other unfortunate people like me resulted in this forum thread:
Bottom line – there is an answer, but it requires PowerShell. No problemo, I love PowerShell.
Step 3 – Follow the WAAD PowerShell cmdlets documentation and try to work this out. (question to the Azure team – why is this a separate module from the “regular” Azure cmdlets?)
After installing the prerequisites, it’s time to do some scripting:
This cmdlet will open a credentials window where you need to enter the credentials of a global administrator for your AD directory. After logging in, you can start scripting against your directory.
Get-MsolServicePrincipal -AppPrincipalId YOUR_APP_CLIENT_ID
This cmdlet returns the service principal information for your AD application. Replace YOUR_APP_CLIENT_ID with the client ID of your AD app:
The returned object contains a property named ObjectId, copy that value aside:
Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName 'User Account Administrator' -RoleMemberObjectId YOUR_OBJECT_ID
The last cmdlet adds your AD application to the ‘User Account Administrator’ role, granting it permission to delete both users and groups. Replace YOUR_OBJECT_ID with the object ID you found previously.
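As an added example (not a script from the original post), here is the whole procedure as one re-runnable PowerShell script built on the same MSOnline cmdlets: it connects, resolves the service principal, adds the role only if the application is not already a member, and then lists every service principal holding the role so you can see exactly which apps are able to delete users and groups. The parameter and variable names are my own, and the script assumes the MSOnline module is installed.

```powershell
# Added example: grant an Azure AD application's service principal the
# 'User Account Administrator' role, idempotently, and verify the result.
# Usage: .\Grant-AppUserAdminRole.ps1 -AppClientId <client ID of your app>
param(
    [Parameter(Mandatory = $true)]
    [string]$AppClientId,                       # client ID of your Azure AD application
    [string]$RoleName = 'User Account Administrator'
)

Import-Module MSOnline -ErrorAction Stop

# Opens the credentials window; sign in as a global administrator of the directory.
Connect-MsolService

# Resolve the application's service principal; stop if the client ID is wrong.
$sp = Get-MsolServicePrincipal -AppPrincipalId $AppClientId
if (-not $sp) {
    throw "No service principal found for AppPrincipalId $AppClientId"
}
Write-Host "Service principal '$($sp.DisplayName)' has ObjectId $($sp.ObjectId)"

# Check current membership first so re-running the script does nothing extra.
$role    = Get-MsolRole -RoleName $RoleName
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
$already = $members | Where-Object { $_.ObjectId -eq $sp.ObjectId }

if ($already) {
    Write-Host "'$($sp.DisplayName)' is already a member of '$RoleName'; nothing to do."
} else {
    Add-MsolRoleMember -RoleObjectId $role.ObjectId `
                       -RoleMemberType ServicePrincipal `
                       -RoleMemberObjectId $sp.ObjectId
    Write-Host "Added '$($sp.DisplayName)' to '$RoleName'."
}

# Verify: every service principal in this role can delete users and groups,
# so the list should be short and contain only applications you expect.
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' } |
    Select-Object DisplayName, ObjectId

# To take the permission back once the application no longer needs it:
# Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
```

The final listing is worth keeping in your own runbook: it is the quickest way to spot an application that was granted this role long ago and never had it removed.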