Enabling User and Group Deletion with the Windows Azure Active Directory Graph API

January 2, 2014

no comments

If you are like me, and have tried the not-so-new Windows Azure Active Directory (AD) a couple of months ago, you probably wondered where is the groups management view. If you are like me, you probably googled (or binged) a bit and found the cool MVC sample that manages WAAD’s users and group with the help of the Graph API. If you are like me, you probably tried clicking every button in the Web app to see how it works, only to find out that the app cannot delete users and groups and instead returns an HTTP 403 response with request denied: Insufficient privileges to complete the operation

If you are like me, you probably googled (or binged) some more (a lot more) and finally found the reason and how to fix it. If so, congratulations, you can skip this post. If you haven’t found how to resolve this yet, keep on reading.

Step 1 – RTFM! Read the Windows Azure AD documentation for application integration. The following sentence popped up:

Single Sign-On, Read and Write Directory Data: Single sign-on plus the ability to read and write directory data using the Graph API. This allows querying and writing of company, user, and group information, but does not allow deleting users or groups.

What? Why? How come? WTF?

Step 2 – It’s not my fault, so I’m probably not the only one. Searching for other misfortunate people like me resulted in this forum thread:


Bottom line – there is an answer, but it requires PowerShell. No problemo, I love PowerShell Smile

Step 3 – Follow the WAAD PowerShell cmdlets documentation and try to work this out. (question to the Azure team – why is this a separate module from the “regular” Azure cmdlets?)

After installing the prerequisites, it’s time to do some scripting:


This cmdlet will open a credentials window where you need to enter the credentials of a global administrator for your AD directory. After logging in, you can start scripting against your directory.

Get-MsolServicePrincipal –AppPrincipalId YOUR_APP_CLIENT_ID

This cmdlet will return the service principal information for your AD application. Replace YOUR_APP_CLIENT_ID with the client id of your AD app:


The returned object contains a property named ObjectId, copy that value aside:


Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleName ‘User Account Administrator’ -RoleMemberObjectId YOUR_OBJECT_ID

The last cmdlet will add your AD application to the ‘User Account Administrator’ role, granting it permissions to delete both users and groups. Replace the YOUR_OBJECT_ID with the object id you found previously.


And that’s it! return to the cool MVC demo, try to delete a user or a group, and watch it work!

Add comment
facebook linkedin twitter email

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>