Calling User.setProxyAddresses() results in "Insufficient privileges to complete the operation" even with elevated permissions

[Chris-AdamsonQHR]

Expected behavior

Making a call to User.setProxyAddresses() succeeds when "User.ReadWrite.All" and "Directory.ReadWrite.All" application permissions are granted in the Azure portal with admin consent given.

Actual behavior

An exception is thrown:
com.microsoft.graph.beta.models.odataerrors.ODataError: Insufficient privileges to complete the operation.

Steps to reproduce the behavior

Using version 6.9.0 of the beta SDK:

• Create a new user (post)
• Attempt to update user (patch) with a call to setProxyAddresses() made first
• Observe the error

Here are the permission settings we tried using in the Azure Portal:

We also set the application in Azure to both User Administrator and then Global Administrator without succcess.

Related

Patch request to do the same operation is the suggested operation via graph explorer:
https://stackoverflow.com/questions/65198916/remove-old-proxyaddress-entry-for-user-in-azure-active-directory/71577425#71577425

[petrhollayms]

Hi @Chris-AdamsonQHR ,

Looking at the Graph API docs: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-beta#properties
proxyAddresses - Read-only in Microsoft Graph; you can update this property only through the Microsoft 365 admin center. Not nullable.

[Chris-AdamsonQHR]

Hi @petrhollayms.
Thank you for looking at this. In the non-beta version of the SDK when we attempted to change the proxy address it indeed resulted in an error stating that the property was read only. However in the beta version, the same call resulted in an exception of insufficient privileges (as reported here).

With this different error, I was hoping that this property was no longer read-only, but from your description of the underlying documentation, would seem that it is still read-only (at least in the Graph API) and just that the error has changed.

[Cpcrook]

I'm going to add on to this - if you update the Mail property and ProxyAddresses property in a single Patch call with the beta graph API it produces an error message saying they cannot be updated together, implying the latter is indeed possible to update.

This also raises an issue overall where changing a user's email address and addresses associated with their Identities, it does not "release" the former email address from proxyAddresses, meaning a user cannot re-use that email address in the future, which can be problematic.

[bperniciaro]

What I've found is that calling the beta version of the Graph API directly (to patch the proxyAddresses field) does in fact work, regardless of the documentation saying the property is read-only. However, it's important that you patch with an email address that matches an existing proxyAddresses entry exactly (must be case-sensitive).

For example, if your GraphAPI pulls this for a user:

{
            "mail": "[email protected]",
            "proxyAddresses": [
                "smtp:[email protected]",
                "SMTP:[email protected]",
                "smtp:[email protected]"
            ],
}

You should be able to issue this PATCH command to clear unused emails:

{
    "PROXYADDRESSES": [
        "SMTP:[email protected]"
    ]
}

This works because you're telling the Graph API to preserve [email protected], which is currently being used as the Mail property (you can tell this because it has the ALL CAPS SMTP prefix in the proxyAddresses property).

Both of the below PATCHES will result in receiving a 403, which is quite confusing (the first because the email doesn't exist, the second because it matches an email but is case-insensitive).

{
    "PROXYADDRESSES": [
        "SMTP:[email protected]"
    ]
}

{
    "PROXYADDRESSES": [
        "smtp:[email protected]"
    ]
}