Forum Discussion

ProgentCT's avatar
ProgentCT
Brass Contributor
Jul 22, 2024

Unable to disable SSPR for Administrators

According to this link I can disable SSPR for Administrators.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy?WT.mc_id=Portal-Microsoft_AAD_IAM#administrator-reset-policy-differences

However, upon attempting to do so I am met with the following error.

 

S C:\Windows\System32> Update-MgPolicyAuthorizationPolicy -AllowedToUseSspr:$false
Update-MgPolicyAuthorizationPolicy_UpdateExpanded: Insufficient privileges to complete the operation.

Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2024-07-22T16:28:11

  • MarPas's avatar
    MarPas
    Brass Contributor

    Hi ProgentCT ,

    I would request to try you to please provide "Policy.ReadWrite.Authorization" permission to user executing this command. This is documented in the equivalent Graph API article: Update authorizationPolicy.

     

     

    Connect-MgGraph -scopes "Policy.ReadWrite.Authorization"
    Update-MgPolicyAuthorizationPolicy -AllowedToUseSspr:$false

     

     

    • ProgentCT's avatar
      ProgentCT
      Brass Contributor
      Thanks. This works. Why doesn't this work in Entra?

Resources