Getting 403: "Insufficient privileges to complete the operation."

Hello Team,

 

When I try to access "user properties" for one of the customers I have a relationship with, I get the error message: Getting 403: "Insufficient privileges to complete the operation."

I already have a GDAP relationship with them and an active security group, and I'm a member of that security group, and also my profile is global admin.

I can access user properties for all other tenants except for me.

Any help, please.

7 Replies

Good Day John,

I also have the same issue and opened a case with Microsoft Partner Center but got no response yet.

Have you been able to resolve this? @JohnWites 

@sansbacher would you know anything about this by chance? Moving this to our Partner-led tech topic discussion board in hopes someone can help there. :)

@Jill_Armour_Microsoft and @JohnWites,

 

I don't know off the top of my head, but you'd likely need to provide more info. Access "User Properties" where/how? In the Partner Center? Or in AzureAD/Entra via the web GUI? Or via API or PowerShell? (using Graph or AzureAD or ?) Is it just you or is anyone else in your Org able to access Users in this Customer? Is it all users for this one Customer, or just a certain user? And other Users with other Customers are just fine? Are you a Tier1/Direct or Tier2/Indirect Partner?

If it's just the Partner Center, I don't think that has to do with GDAP, that's for delegated privileges, as in accessing their AzureAD, ExO, SP, etc. Partner Center is your portal, permissions in there are via the AdminAgents, HelpdeskAgents, and SalesAgents groups. You would need to be a member of AdminAgents or HelpdeskAgents to do anything with the Customer's users (such as assign Licenses). Global Admin is for your Tenant. This would be the same for using the website or the PartnerCenter PowerShell module.

If it's the website I'd also strongly suggest trying Incognito/Private mode in your browser [and try Chrome, Edge, and Firefox] to see if that makes a difference -- I HAVE seen weird issues go away when using Incognito mode, which means you need to clear your Cookies and Site Data/Storage for the Partner Center website.

You may also have to remove and recreate the whole relationship, though if you are already reselling them products I would contact MS or your Tier1 first.

If it's an issue with the Customer's AzureAD, ExO, etc (using Delegated Permissions) then it does rely on GDAP: what group are you in and what AAD Roles are mapped to that Group? Is it Active? I'd try recreating the GDAP relationship (Terminate the old one after) and see if that helps. Don't add Global Admin or you won't be able to auto-renew.

I hope some of that helps or at least provides some avenues to try and narrow it down. But I've never seen that error, though to be honest: I don't use the Partner Center that much myself, most of what I do I do using PowerShell and APIs using the Secure App Model.

   --Saul

Extra information:

Functions that don't work when in a customer tenant through a partner account:
1. User search from Users tab or Dashboard search boxes
2. Users properties opening

Note: Partner account for these tests has every role BUT Global Admin

From Edge/Chrome Dev Tools it looks like the API is requesting the wrong access scope(s) from Graph (I think). Compared to an admin account from the tenant itself, the scope items differ in the request.

What is tried (and didn't work):
- Using different accounts
- With and without PIM Assignment on users roles (activated AND Static assignment)
- Creating NEW GDAP relationship
- inPrivate / other physical machine(s)

I had the same issue, and support fixed it immediately:
- Do NOT assign Guest Inviter right to support specialists that should also edit/update Users account.

This role has some undocumented limitations (and most of the tasks are already under User Administrator purview) that just break the user management pane.

Hi TimilFr,

I can confirm that removing (only!) "Guest Inviter" from the GDAP role assignments fixes the issues.

Thanks for the tip!

Same here! That fixed the issue, thank you so much TimilFr!
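
A check for the condition this thread converged on, as an added example rather than code from any poster or from Microsoft: it scans GDAP access assignments for active ones that still grant Guest Inviter. The input shape follows Microsoft Graph's delegatedAdminAccessAssignment resource; the sample data, function names and group ids are constructed for illustration, and the role template IDs should be confirmed against Microsoft's built-in roles reference.

```python
import json

# Entra built-in role template IDs; confirm them against Microsoft's
# built-in roles reference before relying on this check.
GUEST_INVITER = "95e79109-95c0-4d8e-aee3-d01accf2d47b"
USER_ADMINISTRATOR = "fe930be7-5e62-47db-91af-98c3a49a38b1"

# Constructed sample in the shape of Graph delegatedAdminAccessAssignment
# objects; every assignment id and group id below is made up.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"id": "assign-1", "status": "active",
   "accessContainer": {"accessContainerId": "group-helpdesk", "accessContainerType": "securityGroup"},
   "accessDetails": {"unifiedRoles": [
     {"roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1"},
     {"roleDefinitionId": "95E79109-95C0-4D8E-AEE3-D01ACCF2D47B"}]}},
  {"id": "assign-2", "status": "active",
   "accessContainer": {"accessContainerId": "group-admins", "accessContainerType": "securityGroup"},
   "accessDetails": {"unifiedRoles": [
     {"roleDefinitionId": "fe930be7-5e62-47db-91af-98c3a49a38b1"}]}},
  {"id": "assign-3", "status": "deleted",
   "accessContainer": {"accessContainerId": "group-old", "accessContainerType": "securityGroup"},
   "accessDetails": {"unifiedRoles": [
     {"roleDefinitionId": "95e79109-95c0-4d8e-aee3-d01accf2d47b"}]}}
]
""")

def role_ids(assignment):
    """Lower-cased role template IDs granted by one access assignment."""
    roles = (assignment.get("accessDetails") or {}).get("unifiedRoles") or []
    return {r["roleDefinitionId"].lower() for r in roles if r.get("roleDefinitionId")}

def find_guest_inviter(assignments):
    """Active assignments that still grant Guest Inviter, one finding each."""
    findings = []
    for a in assignments:
        ids = role_ids(a)
        if a.get("status") == "active" and GUEST_INVITER in ids:
            findings.append({
                "assignment": a.get("id"),
                "group": (a.get("accessContainer") or {}).get("accessContainerId"),
                "also_user_administrator": USER_ADMINISTRATOR in ids,
            })
    return findings

if __name__ == "__main__":
    for f in find_guest_inviter(SAMPLE_ASSIGNMENTS):
        print(f"remove Guest Inviter from {f['assignment']} (group {f['group']})")
```

Terminated or deleted assignments are skipped because they no longer grant anything, and the `also_user_administrator` flag marks the combination described above, where the same group is expected to edit users.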