Update SPO User Profile Properties with Azure AD AppOnly


Is it possible to update user profile properties in SharePoint Online using an Azure AD app for authentication/authorization? I am trying to authenticate to SharePoint using this PnP method AuthenticationManager().GetAzureADAppOnlyAuthenticatedContext, but when I try to update a user's profile property, I receive an 'Access denied. You do not have permission to perform this action or access this resource.' error. Do all user profile property updates have to have a user context (similar to Search and Taxonomy updates)? Using a user's context works flawlessly, but does not work with app only. The Azure AD app was also granted every permission available to rule out the correct permission level being chosen.

3 Replies
You need an SP app with full tenant permissions + write to upa for this to work. Not possible with an AAD app today, at least last time I tried.
Thanks for the response!

I found that the app only needs to have 'Manage' rights to the user profile if using a SharePoint App.

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Manage" />
</AppPermissionRequests>

And to use a service account, the user only needs to have the SharePoint Administrator role. They don't need to have any product licenses in SharePoint Online.
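
The replies above differ on how much the app must be granted (full tenant permissions versus only 'Manage' on the user profile scope). The following is an added example, not code from any poster in this thread: a least-privilege check that parses a permission request and flags anything beyond an allowlist. The allowlist, the function names and the second sample request are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# SharePoint add-in rights, lowest to highest privilege.
RIGHTS = ["Read", "Write", "Manage", "FullControl"]

# Assumption: the job only updates user profiles, so the single grant
# quoted in the reply above is the whole allowlist (scope -> maximum right).
ALLOWED = {"http://sharepoint/social/tenant": "Manage"}

# The permission request from the reply above, verbatim.
PAGE_XML = """<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/social/tenant" Right="Manage" />
</AppPermissionRequests>"""

# Constructed sample: the same request plus a tenant-wide content grant.
BROAD_XML = PAGE_XML.replace(
    "</AppPermissionRequests>",
    '<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />\n'
    "</AppPermissionRequests>")


def local(tag):
    """Strip an XML namespace so namespaced and bare element names both match."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text, allowed=ALLOWED):
    """Return findings for a permission request; an empty list means it is within the allowlist."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "AppPermissionRequests":
        return ["root element is not AppPermissionRequests"]
    findings = []
    if root.get("AllowAppOnlyPolicy", "false").lower() != "true":
        findings.append("AllowAppOnlyPolicy is not true")
    for req in root:
        if local(req.tag) != "AppPermissionRequest":
            continue
        scope, right = req.get("Scope", ""), req.get("Right", "")
        if right not in RIGHTS:
            findings.append(f"{scope}: unknown right {right!r}")
        elif scope not in allowed:
            findings.append(f"{scope}: scope not in allowlist ({right} requested)")
        elif RIGHTS.index(right) > RIGHTS.index(allowed[scope]):
            findings.append(f"{scope}: {right} exceeds allowed {allowed[scope]}")
    return findings


if __name__ == "__main__":
    for name, xml_text in (("page", PAGE_XML), ("broad", BROAD_XML)):
        print(name, audit(xml_text) or "OK")
```
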
My bad.. remembered it wrong. But glad you figured it out :)