Microsoft Graph API Update another user's photo?

Question

Using the Microsoft Graph API I was able to get a list of all users in our Azure Active Directory tenant and determine if they have a profile picture. I wanted to then take the list of users without a photo and upload one for them, but the API returns a 403 error even though the account I'm using has full access to all of the user accounts and the application is setup with full permissions to the Graph API.

using (HttpClient client = new HttpClient())
{
    client.BaseAddress = new Uri("https://graph.microsoft.com/");
    client.DefaultRequestHeaders.Accept.Clear();
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("image/jpeg"));
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", oauthToken);

    // HTTP GET                
    HttpResponseMessage response = await client.PatchAsync($"v1.0/users/{emailAddress}/photo/$value", byteContent);
    if (!response.IsSuccessStatusCode)
    {
        throw new Exception("Error!");
    }
}

403 FORBIDDEN

Is it not possible to do this using the Graph API or am I missing a permission somewhere?

The SCP value is: Calendars.Read Calendars.ReadWrite Contacts.Read Contacts.ReadWrite Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All email Exchange.Manage Files.Read Files.Read.Selected Files.ReadWrite Files.ReadWrite.AppFolder Files.ReadWrite.Selected full_access_as_user Group.Read.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send MailboxSettings.ReadWrite Notes.Create Notes.Read Notes.Read.All Notes.ReadWrite Notes.ReadWrite.All Notes.ReadWrite.CreatedByApp offline_access openid People.Read People.ReadWrite profile Sites.Read.All Tasks.Read Tasks.ReadWrite User.Read User.Read.All User.ReadBasic.All User.ReadWrite User.ReadWrite.All

Answer 1

First of all, you should take a look at the new Microsoft Graph SDK, released during //Build 2016 Here is the Github of Microsoft Graph SDK : https://github.com/microsoftgraph
Here is a full sample I ve created, using it : https://github.com/Mimetis/NextMeetingsForGraphSample

For your question, here are two methods I've written, which worked for me : I assume, you have a method to get a valid access token.

using (HttpClient client = new HttpClient())
{
    var authResult = await AuthenticationHelper.Current.GetAccessTokenAsync();
    if (authResult.Status != AuthenticationStatus.Success)
        return;

    client.DefaultRequestHeaders.Add("Authorization", "Bearer " + authResult.AccessToken);

    Uri userPhotoEndpoint = new Uri(AuthenticationHelper.GraphEndpointId + "users/" + userIdentifier + "/Photo/$value");
    StreamContent content = new StreamContent(image);
    content.Headers.Add("Content-Type", "application/octet-stream");

    using (HttpResponseMessage response = await client.PutAsync(userPhotoEndpoint, content))
    {
        response.EnsureSuccessStatusCode();
    }
}

If you use the Microsoft Graph SDK, it will be really straightforward :)

GraphServiceClient graphService = new GraphServiceClient(AuthenticationHelper.Current);
var photoStream = await graphService.Users[userIdentifier].Photo.Content.Request().PutAsync(image); //users/{1}/photo/$value

Seb

Answer 2

The documentation is pretty clear about updating a photo of an other user.

To update the photo of any user in the organization, your app must have the User.ReadWrite.All application permission and call this API under its own identity, not on behalf of a user. To learn more, see get access without a signed-in user.

This means you'll need an access token for the application, and not the token you get if the user accesses your application. This page shows how to get an application access token. This also means you have to grant your application the application permissions, which is often forgotten.

Once you get the token you can check it on https://jwt.ms to see the claims in the token explained.

You're talking about the scp claim in the token. That is only there if you have a user token, not an application token.