
Remove-MgUser - Insufficient privileges to complete the operation

Microsoft 365 Apr 11, 2023

Encountering Insufficient Privileges Error in Microsoft Graph PowerShell

If you are using Microsoft Graph PowerShell to manage Microsoft 365 users, you may encounter the error message Insufficient privileges to complete the operation when trying to remove a user using the Remove-MgUser command.

For example, I would like to remove a former Azure AD Connect synchronization account:

Remove-MgUser -UserId sync_xxxx@domain.onmicrosoft.com

I get the following error:

Error deleting user sync_xxxx@domain.onmicrosoft.com. Insufficient privileges to complete the operation.

This error can occur even if the current user account has the correct permissions. The cause is that the user you are attempting to remove is a member of an administrative role.

Solution - Adding specific Scope

Adding additional scopes can introduce security risks, so it's important to evaluate and manage the risks before adding any new scopes.

To remove a user that belongs to an administrative role, you must add the Directory.AccessAsUser.All scope to Microsoft Graph PowerShell.

Connect-MgGraph -Scopes Directory.AccessAsUser.All

You will be prompted to sign in and consent to the new permissions. Follow the prompts to complete the process.

This scope allows Microsoft Graph PowerShell to have the same access to information in Azure AD as the signed-in user.

Once the scope has been added, you should be able to successfully remove the user using the Remove-MgUser command without any issue.
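The full sequence as one script, as an added example that is not part of the original post: it checks that the session received the scope, lists the directory roles held by the target account (the condition that triggers the error), asks for confirmation before deleting, and disconnects afterwards. It assumes the Microsoft.Graph module is installed and that the signed-in administrator is allowed to delete the account; `$UserId` is a placeholder.

```powershell
# Added example. $UserId is a placeholder: replace it with the account to delete.
$UserId = 'sync_xxxx@domain.onmicrosoft.com'
$Scope  = 'Directory.AccessAsUser.All'

# Request the delegated scope named above; this opens the sign-in/consent prompt.
Connect-MgGraph -Scopes $Scope

try {
    # Verify the session actually carries the scope (consent may have been declined).
    $context = Get-MgContext
    if ($context.Scopes -notcontains $Scope) {
        throw "$Scope was not granted to this session."
    }

    # List the directory roles the target account holds. Membership in an
    # administrative role is what causes 'Insufficient privileges' on deletion.
    $roles = Get-MgUserMemberOf -UserId $UserId -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    if ($roles) {
        Write-Host "$UserId holds directory role(s): $($roles -join ', ')"
    }
    else {
        Write-Host "$UserId holds no directory role."
    }

    # -Confirm forces an interactive prompt so the target can be reviewed first.
    Remove-MgUser -UserId $UserId -Confirm
}
finally {
    # End the session so later commands do not keep running with this scope.
    Disconnect-MgGraph | Out-Null
}
```

Consent to the scope stays recorded for the Microsoft Graph PowerShell application after the session ends, so review the application's delegated permission grants once the cleanup is done.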

Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace