Tool: Postman
- Created an Azure AD app and granted it the app-only permission Group.ReadWrite.All for the Microsoft Graph app; the app has the standard delegated permission "Sign-in and read user profile" on the "Windows Azure Active Directory" app.
- Requested a token for the Azure AD Graph API at endpoint https://login.windows.net/ with resource parameter "https://graph.windows.net", using the client credentials grant flow.
- Got a token back.
- Used the token and did a GET on a user: OK.
- Did a PATCH on a user (the modification succeeded, with HTTP code 204 returned).

This looks very strange to me: why was an app able to do a PATCH on a user in Azure AD when the app is only granted Group.ReadWrite.All on the Microsoft Graph API?
We are working on an experience in the new Azure portal to "consent/approve" the app in your tenant. Until then, you'll need to follow the final step in the instructions that go with this sample app (to consent the app): https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console. After doing so, you should see a "roles" claim in the access token (containing Group.ReadWrite.All).
The other issue you are reporting (it looks like your app has been added to the Directory Writers role, enabling your app to perform more than just group manipulation) will require some more investigation, as this should not be happening. Will report back.
Hope this helps,
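A way to perform the check the answer suggests, inspecting the "roles" claim of the app-only token to confirm which application permissions it actually carries, as an added example that is not code from either poster. The token below is constructed (placeholder client id and signature) so the check runs offline; note that membership in a directory role such as Directory Writers is not surfaced as a permission value in this claim, so it would not be detected here.

```python
import base64
import json


def _b64url(obj) -> str:
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed, unsigned sample token (header.payload.signature) used only so the
# check runs offline. A real Azure AD token is signed and must be validated
# before its claims are trusted for any authorization decision.
SAMPLE_TOKEN = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256"}),
    _b64url({
        "aud": "https://graph.windows.net",                # resource from the question
        "appid": "00000000-0000-0000-0000-000000000000",   # placeholder client id
        "roles": ["Group.ReadWrite.All"],                  # app-only permissions after consent
    }),
    "c2lnbmF0dXJl",  # placeholder signature, not a real one
])


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_app_roles(token: str, expected: set, resource: str) -> dict:
    """Compare the token's app permissions ('roles' claim) with what was granted."""
    claims = decode_jwt_claims(token)
    roles = set(claims.get("roles", []))
    return {
        "aud_matches": claims.get("aud") == resource,
        "consented": "roles" in claims,   # no roles claim at all: admin consent not done
        "missing": expected - roles,      # granted in the portal but absent from the token
        "unexpected": roles - expected,   # present in the token but never granted
    }


if __name__ == "__main__":
    print(check_app_roles(SAMPLE_TOKEN, {"Group.ReadWrite.All"}, "https://graph.windows.net"))
```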