Request Authorization failed error

When attempting to suspend a user in Entra ID (formerly Azure AD) who is a member of an Administrative Unit (AU) with restricted permissions, you may encounter an authorization error. This issue occurs even if the connection account used for the operation is a Global Administrator (GA) but is not explicitly listed as an admin for the specific Administrative Unit.

When attempting to suspend a user, the following error message is displayed:

Cause

The error occurs because the connection account has insufficient permissions within the specific Administrative Unit. Entra ID requires that the account performing the suspension be listed as an admin in the AU where the user is a member. Unless explicitly granted access to that AU, the Global Administrator role alone is insufficient for performing actions on users within restricted AUs.

Resolution

To resolve this issue, ensure that the connection account is added as an admin to the restricted Administrative Unit. Follow these steps:

1. Identify the restricted Administrative Unit:

   • Determine the specific AU where the user is a member.

2. Add the Connection Account as an Admin:

   1. Navigate to the Entra ID portal.

   2. Go to the Administrative Units section.

   3. Select the relevant AU.

   4. Add the connection account (used in Cayosoft Administrator) to the list of admins for that AU.

3. Retry the Suspend Operation.

4. Once the connection account is added as an admin to the AU, attempt to suspend the user again.

To learn more about the required rights and permissions for the connection account, review the following article: Cayosoft Administrator System Requirements.