Symptoms
Update AAD User workflow error: the AAD > Update users properties wizard errors with "Insufficient privileges to complete the operation".
Diagnoses
The initial access issue was due to the app not having the following permission/consent:
"Access the directory as the signed-in user"
We added this to the set of app permissions. After this we got one step further but still had issues updating a user's properties. Error: "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration"
Updating user object properties through the Graph API, as we do in the broker, does not seem possible where directory synchronization is enabled. See https://social.msdn.microsoft.com/Forums/sqlserver/en-US/af9359ab-b269-455a-9a58-a2f21c37e9c6/getting-exception-when-updating-the-property-of-user-object-on-premise-ad-synced-with-waad?forum=WindowsAzureAD
Resolution
When directory sync is set up to sync AD to AAD, the Graph API cannot change any properties on the AAD object because sync is in control of it. The properties have to be set in AD on premises, after which they sync to AAD. Unfortunately, there is no AD integration in Appit.
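
A pre-flight check that could run before the update is attempted, as an added example (not code from the original page or from the broker): it reads the sync flag on the user object, routes the change to on-premises AD when the object is synced, and maps the two error strings quoted above to their causes. The function names and sample users are constructed; following the page, every property of a synced object is treated as sync-controlled.

```python
import json

# Error strings quoted on this page, mapped to the cause the page gives for each.
KNOWN_ERRORS = {
    "Insufficient privileges to complete the operation":
        "app permission/consent missing",
    "Unable to update the specified properties for on-premises mastered "
    "Directory Sync objects or objects currently undergoing migration":
        "object is mastered on premises",
}

def classify_error(message):
    """Return the page's diagnosis for a Graph error message, or None."""
    for text, cause in KNOWN_ERRORS.items():
        if text.lower() in message.lower():
            return cause
    return None

def is_synced(user):
    """True when the user object is flagged as synced from on-premises AD.
    onPremisesSyncEnabled is the Microsoft Graph name, dirSyncEnabled the
    older Azure AD Graph name; both are null/absent for cloud-only users."""
    return bool(user.get("onPremisesSyncEnabled") or user.get("dirSyncEnabled"))

def plan_update(user, changes):
    """Decide where a property update must be made before calling Graph."""
    upn = user.get("userPrincipalName", "<unknown>")
    if not changes:
        return {"user": upn, "target": "none", "properties": []}
    target = "on-premises AD" if is_synced(user) else "Graph API"
    return {"user": upn, "target": target, "properties": sorted(changes)}

# Constructed sample objects, shaped like Graph user responses.
SAMPLE_USERS = json.loads("""[
  {"userPrincipalName": "synced.user@example.com", "onPremisesSyncEnabled": true},
  {"userPrincipalName": "cloud.user@example.com", "onPremisesSyncEnabled": null},
  {"userPrincipalName": "legacy.user@example.com", "dirSyncEnabled": true}
]""")

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(plan_update(u, {"jobTitle": "Analyst", "department": "SOC"}))
```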