Private App scoped with App+Enterprise access throwing forbidden exception

I have a custom app registered/authorized by our Box admin with a permission scope of App+Enterprise, and the C# client is using the Client Credentials Grant authentication method. I can get users in our Enterprise with the GetEnterpriseUsersAsync() method with no issue. However, it throws an exception of
Box.V2.Exceptions.BoxAPIException : The API returned an error [Forbidden | figvvzhkcgjuvsex.02c4ce4ec440d4ba759f146d40493582d] forbidden - Forbidden

when attempting to update a user via the .NET sdk UpdateUserInformationAsync method.

C# code is as follows:
```csharp
_boxConfig = new BoxConfigBuilder(BOX_CLIENT_ID, boxClientSecret).SetEnterpriseId(BOX_ENTERPRISE_ID).Build();
_boxCCG = new BoxCCGAuth(_boxConfig);
_boxClient = _boxCCG.AdminClient();
```

to update the user is coded as follows:
```csharp
public async Task<BoxUser> UpdateUser(BoxUser user, string? setColleagueId = null)
{
    var updates = new BoxUserRequest();
    // pass the user properties into the updates object
    updates.Address = user.Address;
    // use the supplied colleague ID if there is one, otherwise keep the existing value
    updates.ExternalAppUserId = !string.IsNullOrEmpty(setColleagueId) ? setColleagueId : user.ExternalAppUserId;
    updates.Id = user.Id;
    updates.JobTitle = user.JobTitle;
    updates.Role = user.Role;
    updates.Phone = user.Phone;
    updates.Login = user.Login;
    return await _boxClient.UsersManager.UpdateUserInformationAsync(updates);
}
```

Any thoughts? I would have thought that having the app scoped as App+Enterprise would have sufficient permission given it states “Manage Enterprise settings, content and users”.

Welcome to the forum, @eparshall :slight_smile:

The error message we receive is :


It seems you have a Service Account, but you need to create an App User.
Can you please check this page:

App User

App users are only accessible via the API, meaning they do not have login credentials. They can be created by a Service Account and therefore are only applicable to applications leveraging server to server authentication. App Users are tied to the application used to create them, and while they can collaborate on content outside of the application, the user itself cannot be moved under another application.


App users are created using a Service Account access token to call the create user endpoint. The is_platform_access_only body parameter must be set to true or a managed user is created instead.

Since every Box account must have an email address, Box assigns one. The format will always be For example:

The numbers surrounded by underscores are also unique to the application and are called a Service ID. To locate a Service ID in the Developer Console, click on the tile for an application and look at the URL. For example, . As you can see, this application corresponds to the App User in the example above.
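The create-user call described in the documentation excerpt above, written against the same CCG setup as the question; this is an added example, not code from the thread or from Box. The environment variable names, user name and external ID are constructed, and the final step assumes the app is configured to generate user access tokens.

```csharp
using System;
using System.Threading.Tasks;
using Box.V2;
using Box.V2.CCGAuth;
using Box.V2.Config;
using Box.V2.Models;

public static class AppUserExample
{
    // Assumed variable names; secrets are read from the environment, not from source.
    private static string Env(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"{name} is not set");

    public static async Task Main()
    {
        var config = new BoxConfigBuilder(Env("BOX_CLIENT_ID"), Env("BOX_CLIENT_SECRET"))
            .SetEnterpriseId(Env("BOX_ENTERPRISE_ID"))
            .Build();
        var ccg = new BoxCCGAuth(config);
        IBoxClient serviceAccount = ccg.AdminClient(); // Service Account token

        var request = new BoxUserRequest
        {
            Name = "Example App User",            // constructed value
            ExternalAppUserId = "colleague-0001", // constructed value
            IsPlatformAccessOnly = true           // required for an App User
        };

        // Request the fields to verify; they are not all in the default response.
        var fields = new[] { "name", "login", "is_platform_access_only", "external_app_user_id" };
        BoxUser created = await serviceAccount.UsersManager.CreateEnterpriseUserAsync(request, fields);

        // Fail loudly if the account did not come back as an App User.
        if (created.IsPlatformAccessOnly != true)
            throw new InvalidOperationException($"User {created.Id} is not an App User");

        Console.WriteLine($"App User {created.Id} login={created.Login} external_id={created.ExternalAppUserId}");

        // Obtain a client whose token is scoped to the App User, not the Service Account.
        IBoxClient appUser = ccg.UserClient(created.Id);
        BoxUser me = await appUser.UsersManager.GetCurrentUserInformationAsync();
        Console.WriteLine($"Token subject: {me.Id}");
    }
}
```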

My next issue is I cannot seem to get the ExternalAppUserId value to stick. Any suggestions or code samples?