@Calderara Serge @sergecal Sorry for the delay. The product team has confirmed that they have added this issue to their backlog and the fix will be scheduled in a future release.
GroupMember.ReadWrite.All does not work for adding user to group with MSGraph API
Dear all,
We are using the MS Graph API to add a member to a group and we would like to get confirmation of a permission used.
In the documentation:
https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http
it is mentioned that the minimum permissions required to add a member to a group are the following, from least to most privileged:
GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All
If we use the permission GroupMember.ReadWrite.All, it fails with a permission access error when adding a user to a group.
{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Guests users are not allowed to join this Unified Group due to policy setting. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group",
    "innerError": {
      "date": "2020-06-22T08:28:11",
      "request-id": "f075e729-db6a-4f87-b333-9c9c2ad146d5"
    }
  }
}
So to make it work we have to use the permission Group.ReadWrite.All.
In which case is this permission GroupMember.ReadWrite.All used, then? I was expecting I could use it to add a user to a group.
Thanks for clarification
regards
5 answers
-
Saurabh Sharma 23,676 Reputation points Microsoft Employee
2020-07-27T17:12:21.537+00:00 -
sergecal 21 Reputation points
2020-07-01T12:28:24.273+00:00 Dear @SaurabhSharma-msft, any update on this issue?
regards
Serge -
Calderara Serge 46 Reputation points
2020-06-23T07:41:33.833+00:00 Thanks for your reply.
For me it does not work. Here is what I have:
Then the URL that I am using is as below:
Here is what I found out:
In our customer case we are using Invite User to add a member to the customer AD; using Invite member does not work with the GroupMember.ReadWrite.All permission. In case we add a normal user and try to add it to a group in the same way, then it works.
Conclusion:
Does it mean that for Invite User we cannot use GroupMember.ReadWrite.All but instead Group.ReadWrite.All? I am trying to set up the minimum permission for security reasons.
Thanks for help
regards -
Calderara Serge 46 Reputation points
2020-06-23T07:41:33.697+00:00 Thanks for your reply.
For me it does not work. Here is what I have:
Then the URL that I am using is as below:
Any idea what could be wrong?
Please note that if I add Group.ReadWrite.All it works fine. Thanks for help
regards -
Saurabh Sharma 23,676 Reputation points Microsoft Employee
2020-06-22T20:33:25.377+00:00 @CalderaraSerge-8943 I have tried adding a member to a group using Postman and it worked for me with GroupMember.ReadWrite.All permissions. The only additional permission required for adding members to a group is User.Read.All. I have used the work account for the API call.
Please find the screenshots below - Graph API call
Please try if this works for you.
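Added example, not from any participant in this thread and not Microsoft code: when narrowing an app to the least-privileged permission, it helps to record which of the three documented permissions the access token actually carried when a call was denied, alongside the error returned. The function names are hypothetical, the token is an unsigned one constructed for the demo, the payload is read without signature verification (diagnostic use only), and the substring check for a guest-policy denial is an assumption based on the single error quoted in the question.

```python
import base64
import json

# Permissions the linked documentation lists for adding a group member,
# ordered from least to most privileged (as quoted in the question).
DOCUMENTED = ["GroupMember.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"]


def token_permissions(access_token: str) -> set:
    """Read permissions from a JWT payload WITHOUT verifying the signature.

    Delegated scopes are in 'scp' (space separated string);
    application permissions are in 'roles' (list).
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def triage(error_body: str, access_token: str) -> dict:
    """Summarise a denied add-member call for a least-privilege review."""
    err = json.loads(error_body).get("error", {})
    granted = token_permissions(access_token)
    held = [p for p in DOCUMENTED if p in granted]
    message = err.get("message", "").lower()
    return {
        "code": err.get("code"),
        "request_id": err.get("innerError", {}).get("request-id"),
        "documented_permissions_held": held,
        "least_privileged_held": held[0] if held else None,
        # Assumption: wording taken from the one error shown in this thread.
        "guest_policy_denial": "guest" in message and "policy" in message,
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Error body from the question, message shortened.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "Authorization_RequestDenied",
    "message": "Guests users are not allowed to join this Unified Group due to policy setting.",
    "innerError": {"date": "2020-06-22T08:28:11",
                   "request-id": "f075e729-db6a-4f87-b333-9c9c2ad146d5"}}})

if __name__ == "__main__":
    token = constructed_token({"scp": "GroupMember.ReadWrite.All User.Read.All"})
    print(json.dumps(triage(SAMPLE_ERROR, token), indent=2))
```

A result with `least_privileged_held` set and `guest_policy_denial` true shows the token did carry a documented permission when the request was denied, which is the situation described in the question.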