Insufficient privileges to create group with Assignable to Role True

Manish Aery 1 Reputation point
2022-09-29T07:39:23.603+00:00

I am trying to create a group with "isAssignableToRole" true, but I was getting a 403 error.
Then I added the "RoleManagement.ReadWrite.Directory" permission as mentioned in the docs, i.e.
The following is an example of the request. The calling user must be assigned the RoleManagement.ReadWrite.Directory permission to set the isAssignableToRole property or update the membership of such groups.

After adding the permission I am still getting the same error.
Please help me to resolve this.

Request:

{
    "description": "M365 Group assignable to a role",
    "displayName": "Test Role assignable group",
    "groupTypes": [
    ],
    "isAssignableToRole": true,
    "mailEnabled": true,
    "securityEnabled": true,
    "mailNickname": "contosohelpdeskadministrators"
}

Response:

{
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "date": "2022-09-29T07:33:16",
            "request-id": "a2031734-bf7a-4b30-abc4-5c9452d851ac",
            "client-request-id": "a2031734-bf7a-4b30-abc4-5c9452d851ac"
        }
    }
}


2 answers

  1. Sheena-MSFT 1,731 Reputation points
    2022-09-30T12:08:37.96+00:00

    Hi @Manish Aery ,

    As per my research, the signed-in user must be a Global Admin/Privileged Admin to do this operation. Along with Directory.ReadWrite.All/Group.ReadWrite.All, we should configure the RoleManagement.ReadWrite.Directory permission also. Please find the screenshot below: 246377-roleq.png

    Could you please check the user role and permission and update the mailEnabled property to false. If you are still facing this issue, I would advise you to raise a support case with Microsoft Graph; a specialized Support Engineer will be able to assist you better.

    You can raise a technical support request from:
    https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview or https://admin.microsoft.com/#/support/requests.

    Hope this helps.
    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


  2. CarlZhao-MSFT 40,311 Reputation points
    2022-10-06T10:17:49.64+00:00

    Hi @Manish Aery

    The RoleManagement.ReadWrite.Directory permission is not enough, you must also be a Global Administrator or Privileged Role Administrator to create a group with "isAssignableToRole": true.

    248048-page4.png

    But even if you meet the above conditions, you will still get a 400 error, because your request body is trying to create a mail-enabled security group. According to the official documentation, creating and managing mail-enabled security groups via the Graph API is currently not supported; you can only create M365/security groups.

    248092-image.png


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
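
Pulling the two answers together, the request in the question fails for two independent reasons: the caller lacks the required directory role (the 403 shown), and the body describes a mail-enabled security group, which Graph cannot create (the 400 CarlZhao predicts). The following is an added example, not code from the question, the answers or Microsoft; it performs a local pre-flight check on a POST /groups body before anything is sent. The group-kind classification uses the standard Graph flag combinations (security group: securityEnabled true, mailEnabled false, groupTypes []; M365 group: groupTypes ["Unified"], mailEnabled true, securityEnabled false); the role and permission names are exactly those the answers cite; the caller_roles and app_permissions arguments are assumed inputs the reader supplies from their own tenant. No network calls are made.

```python
"""Pre-flight checks for a Microsoft Graph POST /groups body that sets isAssignableToRole.

Added example (not the page's or Microsoft's code). Constructed data: the asker's body and
error payload are copied from the question above; REQUIRED_ROLES / REQUIRED_PERMISSION
restate the two answers. Runs offline.
"""
import json
from typing import Dict, List

# Directory roles the answers say the caller must hold, and the Graph permission the docs require.
REQUIRED_ROLES = ("Global Administrator", "Privileged Role Administrator")
REQUIRED_PERMISSION = "RoleManagement.ReadWrite.Directory"


def classify_group(body: Dict) -> str:
    """Name the kind of group the three flags describe (standard Graph flag combinations)."""
    unified = "Unified" in body.get("groupTypes", [])
    mail = bool(body.get("mailEnabled"))
    sec = bool(body.get("securityEnabled"))
    if unified and mail and not sec:
        return "m365"
    if not unified and sec and not mail:
        return "security"
    if not unified and sec and mail:
        return "mail-enabled-security"
    if not unified and mail and not sec:
        return "distribution"
    return "unknown"


def preflight(body: Dict, caller_roles: List[str], app_permissions: List[str]) -> List[str]:
    """Return the problems that would make the request fail; an empty list means no known blocker."""
    problems: List[str] = []
    if not body.get("isAssignableToRole"):
        return problems  # the extra requirements only apply to role-assignable groups
    kind = classify_group(body)
    if kind == "mail-enabled-security":
        problems.append("mail-enabled security groups cannot be created via Graph (expect 400); "
                        "set mailEnabled to false")
    elif kind not in ("m365", "security"):
        problems.append(f"isAssignableToRole is only valid for M365 or security groups, body is '{kind}'")
    if REQUIRED_PERMISSION not in app_permissions:
        problems.append(f"token lacks the {REQUIRED_PERMISSION} permission")
    if not any(role in caller_roles for role in REQUIRED_ROLES):
        problems.append("caller holds none of: " + ", ".join(REQUIRED_ROLES)
                        + " (expect 403 Authorization_RequestDenied)")
    return problems


def fix_body(body: Dict) -> Dict:
    """Apply the correction from the answers: make the mail-enabled security group a plain security group."""
    fixed = dict(body)
    if classify_group(fixed) == "mail-enabled-security":
        fixed["mailEnabled"] = False
    return fixed


def explain_error(response_json: str) -> str:
    """Map the Graph error payload to the likely cause, keeping the request-id for a support case."""
    err = json.loads(response_json).get("error", {})
    code = err.get("code")
    request_id = err.get("innerError", {}).get("request-id")
    if code == "Authorization_RequestDenied":
        return (f"{code}: insufficient permission or directory role; verify {REQUIRED_PERMISSION} "
                f"and membership in {' or '.join(REQUIRED_ROLES)} (request-id {request_id})")
    return f"{code}: {err.get('message')} (request-id {request_id})"


# The asker's request body and the error it produced, copied from the question.
ASKER_BODY = {
    "description": "M365 Group assignable to a role",
    "displayName": "Test Role assignable group",
    "groupTypes": [],
    "isAssignableToRole": True,
    "mailEnabled": True,
    "securityEnabled": True,
    "mailNickname": "contosohelpdeskadministrators",
}
ASKER_ERROR = json.dumps({"error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {"date": "2022-09-29T07:33:16",
                   "request-id": "a2031734-bf7a-4b30-abc4-5c9452d851ac",
                   "client-request-id": "a2031734-bf7a-4b30-abc4-5c9452d851ac"}}})

if __name__ == "__main__":
    print("as posted:", classify_group(ASKER_BODY))
    for p in preflight(ASKER_BODY, caller_roles=[], app_permissions=[REQUIRED_PERMISSION]):
        print(" -", p)
    corrected = fix_body(ASKER_BODY)
    print("corrected:", classify_group(corrected),
          preflight(corrected, ["Global Administrator"], [REQUIRED_PERMISSION]))
    print(explain_error(ASKER_ERROR))
```

Run it as-is to see the asker's body flagged as a mail-enabled security group with a missing role; pass your own caller_roles and app_permissions to preflight() before sending a real request, so a 403 or 400 from Graph is never the first place you learn about a missing role or an unsupported group type.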