Unable to create new group inside Administrative Unit using Graph API

Parth Shethia 5 Reputation points Microsoft Employee
2023-01-25T23:35:21.83+00:00

I intend to create a new group inside an Administrative Unit in AAD programmatically. I will run this under the context of a service principal.

I am facing 2 issues:

  1. Unable to find AddAsync() on Graph SDK version 4.52.0

await graphClient.Directory.AdministrativeUnits["{administrativeUnit-id}"].Members.Request().AddAsync(newGroupObject);

Error - AddAsync missing error

  2. GroupAdministrator role on AU: I assigned GroupAdministrator role to my service principal + Directory.Read.All Graph API permission, however, I am still not able to create a new group inside AU and it says insufficient privileges.

Endpoint - https://graph.microsoft.com/v1.0/directory/administrativeUnits/40335129-6bd0-4190-a383-a42e3eae09dc/members/

If I assign AdministrativeUnit.ReadWrite.All permission to service principal, I am able to create the group inside AU.

Why is Group Administrator role not working as intended? Am I missing something?

For issue #2, if I assign AdministrativeUnit.ReadWrite.All permission to service principal, I am able to create the group inside AU.
