C# MS Graph add group member error "Insufficient privileges to complete the operation."

Joshua Lewis 20 Reputation points
2023-03-23T01:21:44.4533333+00:00

Following the documentation here: https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=csharp

I have been trying to add users to a Security Group.

The users are all members of the tenant with O365 E3 licenses.

There should be a problem with IDs as this works in Graph explorer

The app calls the Graph API on behalf of the signed-in user (Delegated).

All the other API calls in the app are working correctly, including retrieving calendars, user profiles, group member lists and schedule information.

using the code

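    // Requires: using Microsoft.Graph.Models.ODataErrors; (for ODataError)
    var requestBody = new Microsoft.Graph.Models.ReferenceCreate()
    {
        OdataId = "https://graph.microsoft.com/v1.0/directoryObjects/" + userId
    };
    try
    {
        // Add the user to the group as a member
        await graphClient.Groups[GROUP_ID].Members.Ref.PostAsync(requestBody);
        bool test = false;
    }
    catch (ODataError e)
    {
        // "Insufficient privileges to complete the operation." is caught here
    }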

I get the error Insufficient privileges to complete the operation.

Permissions in the https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps

I have also tried with the Group.ReadWrite.All permission.

Permission in the resulting token

- Calendars.ReadWrite
- Group.Read.All
- GroupMember.ReadWrite.All
- MailboxSettings.Read
- openid
- profile
- User.Read
- User.ReadWrite.All
- email

Does anyone have an idea as to what is wrong? I don't want to grant the app more than the minimum permission necessary.

Thanks

Update: The permission error doesn't occur if the user being added is an owner of the group. This isn't much use to me; I need the app to add the signed-in user to the group. Is there another permission I can grant or something I can do so that the API request can add the user to the group without them being an owner?


Accepted answer
  1. CarlZhao-MSFT 36,891 Reputation points
    2023-03-23T07:28:54.2533333+00:00

    Hi @Joshua Lewis

    In a delegation context, only the owner of the group or a user with at least the Groups Administrator role can add members to a security group.

    Hope this helps.

    If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
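
The rule in the accepted answer, turned into a diagnostic around the asker's call. This is an added example, not code from the thread or from Microsoft; it assumes the Microsoft.Graph SDK v5 and a delegated `graphClient`, and the helper name `TryAddSignedInUserAsync` is hypothetical.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Models;
using Microsoft.Graph.Models.ODataErrors;

public static class GroupMembership
{
    // Hypothetical helper: adds the signed-in user to groupId with a delegated client.
    // Returns null on success, otherwise a diagnostic message for logging.
    public static async Task<string?> TryAddSignedInUserAsync(
        GraphServiceClient graphClient, string groupId)
    {
        var me = await graphClient.Me.GetAsync(
            r => r.QueryParameters.Select = new[] { "id" });
        var body = new ReferenceCreate
        {
            OdataId = "https://graph.microsoft.com/v1.0/directoryObjects/" + me!.Id
        };
        try
        {
            await graphClient.Groups[groupId].Members.Ref.PostAsync(body);
            return null;
        }
        catch (ODataError e) when (e.ResponseStatusCode == 403)
        {
            // The scope is already in the token, so inspect the other half of a
            // delegated call: what the signed-in user is allowed to do.
            // Assumption: only the first page of owners is checked here.
            var owners = await graphClient.Groups[groupId].Owners.GetAsync(
                r => r.QueryParameters.Select = new[] { "id" });
            bool isOwner = owners?.Value?.Any(o => o.Id == me.Id) ?? false;
            return isOwner
                ? $"Denied although the user owns the group: {e.Error?.Code} {e.Error?.Message}"
                : "Denied: the signed-in user is not an owner of the group. Per the accepted " +
                  "answer, a delegated add needs an owner or a user with at least the " +
                  "Groups Administrator role.";
        }
    }
}
```

Reading the owners list uses the Group.Read.All scope that is already present in the asker's token, so the diagnostic needs no additional consent.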


1 additional answer

  1. Shivam Dhiman 5,946 Reputation points
    2023-03-23T07:33:00.54+00:00

    Hi @Joshua Lewis

    As per the documentation, to add members to a role-assignable group, the calling user must also be assigned the RoleManagement.ReadWrite.Directory permission. After adding this permission I was able to get the desired response.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.