What permissions are needed for an App Registration to add and remove group members?

Steve March 0 Reputation points
2023-04-21T12:57:45.98+00:00

I am trying to write an unattended PowerShell script that will use an App Registration and certificate for authentication that will update mail-enabled security groups as well as Security & Compliance Center Preservation Policies. The script can successfully execute the Get-DistributionGroupMember Exchange Online PowerShell command but I get a permissions error when I run Add-DistributionGroupMember and Remove-DistributionGroupMember commands. The command works for Distribution groups but not for Mail-enabled security groups. I receive a similar error when I run the Set-RetentionCompliancePolicy command. I selected all the API permissions and roles for the App registration that I can think of but I don't want to give the app registration global administrator rights. Here are the API permissions:
Microsoft Graph-
Directory.Read.All
Directory.ReadWrite.All
eDiscovery.ReadWrite.All
Group.Read.All
Group.ReadWrite.All
GroupMember.ReadWrite.All
User.Export.All
User.Read
User.Read.All
User.readWrite.All

Office 365 Exchange Online -
Exchange.ManageAsApp

It has the following roles:
Compliance Administrator
Exchange Administrator
User Administrator

Here is the error:

Write-ErrorMessage : ExB6FAB5|Microsoft.Exchange.Configuration.Tasks.OperationRequiresGroupManagerException|You don't
have sufficient permissions. This operation can only be performed by a manager of the group.
At C:\Users\semarch\AppData\Local\Temp\tmpEXO_u4tv14oy.vkd\tmpEXO_u4tv14oy.vkd.psm1:1120 char:13
+             Write-ErrorMessage $ErrorObject
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-DistributionGroupMember], OperationRequiresGroupManagerException
    + FullyQualifiedErrorId : [Server=SA1P110MB1534,RequestId=6e53446a-dbbb-57a8-e993-14f3cc0829f5,TimeStamp=Fri, 21 A
   pr 2023 12:28:18 GMT],Write-ErrorMessage
1 answer

  1. Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff
    2023-04-24T03:22:19.42+00:00

    Hi Steve March


    You don't have sufficient permissions. This operation can only be performed by a manager of the group.

    This issue occurs if you're not a manager of the group. In this situation, you're not listed in the ManagedBy attribute.

    You must be an Exchange Online administrator, or a member of the Security Group Creation and Membership role in the Exchange admin center, to perform this procedure.

    For this issue, you can refer to the following two solutions:

    1. Add this script as this group manager:

    Set-DistributionGroup <NameOfGroup> -ManagedBy "******@contoso.com" -BypassSecurityGroupManagerCheck

    2. Use the Add-DistributionGroupMember / Remove-DistributionGroupMember cmdlet together with the BypassSecurityGroupManagerCheck parameter to allow users who are not group owners to modify or delete the group.

    For more information about this error, please refer to this link:

    You don't have sufficient permissions when remove or change distribution group - Exchange | Microsoft Learn



    1 person found this answer helpful.
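The unattended script from the question, with the answer's second fix applied, as an added example that is not code from the thread or from Microsoft: it connects with app-only certificate authentication and reconciles a mail-enabled security group's membership using -BypassSecurityGroupManagerCheck on the member cmdlets. The AppId, thumbprint, tenant, group address and member list are placeholders to replace with your own.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement
# module is installed and the App Registration holds Exchange.ManageAsApp
# plus an Exchange admin role, as the question describes. All values below
# are placeholders.
param(
    [string]$AppId            = '00000000-0000-0000-0000-000000000000', # placeholder
    [string]$CertThumbprint   = 'PLACEHOLDER_THUMBPRINT',                # placeholder
    [string]$Organization     = 'contoso.onmicrosoft.com',               # placeholder
    [string]$GroupIdentity    = 'sec-finance@contoso.com',               # placeholder
    [string[]]$DesiredMembers = @('alice@contoso.com', 'bob@contoso.com') # constructed
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop

# App-only auth: there is no signed-in user, so the app can never appear in the
# group's ManagedBy list. That is exactly why Add-/Remove-DistributionGroupMember
# throw OperationRequiresGroupManagerException without the bypass switch.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertThumbprint `
    -Organization $Organization -ShowBanner:$false

try {
    # Current membership, normalised to lower-case SMTP addresses for comparison.
    $current = @(Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLowerInvariant() })
    $desired = @($DesiredMembers | ForEach-Object { $_.ToLowerInvariant() })

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    foreach ($m in $toAdd) {
        Add-DistributionGroupMember -Identity $GroupIdentity -Member $m `
            -BypassSecurityGroupManagerCheck -ErrorAction Stop
        Write-Output "Added   $m"
    }
    foreach ($m in $toRemove) {
        Remove-DistributionGroupMember -Identity $GroupIdentity -Member $m `
            -BypassSecurityGroupManagerCheck -Confirm:$false -ErrorAction Stop
        Write-Output "Removed $m"
    }

    # Post-check: re-read the group and report any drift that remains.
    $after = @(Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLowerInvariant() })
    $drift = Compare-Object -ReferenceObject $desired -DifferenceObject $after
    if ($drift) { Write-Warning "Membership still differs from desired state:`n$($drift | Out-String)" }
    else        { Write-Output "Group $GroupIdentity matches the desired membership." }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The reconcile-then-verify shape keeps the run idempotent and surfaces any member the bypass switch still could not change, which is the first thing to check when an app-only run fails silently in a scheduler.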
