What permissions are needed for an App Registration to add and remove group members?

Steve March 0 Reputation points
2023-04-21T12:57:45.98+00:00

I am trying to write an unattended PowerShell script that will use an App Registration and certificate for authentication that will update mail-enabled security groups as well as Security & Compliance Center Preservation Policies. The script can successfully execute the Get-DistributionGroupMember Exchange Online PowerShell command but I get a permissions error when I run Add-DistributionGroupMember and Remove-DistributionGroupMember commands. The command works for Distribution groups but not for Mail-enabled security groups. I receive a similar error when I run the Set-RetentionCompliancePolicy command. I selected all the API permissions and roles for the App registration that I can think of but I don't want to give the app registration global administrator rights. Here are the API permissions:
Microsoft Graph:
Directory.Read.All
Directory.ReadWrite.All
eDiscovery.ReadWrite.All
Group.Read.All
Group.ReadWrite.All
GroupMember.ReadWrite.All
User.Export.All
User.Read
User.Read.All
User.ReadWrite.All

Office 365 Exchange Online: Exchange.ManageAsApp

It has the following roles:
Compliance Administrator
Exchange Administrator
User Administrator

Here is the error:

Write-ErrorMessage : ExB6FAB5|Microsoft.Exchange.Configuration.Tasks.OperationRequiresGroupManagerException|You don't
have sufficient permissions. This operation can only be performed by a manager of the group.
At C:\Users\semarch\AppData\Local\Temp\tmpEXO_u4tv14oy.vkd\tmpEXO_u4tv14oy.vkd.psm1:1120 char:13
+             Write-ErrorMessage $ErrorObject
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-DistributionGroupMember], OperationRequiresGroupManagerException
    + FullyQualifiedErrorId : [Server=SA1P110MB1534,RequestId=6e53446a-dbbb-57a8-e993-14f3cc0829f5,TimeStamp=Fri, 21 Apr 2023 12:28:18 GMT],Write-ErrorMessage
  1. Aholic Liang-MSFT 13,861 Reputation points Microsoft Vendor
    2023-04-24T03:22:19.42+00:00

    Hi Steve March,

    You don't have sufficient permissions. This operation can only be performed by a manager of the group.

    This issue occurs if you're not a manager of the group. In this situation, you're not listed in the ManagedBy attribute.

    You must be an Exchange Online administrator, or a member of the Security Group Creation and Membership role in the Exchange admin center, to perform this procedure.

    For this issue, you can refer to the following two solutions:

    1. Add this script as the manager of this group:

    Set-DistributionGroup <NameOfGroup> -ManagedBy "Admin@contoso.com" -BypassSecurityGroupManagerCheck

    2. Use the Add-DistributionGroupMember / Remove-DistributionGroupMember cmdlets together with the BypassSecurityGroupManagerCheck parameter to allow users who are not group owners to modify or delete the group.

    For more information about this error, please refer to this link:

    You don't have sufficient permissions when remove or change distribution group - Exchange | Microsoft Learn


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  
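As an added example (not code from the question or the answer above), this is an unattended app-only run that applies the answer's second solution with the certificate-based connection the question describes. The app id, certificate thumbprint, tenant name, group and member addresses are placeholders, and the app registration is assumed to already hold Exchange.ManageAsApp and the Exchange Administrator role.

```powershell
param(
    [string]$AppId        = '00000000-0000-0000-0000-000000000000', # placeholder app (client) id
    [string]$Thumbprint   = 'CERT-THUMBPRINT-PLACEHOLDER',           # cert in CurrentUser\My
    [string]$Organization = 'contoso.onmicrosoft.com',               # placeholder tenant
    [string]$Group        = 'mesg-finance@contoso.com',              # constructed group address
    [string]$Member       = 'user@contoso.com'                       # constructed member address
)

Import-Module ExchangeOnlineManagement

# App-only certificate auth for an unattended run; no interactive prompt.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $Thumbprint `
    -Organization $Organization -ShowBanner:$false

try {
    # Confirm the target is a mail-enabled security group; that is where the
    # ManagedBy (group manager) check described in the question applies.
    $grp = Get-DistributionGroup -Identity $Group -ErrorAction Stop
    if ($grp.RecipientTypeDetails -ne 'MailUniversalSecurityGroup') {
        throw "Expected a mail-enabled security group, got $($grp.RecipientTypeDetails)"
    }

    # Idempotent: only add when the address is not already a member.
    $existing = Get-DistributionGroupMember -Identity $Group -ResultSize Unlimited |
        ForEach-Object { [string]$_.PrimarySmtpAddress }
    if ($existing -contains $Member) {
        Write-Output "$Member is already a member of $Group"
    }
    else {
        # Solution 2 from the answer: bypass the group-manager check so the app
        # identity, which is not listed in ManagedBy, may change membership.
        Add-DistributionGroupMember -Identity $Group -Member $Member `
            -BypassSecurityGroupManagerCheck -ErrorAction Stop
        Write-Output "Added $Member to $Group"
    }
}
catch {
    # Make the cause visible in the unattended log instead of a generic failure.
    if ($_.Exception.Message -like '*OperationRequiresGroupManagerException*' -or
        $_.Exception.Message -like '*manager of the group*') {
        Write-Error "Group-manager check blocked the change to '$Group'. Use -BypassSecurityGroupManagerCheck or add the app to ManagedBy. $($_.Exception.Message)"
    }
    else {
        throw
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The same pattern applies to Remove-DistributionGroupMember, which also accepts -BypassSecurityGroupManagerCheck.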
