Graph API: Post to groups does not work

DaKi 0 Reputation points
2025-05-12T12:02:54.9166667+00:00

I'm trying to post to https://graph.microsoft.com/v1.0/groups

{
    "displayName":"First group",
    "isAssignableToRole":true,
    "mailEnabled":false,
    "mailNickname":"1b40e607-d220-41ae-8f7c-11c8290ad2a2",
    "securityEnabled":true,
    "uniqueName":"first-group"
}

Consent is as follows:

Group.ReadWrite.All and Directory.ReadWrite.All are granted.

Even though I have the consent, I get an error:

Forbidden - 403 - 193 ms Either the signed-in user does not have sufficient privileges, or you need to consent to one of the permissions on the Modify permissions tab

The same request does work for another tenant. Did something change for new tenants?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Vasil Michev 123.6K Reputation points MVP Volunteer Moderator
    2025-05-12T16:40:17.8066667+00:00

    Since you are running this query in Graph explorer, i.e. via delegated permissions, you need to check the admin role assigned to the user. At the very least, you need Privileged Role Administrator. The permissions granted on the Graph explorer itself are not enough.


  2. SrideviM 5,840 Reputation points Moderator
    2025-05-14T09:50:38.05+00:00

    Hello DaKi,

    I understand you're trying to create a security group using the Microsoft Graph API and encountering a 403 Forbidden error, even though the necessary permissions are granted.

    This might be due to a tenant-level setting in Microsoft Entra ID that controls whether users or apps can create security groups.

    To review this setting, go to the Azure portal, open Microsoft Entra ID, and navigate to Groups > General. Look for the option "Users can create security groups in Azure portals, API or PowerShell". If it’s set to "No", that could be preventing group creation via API.


    I too got the same error when I tried to create a group through the Graph API when the above setting is disabled.

    To resolve this, a user with Global Administrator rights can change the setting to "Yes".

    These settings can take up to 15 minutes to take effect. Once the setting is enabled, the API request to create the group should go through successfully.

    Let me know if you have any further questions. Happy to assist.

    Hope this helps!



    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.
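
An added example, not part of either answer above and not Microsoft's tooling: an offline triage helper that applies both answers' checks to a decoded delegated token, the request body, and the tenant's authorization policy. The `wids` role template IDs, the `allowedToCreateSecurityGroups` field (as returned by `GET /policies/authorizationPolicy`), and tying the role requirement to `isAssignableToRole` are assumptions not stated on this page; the sample token and policy are constructed.

```python
import base64
import json

# Entra built-in role template IDs as they appear in a token's "wids" claim.
PRIVILEGED_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
GROUP_SCOPES = {"Group.ReadWrite.All", "Directory.ReadWrite.All"}

def jwt_claims(token):
    """Decode the JWT payload without verifying it (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def explain_403(token, group_body, auth_policy):
    """Return likely reasons a delegated POST /groups was refused."""
    claims = jwt_claims(token)
    if "scp" not in claims:
        return ["app-only token: these delegated checks do not apply"]
    findings = []
    # Delegated calls are limited by the consented scopes AND the user's own role.
    if not GROUP_SCOPES & set(claims["scp"].split()):
        findings.append("no consented scope allows creating groups")
    roles = set(claims.get("wids", []))
    needs_role = group_body.get("isAssignableToRole")
    if needs_role and not roles & {PRIVILEGED_ROLE_ADMIN, GLOBAL_ADMIN}:
        findings.append("isAssignableToRole needs Privileged Role Administrator")
    # Assumption: the tenant setting only binds users without a group-managing role.
    defaults = auth_policy.get("defaultUserRolePermissions", {})
    security_group = group_body.get("securityEnabled") and not group_body.get("mailEnabled")
    if security_group and defaults.get("allowedToCreateSecurityGroups") is False:
        findings.append("tenant setting blocks security group creation by users")
    return findings

def make_token(claims):
    """Build an unsigned, constructed token for the demo below."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "e30." + body.decode() + "."

if __name__ == "__main__":
    # Constructed sample mirroring the question: scopes consented, no admin role.
    token = make_token({"scp": "Group.ReadWrite.All Directory.ReadWrite.All", "wids": []})
    body = {"displayName": "First group", "isAssignableToRole": True,
            "mailEnabled": False, "securityEnabled": True}
    policy = {"defaultUserRolePermissions": {"allowedToCreateSecurityGroups": False}}
    for reason in explain_403(token, body, policy):
        print("-", reason)
```

Verification of the token signature is skipped on purpose, so use the output only for troubleshooting and never as an authorization decision.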

