GroupMember.ReadWrite.All does not work for adding user to group with MSGraph API

Calderara Serge 46 Reputation points
2020-06-22T08:47:08.407+00:00

Dear all,

We are using MS graph API to add a member to a group and we would like to get confirmation of a permission used.$
In the docuementation :

https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http

it is mentionned that the minimum permission required to add memeber to group are the following from least to most priviledges

GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All

If we use the permission GroupMember.ReadWrite.All it fails with permission access when adding user to group..

{
"error": {
"code": "Authorization_RequestDenied",
"message": "Guests users are not allowed to join this Unified Group due to policy setting. paramName: Members, paramValue: , objectType: Microsoft.Online.DirectoryServices.Group",
"innerError": {
"date": "2020-06-22T08:28:11",
"request-id": "f075e729-db6a-4f87-b333-9c9c2ad146d5"
}
}
}

So to make it work we have to use the permission Group.ReadWrite.All

In which case this permission GroupMember.ReadWrite.All is used then ? I was expected I could use it to add user to group ?

Thanks for clarification
regards

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,521 questions
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. Calderara Serge 46 Reputation points
    2020-06-23T07:41:33.833+00:00

    Thanks for your reply.

    For me it does not work. Here is below what I have :

    10469-chrome-ed3qarwiw3.png

    Then the URL that I am using is as below :

    10480-589ol5srbo.png

    Here is what I found out :
    IN our customer case we are using the Invite User to add member to customer AD, using INvite member does not work with GroupMember.ReadWriteAll permission

    In case we add normal user and try to add it to group in same way, then it works.

    Conclusion :
    Does it means that for INvite User we cannot use the GroupMember.ReadWriteAll but instead Group.ReadWriteAll ?

    I try to setup the minimum permission for security reason

    Thanks for help
    regards

    1 person found this answer helpful.

  2. Saurabh Sharma 23,791 Reputation points Microsoft Employee
    2020-06-22T20:33:25.377+00:00

    @CalderaraSerge-8943 I have tried adding member to a group using Postman and it worked for me with GroupMember.ReadWrite.All permissions. Only additional permissions is required for adding members to a group is User.Read.All. I have used the work account for API call.
    Please find the screenshots below -

    10521-graphpermissions.png

    Graph API call

    10389-addmemberapirequest.png

    Please try if this works for you.

    0 comments No comments

  3. Calderara Serge 46 Reputation points
    2020-06-23T07:41:33.697+00:00

    Thanks for your reply.

    For me it does not work. Here is below what I have :

    10469-chrome-ed3qarwiw3.png

    Then the URL that I am using is as below :

    10480-589ol5srbo.png

    Any idea what could be wrong ?
    PLease note that if I add the Group.ReadWrite.All it works fine

    Thanks for help
    regards

    0 comments No comments

  4. sergecal 21 Reputation points
    2020-07-01T12:28:24.273+00:00

    Dear @SaurabhSharma-msft , any update on this issue ?

    regards
    Serge


  5. Saurabh Sharma 23,791 Reputation points Microsoft Employee
    2020-07-27T17:12:21.537+00:00

    @Calderara Serge @sergecal Sorry for the delay. The product team has confirmed that they have added this issue in their backlog and the fix will be scheduled in future release.