I think the MSGraph/Team API should not return HTTP 403 when removing an Owner from a Team while having the TeamMember.ReadWrite.All permission:
DELETE https://graph.microsoft.com/v1.0/groups/<teamId>/owners/<ownerUserObjectId>/$ref HTTP/1.1
User-Agent: Fiddler
Host: graph.microsoft.com
Content-Length: 0
Authorization: Bearer <REDACTED>

HTTP/1.1 403 Forbidden
Date: Tue, 13 Jul 2021 19:22:39 GMT
Content-Type: application/json
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000
request-id: 1230dd1f-744c-4e46-a619-f719adfed9c9
client-request-id: 1230dd1f-744c-4e46-a619-f719adfed9c9
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"AM2PEPF00005502"}}
x-ms-resource-unit: 1
Content-Length: 266

{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2021-07-13T19:22:39","request-id":"1230dd1f-744c-4e46-a619-f719adfed9c9","client-request-id":"1230dd1f-744c-4e46-a619-f719adfed9c9"}}}
This is the description of the relevant roles:
TeamMember.ReadWrite.All: Add and remove members from all teams
TeamMember.ReadWriteNonOwnerRole.All: Add and remove members with non-owner role for all teams
Shouldn't TeamMember.ReadWrite.All cover owner removal?
I realized that I was calling the Groups API rather than the Teams API. The URL should be
DELETE /teams/{team-id}/members/{membership-id}
Now it works.
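Added example (not code from the question or the answer, and not a Microsoft sample): the full flow the answer implies, written in Python. The Groups-API form from the question (`/groups/{id}/owners/{userId}/$ref`) is judged under the Groups permissions and produced the 403 in the trace; the Teams-API form (`/teams/{team-id}/members/{membership-id}`) is what TeamMember.ReadWrite.All covers. The catch a practitioner hits next is that `{membership-id}` is not the user's object id but the `id` of the conversationMember record returned by `GET /teams/{team-id}/members`, so the example resolves it first. All GUIDs, the membership ids, the sample member list and the `fake_graph` transport are constructed placeholders; `graph_call` is the real transport for use with an actual token.

```python
"""Remove a team owner through the Teams API rather than the Groups API."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"


def groups_owner_ref_url(team_id: str, user_object_id: str) -> str:
    # The request from the question: a Groups API call, evaluated under Groups
    # permissions, so TeamMember.ReadWrite.All alone yields Authorization_RequestDenied.
    return f"{GRAPH}/groups/{team_id}/owners/{user_object_id}/$ref"


def teams_member_url(team_id: str, membership_id: str) -> str:
    # The request from the answer: a Teams API call covered by TeamMember.ReadWrite.All.
    return f"{GRAPH}/teams/{team_id}/members/{membership_id}"


def find_membership_id(members_page: dict, user_object_id: str) -> Optional[str]:
    # Map a user's object id to the conversationMember `id` that the DELETE needs.
    # Caveat: this looks at one page only; a large team returns @odata.nextLink
    # and the caller must follow it.
    for member in members_page.get("value", []):
        if member.get("userId") == user_object_id:
            return member["id"]
    return None


def graph_call(token: str, method: str, url: str) -> Tuple[int, str]:
    # Real transport: returns (status, body). Only used when a live token is supplied.
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def remove_team_member(token: str, team_id: str, user_object_id: str,
                       call: Callable[[str, str, str], Tuple[int, str]] = graph_call) -> dict:
    # Resolve the membership id via the Teams API, then delete via the Teams API.
    # `call` is injectable so the flow can be exercised offline (see fake_graph).
    status, body = call(token, "GET", f"{GRAPH}/teams/{team_id}/members")
    if status != 200:
        return {"status": status, "membership_id": None, "error": body}
    membership_id = find_membership_id(json.loads(body), user_object_id)
    if membership_id is None:
        return {"status": 404, "membership_id": None,
                "error": "user is not a member of the team"}
    status, body = call(token, "DELETE", teams_member_url(team_id, membership_id))
    # A successful Teams-API member removal answers 204 No Content.
    return {"status": status, "membership_id": membership_id,
            "error": body if status >= 400 else ""}


# Constructed sample data (placeholder ids, not real tenant data).
SAMPLE_TEAM_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_OWNER_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_MEMBERS = {
    "value": [
        {"@odata.type": "#microsoft.graph.aadUserConversationMember",
         "id": "MCMjMSMjMTExMS0yMjIy", "roles": ["owner"],
         "displayName": "Example Owner", "userId": SAMPLE_OWNER_ID},
        {"@odata.type": "#microsoft.graph.aadUserConversationMember",
         "id": "MCMjMSMjMTExMS0zMzMz", "roles": [],
         "displayName": "Example Member",
         "userId": "ffffffff-0000-1111-2222-333333333333"},
    ]
}


def fake_graph(token: str, method: str, url: str) -> Tuple[int, str]:
    # Offline stand-in for the service: serves the sample member list, accepts
    # Teams-API deletes, and rejects the Groups-API owners/$ref form the way the
    # question's trace shows.
    if method == "GET" and url.endswith("/members"):
        return 200, json.dumps(SAMPLE_MEMBERS)
    if method == "DELETE" and "/teams/" in url and "/members/" in url:
        return 204, ""
    if method == "DELETE" and "/owners/" in url:
        return 403, json.dumps({"error": {
            "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation."}})
    return 404, ""


if __name__ == "__main__":
    print("groups form:", fake_graph("t", "DELETE",
                                     groups_owner_ref_url(SAMPLE_TEAM_ID, SAMPLE_OWNER_ID)))
    print("teams form:", remove_team_member("t", SAMPLE_TEAM_ID, SAMPLE_OWNER_ID, call=fake_graph))
```

To run it against a real tenant, pass a bearer token carrying TeamMember.ReadWrite.All and leave `call` at its default `graph_call`; the two-step lookup is also available server-side as a `$filter` on `microsoft.graph.aadUserConversationMember/userId`, which avoids paging through large teams.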