Having rights issues adding user to group via API

daxm 6 Reputation points
2022-06-29T17:38:31.517+00:00

I have a user in my Azure AD that is our "API user". This user appears to have enough rights to add a user to a group BUT I'm still getting "403: Authorization_RequestDenied" when attempting to POST to the Graph API url = f"https://graph.microsoft.com/v1.0/groups/{group['id']}/members/$ref". I need help figuring out what I'm missing.

I will note that I am able to add this user to this group via the portal.azure.com page but not via the API.

I get the same/similar error when using the Graph Explorer... even when I change my user to the MOD Admin user! I've double and triple checked my Group and User IDs that I'm referring to.


3 answers

  1. CarlZhao-MSFT 37,296 Reputation points
    2022-06-30T03:07:36.837+00:00

    Hi @daxm

    Only the owner of the group or a user assigned the group administrator role can add new members to the group.



    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. daxm 6 Reputation points
    2022-06-30T13:40:39.473+00:00

    Thank you for the quick answer. Your suggestion has gotten me closer! I am now able to add a user to a group via Graph Explorer.

    What I did was add my API user as an owner of the target group and then consent to some permissions. (Since I have no idea which consent I needed to do I just consented to as many things as I thought might be related to this issue and after 3-4 batches of consents it started working. So, alas, I have no idea which combination was the winning set.)

    Question: Will I need to add my API user as owner to ALL my groups and consent to dozens of random permissions in order to allow my API user to add users to groups??? (There has to be a more efficient way than this path.)

    However, I'm still unable to perform this task via my Python script. My Python script is currently able to add/view/remove users and view groups so I don't think it is an auth token issue.

    import requests  # assumed: the post does not show which HTTP client the script uses

    group_id = "blah"
    user_id = "blah"
    url = f'https://graph.microsoft.com/v1.0/groups/{group_id}/members/$ref'  # f-string so the id is actually filled in
    data = {'@odata.id': f'https://graph.microsoft.com/v1.0/directoryObjects/{user_id}'}
    # access_token: the bearer token the script already uses for its working user/group calls
    resp = requests.post(url, json=data, headers={'Authorization': f'Bearer {access_token}'})
    print(resp.content)  # the body that comes back:
    b'{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-06-30T13:35:53","request-id":"blah","client-request-id":"blah"}}}'

    Note: Using the correct group_id and user_id I literally copy/pasted the url and data values into Graph Explorer to get that to work so I don't think it is a malformed POST query either.


  3. daxm 6 Reputation points
    2022-06-30T19:32:28.11+00:00

    Update: I finally found what I was missing. My API user needed the RoleManagement.ReadWrite.Directory permission.

    As feedback, the 403 error could possibly be better in explaining what is wrong. It's taken me several days to needle out all the missing permissions and the returned error message did little in helping along that path.

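As an added example (not code from this thread or from Microsoft), a small Python diagnostic that follows from answers 2 and 3: it builds the same add-member request with the ids actually interpolated, reads the scp/roles claims from the token the script already holds, and reports which of the Graph add-member permissions are missing, including RoleManagement.ReadWrite.Directory for role-assignable groups, instead of consenting to permissions blindly. The permission names are taken from the Graph "add member" reference; the token is constructed locally and unsigned so the example runs offline, and the owner/group-administrator requirement from answer 1 is a property of the user, not of the token.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Permissions that authorize POST /groups/{id}/members/$ref (Graph "add member"
# reference). Role-assignable groups additionally require ROLE_ASSIGNABLE_EXTRA,
# the permission the original poster found missing.
MEMBER_WRITE_PERMISSIONS = {"GroupMember.ReadWrite.All", "Group.ReadWrite.All",
                            "Directory.ReadWrite.All"}
ROLE_ASSIGNABLE_EXTRA = "RoleManagement.ReadWrite.Directory"

def add_member_request(group_id: str, user_id: str) -> tuple[str, dict]:
    """Build the URL and JSON body the poster's script sends (ids filled in)."""
    url = f"{GRAPH}/groups/{group_id}/members/$ref"
    body = {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"}
    return url, body

def token_permissions(access_token: str) -> set[str]:
    """Read delegated (scp) and application (roles) permissions out of a Graph token.
    The signature is deliberately not checked: this only inspects a token you already
    hold and must never be used to make an authorization decision."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    perms = set(claims.get("scp", "").split())      # delegated: space-separated string
    perms.update(claims.get("roles", []))           # application: list of strings
    return perms

def missing_permissions(access_token: str, role_assignable: bool) -> list[str]:
    """Name what the 403 does not: which add-member permissions the token lacks."""
    have = token_permissions(access_token)
    missing = []
    if not have & MEMBER_WRITE_PERMISSIONS:
        missing.append("one of " + ", ".join(sorted(MEMBER_WRITE_PERMISSIONS)))
    if role_assignable and ROLE_ASSIGNABLE_EXTRA not in have:
        missing.append(ROLE_ASSIGNABLE_EXTRA)
    return missing

def explain_error(body: bytes) -> str:
    """Reduce the raw Graph error body to one line that keeps the request-id."""
    err = json.loads(body)["error"]
    return f'{err["code"]}: {err["message"]} (request-id {err["innerError"]["request-id"]})'

def demo_token(claims: dict) -> str:
    """Constructed, unsigned token (header.payload.) so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.'
```

Run `missing_permissions(token, role_assignable=True)` against a real token before the POST; an empty list with a 403 still coming back points at ownership or role assignment rather than consent.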