Having rights issues adding user to group via API

daxm 1 Reputation point
2022-06-29T17:38:31.517+00:00

I have a user in my Azure AD that is our "API user". This user appears to have enough rights to add a user to a group BUT I'm still getting "403: Authorization_RequestDenied" when attempting to POST to the Graph API url = f"https://graph.microsoft.com/v1.0/groups/{group['id']}/members/$ref". I need help figuring out what I'm missing.

I will note that I am able to add this user to this group via the portal.azure.com page but not via the API.

I get the same/similar error when using the Graph Explorer... even when I change my user to the MOD Admin user! I've double and triple checked my Group and User IDs that I'm referring to.


3 answers

  1. Carl Zhao_MSFT 18,301 Reputation points
    2022-06-30T03:07:36.837+00:00

    Hi @daxm

    Only the owner of the group or a user assigned the group administrator role can add new members to the group.


  2. daxm 1 Reputation point
    2022-06-30T13:40:39.473+00:00

    Thank you for the quick answer. Your suggestion has gotten me closer! I am now able to add a user to a group via Graph Explorer.

    What I did was add my API user as an owner of the target group and then consent to some permissions. (Since I have no idea which consent I needed to do I just consented to as many things as I thought might be related to this issue and after 3-4 batches of consents it started working. So, alas, I have no idea which combination was the winning set.)

    Question: Will I need to add my API user as owner to ALL my groups and consent to dozens of random permissions in order to allow my API user to add users to groups??? (There has to be a more efficient way than this path.)

    However, I'm still unable to perform this task via my Python script. My Python script is currently able to add/view/remove users and view groups, so I don't think it is an auth token issue.

    ```python
    import requests

    group_id = "blah"
    user_id = "blah"
    url = f"https://graph.microsoft.com/v1.0/groups/{group_id}/members/$ref"  # f-string, so the IDs are substituted
    data = {"@odata.id": f"https://graph.microsoft.com/v1.0/directoryObjects/{user_id}"}
    resp = requests.post(url, headers={"Authorization": f"Bearer {token}"}, json=data)  # token: obtained earlier in the script
    print(resp.content)
    ```

    Response body:

    b'{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-06-30T13:35:53","request-id":"blah","client-request-id":"blah"}}}'

    Note: Using the correct group_id and user_id I literally copy/pasted the url and data values into Graph Explorer to get that to work so I don't think it is a malformed POST query either.


  3. daxm 1 Reputation point
    2022-06-30T19:32:28.11+00:00

    Update: I finally found what I was missing. My API user needed the RoleManagement.ReadWrite.Directory permission.

    As feedback, the 403 error could possibly be better in explaining what is wrong. It's taken me several days to needle out all the missing permissions and the returned error message did little in helping along that path.

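Added example (not code from the thread): a local diagnostic that compares the permissions carried in the Graph access token against what `POST /groups/{id}/members/$ref` needs, and pulls the request-id out of the 403 body so the privilege gap can be narrowed before re-consenting. It assumes Graph's documented requirement of GroupMember.ReadWrite.All (or Group.ReadWrite.All / Directory.ReadWrite.All), plus RoleManagement.ReadWrite.Directory for role-assignable groups, which matches the fix found above; the token is decoded unsigned for inspection only, and the sample token is constructed.

```python
import base64
import json

# Assumption (from Graph docs): any one of these suffices for an ordinary group;
# role-assignable groups additionally require RoleManagement.ReadWrite.Directory.
MEMBER_WRITE_PERMS = {"GroupMember.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"}
ROLE_ASSIGNABLE_PERM = "RoleManagement.ReadWrite.Directory"


def token_permissions(access_token: str) -> set:
    """Permissions present in a Graph access token (payload read without signature
    verification: this is a troubleshooting aid, never an authorization decision)."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    delegated = set(claims.get("scp", "").split())  # delegated scopes, space-separated
    app_roles = set(claims.get("roles", []))        # application permissions
    return delegated | app_roles


def missing_permissions(access_token: str, role_assignable: bool = False) -> list:
    """List what the token lacks for adding a member to the target group."""
    have = token_permissions(access_token)
    missing = []
    if not have & MEMBER_WRITE_PERMS:
        missing.append("one of " + "/".join(sorted(MEMBER_WRITE_PERMS)))
    if role_assignable and ROLE_ASSIGNABLE_PERM not in have:
        missing.append(ROLE_ASSIGNABLE_PERM)
    return missing


def explain_graph_error(body: bytes) -> dict:
    """Fields worth logging from a Graph error body (request-id is what support asks for)."""
    err = json.loads(body)["error"]
    inner = err.get("innerError", {})
    return {"code": err.get("code"), "message": err.get("message"),
            "request_id": inner.get("request-id"), "date": inner.get("date")}


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned header.payload.signature for offline demonstration."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    tok = make_sample_token({"scp": "User.ReadWrite.All Group.Read.All"})  # constructed
    print(missing_permissions(tok, role_assignable=True))
    print(explain_graph_error(b'{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2022-06-30T13:35:53","request-id":"blah","client-request-id":"blah"}}}'))
```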