msgraph-sdk-powershell
New-MgGroupMember fails with "Insufficient privileges to complete the operation"
Referencing this post that I just noticed is closed so opening a new issue: https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1052
I am also experiencing an issue with this PowerShell Graph API with other PowerShell Graph APIs working. Turning on Azure AD Graph permissions is now disabled for service principals, so with this not working it appears there is no way to add users and devices to groups via PowerShell (i.e. the Az.Resources and AzureAD modules aren't useful in my use case given that I can no longer grant permission to use them).
Example below with lots of permissions added for testing:
PS C:\Windows\system32> (Get-MgContext).Scopes
DeviceManagementServiceConfig.ReadWrite.All
Device.Read.All
Device.ReadWrite.All
Group.Read.All
Directory.ReadWrite.All
Group.ReadWrite.All
Directory.Read.All
GroupMember.Read.All
RoleManagement.ReadWrite.Directory
GroupMember.ReadWrite.All
PS C:\Windows\system32> New-MgGroupMember -GroupId $az_group.id -DirectoryObjectId $aad_dev.Id
New-MgGroupMember : Insufficient privileges to complete the operation.
Edit:
For context these are application permissions, not delegated.
I didn't see anything else in the documentation about what I might be missing here. Is this a PowerShell Graph API issue or something I'm missing?
Based on the documentation here (https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http) for the API it looks like the required permissions are: GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All, and RoleManagement.ReadWrite.Directory. As you can see the Application service principal has been granted the relevant permissions but still an issue unfortunately.
Thanks!
I also am having this issue.
Thanks for following up on this.
As this repository is intended for issues related to the functionality of the SDK, we may not be the best placed to answer some queries that are tied to the functionality of the API.
Please open a question/ticket at https://developer.microsoft.com/en-us/graph/support to get an answer from the API owners since you have all the permissions needed to add a member to the group. As pointed out in comment https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/1052#issuecomment-1191452261, the issue also affects regular REST calls to the API.
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
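Added example, not part of the original thread and not the SDK project's own code: a way to check the session against the four permissions the issue lists and to repeat the membership add as a raw REST call, which separates a cmdlet problem from an API-side refusal. The two object IDs are placeholders, and the script assumes `Connect-MgGraph` has already been run in the session.

```powershell
# Added example. Placeholder IDs: replace with your own object IDs.
$GroupId  = '<group-object-id>'
$MemberId = '<directory-object-id>'

# Permissions the issue lists from the group-post-members documentation.
$listed = 'GroupMember.ReadWrite.All', 'Group.ReadWrite.All',
          'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

$ctx = Get-MgContext
if (-not $ctx) { throw 'No Graph session found. Run Connect-MgGraph first.' }

# AuthType distinguishes an app-only session from a delegated one.
"AuthType: $($ctx.AuthType)"
foreach ($p in $listed) {
    $state = if ($ctx.Scopes -contains $p) { 'present' } else { 'MISSING' }
    '{0,-40} {1}' -f $p, $state
}

# The same operation New-MgGroupMember performs, sent as a raw REST call.
# The backtick keeps PowerShell from expanding $ref as a variable.
$uri  = "https://graph.microsoft.com/v1.0/groups/$GroupId/members/`$ref"
$body = @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$MemberId"
} | ConvertTo-Json

try {
    Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'
    'REST call succeeded: the failure is specific to the cmdlet.'
}
catch {
    # A failure here as well means the API is refusing the request, not the SDK.
    'REST call failed as well: the refusal comes from the API.'
    "Exception: $($_.Exception.Message)"
    if ($_.ErrorDetails -and $_.ErrorDetails.Message) {
        # Full error body returned by Graph; keep it for the support ticket.
        "Error body: $($_.ErrorDetails.Message)"
    }
}
```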