msgraph-sdk-powershell
New-MgGroup : The requesting principal is not authorized to set group preferred data location
Hi, I'm using version 2.11.1 of the Microsoft Graph PowerShell SDK and I'd like to create a Microsoft 365 group (unified group) using the cmdlet New-MgGroup with Application Permissions to create the group within a Preferred Data Location (PDL).
The Graph API documentation of 'Create group' does mention 'Directory.ReadWrite.All' as a 'Higher privileged permissions', but not when that permission might be required.
If I include the property 'preferredDataLocation' with a known value (e.g. 'DEU') in the body of the request, the creation of the group is successful - if the Application Permissions include 'Directory.ReadWrite.All'. But if the Application Permissions instead include 'Directory.Read.All', the response is 403 (Forbidden) with the following error:
New-MgGroup : The requesting principal is not authorized to set group preferred data location.
This is confusing, since the property 'preferredDataLocation' is set to a known value - so why are 'Directory.Read.All' Application Permissions apparently not sufficient? Besides that, Application Permissions are usually not granted easily, but need to be justified; so how come 'Directory.Read.All' is sufficient when no 'preferredDataLocation' is provided, but not if 'preferredDataLocation' is provided?
Hi @MSFT-klpinhac,
I see in the API docs: https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0
By default, the group inherits the group creator's preferred data location. To set this property, the calling app must be granted the Directory.ReadWrite.All permission and the user be assigned at least one of the following Microsoft Entra roles: User Account Administrator, Directory Writer, Exchange Administrator, SharePoint Administrator
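A pre-flight check for the requirement quoted above, as an added example that is not part of the original thread or the SDK's own code: it refuses to send 'preferredDataLocation' unless the current session was granted 'Directory.ReadWrite.All', so the caller gets a clear local error instead of the 403. The function name and its parameters are hypothetical, and the check assumes that Get-MgContext lists the granted application permissions in its Scopes property for app-only sessions.

```powershell
# Added example (hypothetical helper, not from the thread or the SDK).
# Assumption: for app-only sessions, (Get-MgContext).Scopes lists the granted
# application permissions.
function New-UnifiedGroupWithPdl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        # e.g. 'DEU'; omit to leave the property out of the request
        [string] $PreferredDataLocation
    )

    $context = Get-MgContext
    if (-not $context) {
        throw 'No Graph session found. Run Connect-MgGraph first.'
    }

    # Request body for a Microsoft 365 (unified) group
    $body = @{
        displayName     = $DisplayName
        mailNickname    = $MailNickname
        mailEnabled     = $true
        securityEnabled = $false
        groupTypes      = @('Unified')
    }

    if ($PreferredDataLocation) {
        # The documentation quoted above requires Directory.ReadWrite.All
        # to set this property; fail locally before the API returns 403.
        if ($context.Scopes -notcontains 'Directory.ReadWrite.All') {
            throw ("preferredDataLocation '$PreferredDataLocation' was requested, " +
                   "but this session lacks Directory.ReadWrite.All. " +
                   "Granted: $($context.Scopes -join ', ')")
        }
        $body.preferredDataLocation = $PreferredDataLocation
    }

    New-MgGroup -BodyParameter $body
}

# Constructed sample call:
# New-UnifiedGroupWithPdl -DisplayName 'Example Team' -MailNickname 'example-team' -PreferredDataLocation 'DEU'
```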
Thanks, that helps if the group is created by a person. In this case, the group is created using Application Permissions, though; how / where can a preferred data location be set for Application Permissions?
@MSFT-klpinhac I think your issue will be best resolved/answered by the API owner. Kindly raise an issue here https://developer.microsoft.com/en-us/graph/support so that the API owner can respond to it.