我的应用需要哪些权限才能将用户添加到群组？

Question

Scenario: admin user in the app (is in a particular group on AD) adds a new record to the app's database for a new service provider. This process sends an invitation to the email address of the person added and [should] adds that new guest user to a particular set of groups on the AD related to their function on the app and their geographic location.

So far pretty much everything gets done just fine, but when it gets to adding the new guest user to the groups, I get the following error:

Microsoft.Graph.ServiceException: 'Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.
    Inner error:
    AdditionalData:
        date: 2021-12-13T10:50:05
        request-id: <redacted>
        client-request-id: <redacted>
ClientRequestId: <redacted>'

I've got the following permissions granted with admin consent:

• AdministrativeUnit.ReadWrite.All (Application)
• Directory.AccessAsUser.All (Delegated)
• Directory.ReadWrite.All (Application)
• Group.ReadWrite.All (Application)
• GroupMember.Read.All (Delegated)
• GroupMember.ReadWrite.All (Application)
• PrivilegedAccess.ReadWrite.AzureADGroup (Application)
• User.Invite.All (Application)
• User.ManageIdentities.All (Application)
• User.Read (Delegated)
• User.Read.All (Application)
• User.ReadWrite.All (Application)

Here's my code - I've removed sensitive info:

private async Task CreateUserInvitationAsync()
{
    // Send the invitation.
    var invitation = new Invitation
    {
        InvitedUserEmailAddress = Provider.Email,
        InviteRedirectUrl = $"{Request.Scheme}://{Request.Host}{this.Request.PathBase}/",
        SendInvitationMessage = true,
        InvitedUserType = "Guest"
    };
    var result = await graphClient.Invitations
        .Request()
        .AddAsync(invitation);

    // Update the provider to associate the Provider record with the new user id.
    var userId = result.InvitedUser.Id;
    var provider = await context.Providers.FindAsync(Provider.Id);
    provider.UserId = userId;

    // Add the user to groups so that role applications happen as necessary.
    var directoryObject = new DirectoryObject
    {
        Id = userId
    };

    string region = provider.Region switch
    {
        Region.Cpt => config["redacted"],
        Region.Dbn => config["redacted"],
        _ => config["redacted"]
    };

    var groups = new List<string>
    {
        region,
        config["redacted"]
    };

    foreach (var group in groups)
    {
        await graphClient.Groups[group].Members.References
            .Request()
            .AddAsync(directoryObject);
    }
}

Having built this initially with delegated permissions as indicated on the MS Docs page below, I updated my permissions more in line with another app (developed by someone else) on our Azure which works but neither the permissions set above nor the one indicated in the link below work - the error persists in both cases.

https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http

So what permissions am I missing?

Answer 1

TL;DR set GroupMember.ReadWrite.All as an Application permission on your app and then add the app to the group where you're assigning members.

---

It isn't a permissions issue.

By the time I found this solution, I'd added GroupMember.ReadWrite.All as an Application permission to the app and granted consent by an admin but the error persisted.

Note the permission description for GroupMember.ReadWrite.All :

Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted.

Of particular interest "of the groups this app has access to" .

My understanding of this turned out to be correct in that the app needed to be a member of the group in question so that it could add users to the group.