I intend to create a new group inside an Administrative Unit in AAD programmatically. I will run this under the context of a service principal.
I am facing 2 issues:
1. Unable to find AddAsync() on Graph SDK version 4.52.0
await graphClient.Directory.AdministrativeUnits["{administrativeUnit-id}"].Members.Request().AddAsync(newGroupObject);
Error -
2. I assigned GroupAdministrator role to my service principal + Directory.Read.All graph API permission, however, I am still not able to create a new group inside AU and it says insufficient privileges.
Endpoint - https://graph.microsoft.com/v1.0/directory/administrativeUnits/40335129-6bd0-4190-a383-a42e3eae09dc/members/
If I assign AdministrativeUnit.ReadWrite.All permission to service principal, I am able to create the group inside AU.
Why is Group Administrator role not working as intended? Am I missing something?
For issue # 2, if I assign AdministrativeUnit.ReadWrite.All permission to service principal, I am able to create the group inside AU.
For issue one, let's see the API document; it should be the code below to add the group.
await graphClient.Directory.AdministrativeUnits["{administrativeUnit-id}"].Members.References
.Request()
.AddAsync(directoryObject);
For issue 2, let's see the API permission section: you need Group ReadWrite permission and Directory ReadWrite permission to add a group to Administrative Units. That's why you get the insufficient privileges error with Directory.Read.All. You only have Read permission.
Then you mentioned you added the GroupAdministrator role to your service principal. It only allows creating a group, but not adding a group to Administrative Units.
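An added diagnostic, not part of the original question or answer: a standalone Python script that reads the `roles` claim of the service principal's app-only Graph token and reports which of the permissions discussed above are still missing. The function names and the sample token are constructed for this example, and mapping the answer's "Group ReadWrite" and "Directory ReadWrite" to `Group.ReadWrite.All` and `Directory.ReadWrite.All` is an assumption.

```python
import base64
import json

# Permission sets taken from this page, not from Microsoft's documentation:
# the asker reports AdministrativeUnit.ReadWrite.All works; the answer names
# Group and Directory ReadWrite (assumed here to mean the *.ReadWrite.All
# application permissions).
SUFFICIENT_SETS = [
    {"AdministrativeUnit.ReadWrite.All"},
    {"Group.ReadWrite.All", "Directory.ReadWrite.All"},
]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_app_roles(jwt: str) -> set:
    """Return the application permissions in an app-only token's `roles` claim.

    Diagnostic only: the signature is NOT verified, so never use this to
    make an authorization decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    claims = json.loads(_b64url_decode(parts[1]))
    roles = claims.get("roles", [])  # absent when no app permission is consented
    if isinstance(roles, str):
        roles = [roles]
    return set(roles)


def missing_for_au_group(jwt: str) -> list:
    """Empty list if one sufficient set is fully granted; otherwise the
    permissions still missing from each set, in SUFFICIENT_SETS order."""
    granted = token_app_roles(jwt)
    gaps = [sorted(s - granted) for s in SUFFICIENT_SETS]
    return [] if any(not g for g in gaps) else gaps


def make_sample_token(roles: list) -> str:
    """Constructed, unsigned sample token so the check can run offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    body = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(body), "sig"])
```

Application permissions granted after a token was issued only appear in a newly acquired token, so re-acquire the token before re-running the check.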