
Unable to create new group inside Administrative Unit using Graph API

I intend to create a new group inside an Administrative Unit in AAD programmatically. I will run this under the context of a service principal.

I am facing 2 issues:

  1. Unable to find AddAsync() on Graph SDK version 4.52.0

    await graphClient.Directory.AdministrativeUnits["{administrativeUnit-id}"].Members.Request().AddAsync(newGroupObject);

Error - AddAsync missing error

  2. GroupAdministrator role on AU:

I assigned GroupAdministrator role to my service principal + Directory.Read.All graph API permission, however, I am still not able to create a new group inside AU and it says insufficient privileges.

Endpoint - https://graph.microsoft.com/v1.0/directory/administrativeUnits/40335129-6bd0-4190-a383-a42e3eae09dc/members/

If I assign AdministrativeUnit.ReadWrite.All permission to service principal, I am able to create the group inside AU.

Why is Group Administrator role not working as intended? Am I missing something?

For issue #2, if I assign AdministrativeUnit.ReadWrite.All permission to service principal, I am able to create the group inside AU.

For issue one, let's see the API document; it should be the code below to add a group.

    await graphClient.Directory.AdministrativeUnits["{administrativeUnit-id}"].Members.References
        .Request()
        .AddAsync(directoryObject);

For issue 2, let's see the API permission section: you need group ReadWrite permission and Directory ReadWrite permission to add a group to Administrative Units. That's why you get the insufficient privileges error with Directory.Read.All. You only have Read permission.


Then you mentioned you added the GroupAdministrator role to your service principal. It only allows creating a group, but not adding a group to Administrative Units.
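An added diagnostic, not part of the answer or the Graph SDK: it decodes a service principal's app-only access token and reports which application permissions discussed in this thread are missing from its `roles` claim. The names `Group.ReadWrite.All` and `Directory.ReadWrite.All` are assumed readings of the answer's wording, the sample token is constructed, and the signature is not verified because the script only inspects a token you already hold.

```python
import base64
import json

# Permission sets taken from this thread. The exact Graph names for the
# answer's "group ReadWrite" / "Directory ReadWrite" are assumptions.
SUFFICIENT_SETS = {
    "asker's working setup": {"AdministrativeUnit.ReadWrite.All"},
    "answer's requirement": {"Group.ReadWrite.All", "Directory.ReadWrite.All"},
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(jwt: str) -> set:
    """Return the application permissions carried in the 'roles' claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    roles = claims.get("roles", [])  # absent when no app permission is consented
    if isinstance(roles, str):
        roles = [roles]
    return set(roles)


def missing_permissions(jwt: str) -> dict:
    """Map each permission set to the permissions the token still lacks."""
    granted = token_roles(jwt)
    return {name: sorted(needed - granted)
            for name, needed in SUFFICIENT_SETS.items()}


def make_sample_token(roles: list) -> str:
    """Build a constructed, unsigned token for offline demonstration only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc(header), enc(payload), "constructed-signature"])


if __name__ == "__main__":
    # The asker's original setup: only Directory.Read.All was granted.
    sample = make_sample_token(["Directory.Read.All"])
    for name, missing in missing_permissions(sample).items():
        print(f"{name}: missing {missing or 'nothing'}")
```

A directory role assignment such as Group Administrator is not an application permission, so it does not show up in `roles`; only consented Graph app permissions do.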

