I have an application in Azure Active Directory.
What permission is required to add this application as an owner of a (M365) group in Azure Active Directory programmatically?
I tried to reproduce the same in my environment and got the results below:
I have an M365 group named Sri Team with properties like below:
I registered one Azure AD application named test-user-app as below:
To add this application as an owner of a (M365) group in Azure Active Directory via Graph API, you need the Group.ReadWrite.All permission.
You can get the Object ID of the above service principal from Enterprise Applications like below:
I ran the query below in Graph Explorer and got a response like this:
POST https://graph.microsoft.com/v1.0/groups/<groupID>/owners/$ref/
{
"@odata.id": "https://graph.microsoft.com/v1.0/serviceprincipals/<objectID>"
}
Response:
I granted consent to the Group.ReadWrite.All permission under Modify permissions before running the query, like this:
When I checked in the Portal, the application was added successfully as an owner of the M365 group, like below:
To do the same from PowerShell, you can make use of the script below:
# Sign in with the permission needed to modify group ownership
Connect-MgGraph -Scopes "Group.ReadWrite.All"
Import-Module Microsoft.Graph.Groups
# Object ID of the M365 group
$groupId = "b70fc9f0-2c7e-4e8a-b4cd-xxxxxxxxxx"
# Replace ObjectID with the service principal's Object ID from Enterprise Applications
$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/serviceprincipals/ObjectID"
}
New-MgGroupOwnerByRef -GroupId $groupId -BodyParameter $params
Response:
UPDATE:
To do the same in a React/TypeScript application, modify your MsGraphApiCall.ts file by changing the Graph API query and including a request body with the POST method, like below:
// Assumed imports, matching the MSAL React sample layout this file comes from
import { msalInstance } from "./index";
import { loginRequest } from "./authConfig";

export async function callMsGraph() {
    const account = msalInstance.getActiveAccount();
    if (!account) {
        throw Error("No active account! Verify a user has been signed in and setActiveAccount has been called.");
    }
    const response = await msalInstance.acquireTokenSilent({
        ...loginRequest,
        account: account
    });
    const headers = new Headers();
    // Replace ObjectID with the service principal's Object ID from Enterprise Applications
    const requestBody = {'@odata.id':'https://graph.microsoft.com/v1.0/serviceprincipals/ObjectID'};
    const bearer = `Bearer ${response.accessToken}`;
    headers.append("Authorization", bearer);
    headers.append("Content-Type", "application/json"); // required when sending a JSON body
    const options = {
        method: "POST",
        headers: headers,
        body: JSON.stringify(requestBody)
    };
    // A successful add returns 204 No Content, so there is no JSON body to parse
    const graphResponse = await fetch("https://graph.microsoft.com/v1.0/groups/<groupID>/owners/$ref/", options);
    if (!graphResponse.ok) {
        throw Error(`Graph request failed: ${graphResponse.status} ${await graphResponse.text()}`);
    }
    return graphResponse.status;
}
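As an added example (not code from the question, the answer or Microsoft's samples), the following TypeScript separates the Graph call described in the answer into a request builder and a response interpreter, so the ID validation, the headers and the 204/403/400 handling can be checked without a tenant. It assumes the Microsoft Graph v1.0 endpoint and the standard Graph error-body shape (`{ error: { code, message } }`); the "already exist" wording for a duplicate owner is the message I have seen Graph return and is treated as an assumption here. The `fetchImpl` parameter and all GUIDs are constructed for the example.

```typescript
// Added example: build and interpret "add owner by reference" for Microsoft Graph.
// Not the original answer's code; the endpoint and error-body shape are assumptions
// about Graph v1.0, and all ids below are constructed sample values.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

interface GraphRequest {
  url: string;
  init: { method: string; headers: Record<string, string>; body: string };
}

type AddOwnerOutcome =
  | { outcome: "added" }
  | { outcome: "already-owner" }
  | { outcome: "forbidden"; code: string; message: string }
  | { outcome: "error"; status: number; code: string; message: string };

// Both ids end up in a URL path and in a JSON body, so refuse anything that is
// not a plain GUID instead of concatenating caller-supplied text into the request.
function assertGuid(value: string, name: string): string {
  if (!GUID_RE.test(value)) {
    throw new Error(`${name} must be a GUID, got ${JSON.stringify(value)}`);
  }
  return value.toLowerCase();
}

function buildAddOwnerRequest(groupId: string, servicePrincipalObjectId: string, accessToken: string): GraphRequest {
  const gid = assertGuid(groupId, "groupId");
  const spid = assertGuid(servicePrincipalObjectId, "servicePrincipalObjectId");
  return {
    url: `https://graph.microsoft.com/v1.0/groups/${gid}/owners/$ref`,
    init: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${accessToken}`,
        "Content-Type": "application/json", // Graph needs this to accept the JSON body
      },
      body: JSON.stringify({
        "@odata.id": `https://graph.microsoft.com/v1.0/servicePrincipals/${spid}`,
      }),
    },
  };
}

// A successful $ref POST is 204 No Content, so the body is only parsed on failure.
function interpretAddOwnerResponse(status: number, bodyText: string): AddOwnerOutcome {
  if (status === 204) return { outcome: "added" };
  let code = "unknown";
  let message = bodyText;
  try {
    const parsed = JSON.parse(bodyText);
    if (parsed?.error) {
      code = String(parsed.error.code ?? code);
      message = String(parsed.error.message ?? "");
    }
  } catch {
    // Non-JSON error body (e.g. a proxy page): keep the raw text for diagnostics
  }
  // 403 means the token does not carry a permission that allows writing owners
  // (the answer above consents Group.ReadWrite.All for this call)
  if (status === 403) return { outcome: "forbidden", code, message };
  // Assumed Graph wording when the principal is already an owner
  if (status === 400 && /already exist/i.test(message)) return { outcome: "already-owner" };
  return { outcome: "error", status, code, message };
}

// Network step is injectable so the logic above can be exercised offline.
type FetchLike = (url: string, init: GraphRequest["init"]) => Promise<{ status: number; text(): Promise<string> }>;

async function addGroupOwner(
  groupId: string,
  servicePrincipalObjectId: string,
  accessToken: string,
  fetchImpl: FetchLike = (globalThis as any).fetch,
): Promise<AddOwnerOutcome> {
  const req = buildAddOwnerRequest(groupId, servicePrincipalObjectId, accessToken);
  const res = await fetchImpl(req.url, req.init);
  return interpretAddOwnerResponse(res.status, await res.text());
}
```

In the browser scenario from the answer, `addGroupOwner(groupId, spObjectId, response.accessToken)` would be called with the token MSAL returned, and the call succeeds only if that token was issued with a permission covering group owners. Keeping the GUID check and the `Content-Type` header in the builder means a malformed or user-influenced id fails locally instead of producing a confusing 400 from Graph, and treating 204 as the success case avoids the empty-body `response.json()` failure.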