I can delete and update Groups using the MS Graph API just fine. But when I try to remove one, I'm consistently getting this:
Authorization_RequestDenied - Insufficient privileges to complete the operation
Looking through the MS documentation, they say in an app-only scenario, I need this:
For app-only scenarios, the calling app must be the owner of the group or be assigned the RoleManagement.ReadWrite.Directory application permission or be assigned the Global Administrator or Privileged Role Administrator Azure AD role.
So, I assigned the RoleManagement.ReadWrite.Directory permission to my app registration, and granted admin consent. Waited 1 Microsoft, then tried again only to get the same error. Sure, I could just make my app Global Admin, but that ain't going to fly anywhere but on a dev environment. (Note: I also have Group.ReadWrite.All; I'm using it to create and update groups.)
So, what am I missing here? I'm open to trying to set my app registration as owner... but the owner examples in the documentation only mention users...
I created one role-assignable group named RAgroup like below:
Now, I registered one Azure AD application and granted the below API permissions:
I generated an access token using the client credentials flow via Postman with the below parameters:
POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
grant_type: client_credentials
client_id: appID
client_secret: secret
scope: https://graph.microsoft.com/.default
Response:
When I ran the below Graph query to delete that group, I got the same error as you:
DELETE https://graph.microsoft.com/v1.0/groups/<groupID>
Response:
Note that the Group.ReadWrite.All permission is required to delete groups. But if the group is role-assignable, an additional permission is required, as mentioned in this MS Doc.
To resolve the error, I assigned the application as owner of the group like below:
After assigning the application as group owner, it will be displayed like this after a few minutes:
When I ran the below Graph query after generating the token again, I got the below response:
DELETE https://graph.microsoft.com/v1.0/groups/<groupID>
Response:
To confirm that, I checked the same in the Portal by refreshing the page, where the group was deleted successfully, like below:
In my case, assigning the RoleManagement.ReadWrite.Directory permission of Application type also worked.
After adding the above permission, generate the token again and decode it by pasting it into jwt.ms to check the permissions:
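The following script is an added example and is not code from the asker or the answerer. It pulls together the procedure described in the question and in the answer above: request an app-only token with the client credentials flow, decode the token payload the way jwt.ms does to see which application permissions landed in the `roles` claim, and then apply the rule quoted from the Microsoft documentation (Group.ReadWrite.All always, plus ownership or RoleManagement.ReadWrite.Directory when the group is role-assignable) before issuing the DELETE. The tenant ID, app ID, secret, group ID and service principal object ID are placeholders, `build_sample_token` produces a constructed, unsigned token for offline demonstration only, and only the standard library is used.

```python
"""Added example: explain an Authorization_RequestDenied on DELETE /groups/{id}
before it happens, using the checks discussed in the question and answer."""
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Placeholders: take these from your own app registration (not real values).
TENANT_ID = "<tenantID>"
CLIENT_ID = "<appID>"
CLIENT_SECRET = "<secret>"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client credentials flow with the same parameters the answer sends from Postman."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims, as jwt.ms displays them. The signature is NOT
    verified: this is for inspecting a token you just obtained, not for accepting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def app_roles(token: str) -> set:
    """Application permissions granted with admin consent show up in the 'roles' claim."""
    return set(decode_jwt_payload(token).get("roles", []))


def can_delete_group(roles, is_role_assignable: bool, app_is_owner: bool):
    """Apply the documented app-only rule: Group.ReadWrite.All is always required;
    a role-assignable group additionally needs ownership or
    RoleManagement.ReadWrite.Directory (directory roles are not checked here)."""
    if "Group.ReadWrite.All" not in roles:
        return False, "token lacks Group.ReadWrite.All"
    if is_role_assignable and not (app_is_owner or "RoleManagement.ReadWrite.Directory" in roles):
        return False, ("group is role-assignable: app must own it or hold "
                       "RoleManagement.ReadWrite.Directory")
    return True, "ok"


def _graph(token: str, method: str, path: str):
    req = urllib.request.Request(GRAPH + path, method=method,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return None if resp.status == 204 else json.load(resp)


def check_and_delete(token: str, group_id: str, app_sp_object_id: str, delete: bool = False):
    """Look up isAssignableToRole and the owners list, decide, and only then DELETE."""
    group = _graph(token, "GET", f"/groups/{group_id}?$select=id,isAssignableToRole")
    owners = _graph(token, "GET", f"/groups/{group_id}/owners?$select=id")["value"]
    is_owner = any(o.get("id") == app_sp_object_id for o in owners)
    ok, why = can_delete_group(app_roles(token), bool(group.get("isAssignableToRole")), is_owner)
    if ok and delete:
        _graph(token, "DELETE", f"/groups/{group_id}")  # 204 No Content on success
    return ok, why


def build_sample_token(claims: dict) -> str:
    """Constructed, unsigned token (alg none, empty signature) for offline demos only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


if __name__ == "__main__":
    # Offline walk-through with a constructed token holding only Group.ReadWrite.All.
    sample = build_sample_token({"roles": ["Group.ReadWrite.All"]})
    print("roles in token:", sorted(app_roles(sample)))
    print("ordinary group:", can_delete_group(app_roles(sample), False, False))
    print("role-assignable, not owner:", can_delete_group(app_roles(sample), True, False))
    print("role-assignable, owner:", can_delete_group(app_roles(sample), True, True))
    # Against a real tenant: token = get_app_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    # then check_and_delete(token, "<groupID>", "<servicePrincipalObjectID>", delete=True)
```

The owner check compares against the service principal's object ID (the Enterprise Application object), not the app (client) ID, which is the value that appears in the group's owners list once the assignment the answer shows has propagated.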