I can successfully create a group in MS Graph. I am trying to update the autoSubscribeNewMembers
property, but when I do I receive an error which states:
"User does not have permissions to execute this action."
Here's the code I'm using:
$groupData = @{
displayName = 'TESTGROUPNAME'
mailNickname = 'TESTGROUPNAME'
description = 'TESTGROUPNAME'
visibility = 'Private'
groupTypes = @('Unified')
mailEnabled = $true
securityEnabled = $true
"resourceBehaviorOptions" = @("WelcomeEmailDisabled")
"owners@odata.bind" = @('https://graph.microsoft.com/beta/users/<USERID>')
}
$newGroup = Invoke-MgGraphRequest `
-Uri 'https://graph.microsoft.com/beta/groups' `
-Body $groupData `
-Method POST
$updatePayload = @{autoSubscribeNewMembers=$true}
$response = Invoke-MgGraphRequest `
-Uri ('https://graph.microsoft.com/v1.0/groups/{0}' -f $newGroup.Id) `
-Method PATCH `
-Body $updatePayload `
-OutputType HttpResponseMessage
At this point I get the error described.
I've confirmed that the app does have the required permissions:
Does anybody have any suggestions how I can make this work? Thank you all for your time.
As mentioned in this MS Document, updating autoSubscribeNewMembers supports only Delegated permissions.
When you use certificate-based authentication while connecting with MS Graph, it uses Application type permissions (app-only access) that won't work for updating autoSubscribeNewMembers.
I registered one Azure AD application and granted similar API permissions as below:
When I ran your code in my environment by connecting to MS Graph with a certificate, the new group was created but updating the autoSubscribeNewMembers property failed with the same error as below:
Connect-MgGraph -TenantId "tenantId" -ClientId "appId" -CertificateThumbprint "xxxxxxxxxxxxxx" -NoWelcome
$groupData = @{
displayName = 'SRITESTGROUP'
mailNickname = 'SRITESTGROUP'
description = 'SRITESTGROUP'
visibility = 'Private'
groupTypes = @('Unified')
mailEnabled = $true
securityEnabled = $true
"resourceBehaviorOptions" = @("WelcomeEmailDisabled")
"owners@odata.bind" = @('https://graph.microsoft.com/beta/users/userId')
}
$newGroup = Invoke-MgGraphRequest `
-Uri 'https://graph.microsoft.com/beta/groups' `
-Body $groupData `
-Method POST
Start-Sleep -Seconds 30
$updatePayload = @{autoSubscribeNewMembers=$true}
$response = Invoke-MgGraphRequest `
-Uri ('https://graph.microsoft.com/v1.0/groups/{0}' -f $newGroup.Id) `
-Method PATCH `
-Body $updatePayload `
-OutputType HttpResponseMessage
Response:
To resolve the error, you need to use an interactive flow to connect with MS Graph that uses Delegated permissions.
In my case, I ran below commands and connected to MS Graph with delegated access as a user:
Disconnect-MgGraph
Connect-MgGraph -Scopes Group.ReadWrite.All
When I ran the code again now, the new group was created and the autoSubscribeNewMembers property was updated successfully as below:
$groupData = @{
displayName = 'TESTGROUPSRI'
mailNickname = 'TESTGROUPSRI'
description = 'TESTGROUPSRI'
visibility = 'Private'
groupTypes = @('Unified')
mailEnabled = $true
securityEnabled = $true
"resourceBehaviorOptions" = @("WelcomeEmailDisabled")
"owners@odata.bind" = @('https://graph.microsoft.com/beta/users/userId')
}
$newGroup = Invoke-MgGraphRequest `
-Uri 'https://graph.microsoft.com/beta/groups' `
-Body $groupData `
-Method POST
Start-Sleep -Seconds 30
$updatePayload = @{autoSubscribeNewMembers=$true}
$response = Invoke-MgGraphRequest `
-Uri ('https://graph.microsoft.com/v1.0/groups/{0}' -f $newGroup.Id) `
-Method PATCH `
-Body $updatePayload `
-OutputType HttpResponseMessage
Response:
To confirm that, I ran the below command, where the autoSubscribeNewMembers property is true like this:
Import-Module Microsoft.Graph.Groups
Get-MgGroup -GroupId $newGroup.Id -Property "displayName,autoSubscribeNewMembers" | Select-Object displayName,autoSubscribeNewMembers
Response:
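Since the failure above comes down to the session type rather than the app's assigned permissions, a practical safeguard is to check the current Graph context before sending the PATCH and to read the property back afterwards. The following is an added example, not code from the question or answer; it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Groups modules are installed and that the group already exists (the function names Assert-DelegatedGraphContext and Set-GroupAutoSubscribe are my own).

```powershell
# Added example: fail fast when the Microsoft Graph session is app-only, because
# autoSubscribeNewMembers can only be updated with delegated (user) permissions.
function Assert-DelegatedGraphContext {
    param([string]$RequiredScope = 'Group.ReadWrite.All')
    $ctx = Get-MgContext
    if (-not $ctx) {
        throw "Not connected. Run Connect-MgGraph -Scopes $RequiredScope first."
    }
    # AuthType is 'AppOnly' for certificate/client-secret sessions, 'Delegated' for user sessions.
    if ($ctx.AuthType -ne 'Delegated') {
        throw "Session AuthType is '$($ctx.AuthType)'. Updating autoSubscribeNewMembers needs a delegated session: Disconnect-MgGraph, then Connect-MgGraph -Scopes $RequiredScope."
    }
    if ($ctx.Scopes -notcontains $RequiredScope) {
        throw "Delegated session lacks '$RequiredScope'. Current scopes: $($ctx.Scopes -join ', ')"
    }
    return $ctx
}

function Set-GroupAutoSubscribe {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [bool]$Enabled = $true
    )
    Assert-DelegatedGraphContext | Out-Null
    try {
        Invoke-MgGraphRequest -Method PATCH `
            -Uri "https://graph.microsoft.com/v1.0/groups/$GroupId" `
            -Body @{ autoSubscribeNewMembers = $Enabled } | Out-Null
    } catch {
        throw "PATCH on group $GroupId failed: $($_.Exception.Message)"
    }
    # Graph only returns autoSubscribeNewMembers when it is explicitly selected,
    # so read it back instead of trusting the empty 204 response alone.
    $group = Get-MgGroup -GroupId $GroupId -Property 'id,displayName,autoSubscribeNewMembers'
    if ($group.AutoSubscribeNewMembers -ne $Enabled) {
        throw "Group $GroupId reports autoSubscribeNewMembers=$($group.AutoSubscribeNewMembers); expected $Enabled."
    }
    return $group
}

# Usage, after Connect-MgGraph -Scopes Group.ReadWrite.All and group creation:
# Set-GroupAutoSubscribe -GroupId $newGroup.Id |
#     Select-Object DisplayName, AutoSubscribeNewMembers
```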