How to create Azure AD group via Graph API and set SP as owner?

Time:09-29

What I want to achieve is using a service principal via the Graph API to create a new AAD group where the creating SP is the owner. My SP has permissions for Group.Create. In my attempt I'm using the Node SDK for the Graph API.

// client is an initialised @microsoft/microsoft-graph-client Client (setup not shown)
client.api("/groups").post({
    displayName: "aad-mgmt-group",
    mailEnabled: false,
    mailNickname: "aad-mgmt-group",
    securityEnabled: true,
    // bind the owner at creation time instead of a separate POST to /groups/{id}/owners/$ref
    "owners@odata.bind": [
        "https://graph.microsoft.com/v1.0/users/<objectID-of-appregistration>"
    ]
}).then((x) => console.log(x))
  .catch((err) => console.error(err));

I receive error:

GraphError: Insufficient privileges to complete the operation.
    at new GraphError (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphError.js:32:28)
    at Function.GraphErrorHandler.constructErrorFromResponse (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:62:22)
    at Function.<anonymous> (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:89:48)
    at step (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:143:27)
    at Object.next (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:124:57)
    at /Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:117:75
    at new Promise (<anonymous>)
    at Object.__awaiter (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:113:16)
    at Function.GraphErrorHandler.getError (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:85:24)
    at GraphRequest.<anonymous> (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphRequest.js:315:84) {
  statusCode: 403,
  code: 'Authorization_RequestDenied',
  requestId: '984562d5-5ebd-483b-b61c-9603bf57aade',
  date: 2021-09-27T07:41:19.000Z,
  body: '{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation.","innerError":{"date":"2021-09-27T09:41:19","request-id":"984562d5-5ebd-483b-171c-9603bf57eade","client-request-id":"23f8c6ce-fdc8-1a66-3403-8650fc884d90"}}'
}

If I change permission and grant Group.ReadWrite.All additionally, I get:

GraphError: Resource '<objectID-of-appregistration>' does not exist or one of its queried reference-property objects are not present.
    at new GraphError (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphError.js:32:28)
    at Function.GraphErrorHandler.constructErrorFromResponse (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:62:22)
    at Function.<anonymous> (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:89:48)
    at step (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:143:27)
    at Object.next (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:124:57)
    at /Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:117:75
    at new Promise (<anonymous>)
    at Object.__awaiter (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/node_modules/tslib/tslib.js:113:16)
    at Function.GraphErrorHandler.getError (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphErrorHandler.js:85:24)
    at GraphRequest.<anonymous> (/Users/x/Development/aad-test/node_modules/@microsoft/microsoft-graph-client/lib/src/GraphRequest.js:315:84) {
  statusCode: 404,
  code: 'Request_ResourceNotFound',
  requestId: 'c9fddfeb-955f-4dd2-8b22-56dcf73f303b',
  date: 2021-09-27T17:00:56.000Z,
  body: `{"code":"Request_ResourceNotFound","message":"Resource 'fd0f22f8-d107-4ab1-adcc-c171fecb4e89' does not exist or one of its queried reference-property objects are not present.","innerError":{"date":"2021-09-27T19:00:56","request-id":"a9fddfeb-955f-4dd2-8b22-43dcf73f303b","client-request-id":"a1a0f14a-82b9-a02b-5f6c-485c4fbb869b"}}`
}

Why does it not work? Is ReadWrite.All necessary to assign an owner during creation? Which object ID is the right one: the Enterprise App's or the App registration's?
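As an added example (not code from the original post), here is the same call written against plain fetch, so the request body and the error handling are visible without the SDK. It assumes the owner is bound under /servicePrincipals/ using the service principal (Enterprise Application) object ID, because group owners must be directory objects such as users or service principals; fetchImpl is injected and the sample ID is constructed.

```javascript
// Graph v1.0 endpoint and a GUID check for object IDs.
const GRAPH = "https://graph.microsoft.com/v1.0";
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Build the POST /groups body. The owner is bound at creation via owners@odata.bind;
// spObjectId is assumed to be the service principal's object ID (Enterprise Application),
// not the app registration's object ID, which is an application object and cannot own a group.
function buildGroupBody(name, spObjectId) {
  if (!GUID.test(spObjectId)) throw new Error("owner must be an object ID (GUID)");
  return {
    displayName: name,
    mailEnabled: false,
    mailNickname: name,
    securityEnabled: true,
    "owners@odata.bind": [`${GRAPH}/servicePrincipals/${spObjectId}`],
  };
}

// Map the two Graph error codes seen in the question to a likely cause.
// Accepts both the raw Graph shape ({error:{code}}) and the SDK-unwrapped shape ({code}).
function explainGraphError(status, body) {
  const code = body && body.error ? body.error.code : body && body.code;
  if (status === 403 && code === "Authorization_RequestDenied")
    return "token lacks an application permission for this call";
  if (status === 404 && code === "Request_ResourceNotFound")
    return "owner reference cannot be resolved (wrong ID or wrong object type)";
  return `unexpected ${status} ${code}`;
}

// Create the group; fetchImpl is injected so the flow can be exercised offline.
async function createGroupWithOwner(fetchImpl, token, name, spObjectId) {
  const res = await fetchImpl(`${GRAPH}/groups`, {
    method: "POST",
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: JSON.stringify(buildGroupBody(name, spObjectId)),
  });
  const json = await res.json();
  if (!res.ok) throw new Error(explainGraphError(res.status, json));
  return json; // the created group object, including its id
}
```

In production pass the real global fetch and a client-credentials token whose application permissions cover group creation.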

CodePudding user response:

Here are a couple of things to try -

  1. Make sure your Azure AD setup is in place. For your registered app, the important part is to grab its Application ID and also to give it enough permissions to create groups.
  2. Also check the same endpoint using Graph Explorer/Postman to isolate the issue from your code.

Thanks.

CodePudding user response:

Add the permissions User.Read.All and User.ReadWrite.All, which allow the service principal to read the user data for the owner.

Example: [screenshot]

Try with this example from this [screenshot].

I tried with this example in Postman and the output is: [screenshot]
