Pricey

Reputation: 538

Programmatically Add users to group in AzureAD as group owner

Is there an API for AzureAD which allows group owners to add users to their owned groups?

Using the Graph APIs looks to require admin consent (granting admin permissions) and so provides access to more than the user's owned groups. I don't want to grant this.

I also don't want to use delegated access - an admin shouldn't need to be present for a group owner (perhaps a service principal?) to add users to their own group?

Upvotes: 1

Views: 1231

Answers (2)

Jack Jia

Reputation: 5549

I have some interesting findings.

A) If you set a service principal as the owner of a group, and want to manage the group with the service principal, you have to add and grant necessary permission for Azure AD Graph API.

B) If you set a user as the owner of a group, then you can use the public client (1b730954-1685-4b74-9bfd-dac224a7b894) and user credentials to acquire a token, and then call the AAD graph API as the user to manage the group.

Here, I use PowerShell to make HTTP requests. You can use other programming languages.

# Get token for Azure AD Graph (resource https://graph.windows.net) with the
# resource-owner password grant: the user's own credentials go to the token
# endpoint, so every call below runs with that user's (group owner's) rights.
# This grant does not work for accounts that require MFA.
$uri = "https://login.microsoftonline.com/{tenant_name_or_id, for example: hanxia.onmicrosoft.com}/oauth2/token"
$body = @{grant_type='password';resource='https://graph.windows.net';client_id='1b730954-1685-4b74-9bfd-dac224a7b894';username='[email protected]';password='a*******7'}
$result = Invoke-RestMethod -Method Post -Uri $uri -Body $body
$accessToken = $result.access_token
$authHeader = @{ "Authorization" = "Bearer " + $accessToken }

# Azure AD Graph. Get group information
$tenantId = "e4c9ab4e-bd27-40d5-8459-230ba2a757fb"
$groupId = "f37d06f2-e26f-45f9-b9b1-da13d0b79ea7"
$apiVersion = "1.6"
$groupUri = "https://graph.windows.net/$tenantId/groups/$groupId"
# `$links/members is the group's members navigation link; the backtick stops
# PowerShell from expanding $links as a variable.
$membersUri = "$groupUri/`$links/members?api-version=$apiVersion"

$result = Invoke-WebRequest -Method Get -Uri "${groupUri}?api-version=$apiVersion" -Headers $authHeader
$result.Content | ConvertFrom-Json | ConvertTo-Json

# Azure AD Graph. Get users in group
$result = Invoke-WebRequest -Method Get -Uri $membersUri -Headers $authHeader
$result.Content | ConvertFrom-Json | ConvertTo-Json

# Azure AD Graph. Add user to group: POST a link to the user's directoryObject.
# A 204 No Content response means the member was added.
$userObject = @{"url" = "https://graph.windows.net/$tenantId/directoryObjects/3f43b292-adac-48f9-a623-ee76ca9c7174"} | ConvertTo-Json
$result = Invoke-WebRequest -Method Post -Uri $membersUri `
                            -Headers $authHeader -ContentType "application/json" `
                            -Body $userObject
if($result.StatusCode -eq 204){ Write-Host "User added" }

Note:

  1. 1b730954-1685-4b74-9bfd-dac224a7b894 is a common application from Microsoft for every tenant.

  2. API Reference: Operations on groups | AAD Graph API reference

Upvotes: 2
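The same exchange as the PowerShell above, written in Python as an added example (this is not code from the answer or from Microsoft). The HTTP layer is injectable: `UrllibTransport` is the only part that talks to the network, while `FakeTransport` is a constructed stand-in for the token endpoint and Azure AD Graph that lets the request shapes (ROPC form body, `$links/members` URL, `{"url": ...directoryObjects/<id>}` link body, 204 on success) be exercised offline. The tenant, group and user ids, the user name and the fake responses are all constructed placeholders.

```python
"""Azure AD Graph group-owner flow with a pluggable HTTP transport (example code)."""
import json
from urllib import error, parse, request

GRAPH = "https://graph.windows.net"
PUBLIC_CLIENT_ID = "1b730954-1685-4b74-9bfd-dac224a7b894"  # well-known Microsoft public client from the answer


class UrllibTransport:
    """Real HTTP. send() returns (status, body_text); used only when run against a tenant."""
    def send(self, method, url, headers, body):
        req = request.Request(url, data=body, headers=headers, method=method)
        try:
            with request.urlopen(req) as resp:
                return resp.status, resp.read().decode()
        except error.HTTPError as e:
            return e.code, e.read().decode()


class FakeTransport:
    """Constructed stand-in for the token endpoint and AAD Graph so the flow runs offline."""
    def __init__(self):
        self.calls = []  # (method, url, headers, body), kept for inspection

    def send(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url.endswith("/oauth2/token"):
            return 200, json.dumps({"access_token": "constructed-token", "token_type": "Bearer"})
        if "/$links/members" in url:
            if method == "POST":
                return 204, ""  # AAD Graph answers a successfully added link with 204 No Content
            return 200, json.dumps({"value": [{"url": f"{GRAPH}/t/directoryObjects/existing-member"}]})
        group_id = url.rsplit("/", 1)[-1].split("?")[0]
        return 200, json.dumps({"objectId": group_id, "displayName": "constructed group"})


def get_token_ropc(transport, tenant, username, password):
    """Resource-owner password grant on the v1 endpoint, as in the answer. The user's
    password travels to the token endpoint, the grant does not work for MFA-protected
    accounts, and the token carries only that user's rights (here: group owner)."""
    form = parse.urlencode({"grant_type": "password", "resource": GRAPH,
                            "client_id": PUBLIC_CLIENT_ID,
                            "username": username, "password": password}).encode()
    status, body = transport.send("POST", f"https://login.microsoftonline.com/{tenant}/oauth2/token",
                                  {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body}")
    return json.loads(body)["access_token"]


class GroupClient:
    def __init__(self, transport, token, tenant_id, api_version="1.6"):
        self.t, self.tenant_id, self.api_version = transport, tenant_id, api_version
        self.auth = {"Authorization": f"Bearer {token}"}

    def _url(self, path):
        return f"{GRAPH}/{self.tenant_id}/{path}?api-version={self.api_version}"

    def get_group(self, group_id):
        status, body = self.t.send("GET", self._url(f"groups/{group_id}"), self.auth, None)
        return json.loads(body) if status == 200 else None

    def list_member_links(self, group_id):
        status, body = self.t.send("GET", self._url(f"groups/{group_id}/$links/members"), self.auth, None)
        return [m["url"] for m in json.loads(body)["value"]] if status == 200 else []

    def add_member(self, group_id, user_object_id):
        """POST a link to the user's directoryObject; True only on 204."""
        link = json.dumps({"url": f"{GRAPH}/{self.tenant_id}/directoryObjects/{user_object_id}"}).encode()
        status, _ = self.t.send("POST", self._url(f"groups/{group_id}/$links/members"),
                                {**self.auth, "Content-Type": "application/json"}, link)
        return status == 204


def demo(transport=None):
    """Run the whole flow. Without an argument it uses the fake transport and constructed ids."""
    transport = transport or FakeTransport()
    token = get_token_ropc(transport, "contoso.onmicrosoft.com",
                           "owner@contoso.onmicrosoft.com", "placeholder-password")  # constructed
    client = GroupClient(transport, token, "00000000-0000-0000-0000-000000000001")
    group_id = "11111111-1111-1111-1111-111111111111"
    return {"added": client.add_member(group_id, "22222222-2222-2222-2222-222222222222"),
            "group": client.get_group(group_id),
            "members": client.list_member_links(group_id),
            "transport": transport}


if __name__ == "__main__":
    out = demo()
    print("added:", out["added"], "group:", out["group"]["displayName"], "members:", out["members"])
```

To run it against a real tenant, pass `UrllibTransport()` to `demo()` and substitute your own tenant, ids and credentials; the fake transport only reproduces the status codes and bodies the answer's calls expect.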

juunas

Reputation: 58898

The reason that consent is needed is that while the group owner has rights to add users to a group, an app by default does not. The delegated permissions give the app rights to modify groups on behalf of the user, depending on the user's rights as well. It's usually the better approach. App permissions give the app itself permissions to act without a user, which is often too much but has its use cases.

You need to grant the delegated permission at least to the app so it can do the modification on behalf of the user.

Upvotes: -1
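The delegated-versus-application distinction this answer describes is visible in the access token itself: a delegated token carries an `scp` claim (space-separated scopes) and identifies the signed-in user (`upn`, `oid`), while an app-only token carries a `roles` claim and no user (newer tokens also set `idtyp` to `app`). The following is an added example, not code from the answer, that decodes a token's payload and reports which kind it is and whether it carries a permission that can change group membership. The sample tokens are constructed and unsigned; the permission names are the real Azure AD Graph and Microsoft Graph ones, and the placeholder ids are not from any tenant.

```python
"""Classify an Azure AD access token as delegated or app-only from its claims (example code)."""
import base64
import json

# Permissions that allow group membership changes. Azure AD Graph exposes the delegated
# Directory.AccessAsUser.All; Microsoft Graph has Group.ReadWrite.All and
# GroupMember.ReadWrite.All as both delegated scopes and application roles.
GROUP_WRITE_PERMISSIONS = {"Directory.AccessAsUser.All", "Directory.ReadWrite.All",
                           "Group.ReadWrite.All", "GroupMember.ReadWrite.All"}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def decode_claims(token):
    """Return the payload claims of a token you already hold. No signature check is done
    here: a resource that accepts tokens must verify signature, issuer, audience and
    expiry before trusting any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def token_kind(claims):
    """'delegated' when the token acts on behalf of a user, 'application' when the app acts alone."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims or claims.get("idtyp") == "app":
        return "application"
    return "unknown"


def granted_permissions(claims):
    scopes = set(claims.get("scp", "").split())   # delegated permissions
    roles = set(claims.get("roles", []))           # application permissions
    return scopes | roles


def can_change_group_membership(claims):
    """True only if the token carries a permission that can modify group membership.
    For a delegated token the call is still bounded by the signed-in user's own rights
    (a group owner can change only the groups they own); an app-only token is not."""
    return bool(granted_permissions(claims) & GROUP_WRITE_PERMISSIONS)


def make_unsigned_token(claims):
    """Constructed token for demonstration only; real tokens are signed by Azure AD."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed claim sets shaped like Azure AD access tokens (placeholder ids).
DELEGATED = make_unsigned_token({
    "aud": "https://graph.windows.net", "iss": "https://sts.windows.net/<tenant-id>/",
    "appid": "1b730954-1685-4b74-9bfd-dac224a7b894", "upn": "owner@example.test",
    "oid": "<user-object-id>", "scp": "Directory.AccessAsUser.All User.Read",
})
APP_ONLY = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "iss": "https://sts.windows.net/<tenant-id>/",
    "appid": "<app-id>", "idtyp": "app", "roles": ["Group.ReadWrite.All"],
})
USER_READ_ONLY = make_unsigned_token({
    "aud": "https://graph.microsoft.com", "upn": "owner@example.test", "scp": "User.Read",
})


if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED), ("app-only", APP_ONLY), ("read-only", USER_READ_ONLY)]:
        c = decode_claims(tok)
        print(f"{name}: kind={token_kind(c)} user={c.get('upn', '-')} "
              f"can_change_membership={can_change_group_membership(c)}")
```

The check is useful on the client side before attempting a write, and as a review aid when deciding what an app was granted: a token with `roles` but no `upn` will succeed on every group in the tenant, which is the "too much" case the answer refers to.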
