Reputation: 1149
I'm trying to send a fresh user an Azure AD invite and then add them to a specific security group using the Microsoft Graph API.
The invitation sends perfectly and in the response body, I get the ID of the new user. When I try to add that user to the security group, though, I get the following 403 error message:
Insufficient privileges to complete the operation
I should have the correct API Permissions granted for the app because I have Group.ReadWrite.All set from the Azure portal.
According to this, I should be able to add the invited user to the group without issue but I'm worried that maybe a guest user would be considered a "personal Microsoft account" and adding them to the group from the Graph API is unsupported:
Here's my request:
POST /v1.0/groups/dXXXXXXX-cXXX-4XXX-9XXX-7XXXXXXXXXXX/members/$ref HTTP/1.1
Authorization: Bearer {my token}
Content-Length: 102
Host: graph.microsoft.com
Content-Type: application/json
{"@odata.id":"https://graph.microsoft.com/v1.0/directoryObjects/9XXXXXXX-9XXX-4XXX-9XXX-9XXXXXXXXXXX"}
How do I add a freshly invited guest to a group?
Update:
I'm getting the same insufficient privileges error when using the API to put a user from my tenant into the group so it looks like the issue isn't specific to guest users.
Update 2:
As requested, here's the full token request:
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Content-Length: 979
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&client_id={clientID}&scope=user.read%20email%20openid%20profile%20offline_access&code={code}&redirect_uri={mywebsite}&client_secret={secret}
Update 3:
Screenshot of my permissions:
And the scope from my decoded access_token:
"scp": "Directory.AccessAsUser.All Directory.ReadWrite.All email Group.Read.All
Group.ReadWrite.All openid profile User.Invite.All User.Read User.ReadWrite
User.ReadWrite.All"
Upvotes: 2
Views: 2549
Reputation: 22533
As per my understanding, first you need to invite your guest user
like below:
Request Url: https://graph.microsoft.com/v1.0/invitations
Method Type: POST
Body Format:
{
"invitedUserEmailAddress": "[email protected]",
"inviteRedirectUrl": "https://myapp.com",
"userType":"member"
}
Permission Required: Dedicated User.Invite.All
Post Man Example:
Once you have successfully added it, you then have to add that user to a group like below:
Add Guest User To Group:
Request Url: https://graph.microsoft.com/v1.0/groups/b4699e9c_GroupId_cee27b53/members/$ref
Method Type: POST
Body Format:
{
"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/Guest_User_Id"
}
Permission Required: Dedicated Directory.ReadWrite.All
Post Man Example:
Note: Would you kindly add the User.Invite.All
and also Directory.ReadWrite.All
permissions and try again. I have successfully done all the steps and got success.
Point To Remember:
Once you have Directory.ReadWrite.All
you need not add Group.ReadWrite.All
separately.
Update
Make sure you have clicked the Grant Admin Consent
button after adding the permission.
See the screenshot below:
Update 2: As Per Authorization Code Flow
Since you are using the authorization code grant, you need to add the dedicated permission on the Azure portal. Then try to get an authorization code
like below:
Get Authorization Code:
https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id={ClientId}&response_type=code&redirect_uri={redirectURI}&response_mode=query&scope=https://graph.microsoft.com/.default
Request Token oauth2/V2.0/token:
Request URL: https://login.microsoftonline.com/common/oauth2/V2.0/token
Or https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/V2.0/token
Method: POST
Request Body Format
client_id:Your_Client_Id
scope:https://graph.microsoft.com/.default
redirect_uri:Your_Portal_Redirect_URI
grant_type:authorization_code
client_secret:Your_Client_Secret
code: Paste Code Here
Decode Token:
You could decode your token on https://jwt.io/
Your permissions should look like this:
Upvotes: 3
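The check a practitioner would want before debugging a 403 on either call: decode your own access token (what jwt.io does, without verifying the signature) and confirm that its audience is Microsoft Graph and that its scp claim contains one of the delegated permissions the answer names for that call, then build the invitation, add-member and .default token requests exactly as shown above. This is an added example, not code from the questioner or the answerer; the required-permission sets are taken from this thread, the Graph application id used for the audience check is the well-known value, and the sample tokens are constructed and unsigned so the script runs offline.

```python
"""Inspect a Graph access token and build the invite / add-member / token
requests discussed on this page.  Added example; not the poster's code."""
import base64
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
# The "aud" claim of a token issued for Microsoft Graph is Graph's well-known
# application id (v2 tokens) or the resource URL (v1 tokens).
GRAPH_AUDIENCES = {"00000003-0000-0000-c000-000000000000",
                   "https://graph.microsoft.com"}
# Delegated permissions named on this page for each call (any one suffices).
REQUIRED = {
    "invitation": {"User.Invite.All"},
    "add_member": {"Group.ReadWrite.All", "Directory.ReadWrite.All"},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.
    Good for looking at your own token's scp/aud; never use this to trust
    a token presented by someone else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_problems(claims: dict, call: str) -> list:
    """List reasons this token cannot succeed for `call`; empty means OK."""
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    # scp is a space-separated string; split() also copes with line breaks.
    granted = set(claims.get("scp", "").split())
    if not granted & REQUIRED[call]:
        problems.append(f"{call} needs one of {sorted(REQUIRED[call])}, "
                        f"token only has {sorted(granted)}")
    return problems


def build_invitation(email: str, redirect_url: str) -> dict:
    return {"method": "POST", "url": f"{GRAPH}/invitations",
            "body": {"invitedUserEmailAddress": email,
                     "inviteRedirectUrl": redirect_url}}


def build_add_member(group_id: str, user_id: str) -> dict:
    # The member is referenced by its directoryObjects URL, not by a bare id.
    return {"method": "POST", "url": f"{GRAPH}/groups/{group_id}/members/$ref",
            "body": {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"}}


def build_token_request(tenant, client_id, client_secret, code, redirect_uri) -> dict:
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id, "client_secret": client_secret,
        "code": code, "redirect_uri": redirect_uri,
        # .default requests every Graph permission consented for the app,
        # instead of a hand-picked list such as "user.read email openid profile".
        "scope": "https://graph.microsoft.com/.default",
    }
    return {"url": f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
            "body": urlencode(form)}


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.constructed-sig"


if __name__ == "__main__":
    graph_aud = "00000003-0000-0000-c000-000000000000"
    # Constructed token with only the scopes the question's token request asked for.
    narrow = make_sample_token({"aud": graph_aud, "scp": "User.Read email openid profile"})
    # Constructed token carrying the scp string shown in the question's Update 3.
    wide = make_sample_token({"aud": graph_aud, "scp":
        "Directory.AccessAsUser.All Directory.ReadWrite.All email Group.Read.All "
        "Group.ReadWrite.All openid profile User.Invite.All User.Read User.ReadWrite "
        "User.ReadWrite.All"})
    for name, tok in (("narrow", narrow), ("wide", wide)):
        for call in ("invitation", "add_member"):
            print(name, call, token_problems(decode_jwt_payload(tok), call) or "OK")
    print(json.dumps(build_add_member("GROUP-ID-PLACEHOLDER", "USER-ID-PLACEHOLDER")["body"]))
```

If the check passes for the wide token and the add-member call still returns 403, the token's scopes and audience are not the cause, which leaves the remaining point in the answer: the permission has to be granted (admin consent) for that tenant, not just added to the app registration.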