Reputation: 10879
Desired Behaviour
Create a group via Microsoft Graph, using the JavaScript SDK and MSAL in a single tenant application with delegated API permissions.
Actual Behaviour
{
"statusCode": 403,
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"requestId": "6e865d96-ef8b-408e-a905-5393b4adcfdc",
"date": "2020-05-16T20:20:15.000Z",
"body": "{\"code\":\"Authorization_RequestDenied\",\"message\":\"Insufficient privileges to complete the operation.\",\"innerError\":{\"request-id\":\"6e865d96-ef8b-408e-a905-5393b4adcfdc\",\"date\":\"2020-05-17T06:20:15\"}}"
}
What I've Tried
To create the code, I used the following API reference instructions:
Sign-in/sign-out and all other API requests are working.
Subscription
Microsoft 365 Business Standard Trial
API Permissions
Directory.AccessAsUser.All +++
Directory.ReadWrite.All ***
Group.ReadWrite.All
GroupMember.ReadWrite.All ***
openid
profile
Sites.Read.All
Tasks.ReadWrite
User.Read
*** I added these after reading this answer, but still get the same error.
+++ I added this after suggestion in answer below.
I have clicked the 'Grant admin consent' button in Azure app registrations area.
index.html
<!-- msal -->
<!-- from: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core -->
<script type="text/javascript" src="https://alcdn.msauth.net/lib/1.3.0/js/msal.js" integrity="****" crossorigin="anonymous"></script>
<!-- javascript sdk -->
<!-- from: https://github.com/microsoftgraph/msgraph-sdk-javascript -->
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/@microsoft/microsoft-graph-client/lib/graph-js-sdk.js"></script>
config.js
// msal options
const msalConfig = {
auth: {
clientId: "client-id-here",
redirectUri: "http://localhost:8080",
authority: "https://login.microsoftonline.com/tenant-id-here"
},
cache: {
cacheLocation: "sessionStorage",
storeAuthStateInCookie: false,
forceRefresh: false
}
};
// delegated Graph scopes requested at sign-in (these are delegated permissions, not application permissions)
const scopes = ['directory.accessasuser.all', 'directory.readwrite.all', 'group.readwrite.all', 'groupmember.readwrite.all', 'openid', 'profile', 'sites.read.all', 'user.read', 'tasks.readwrite' ];
auth.js
const msalApplication = new Msal.UserAgentApplication(msalConfig);
const loginRequest = {
scopes: scopes
}
async function sign_in() {
try {
await msalApplication.loginPopup(loginRequest);
if (msalApplication.getAccount()) {
console.log("sign in success");
}
} catch (error) {
console.log("sign in error");
console.log(error);
}
}
function sign_out() {
msalApplication.logout();
}
graph.js
// Graph client: the SDK calls authProvider before every request and expects the
// raw access token back through done(error, token). acquireTokenSilent reuses the
// token cached by loginPopup and renews it when it has expired.
const client = MicrosoftGraph.Client.init({
    authProvider: (done) => {
        msalApplication.acquireTokenSilent({ scopes: scopes })
            .then(result => done(null, result.accessToken))
            .catch(error => done(error, null));
    }
});

async function create_group() {
    var path = "/groups";
    var group = {
        description: "Here is a description.",
        displayName: "test_test_test",
        groupTypes: [
            "Unified",
            "DynamicMembership"
        ],
        mailEnabled: true,
        mailNickname: "test_test_test",
        securityEnabled: false, // initially I had this as true; it doesn't seem to make a difference either way
        visibility: "Hiddenmembership",
        // the two @odata.bind property names were mangled by the page's e-mail obfuscation;
        // restored here as owners then members, the order used in the Graph "Create group" docs
        "owners@odata.bind": [
            "https://graph.microsoft.com/v1.0/users/my-user-id-here"
        ],
        "members@odata.bind": [
            "https://graph.microsoft.com/v1.0/users/my-user-id-here"
        ]
    };
    try {
        var response = await client.api(path)
            .post(group);
        return response;
    } catch (error) {
        // this is where the 403 Authorization_RequestDenied above is thrown
        console.log(error);
    }
}
Related reading:
Learn about Microsoft 365 Groups
Overview of Microsoft 365 Groups for administrators
Working with groups in Microsoft Graph
Create, edit, or delete a security group in the Microsoft 365 admin center
Creating teams and managing members using Microsoft Graph
Overview of Office 365 groups in Microsoft Graph
Other ideas about what could be causing error...
Visibility is supported only for unified groups; it is not supported for security groups.
Maybe the combination of securityEnabled: true
and visibility:Hiddenmembership
are not compatible?
I tried changing it to securityEnabled: false
and got the same message.
Is there something wrong with the token?
I copied the Authorization: Bearer value from the Chrome dev tools console and pasted it at https://jwt.io; there were two additional scopes in the token, but all other scopes are present:
Upvotes: 0
Views: 2253
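Decoding the token at jwt.io is the right instinct; the claims that decide a Graph 403 are the audience, the delegated scopes in scp (an app-only token carries roles instead) and expiry. The following is an added example, not code from the question: it decodes a token's claims locally instead of pasting a live bearer token into a third-party site, and reports what is missing. Buffer is Node's (in a browser, atob() after the same base64url fix-up does the same job); SAMPLE_TOKEN is constructed here with a fake signature and only the claims are read, since signature verification is Graph's job, not the client's.

```javascript
// Added example, not code from the original question: decode a delegated
// Graph access token locally and check the claims that decide a 403.
// SAMPLE_TOKEN is constructed for this example with a fake signature.

function base64UrlDecode(segment) {
    // JWTs use base64url (no padding, '-' and '_'); convert to standard base64
    const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
    const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
    return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
    return Buffer.from(text, "utf8").toString("base64")
        .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwtPayload(token) {
    // Only the claims are read; the signature is verified by Graph, not the client
    const parts = token.split(".");
    if (parts.length !== 3) {
        throw new Error("not a compact JWS: expected header.payload.signature");
    }
    return JSON.parse(base64UrlDecode(parts[1]));
}

const GRAPH_AUDIENCES = [
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000" // Microsoft Graph's application ID
];

function checkGraphToken(token, requiredScopes, nowSeconds = Math.floor(Date.now() / 1000)) {
    const claims = decodeJwtPayload(token);
    const problems = [];
    if (!GRAPH_AUDIENCES.includes(claims.aud)) {
        problems.push("audience " + claims.aud + " is not Microsoft Graph");
    }
    // Delegated tokens carry granted scopes in "scp"; app-only tokens carry
    // "roles" instead, so an empty scp with roles present means the wrong flow
    const granted = (claims.scp || "").split(" ").filter(Boolean);
    if (granted.length === 0) {
        problems.push(claims.roles ? "app-only token (roles claim), not a delegated token" : "no scp claim");
    }
    const grantedLower = granted.map(s => s.toLowerCase());
    for (const scope of requiredScopes) {
        if (!grantedLower.includes(scope.toLowerCase())) {
            problems.push("missing scope " + scope);
        }
    }
    if (typeof claims.exp === "number" && claims.exp < nowSeconds) {
        problems.push("token expired");
    }
    return { claims, granted, problems };
}

// Constructed sample: a delegated token that lacks Directory.AccessAsUser.All
const SAMPLE_TOKEN = [
    base64UrlEncode(JSON.stringify({ typ: "JWT", alg: "RS256" })),
    base64UrlEncode(JSON.stringify({
        aud: "https://graph.microsoft.com",
        scp: "openid profile User.Read Group.ReadWrite.All",
        exp: 4102444800 // 2100-01-01, so the sample never expires
    })),
    "fake-signature"
].join(".");

const result = checkGraphToken(SAMPLE_TOKEN, ["Group.ReadWrite.All", "Directory.AccessAsUser.All"]);
console.log(result.problems); // [ 'missing scope Directory.AccessAsUser.All' ]
```

Scope names are compared case-insensitively because MSAL lowercases the requested scopes while the token's scp claim keeps Microsoft's canonical casing. If the required scopes are all present and the audience is Graph, the 403 is about the request body or the signed-in user's directory role, not the token.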
Reputation: 11
From your Graph call, I saw you try to create a dynamic group and assign a member to this group. A dynamic group does not support adding members; that's the reason why deleting "DynamicMembership" under group type can fix this issue. Below is an example of creating a dynamic group via a Graph API call:
{
    "description": "test1",
    "displayName": "test1",
    "groupTypes": [
        "Unified",
        "DynamicMembership"
    ],
    "mailEnabled": true,
    "membershipRule": "user.displayName -contains \"A\"",
    "membershipRuleProcessingState": "On",
    "mailNickname": "library",
    "securityEnabled": false
}
Upvotes: 1
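The answer above and the self-answer that follows point at the same thing: a request that asks for DynamicMembership and also binds members by hand is contradictory. The following is an added example, not code from either answer: a pre-flight check for a group payload that flags the combinations this thread found Graph rejects, plus a helper that turns the question's payload into the assigned-membership group the author eventually created. The property names (groupTypes, membershipRule, members@odata.bind and so on) are the Graph create-group request properties; the sample payloads are constructed for the example.

```javascript
// Added example, not code from the answers above: check a group payload for
// the combinations this thread found Graph rejects, before POSTing it.
// Sample payloads are constructed for the example.

function validateGroupPayload(group) {
    const problems = [];
    const types = group.groupTypes || [];
    const unified = types.includes("Unified");
    const dynamic = types.includes("DynamicMembership");
    const hasAssignedMembers = "members@odata.bind" in group;

    if (!group.displayName) problems.push("displayName is required");
    if (!group.mailNickname) problems.push("mailNickname is required");

    // A dynamic group computes its membership from membershipRule; assigning
    // members in the same request is what the question's payload did
    if (dynamic && hasAssignedMembers) {
        problems.push("DynamicMembership groups cannot take members@odata.bind; drop the binding or the group type");
    }
    if (dynamic && !group.membershipRule) {
        problems.push("DynamicMembership requires membershipRule");
    }
    if (dynamic && !["On", "Paused"].includes(group.membershipRuleProcessingState)) {
        problems.push("DynamicMembership requires membershipRuleProcessingState of On or Paused");
    }
    // Visibility only applies to Microsoft 365 (Unified) groups
    if (group.visibility !== undefined && !unified) {
        problems.push("visibility is only supported for Unified groups");
    }
    // A Unified group is a mail-enabled, non-security group by definition
    if (unified && !(group.mailEnabled === true && group.securityEnabled === false)) {
        problems.push("Unified groups need mailEnabled: true and securityEnabled: false");
    }
    return problems;
}

// Turn a dynamic-with-assigned-members payload into an assigned group:
// drop DynamicMembership and the rule properties, keep the member bindings
function toAssignedGroup(group) {
    const { membershipRule, membershipRuleProcessingState, ...rest } = group;
    return {
        ...rest,
        groupTypes: (group.groupTypes || []).filter(t => t !== "DynamicMembership")
    };
}

// Constructed sample mirroring the question's graph.js payload
const QUESTION_PAYLOAD = {
    description: "Here is a description.",
    displayName: "test_test_test",
    groupTypes: ["Unified", "DynamicMembership"],
    mailEnabled: true,
    mailNickname: "test_test_test",
    securityEnabled: false,
    visibility: "Hiddenmembership",
    "owners@odata.bind": ["https://graph.microsoft.com/v1.0/users/my-user-id-here"],
    "members@odata.bind": ["https://graph.microsoft.com/v1.0/users/my-user-id-here"]
};

console.log(validateGroupPayload(QUESTION_PAYLOAD));                  // three DynamicMembership problems
console.log(validateGroupPayload(toAssignedGroup(QUESTION_PAYLOAD))); // []
```

Run the check before client.api("/groups").post(...) and refuse to send a payload that returns any problems; Graph answers a contradictory body with the same generic Authorization_RequestDenied that a missing permission produces, which is why the permission list was the first suspect in this thread.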
Reputation: 10879
I was able to create a Group by changing the following in graph.js:
groupTypes: ["Unified","DynamicMembership"]
to
groupTypes: ["Unified"]
I have no idea why DynamicMembership
causes an error.
It is a valid property value of Group > groupTypes, listed at the link below with no caveats:
https://learn.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0#properties
For reference, the code above creates:
It does not automatically create a corresponding:
You can see the new group listed in the following locations:
https://admin.microsoft.com/AdminPortal/Home#/groups
https://outlook.office365.com/people
https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups
And you can see the group 'Team Site' listed at:
https://your_account-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/siteManagement
Upvotes: 0
Reputation: 783
I can see that you have not given the Group.Create permission in your permission set. Give this permission to create a group.
For the Application permission type, all of these permissions are required:
And for the Delegated user permission type:
Upvotes: 0