Reputation: 61
Group.ReadWrite.All is the Graph API permission required for a service principal to create groups in Azure AD. However, it also allows the SPN to modify/delete any group in the directory.
Could you please help me understand how we can restrict the scope so the service principal can only modify the groups it created in the first place?
Upvotes: 1
Views: 1602
Reputation: 11
Adding the service principal as owner of the group worked for me as well.
You just need to know that when you are logged in with the service principal, you can do
az ad group member add -g myGroupObjectId --member-id myMemberObjectId
But you can't search for your group by name; it will give you a permission denied:
az ad group show --group myGroupName
Upvotes: 1
Reputation: 9519
Try to set your Service Principal as the owner of the group you created, so that your Service Principal can modify/delete the group you created without any permissions, but cannot modify/delete other groups (remember to delete the Group.ReadWrite.All permission).
Upvotes: 2
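The two owner-based answers above describe the approach but not the API calls. The following is an added example, not code from either answer: it creates a security group with the service principal bound as owner in the same Graph request (`owners@odata.bind`), and separately retrofits ownership on an existing group via `POST /groups/{id}/owners/$ref`. Both are Microsoft Graph v1.0 endpoints; the object ids, group names and the `post` stub are constructed placeholders, and obtaining the bearer token is assumed to happen elsewhere. Binding the owner at creation time matters from a least-privilege standpoint: there is no window in which the group exists without the SP owning it, so the broad Group.ReadWrite.All permission can be dropped once the SP only needs to manage groups it owns (creating new groups still needs a create-capable permission).

```python
"""Create an Azure AD group owned by a service principal via Microsoft Graph.

Added example (not from the original answers). Assumes the caller already holds
a Graph access token for the service principal. All ids below are placeholders.
"""
import json
import urllib.request
from typing import Any, Callable, Dict

GRAPH = "https://graph.microsoft.com/v1.0"

# Shape of the HTTP helper both operations use: post(url, json_body) -> parsed response.
PostFn = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def group_create_payload(display_name: str, mail_nickname: str, sp_object_id: str) -> Dict[str, Any]:
    """Body for POST /groups: a security group with the SP bound as owner in the same call."""
    return {
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "mailEnabled": False,
        "securityEnabled": True,
        # Graph resolves this reference to the service principal object and records it as owner.
        "owners@odata.bind": [f"{GRAPH}/servicePrincipals/{sp_object_id}"],
    }


def owner_ref_payload(sp_object_id: str) -> Dict[str, Any]:
    """Body for POST /groups/{id}/owners/$ref, which adds an owner to an existing group."""
    return {"@odata.id": f"{GRAPH}/servicePrincipals/{sp_object_id}"}


def create_group_owned_by_sp(post: PostFn, display_name: str, mail_nickname: str, sp_object_id: str) -> str:
    """Create the group and return its object id."""
    resp = post(f"{GRAPH}/groups", group_create_payload(display_name, mail_nickname, sp_object_id))
    return resp["id"]


def add_sp_as_owner(post: PostFn, group_id: str, sp_object_id: str) -> None:
    """Retrofit ownership on a group that was created earlier without owners@odata.bind."""
    post(f"{GRAPH}/groups/{group_id}/owners/$ref", owner_ref_payload(sp_object_id))


def graph_poster(access_token: str) -> PostFn:
    """Build a real HTTP poster bound to a bearer token (used only when talking to live Graph)."""
    def post(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(
            url,
            data=json.dumps(body).encode("utf-8"),
            headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # the $ref call answers 204 with an empty body
    return post


if __name__ == "__main__":
    # Offline dry run with a recording stub instead of a live token (constructed sample ids).
    calls = []

    def fake_post(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
        calls.append((url, body))
        return {"id": "GROUP-OBJECT-ID-PLACEHOLDER"}

    gid = create_group_owned_by_sp(fake_post, "app-managed-group", "appmanaged", "SP-OBJECT-ID-PLACEHOLDER")
    add_sp_as_owner(fake_post, gid, "SP-OBJECT-ID-PLACEHOLDER")
    for url, body in calls:
        print(url, json.dumps(body))
```

With the Azure CLI the retrofit step is `az ad group owner add --group <groupObjectId> --owner-object-id <spObjectId>`; the owner must be the service principal's object id (the enterprise application object), not the app registration's application id, which is the usual reason the ownership trick appears not to work.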
Reputation: 2766
Unfortunately, I don't believe this is possible, since there is no such permission for a service principal to only access groups that it creates. If this is an absolute requirement, then the only way I can think of to limit editing to the groups it owns is not to use the client credential flow, and to basically create a service account (a regular user), use the ROPC flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) and add delegated permissions for Group.ReadWrite.All. Then the app will use that user, which only has access to create groups and edit groups that it owns.
Upvotes: 0