Fernando Ahumada

Reputation: 11

Creating a Security Group with Owner doesn't work using Service Principal in PowerShell

I'm trying to create an Azure security group through PowerShell, connected with a service principal.

My service principal has a Custom Role with microsoft.directory/groups/create permission allowing me to create Security Groups and Microsoft 365 groups, excluding role-assignable groups.

I'm using the Microsoft.Graph.Groups module in PowerShell and I gave my service principal good rights to use the Graph API.

When I create an empty security group with the command

New-MgGroup -BodyParameter $params

with

$params = @{
    description = "Group with designated owner DJER0105"
    displayName = "Group Test 20-07"
    mailEnabled = $false
    mailNickname = "GroupTest20-07"
    securityEnabled = $true
}

My request passes without problems, but when I try to set an owner I get a 403 error "Insufficient privileges to complete the operation."

$params = @{
    description = "Group with designated owner DJER0105"
    displayName = "Group Test 20-07"
    mailEnabled = $false
    mailNickname = "GroupTest20-07"
    securityEnabled = $true
    "owners@odata.bind" = @(
        "https://graph.microsoft.com/v1.0/users/47f89f36-2ad7-45ee-a1ac-3cd0b0e021df"
    )
}

Does someone have any idea why I can't perform this action (security group creation with owner) using the service principal?

I already tried to do the same but with a nominative account (user account) which works well in both cases.

I tried to add the owner after creation like this:

$params = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/{id}" }

New-MgGroupOwnerByRef -GroupId $groupId -BodyParameter $params

And I got the same 403 error "Insufficient privileges to complete the operation."

For information, I don't need to be the owner of the security group; I want to create a security group and set another user as owner.

Upvotes: 0

Views: 529

Answers (1)

Venkatesan

Reputation: 10455


I tried in my environment and got the below results:

I created an application with API permission Directory.AccessAsUser.All with granted admin consent.


Now, I tried the below command, and it created the group with the owner.

Command:

$tenantId = "your-tenant-id"
$appId = "your-client-id"
$ownerObjectId = "user object id"
$groupName = "Testvenkatgrp"
$groupDescription = "Group with designated owner DJER0105"

Connect-MgGraph -ClientId $appId -TenantId $tenantId -CertificateThumbprint "your certificate thumbprint"

# Create the security group
$params = @{
    description = $groupDescription
    displayName = $groupName
    mailEnabled = $false
    mailNickname = $groupName.Replace(" ", "")
    securityEnabled = $true
}
$group = New-MgGroup -BodyParameter $params

# Assign the owner to the security group
$ownerUrl = "https://graph.microsoft.com/v1.0/users/$ownerObjectId"
$ownerRef = @{
    "@odata.id" = $ownerUrl
}
$ownerParams = @{
    "owners@odata.bind" = @($ownerRef["@odata.id"])
}
Invoke-MgGraphRequest -Method PATCH "https://graph.microsoft.com/v1.0/groups/$($group.Id)" -Body $ownerParams


Reference:

Using Microsoft Graph PowerShell authentication commands | Microsoft Learn

Upvotes: 0
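
When chasing a 403 like the one in this thread, it helps to see which Graph permissions the session's token actually carries. The following is an added example, not code from the question or the answer: the function names are hypothetical, the sample token is constructed, and the list of required permissions is an assumption to confirm against the Graph permissions reference.

```powershell
# Added example (not from the post). Decodes token claims for diagnosis only;
# it does not validate the signature, so never base an authorization decision on it.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-GraphTokenPermission {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string[]]$Required = @()   # permissions the caller expects (assumption)
    )
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a three-part JWT.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    # Delegated tokens carry scopes as a space-separated "scp" string;
    # app-only tokens carry application permissions in a "roles" array.
    $roles   = @($claims.roles | Where-Object { $_ })
    $scopes  = @("$($claims.scp)" -split ' ' | Where-Object { $_ })
    $granted = $roles + $scopes
    [pscustomobject]@{
        Audience  = $claims.aud
        TokenKind = if ($scopes.Count) { 'delegated' } elseif ($roles.Count) { 'app-only' } else { 'none' }
        Granted   = $granted
        Missing   = @($Required | Where-Object { $_ -notin $granted })
    }
}

# Constructed sample token: claims invented for illustration, signature is a dummy.
$enc = {
    param($o)
    $json = $o | ConvertTo-Json -Compress
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = & $enc @{ alg = 'RS256'; typ = 'JWT' }
$payload = & $enc @{ aud = 'https://graph.microsoft.com'; roles = @('Group.Create') }
$sample  = $header, $payload, 'dummy-signature' -join '.'

# Assumed requirement list; confirm it in the Graph permissions reference.
Get-GraphTokenPermission -AccessToken $sample -Required 'Group.Create', 'Group.ReadWrite.All', 'User.Read.All'
```

In a live Microsoft Graph PowerShell session, `Get-MgContext` reports the same distinction through its AuthType and Scopes properties.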
