Adding guest user to Azure AD group fails with correct permissions set

I'm inviting users to my org through my web app and adding them to groups which will be used to determine which parts of the web app they can use because I've got the groups associated with my different roles.

The invite to the org goes out fine, but when I attempt to add the user to the group, I get a Microsoft.Graph.ServiceException as follows:

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

Insufficient privileges seems different from the application permissions I've got with admin consent granted on the app registration:

  • Directory.ReadWrite.All, and
  • GroupMember.ReadWrite.All

For the life of me I can't find anything relating to "privileges" in the azure portal as it would involve group management so I have to assume that permissions is what this refers to; only, I don't know what permissions it's looking for in addition to these two.

Per the permissions indicated on MS Docs article on adding members to groups, I'm initializing MS Graph with the permissions:

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

// Delegated scopes requested for the signed-in user when acquiring a Graph token.
var initialScopes = new string[]
{
    // Directory.ReadWrite.All
    Constants.Graph.DirectoryReadWrite,
    // GroupMember.ReadWrite.All
    Constants.Graph.GroupMemberReadWrite,
    // Group.ReadWrite.All
    Constants.Graph.GroupReadWrite,
    // RoleManagement.ReadWrite.Directory
    Constants.Graph.RoleManagementReadWriteDirectory
};
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        // Redacted for brevity
    })
        .EnableTokenAcquisitionToCallDownstreamApi(options =>
            configuration.Bind("AzureAd", options), initialScopes)
        .AddMicrosoftGraph(configuration.GetSection("GraphAPI"));

GraphAPI section of my config looks like this:

"GraphAPI": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "GroupMember.ReadWrite.All Group.ReadWrite.All Directory.ReadWrite.All RoleManagement.ReadWrite.Directory"
},

I can't possibly be missing any of the required permissions (indicated per the doc). I've logged out and back in again several times (and also completely cleared all my browsing data for the site) to refresh the auth token but still no luck.

My code to add the invited user to the groups:

using Microsoft.Graph;

// Determine the ID of the regional group to which the user should be added.
string region = this.Provider.Region switch
{
    Region.Redacted => config["Groups:redacted"],
    Region.Redacted => config["Groups:redacted"],
    _ => config["Groups:redacted"]
};

// Add the user to the regional group and to the group for the user's intended role.
var groups = new List<string>
{
    region,
    config["Groups:redacted"]
};

// directoryObject is the DirectoryObject (with Id set) for the user created by the invitation.
foreach (var group in groups)
{
    await graphClient.Groups[group].Members.References
        .Request()
        .AddAsync(directoryObject);
}

Are there any additional permissions I need here? If not, what does the error actually indicate is the problem and how do I correct it?



Solution 1:[1]

Given the delegated permissions you're requesting (which should cover all scenarios, including role-assignable groups), the most likely cause for this is that the signed-in user is not authorized to manage the membership of the group in question.

In general, whether a user is allowed to manage a group's membership depends on the type of group, and whether the user is owner of the group or not:

  • Owned groups:
    • All member users
  • Security groups, not role-assignable groups:
    • Intune Administrator
    • Knowledge Administrator
    • Knowledge Manager
    • Windows 365 Administrator
  • Microsoft 365 groups, not role-assignable groups:
    • Exchange Administrator
    • SharePoint Administrator
    • Teams Administrator
  • Security groups and Microsoft 365 groups, not role-assignable groups:
    • User Administrator
    • Groups Administrator
    • Identity Governance Administrator
  • Role-assignable groups, not security groups nor Microsoft 365 groups:
    • Privileged Role Administrator
  • All groups, including role-assignable groups:
    • Global Administrator

(This information is essentially a pivot on what's listed here: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference, which can also be retrieved from Microsoft Graph by querying GET .../roleManagement/directory/roleDefinitions.)
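As an added example (not code from the question or the answer above), the following Python encodes the table in this answer as a pre-flight check the web app could run before calling the add-member endpoint, so that an Authorization_RequestDenied comes back with an explanation rather than a bare 403. The group attributes are the ones Microsoft Graph returns for GET /groups/{id}?$select=securityEnabled,mailEnabled,groupTypes,isAssignableToRole, the owners from GET /groups/{id}/owners, and the user's roles from GET /me/memberOf/microsoft.graph.directoryRole. The payloads embedded in the block are constructed, not captured from a tenant; roles are matched by displayName for readability, which is an assumption for illustration only (production code should key on roleTemplateId, which is stable across tenants and locales).

```python
"""Pre-flight check: may the signed-in user manage this group's membership?

Added example, not from the original question or answer. It encodes the
answer's pivot of the permissions reference and evaluates it against the
shape Microsoft Graph returns for group, owners and directoryRole resources.
Sample payloads below are constructed, not captured from a real tenant.
Assumption: roles are matched by displayName here; use roleTemplateId in
production, since display names are localised and not guaranteed stable.
"""
from __future__ import annotations

# Roles that may manage membership, per group kind, as listed in the answer.
GLOBAL = {"Global Administrator"}
GROUP_GENERIC = {"User Administrator", "Groups Administrator",
                 "Identity Governance Administrator"}
SECURITY_ONLY = {"Intune Administrator", "Knowledge Administrator",
                 "Knowledge Manager", "Windows 365 Administrator"}
M365_ONLY = {"Exchange Administrator", "SharePoint Administrator",
             "Teams Administrator"}
ROLE_ASSIGNABLE_ONLY = {"Privileged Role Administrator"}

ROLES_BY_GROUP_KIND = {
    "security": GLOBAL | GROUP_GENERIC | SECURITY_ONLY,
    "m365": GLOBAL | GROUP_GENERIC | M365_ONLY,
    "role-assignable": GLOBAL | ROLE_ASSIGNABLE_ONLY,
}


def classify_group(group: dict) -> str:
    """Map a Graph group resource onto the categories used in the answer.

    isAssignableToRole wins over everything else: a role-assignable group is
    still securityEnabled, but the generic group roles may not touch it.
    """
    if group.get("isAssignableToRole"):
        return "role-assignable"
    if "Unified" in (group.get("groupTypes") or []):
        return "m365"
    if group.get("securityEnabled") and not group.get("mailEnabled"):
        return "security"
    # Mail-enabled security and distribution groups are Exchange-managed and
    # are not covered by the answer's table.
    return "other"


def can_manage_membership(user_id: str, user_roles: set[str], group: dict,
                          owner_ids: set[str]) -> tuple[bool, str]:
    """Return (allowed, reason) for the signed-in user against this group.

    Under delegated permissions the app's scopes are only an upper bound;
    the effective rights are the user's own, which is what is modelled here.
    """
    kind = classify_group(group)
    if user_id in owner_ids:
        return True, f"user owns the group ({kind})"
    if kind == "other":
        return False, "group kind not covered by the answer's table"
    matching = user_roles & ROLES_BY_GROUP_KIND[kind]
    if matching:
        return True, f"{sorted(matching)[0]} may manage {kind} groups"
    return False, f"user is neither an owner nor in a role that manages {kind} groups"


# Constructed sample payloads (shape of Graph responses, not real tenant data).
SAMPLE_GROUPS = {
    "regional": {"id": "g-1", "displayName": "Region-East", "securityEnabled": True,
                 "mailEnabled": False, "groupTypes": [], "isAssignableToRole": False},
    "role": {"id": "g-2", "displayName": "App-Admins", "securityEnabled": True,
             "mailEnabled": False, "groupTypes": [], "isAssignableToRole": True},
    "team": {"id": "g-3", "displayName": "Project-Team", "securityEnabled": False,
             "mailEnabled": True, "groupTypes": ["Unified"], "isAssignableToRole": False},
}
SAMPLE_OWNERS = {"g-1": set(), "g-2": set(), "g-3": {"u-1"}}


def explain_denial(user_id: str, user_roles: set[str], group_key: str) -> tuple[bool, str]:
    """Evaluate one of the constructed sample groups for a user and role set."""
    group = SAMPLE_GROUPS[group_key]
    return can_manage_membership(user_id, user_roles, group, SAMPLE_OWNERS[group["id"]])


if __name__ == "__main__":
    for roles in ({"Groups Administrator"}, {"Exchange Administrator"}, set()):
        for key in SAMPLE_GROUPS:
            ok, why = explain_denial("u-1", roles, key)
            label = ", ".join(sorted(roles)) or "no role"
            print(f"{label} -> {key}: {'OK' if ok else 'DENIED'} ({why})")
```

Two caveats when wiring this to live data: /me/memberOf only lists directory roles that are currently active, so an eligible-only assignment that has not been activated will (correctly) read as no role, and the "other" category covers Exchange-managed groups that this answer's table does not address.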

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1