Azure Logic App, Azure AD remove group members, insufficient permission

I'm creating an Azure Logic App to replace the members of a defined Azure AD group. I have used this blog (https://geekshangout.com/logic-app-remove-azure-ad-group-members/) as the base for my job, but so far the remove-member step fails with insufficient permissions.

Basically, the logic app does:

  • Retrieve a list of users from an Azure SQL table with a specific query: OK
  • Get the list of users from the Azure AD group: OK
  • For each member:
    • remove member.objectID from the Azure AD group object ID: fails with the following error:

      "body": {
        "error": {
          "code": "Authorization_RequestDenied",
          "message": "Insufficient privileges to complete the operation.",
          "innerError": {
            "date": "2022-02-10T07:32:44",
            "request-id": "--------------",
            "client-request-id": "------------"
          }
        }
      }

So far, I have re-created the logic app, taking care of the following:

  • Admin consent is given as described in the blog, using the Global Admin account.
  • I can see this 'logic app' created in the 'Enterprise Applications' blade.
  • The permissions should be correct: API name: Microsoft Graph, claims: Directory.ReadWrite.All, Group.ReadWrite.All, User.ReadWrite.All, offline_access, as the Microsoft documentation describes (https://docs.microsoft.com/en-us/connectors/azuread/).
  • I have now waited about 24 hours, so 'cloud lag' should not be the problem.

Should this 'Enterprise Application' have additional permissions? If so, which ones, and where are they set?

"Life is not a problem to be solved, but a reality to be experienced" ~T
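When a Graph call fails with Authorization_RequestDenied, the first thing to establish is what the connector's service principal has actually been granted, and whether those grants are delegated (acting as the signed-in user, which is what offline_access indicates) or application permissions (acting as the app itself). The following diagnostic is an added example written for this answer; it is not code from the question or from the linked blog. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can read application and directory data, and that $AppDisplayName (a placeholder) is the display name of the Logic App's enterprise application. The Graph application ID 00000003-0000-0000-c000-000000000000 is the well-known ID of the Microsoft Graph resource.

```powershell
# Added diagnostic (not part of the original post). Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$AppDisplayName = "my-logic-app"   # placeholder: the Enterprise Application's display name

# Locate the connector's service principal and the Microsoft Graph resource principal.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found in this tenant" }
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Any one of these Graph permissions is sufficient to remove a member from an ordinary group.
$required = @("GroupMember.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All")

# 1. Delegated permissions (OAuth2 permission grants). These are only effective
#    together with the signed-in user's own rights, so the account used for the
#    connection must itself be allowed to manage the group.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and resourceId eq '$($graphSp.Id)'"
$delegated = @()
foreach ($g in $grants) {
    Write-Host "Delegated grant (consentType=$($g.ConsentType)): $($g.Scope)"
    $delegated += $g.Scope -split ' '
}

# 2. Application permissions (app role assignments). These run without a user;
#    the app role ID must be resolved to its name via Graph's published AppRoles.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object ResourceId -eq $graphSp.Id
$application = @()
foreach ($a in $assignments) {
    $role = $graphSp.AppRoles | Where-Object Id -eq $a.AppRoleId
    Write-Host "Application permission: $($role.Value)"
    $application += $role.Value
}

# Summarise whether a sufficient permission exists in either category.
$hasDelegated   = ($delegated   | Where-Object { $required -contains $_ }).Count -gt 0
$hasApplication = ($application | Where-Object { $required -contains $_ }).Count -gt 0
Write-Host "Sufficient delegated permission present:   $hasDelegated"
Write-Host "Sufficient application permission present: $hasApplication"
if (-not $hasDelegated -and -not $hasApplication) {
    Write-Warning "No granted permission covers removing group members; grant and admin-consent one of: $($required -join ', ')"
}
```

If only delegated grants show up, which is the usual situation for this connector, the token carries the rights of the account behind the connection as well as the consented scopes, so a consent by a Global Admin does not help a connection that was signed in with a less privileged user. Re-creating the connection with an account that is allowed to modify the group (for example, a Groups Administrator or an owner of that group) is then the fix. Role-assignable groups are a separate case: Graph additionally requires RoleManagement.ReadWrite.Directory to change their membership, which none of the listed claims provide.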

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow