
I assigned an AAD Service Principal as an Owner of an AAD Group in order to allow this Service Principal to manage certain groups without having to provide it with the ability to manage all groups.

I would expect that this SP is now able to manage the membership, but I receive the following error message when using the MS Graph.

Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation.

The old AAD Graph API causes a similar error.

How can I provide a Service Principal with the means to only manage selected AAD Groups?

aboersch
  • What APIs are you trying to call and what permission scopes have you consented for your application? – Darrel Miller Feb 26 '19 at 18:04
  • @DarrelMiller No permission scopes, as this is a managed identity. The APIs are the standard ones for managing group memberships: https://learn.microsoft.com/en-gb/previous-versions/azure/ad/graph/api/groups-operations#AddGroupMembers & https://learn.microsoft.com/en-gb/graph/api/group-post-members?view=graph-rest-1.0 as well as the respective APIs to remove members – aboersch Mar 26 '19 at 10:49
  • Apparently it is possible to allow an MSI to talk to Microsoft Graph https://stackoverflow.com/questions/48013011/msi-permissions-for-graph-api however, I'm not sure what the advantage of doing this is over just creating an application with App-Only permissions and using the ClientCredentials flow. – Darrel Miller Mar 26 '19 at 21:28
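The comments above turn on what the managed identity's token actually carries, which the question never shows. The following is an added diagnostic example, not code from the question or from Microsoft: it takes the Graph error body and the access token the caller presented, checks whether the error is the Authorization_RequestDenied code quoted above, and reports which application permissions (the token's roles claim) were present. The token and error body are constructed samples, and the set of group-write roles it looks for (GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All) is this example's own assumption about which app roles are worth checking, not a statement of which one Graph requires for the calls in the question.

```python
"""Diagnose an Authorization_RequestDenied response from Microsoft Graph.

Added example (not from the question or from Microsoft).  The idea: before
assuming that group ownership should have been enough, look at what the
token sent to Graph actually contained.  An app-only token (managed identity
or client credentials) carries its application permissions in the "roles"
claim; if that claim lacks any group-write permission, Graph's refusal is
explained by the token, not by group ownership.
"""
import base64
import json

# Assumed set of application permissions a diagnostic would look for when a
# membership write is refused.  Which one a given call needs is Graph's
# decision; this script only reports what the token carries.
GROUP_WRITE_ROLES = {
    "GroupMember.ReadWrite.All",
    "Group.ReadWrite.All",
    "Directory.ReadWrite.All",
}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_sample_token(claims):
    """Build a constructed, unsigned JWT for local testing only (signature is a dummy)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysig"


def token_claims(token):
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Only for inspecting a token you already hold during troubleshooting;
    never use unverified claims to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def is_request_denied(error_body):
    """True when the Graph error JSON carries the Authorization_RequestDenied code."""
    try:
        return json.loads(error_body)["error"]["code"] == "Authorization_RequestDenied"
    except (ValueError, KeyError, TypeError):
        return False


def diagnose(error_body, token):
    """Summarise why a Graph call was refused, based on the error body and token."""
    if not is_request_denied(error_body):
        return {"denied": False, "roles": [], "missing_group_write_role": False}
    claims = token_claims(token)
    roles = set(claims.get("roles", []))
    return {
        "denied": True,
        "roles": sorted(roles),
        # No intersection with the group-write roles means the token itself
        # never carried a permission that could write group membership.
        "missing_group_write_role": not (roles & GROUP_WRITE_ROLES),
        # App-only tokens have "roles" and no "scp" (delegated scopes) claim.
        "app_only": "scp" not in claims,
    }


# Constructed samples: the error body mirrors the message quoted in the
# question; the token carries a read-only app role and no group-write role.
SAMPLE_ERROR = json.dumps({
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
    }
})
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real app id
    "roles": ["User.Read.All"],
})

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ERROR, SAMPLE_TOKEN), indent=2))
```

Run as a script, it reports that the sample request was denied, that the token was app-only, and that none of the assumed group-write roles were present. Swapping in a real token obtained by the managed identity shows the same information for the actual failing call, which is the first thing to check before reasoning about what group ownership grants.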
