Microsoft Azure AD Spoke Permissions - Add User to Group Error

06-13-2022 01:41 PM
Hello Community,
Hope one of you can assist. We are trying to set up the Microsoft Azure AD Spoke so that we can add & remove users from groups in Azure. Seems simple right?
Our Cybersecurity Team will not grant me Directory.ReadWrite.All as they feel it is over-permissioned. I am setting up the Microsoft Azure AD Spoke and am testing the actions currently, and I am not able to do a couple of the actions. I have removed part of the ID#s.
I am able to run "Look up Group ID" by supplying it the group name. Status: Group Found.
I am NOT able to "Add User to Group"
Add user to group:
Group id: fd7fd7fa-ee9c9d5094
User ID: 49238e68-cdd1fc4d57
Error message: Forbidden Request. Please Check Oauth Token and scope permission.
Method failed:
(/v1.0/groups/fd7fd7fa--7c6e9c9d5094/members/$ref)
with code: 403 - Forbidden username/password combo
{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete theoperation.","innerError":{"date":"2022-06-13T17:52:35","request-id":"cfa69e98a8f-d7185eec9fac","client-request-id":"cfa69e9085eec9fac"}}}
{"Transfer-Encoding":["chunked"],"request-id":["cfa69e90eec9fac"],"Date":["Mon, 13 Jun 2022 17:52:34 GMT"],"Strict-Transport-Security":["max-age=31536000"],"Cache-Control":["no-cache"],"x-ms-ags-diagnostic":["{\"ServerInfo\":{\"DataCenter\":\"Canada East\",\"Slice\":\"E\",\"Ring\":\"2\",\"ScaleUnit\":\"002\",\"RoleInstance\":\"QB1PEPF0000218D\"}}"],"client-request-id":["cfa69d7185eec9fac"],"x-ms-resource-unit":["1"],"Content-Type":["application/json"]}
Status code 403
{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete theoperation.","innerError":{"date":"2022-06-13T17:52:35","request-id":"cfa6f-d7185eec9fac","client-request-id":"cfa69e90ec9fac"}}}
I am attaching the permissions that they have granted and was hoping that you could assist, as I have been going back and forth with them on this and not sure what else to do at this point. Any ideas would be greatly appreciated.
Thanks,
-Eric
BECU
ServiceNow Operations Engineer
Labels: IntegrationHub, Multiple Versions

06-14-2022 01:26 AM
Eric,
You should not need Directory.ReadWrite.All unless the group you are trying to add to is a privileged group.
I am sure you have it, but here is the docs page for the API: https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http
Suggest you go into 'Manage Tokens', find the relevant issued token, copy its content and paste into https://jwt.ms and check that the scope of the token you are retrieving matches the grants.
I've not seen a user principal such as this allocated both application and delegated permissions. Personally I would recommend for verification that you use application and remove the delegated.
Hope this is of some help,
Richard
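As an added example (not from this thread, ServiceNow or Microsoft), here is a small Python script that does offline what Richard suggests with jwt.ms: decode the issued token's claims and check whether the `roles` claim (application permissions) or the `scp` claim (delegated scopes) carries a permission that authorizes the add-member call. The permission list is assumed from the Graph docs page linked above, and the token is a constructed, unsigned sample; the script inspects claims only and does not validate the token.

```python
import base64
import json

# Permissions that authorize POST /groups/{id}/members/$ref per the Graph docs
# linked above (assumption: copied from the docs, not from this thread).
GROUP_MEMBER_WRITE_PERMISSIONS = (
    "GroupMember.ReadWrite.All",
    "Group.ReadWrite.All",
    "Directory.ReadWrite.All",
)

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT
    verified: this only inspects claims, like pasting the token into jwt.ms."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_group_member_write(token: str) -> dict:
    """Report the token's permission model and whether any permission that
    allows adding a group member is present."""
    claims = decode_jwt_claims(token)
    # App-only tokens carry application permissions in 'roles' (a list);
    # delegated tokens carry scopes in 'scp' (a space-separated string).
    roles = set(claims.get("roles", []))
    scopes = set(claims.get("scp", "").split())
    granted = roles | scopes
    matched = [p for p in GROUP_MEMBER_WRITE_PERMISSIONS if p in granted]
    return {
        "model": "application" if roles else ("delegated" if scopes else "none"),
        "granted": sorted(granted),
        "authorizes_add_member": bool(matched),
        "matched": matched,
    }

def make_unsigned_token(payload: dict) -> str:
    # Constructed, unsigned sample token for the demo; real AAD tokens are signed.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample: app-only token holding only read permissions, the kind
# of token that yields 403 Authorization_RequestDenied on the members/$ref call.
SAMPLE_READ_ONLY = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Group.Read.All", "User.Read.All"]}
)
```

If the report shows `"model": "delegated"`, the spoke obtained a user-context token rather than an app-only one, which is the mismatch Richard describes between application and delegated grants.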
06-20-2022 10:51 PM
Hello Eric,
We're getting the exact same concern from our security specialists on the use of Directory.ReadWrite.All and User.ReadWrite.All. And I agree with them, Azure AD is flexible enough to lock down permissions to what is really required.
Have you managed to find a solution for this? We're investigating it ourselves as well, will share if we find a working setup.
Best regards,
Pascal Frencken
Signify, The Netherlands
05-12-2023 06:10 AM
Did you manage to get this working? I'm struggling with exactly the same issue when trying to add users to Administrative Units.
06-16-2023 11:37 PM
@Eric_Gauthier @pascalfrencken @Jonathan Demeu1
Did you get the solution for this? I am getting the same error message and struggling to find the root cause. We have all the permissions mentioned in the ServiceNow documents to add users to an Azure group.