Microsoft Azure AD Spoke Permissions - Add User to Group Error

Eric_Gauthier · ‎06-13-2022

Hello Community,

Hope one of you can assist. We are trying to set up the Microsoft Azure AD Spoke so that we can add & remove users from groups in Azure. Seems simple right?

Our Cybersecurity Team will not grant me Directory.ReadWrite.All as they feel it is over permissioned. I am setting up the Microsoft Azure AD Spoke and am testing the actions currently, and I am not able to do a couple of the actions. I have removed part of the ID#s.

I am able to run "Look up Group ID" supply it the group name. status: Group Found.

I am NOT able to "Add User to Group"

Add user to group:

Group id: fd7fd7fa-ee9c9d5094

User ID: 49238e68-cdd1fc4d57

Error message: Forbidden Request. Please Check Oauth Token and scope permission.

Method failed:

(/v1.0/groups/fd7fd7fa--7c6e9c9d5094/members/$ref)

with code: 403 - Forbidden username/password combo

{"error":{"code":"Authorization_RequestDenied","message":"Insufficient

privileges to complete theoperation.","innerError":{"date":"2022-06-13T17:52:35","request-id":"cfa69e98a8f-d7185eec9fac","client-request-id":"cfa69e9085eec9fac"}}}

{"Transfer-Encoding":["chunked"],"request-id":["cfa69e90eec9fac"],"Date":["Mon,

13 Jun 2022 17:52:34

GMT"],"Strict-Transport-Security":["max-age=31536000"],"Cache-Control":["no-cache"],"x-ms-ags-diagnostic":["{\"ServerInfo\":{\"DataCenter\":\"Canada

East\",\"Slice\":\"E\",\"Ring\":\"2\",\"ScaleUnit\":\"002\",\"RoleInstance\":\"QB1PEPF0000218D\"}}"],"client-request-id":["cfa69d7185eec9fac"],"x-ms-resource-unit":["1"],"Content-Type":["application/json"]}

Status code 403

{"error":{"code":"Authorization_RequestDenied","message":"Insufficient

privileges to complete theoperation.","innerError":{"date":"2022-06-13T17:52:35","request-id":"cfa6f-d7185eec9fac","client-request-id":"cfa69e90ec9fac"}}}

I am attaching the permissions that they have granted and was hoping that you could assist, as I have been going back and forth with them on this and not sure what else to do at this point. Any ideas would be greatly appreciated.

Thanks,

-Eric

Eric Gauthier, CSPO
BECU
ServiceNow Operations Engineer

Richard Hine · ‎06-14-2022

Eric,

You should not need Directory.ReadWrite.All unless the group you are trying to add to is a privileged group.

I am sure you have it, but here is the docs page for the API : https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http

Suggest you go into 'Manage Tokens', find the relevant issued token, copy its content and paste into https://jwt.ms and check that the scope of the token you are retrieving matches the grants.

I've not seen a user principal such as this allocated both application and delegated permissions. Personally I would recommend for verification that you use application and remove the delegated.

Hope this is of some help,

Richard

pascalfrencken · ‎06-20-2022

Hello Eric,

We're getting the exact same concern from our security specialists on the use of Directory.ReadWrite.All and User.ReadWrite.All. And I agree with them, Azure AD is flexible enough to lock down permissions to what is really required.

Have you managed to find a solution for this? We're investigating it ourselves as well, will share if we find a working setup.

Best regards,

Pascal Frencken
Signify, The Netherlands

Jonathan Demeu1 · ‎05-12-2023

@pascalfrencken @Eric

Did you manage to get this working? I'm struggling with exactly the same issue when trying to add users to Administrative Units..

Ashwini_ Godala · ‎06-16-2023

@Eric_Gauthier @pascalfrencken @Jonathan Demeu1

Did you get the solution for this? I am getting same error message and struggling to find the root cause. We have all the permissions mentioned in ServiceNow documents to add users to Azure group.