Microsoft Azure AD Spoke Permissions - Add User to Group Error

Eric_Gauthier
Tera Contributor

Hello Community, 

Hope one of you can assist. We are trying to set up the Microsoft Azure AD Spoke so that we can add & remove users from groups in Azure. Seems simple, right?

Our Cybersecurity Team will not grant me Directory.ReadWrite.All as they feel it is over-permissioned. I am setting up the Microsoft Azure AD Spoke and am testing the actions currently, and I am not able to do a couple of the actions. I have removed part of the IDs.

I am able to run "Look up Group ID", supplying it the group name. Status: Group Found.

I am NOT able to "Add User to Group"

Add user to group:

Group id: fd7fd7fa-ee9c9d5094

User ID: 49238e68-cdd1fc4d57

 Error message: Forbidden Request. Please Check Oauth Token and scope permission.

 Method failed:

(/v1.0/groups/fd7fd7fa--7c6e9c9d5094/members/$ref)

with code: 403 - Forbidden username/password combo

{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete theoperation.","innerError":{"date":"2022-06-13T17:52:35","request-id":"cfa69e98a8f-d7185eec9fac","client-request-id":"cfa69e9085eec9fac"}}}

{"Transfer-Encoding":["chunked"],"request-id":["cfa69e90eec9fac"],"Date":["Mon, 13 Jun 2022 17:52:34 GMT"],"Strict-Transport-Security":["max-age=31536000"],"Cache-Control":["no-cache"],"x-ms-ags-diagnostic":["{\"ServerInfo\":{\"DataCenter\":\"Canada East\",\"Slice\":\"E\",\"Ring\":\"2\",\"ScaleUnit\":\"002\",\"RoleInstance\":\"QB1PEPF0000218D\"}}"],"client-request-id":["cfa69d7185eec9fac"],"x-ms-resource-unit":["1"],"Content-Type":["application/json"]}

 Status code 403

{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete theoperation.","innerError":{"date":"2022-06-13T17:52:35","request-id":"cfa6f-d7185eec9fac","client-request-id":"cfa69e90ec9fac"}}}

I am attaching the permissions that they have granted and was hoping that you could assist, as I have been going back and forth with them on this and am not sure what else to do at this point. Any ideas would be greatly appreciated.

Thanks,

-Eric 

Eric Gauthier, CSPO
BECU
ServiceNow Operations Engineer

Richard Hine
Tera Guru

Eric,

You should not need Directory.ReadWrite.All unless the group you are trying to add to is a privileged group.

I am sure you have it, but here is the docs page for the API: https://docs.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http

Suggest you go into 'Manage Tokens', find the relevant issued token, copy its content and paste it into https://jwt.ms, and check that the scope of the token you are retrieving matches the grants.

I've not seen a user principal such as this allocated both application and delegated permissions. Personally I would recommend for verification that you use application and remove the delegated.

Hope this is of some help,

Richard
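The token check suggested above can also be done offline. The script below is an added example, not code from the original thread or from ServiceNow, and it does locally what pasting the token into jwt.ms does: decode the payload (without verifying the signature) and report whether the token carries an application permission (`roles` claim) or a delegated scope (`scp` claim) that the linked Graph docs accept for POST /groups/{id}/members/$ref. The accepted set (GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All) is taken from that docs page as I read it; the two sample tokens are constructed and unsigned, not real Azure AD tokens.

```python
import base64
import json

# Permissions the linked Graph docs list for POST /groups/{id}/members/$ref
# (assumption from the docs page cited above). Any one is sufficient;
# Directory.ReadWrite.All is the broadest and is what security teams object to.
ACCEPTED_PERMISSIONS = {
    "GroupMember.ReadWrite.All",
    "Group.ReadWrite.All",
    "Directory.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.

    This only inspects which permissions the token carries (what jwt.ms shows);
    an unverified decode must never be used to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_permissions(claims: dict) -> dict:
    """Split permissions into application roles and delegated scopes.

    App-only tokens carry a 'roles' list; delegated (user) tokens carry a
    space-separated 'scp' string. A token normally has one or the other.
    """
    roles = set(claims.get("roles", []))
    scp = claims.get("scp", "")
    scopes = set(scp.split()) if isinstance(scp, str) else set(scp)
    return {"application": roles, "delegated": scopes}


def can_add_group_member(claims: dict) -> dict:
    """Report the token type, what it was granted, and whether that suffices."""
    perms = token_permissions(claims)
    if perms["application"]:
        kind = "application"
    elif perms["delegated"]:
        kind = "delegated"
    else:
        kind = "none"
    granted = perms[kind] if kind != "none" else set()
    matched = granted & ACCEPTED_PERMISSIONS
    return {
        "token_type": kind,
        "granted": sorted(granted),
        "matched": sorted(matched),
        "sufficient": bool(matched),
    }


def _make_unsigned_jwt(payload: dict) -> str:
    # Constructed sample token for offline demonstration; 'alg: none' and an
    # empty signature segment, so it is obviously not a real Azure AD token.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample 1: app-only token granted read permissions only. This is
# the shape that produces Authorization_RequestDenied on the $ref POST.
SAMPLE_READ_ONLY = _make_unsigned_jwt(
    {"aud": "https://graph.microsoft.com", "roles": ["Group.Read.All", "User.Read.All"]}
)

# Constructed sample 2: app-only token with the least-privilege write permission.
SAMPLE_LEAST_PRIV = _make_unsigned_jwt(
    {"aud": "https://graph.microsoft.com", "roles": ["GroupMember.ReadWrite.All"]}
)

if __name__ == "__main__":
    for name, tok in [("read-only", SAMPLE_READ_ONLY), ("least-priv", SAMPLE_LEAST_PRIV)]:
        print(name, can_add_group_member(decode_jwt_claims(tok)))
```

Run it against a token copied from 'Manage Tokens' by passing that string to `decode_jwt_claims`; if `token_type` comes back as `delegated` when the spoke is configured for client-credentials, or `matched` is empty, the 403 is explained by the grant rather than by the group itself.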

pascalfrencken
Mega Sage

Hello Eric,

We're getting the exact same concern from our security specialists on the use of Directory.ReadWrite.All and User.ReadWrite.All. And I agree with them: Azure AD is flexible enough to lock down permissions to what is really required.

Have you managed to find a solution for this? We're investigating it ourselves as well, and will share if we find a working setup.

Best regards,

Pascal Frencken
Signify, The Netherlands

Jonathan Demeu1
Tera Expert

@pascalfrencken @Eric 


Did you manage to get this working? I'm struggling with exactly the same issue when trying to add users to Administrative Units.

Ashwini_ Godala
Tera Contributor

@Eric_Gauthier @pascalfrencken @Jonathan Demeu1 


Did you get the solution for this? I am getting the same error message and struggling to find the root cause. We have all the permissions mentioned in the ServiceNow documents to add users to an Azure group.