One may receive the following 403 error when using Microsoft Graph API to add a user to a group:

MS Graph request:

POST https://graph.microsoft.com/v1.0/groups/<Group Object ID>/members/$ref

Request body:

{
  "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/<User Object ID>"
}

Response:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2024-05-07T15:39:39",
      "request-id": "aa324f0f-b4a3-4af6-9c4f-996e195xxxx",
      "client-request-id": "aa324f0f-b4a3-4af6-9c4f-996e1959074e"
    }
  }
}

Below are some guidelines for resolving the error.

Check group type:

There are different types of groups, and not every group type can be managed through Microsoft Graph. Check this documentation to see whether the group you are working with can be managed by Microsoft Graph. You can use the Microsoft Graph Explorer tool to check these group attributes: groupTypes, mailEnabled, and securityEnabled.

GET https://graph.microsoft.com/beta/groups/<Group OID>?$select=displayName,groupTypes,mailEnabled,securityEnabled

Note:

1) You cannot change the group type after creation. See https://learn.microsoft.com/en-us/entra/fundamentals/how-to-manage-groups#edit-group-settings for more information.
2) You cannot use Microsoft Graph to manage the membership of a dynamic group (groupTypes contains the value "DynamicMembership").

Check required permission

Different group member types require different Microsoft Graph permissions. Check "Add members – Microsoft Graph v1.0 | Microsoft Learn" for more information. For the user member type, the required permission is GroupMember.ReadWrite.All.

Check if the group is a role-assignable group

A role-assignable group requires the additional permission RoleManagement.ReadWrite.Directory, as documented in "Add members – Microsoft Graph v1.0 | Microsoft Learn". You can check whether the group is role-assignable by using the Azure portal or Microsoft Graph Explorer.

Azure Portal:

MS Graph Explorer:

GET https://graph.microsoft.com/beta/groups/<Group OID>?$select=displayName,groupTypes,mailEnabled,securityEnabled,isAssignableToRole
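The three checks above can be folded into one triage routine that reads the group attributes returned by the $select query and reports whether Graph can manage the membership and which permission the caller must hold. This is an added example, not code from the original post or from Microsoft; the sample group objects and error body are constructed to mirror the responses shown on this page, and the rule about mail-enabled non-Unified groups comes from the Graph documentation rather than from this page.

```python
"""Triage a 403 Authorization_RequestDenied on POST /groups/{id}/members/$ref."""
from __future__ import annotations

GRAPH = "https://graph.microsoft.com/v1.0"


def build_add_member_request(group_id: str, user_id: str) -> tuple[str, dict]:
    """Build the URL and @odata.id body for the add-member call shown above."""
    url = f"{GRAPH}/groups/{group_id}/members/$ref"
    body = {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"}
    return url, body


def is_authorization_denied(error_body: dict) -> bool:
    """True when a Graph error response carries the code from this page."""
    return error_body.get("error", {}).get("code") == "Authorization_RequestDenied"


def diagnose_group(group: dict) -> dict:
    """Decide, from groupTypes/mailEnabled/isAssignableToRole, what the caller needs.

    Returns {"manageable": bool, "permissions": [...], "reason": str}.
    """
    group_types = group.get("groupTypes", [])
    if "DynamicMembership" in group_types:
        return {"manageable": False, "permissions": [],
                "reason": "dynamic group: membership is rule-driven, not editable via Graph"}
    if group.get("mailEnabled") and "Unified" not in group_types:
        # Graph docs (not this page): mail-enabled security and distribution
        # groups are read-only through Graph and are managed in Exchange.
        return {"manageable": False, "permissions": [],
                "reason": "mail-enabled security/distribution group: manage in Exchange"}
    perms = ["GroupMember.ReadWrite.All"]
    if group.get("isAssignableToRole"):
        perms.append("RoleManagement.ReadWrite.Directory")  # role-assignable group
    return {"manageable": True, "permissions": perms,
            "reason": "grant the listed permission(s) to the calling app or user"}


# Constructed samples shaped like the $select response on this page.
SAMPLE_GROUPS = {
    "security": {"displayName": "sec", "groupTypes": [], "mailEnabled": False,
                 "securityEnabled": True, "isAssignableToRole": False},
    "role_assignable": {"displayName": "pim", "groupTypes": [], "mailEnabled": False,
                        "securityEnabled": True, "isAssignableToRole": True},
    "dynamic": {"displayName": "dyn", "groupTypes": ["DynamicMembership"],
                "mailEnabled": False, "securityEnabled": True},
    "distribution": {"displayName": "dl", "groupTypes": [], "mailEnabled": True,
                     "securityEnabled": False},
}
SAMPLE_ERROR = {"error": {"code": "Authorization_RequestDenied",
                          "message": "Insufficient privileges to complete the operation."}}
```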
