Microsoft Graph API: “Insufficient privileges to …” DELETE a Group

Recently, had a task to DELETE an Azure AD Group by using application client credentials.

  1. Custom application were registered in Azure AD.
  2. All possible permission were assigned to the application
  3. But the DELETE https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/group_delete request failed anyway with the error below
{ 
  "error": { 
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "fa1a14bf-6168-0000-b247-5ed17dafd08e",
      "date": "2016-12-22T19:53:59"
    }
  }
}

It turned out that you have to assign application principal object id to a “Company Administrator” role. Right now this is possible to do only trough PowerShell CMDlet https://docs.microsoft.com/en-us/powershell/msonline/v1/add-msolrolemember

Below is the the PowerShell script:

$tenantGuid = '4e4628a1-EXAM-PLE0-9064-44c1ab290b7f'
$user = 'admin@b940edadEXAMPLE093.onmicrosoft.com'
$password = 'YOUR PASSWORD'
$appID = '0bb0bda3-19b0-EXAM-PLE0-29d10a8cbecd'

$Creds = New-Object System.Management.Automation.PsCredential($user, (ConvertTo-SecureString $password -AsPlainText -Force))

Connect-MSOLSERVICE -Credential $Creds
$msSP = Get-MsolServicePrincipal -AppPrincipalId $appID -TenantID $tenantGuid

#ID of the Application's object (not the same as Application Id defined above)
$objectId = $msSP.ObjectId
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

 

Wait 3-5 minutes… It should work now.