Microsoft Graph API: “Insufficient privileges to …” DELETE a Group

Recently I had a task to DELETE an Azure AD group using application client credentials.

  1. A custom application was registered in Azure AD.
  2. All possible permissions were assigned to the application.
  3. But the DELETE request (https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/group_delete) failed anyway with the error below:
{ 
  "error": { 
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "fa1a14bf-6168-0000-b247-5ed17dafd08e",
      "date": "2016-12-22T19:53:59"
    }
  }
}

It turned out that you have to add the application's service principal, identified by its object ID, to the “Company Administrator” role. Right now this is only possible through the PowerShell cmdlet Add-MsolRoleMember: https://docs.microsoft.com/en-us/powershell/msonline/v1/add-msolrolemember

Below is the PowerShell script:

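# Tenant ID, admin account and the application's client ID (Application Id)
$tenantGuid = '4e4628a1-EXAM-PLE0-9064-44c1ab290b7f'
$user = 'admin@b940edadEXAMPLE093.onmicrosoft.com'
$password = 'YOUR PASSWORD'
$appID = '0bb0bda3-19b0-EXAM-PLE0-29d10a8cbecd'

# Build a credential object from the admin user name and password
$Creds = New-Object System.Management.Automation.PsCredential($user, (ConvertTo-SecureString $password -AsPlainText -Force))

# Sign in to Azure AD with the MSOnline module
Connect-MsolService -Credential $Creds
# Look up the service principal that backs the registered application
$msSP = Get-MsolServicePrincipal -AppPrincipalId $appID -TenantID $tenantGuid

# Object ID of the application's service principal (not the same as the Application Id defined above)
$objectId = $msSP.ObjectId
# Add the service principal to the "Company Administrator" role
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId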

Wait 3-5 minutes… It should work now.
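A check to run after the role assignment above, added here as an example and not part of the original post: it lists the service principals that hold “Company Administrator” (the role the Azure portal shows as Global Administrator) and reports whether the application is among them. It assumes the MSOnline module and an existing Connect-MsolService session; the function name Get-RoleServicePrincipal is hypothetical and $appID is the placeholder value from the script above.

```powershell
# Added example: audit which service principals hold "Company Administrator".
# Assumes Connect-MsolService has already been run in this session.
$appID    = '0bb0bda3-19b0-EXAM-PLE0-29d10a8cbecd'   # placeholder, as in the post
$roleName = 'Company Administrator'

# Hypothetical helper: returns one object per service principal in the role.
function Get-RoleServicePrincipal {
    param([Parameter(Mandatory)][string]$RoleName)

    $role = Get-MsolRole -RoleName $RoleName
    if (-not $role) { throw "Role '$RoleName' not found in this tenant." }

    # Role members can be users or service principals; keep only the latter.
    Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' } |
        ForEach-Object {
            $sp = Get-MsolServicePrincipal -ObjectId $_.ObjectId
            [pscustomobject]@{
                DisplayName    = $sp.DisplayName
                AppPrincipalId = "$($sp.AppPrincipalId)"   # compare as string
                ObjectId       = $sp.ObjectId
            }
        }
}

$holders = @(Get-RoleServicePrincipal -RoleName $roleName)
$holders | Format-Table -AutoSize

# Confirm the assignment for the application from the post.
$mine = $holders | Where-Object { $_.AppPrincipalId -eq $appID }
if ($mine) {
    "Application $appID is a member of '$roleName' (object ID $($mine.ObjectId))."
} else {
    "Application $appID is not a member of '$roleName' (not assigned, or not yet propagated)."
}
```

Remove-MsolRoleMember takes the same -RoleName, -RoleMemberType and -RoleMemberObjectId parameters and reverses the assignment once the application no longer needs the role.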


PowerSlim on codeplex

We have launched the PowerSlim project on CodePlex.

Q: Why CodePlex? Why not GitHub or LaunchPad?

A: This project is intended to bring the Microsoft Windows PowerShell scripting language to the acceptance testing world. The current implementation is built on top of IronPython 2.6. So it looks like all roads lead us to Microsoft 🙂