I have the following code inside a Web API controller, part of which is only there for debugging purposes:
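/// <summary>
/// Creates a directory user from the posted account details and then links that user
/// into the security group whose display name is given by <c>accountInfo.SecurityGroup</c>.
/// </summary>
/// <param name="accountInfo">Caller-supplied user name, password and target group name.</param>
/// <exception cref="ArgumentNullException">The request body did not bind to an <c>AccountInfo</c>.</exception>
/// <exception cref="InvalidOperationException">
/// No group with the requested display name exists, or the newly created user cannot be read back.
/// </exception>
public void Register([FromBody]AccountInfo accountInfo)
{
    // A missing or unparseable body binds as null; fail here rather than on the first field access.
    if (accountInfo == null)
    {
        throw new ArgumentNullException("accountInfo");
    }

    // SECURITY NOTE(review): every value used below is caller-controlled. SecurityGroup in
    // particular selects which group the new account is linked into, so a caller may name any
    // group this service identity can write to. Constrain it to the set of groups this endpoint
    // is meant to manage (allow-list; TODO define) before relying on it for access control.
    //
    // Resolve the group before creating the user so that an unknown group name leaves no
    // orphaned account behind. The Equals call is kept as-is because this is a query expression
    // that is presumably translated by the directory service; a StringComparison overload may
    // not translate — confirm before changing.
    Group securityGroup = DirectoryService.groups
        .Where(g => g.displayName.Equals(accountInfo.SecurityGroup))
        .FirstOrDefault();
    if (securityGroup == null)
    {
        // Deliberately does not echo the caller-supplied name back into the error.
        throw new InvalidOperationException("The requested security group does not exist.");
    }

    User user = new User();
    user.accountEnabled = true;
    user.displayName = accountInfo.UserName;
    user.userPrincipalName = string.Format(
        CultureInfo.InvariantCulture,
        "{0}@{1}",
        user.displayName,
        ConfigurationManager.AppSettings["TenantDomainName"]);
    user.mailNickname = accountInfo.UserName;
    // The password is chosen by the caller and the account is not forced to rotate it at first
    // sign-in. NOTE(review): if this endpoint provisions accounts on someone else's behalf,
    // consider setting forceChangePasswordNextLogin to true.
    user.passwordProfile.password = accountInfo.Password;
    user.passwordProfile.forceChangePasswordNextLogin = false;
    DirectoryService.AddTousers(user);
    DirectoryService.SaveChanges();

    // Re-read the created user (kept from the original; presumably so the link below targets the
    // entity as tracked with its server-assigned objectId — confirm).
    User addedUser = DirectoryService.users
        .Where(u => u.objectId.Equals(user.objectId))
        .FirstOrDefault();
    if (addedUser == null)
    {
        throw new InvalidOperationException("The newly created user could not be read back from the directory.");
    }

    DirectoryService.LoadProperty(addedUser, "memberOf");
    DirectoryService.LoadProperty(securityGroup, "members");
    DirectoryService.AddLink(securityGroup, "members", addedUser);
    // NOTE(review): if this SaveChanges fails with Authorization_RequestDenied while the user
    // creation above succeeds, that suggests the calling identity can write users but not group
    // membership; confirm its group permissions in the directory rather than changing this code.
    DirectoryService.SaveChanges();
}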
The above code adds a user in Windows Azure Active Directory and then attempts to add that user to a group. The user gets added to WAAD without any glitches, but the code fails on the last line with a
"http://schemas.microsoft.com/ado/2007/08/dataservices/metadata\">Authorization_RequestDeniedInsufficient privileges to complete the operation."
error message. It doesn't let me add a user to a group. Since my Service Principal has enough privileges to add a user to AAD, why wouldn't it be able to add a user to an existing group?