
The docs state:

One of the following scopes is required to execute this API: Directory.ReadWrite.All OR Directory.AccessAsUser.All

http://jwt.calebb.net/ confirms that Directory.ReadWrite.All is one of the roles for my token, however the following request:

POST https://graph.microsoft.com/v1.0/directoryRoles/{directoryRoleObjectId}/members/$ref
{
  "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{userObjectId}"
}

Returns:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "{id}",
      "date": "2016-11-25T15:18:07"
    }
  }
}

Running a GET on the directoryRole returns data, so the Read permissions seem to be working. What am I missing?

This should work (with those permissions). Checked Directory.AccessAsUser.All (using an Admin account) and this works (checked using Graph Explorer). Will need to check separately for application permissions. - Dan Kershaw - MSFT

1 Answer


Directory.AccessAsUser.All (using an Admin account) allows you to add/remove users from a directory role. NOTE: this is a delegated permission. As far as I can tell, no other permission allows this operation, and we'll need to fix our docs. I will need to check back with some of our development team on this.
Question for you: Is there a reason why you need to use Application Permissions, and can't use Delegated Permissions?

Hope this helps,
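The root of the confusion in the question and the answer above is which permission model the token was issued under: Azure AD puts application permissions in the `roles` claim and delegated permissions in the `scp` claim. The following Python is an added example (not from the question, the answer, or Microsoft) that inspects a Graph token the same way jwt.calebb.net does and reports which model it is under; the two sample tokens are constructed inline and unsigned, and the helper never verifies signatures, so it is for inspection only.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload claims. No signature verification: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload_b64 = parts[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def permission_model(claims: dict) -> str:
    """Azure AD tokens carry delegated permissions in 'scp' (space-separated
    string) and application permissions in 'roles' (array of strings)."""
    if "scp" in claims:
        return "delegated"
    if "roles" in claims:
        return "application"
    return "unknown"


def granted_permissions(claims: dict) -> set:
    """Union of delegated scopes and application roles present in the token."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def can_add_role_member(claims: dict) -> bool:
    """Per the answer on this page, only the delegated Directory.AccessAsUser.All
    permission was observed to allow POST .../directoryRoles/{id}/members/$ref."""
    return (permission_model(claims) == "delegated"
            and "Directory.AccessAsUser.All" in granted_permissions(claims))


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline testing
    of the decoder only; a real Graph token is RS256-signed by Azure AD."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed samples: an app-only token like the asker's, and a delegated one.
APP_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["Directory.ReadWrite.All"]})
DELEGATED_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "Directory.AccessAsUser.All User.Read"})
```

Running `permission_model(decode_jwt_payload(APP_TOKEN))` on the asker's kind of token returns `"application"`, which is why Directory.ReadWrite.All showing up under `roles` did not satisfy a delegated-only operation.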