Desired Behaviour
Create a group via Microsoft Graph, using the JavaScript SDK and MSAL in a single tenant application with delegated API permissions.
Actual Behaviour
{
"statusCode": 403,
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"requestId": "6e865d96-ef8b-408e-a905-5393b4adcfdc",
"date": "2020-05-16T20:20:15.000Z",
"body": "{\"code\":\"Authorization_RequestDenied\",\"message\":\"Insufficient privileges to complete the operation.\",\"innerError\":{\"request-id\":\"6e865d96-ef8b-408e-a905-5393b4adcfdc\",\"date\":\"2020-05-17T06:20:15\"}}"
}
What I've Tried
To create the code, I used the following API reference instructions:
Sign-in/sign-out and all other API requests are working.
Subscription
Microsoft 365 Business Standard Trial
API Permissions
Directory.AccessAsUser.All +++
Directory.ReadWrite.All ***
Group.ReadWrite.All
GroupMember.ReadWrite.All ***
openid
profile
Sites.Read.All
Tasks.ReadWrite
User.Read
*** I added these after reading this answer, but still get the same error.
+++ I added this after suggestion in answer below.
I have clicked the 'Grant admin consent' button in Azure app registrations area.
index.html
<!-- msal -->
<!-- from: https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-core -->
<script type="text/javascript" src="https://alcdn.msauth.net/lib/1.3.0/js/msal.js" integrity="****" crossorigin="anonymous"></script>
<!-- javascript sdk -->
<!-- from: https://github.com/microsoftgraph/msgraph-sdk-javascript -->
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/@microsoft/microsoft-graph-client/lib/graph-js-sdk.js"></script>
config.js
// msal options
const msalConfig = {
auth: {
clientId: "client-id-here",
redirectUri: "http://localhost:8080",
authority: "https://login.microsoftonline.com/tenant-id-here"
},
cache: {
cacheLocation: "sessionStorage",
storeAuthStateInCookie: false,
forceRefresh: false
}
};
// define application permissions
const scopes = ['directory.accessasuser.all', 'directory.readwrite.all', 'group.readwrite.all', 'groupmember.readwrite.all', 'openid', 'profile', 'sites.read.all', 'user.read', 'tasks.readwrite' ];
auth.js
const msalApplication = new Msal.UserAgentApplication(msalConfig);
const loginRequest = {
scopes: scopes
}
async function sign_in() {
try {
await msalApplication.loginPopup(loginRequest);
if (msalApplication.getAccount()) {
console.log("sign in success");
}
} catch (error) {
console.log("sign in error");
console.log(error);
}
}
function sign_out() {
msalApplication.logout();
}
graph.js
var path = "/groups";
var group = {
description: "Here is a description.",
displayName: "test_test_test",
groupTypes: [
"Unified",
"DynamicMembership"
],
mailEnabled: true,
mailNickname: "test_test_test",
securityEnabled: false, // initially i had this as true, doesn't seem to make a difference either way
visibility: "Hiddenmembership",
"[email protected]": [
"https://graph.microsoft.com/v1.0/users/my-user-id-here"
],
"[email protected]": [
"https://graph.microsoft.com/v1.0/users/my-user-id-here"
]
};
var response = await client.api(path)
.post(group);
Related reading:
Learn about Microsoft 365 Groups
Overview of Microsoft 365 Groups for administrators
Working with groups in Microsoft Graph
Create, edit, or delete a security group in the Microsoft 365 admin center
Creating teams and managing members using Microsoft Graph
Overview of Office 365 groups in Microsoft Graph
Other ideas about what could be causing error...
Visibility is supported only for unified groups; it is not supported for security groups.
Maybe the combination of securityEnabled: true and visibility:Hiddenmembership are not compatible?
I tried changing it to securityEnabled: false and got the same message.
Is there something wrong with the token?
I copied the Authorisation: Bearer value from Chrome dev tools console and pasted at https://jwt.io and there were two additional scopes provided in the token - but all other scopes are present:
