Group.ReadWrite.All is the graph API permission which is required for a service principal to allow creating groups in Azure AD. However, it would allow SPN to modify/delete any groups in the directory.
Could you please help to know how can we restrict the scope so the Service principal should only modify groups which it has created at the first place.
Unfortunately, I don't believe this is possible, since there is no such permissions for a service principal to only access groups that it creates. If this is an absolute requirement, then the only way that I can think of where you can limit the editing to the groups it owns is not to use the client credential flow, and to basically create a service account (regular user), use the ROPC flow (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) add Delegated permissions for group.readwrite.all. then the app will use that user which only has access to create groups and edit groups that it owns.
Adding the service principal as owner of the group worked for me also.
You just need to know that when you are logged with the service principal, you can do
az ad group member add -g myGroupObjectId --member-id myMemberObjectId
But you can't search your group by name, it will give you a permission denied
az ad group show --group myGroupName
