0
votes

I'm trying to add an Azure AD B2C user with the Microsoft Graph API to a group.

I've tried this documentation: https://docs.microsoft.com/de-de/graph/api/group-post-members?view=graph-rest-1.0&tabs=http

In Postman it looks like this: (Postman screenshot)

I have a valid token. The GUID of the group and the GUID of the user are correct. And I think that I have given all the needed permissions to my client: (API permissions screenshot)

But (if you look at the Postman screenshot) I get the error: "Insufficient privileges to complete the operation."

Does someone know what I'm doing wrong?

Thank you in advance for your help

Best regards Matthias

Comments:

- Raghavendra beldona: Can you share the correlation ID and timestamp details with us?
- Matthias Wirth: Sorry, but what do you mean by the correlation ID? Do you mean the Error-Request-ID (923669c2-8c1d-4720-9993-001431764e66) and the Error-date (2020-09-09T14:04:15)? If yes, you can also see it at the bottom of the Postman screenshot.
- Raghavendra beldona: Based on the error details it seems that you don't have the right permissions to assign a user to a group. Can you please check the permission details in the access token you are using to call the Graph API? For a quick check you can use Graph Explorer.
- Jas Suri - MSFT: If you post your token decoded (base64 decode) without the signature element, it'll be clear what the issue is.

2 Answers

0
votes

In the same directory, we can add an Azure AD B2C user with the Microsoft Graph API to an AD group. You can see the directories to which you belong in the upper right corner of your AD and B2C portals. I reproduced your problem with two different directories. That is, the AD and B2C directories are different.


0
votes

Thank you to @JasSuri. Your hint to decode the token helped me. In this token the roles were these: "roles":["User.ReadWrite.All","User.Invite.All","User.Read.All","User.Export.All","User.ManageIdentities.All"]

But in the app registration in the Azure portal I had set more permissions. Then I have registered the app again - in my opinion with the same settings. And now I have more roles: "roles":["User.ReadWrite.All","Group.Read.All","Directory.ReadWrite.All","Group.ReadWrite.All","User.Invite.All","Directory.Read.All","User.Read.All","GroupMember.Read.All","User.ManageIdentities.All","GroupMember.ReadWrite.All"]

And now it's working. So I don't know what I've done wrong, but now with the newly registered app it works.

Thank you to all for your help!

Best regards Matthias
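The check that resolved this thread (decode the access token and compare its `roles` claim against what the group-post-members call needs) is easy to script so it can be run before the Graph request instead of after a 403. The following Python is an added example and is not code from the question, the answers, or Microsoft; it decodes the JWT payload purely for local inspection (no signature verification, so it must never be used to decide whether to trust a token), collects application permissions from `roles` and delegated scopes from `scp`, and reports whether at least one of the permissions the documentation lists for adding a group member is present. The optional tenant check reflects the first answer's point that the token, the user and the group must belong to the same directory. The `GROUP_MEMBER_WRITE_ROLES` set, the `make_unsigned_demo_token` helper and the tenant IDs are constructed for this example; the two role lists are the ones Matthias posted.

```python
import base64
import json
from typing import Dict, List, Optional, Set

# Application permissions the group-post-members documentation lists for
# POST /groups/{id}/members/$ref; any one of them is sufficient.
# (Set constructed for this example from the roles named in the answer above.)
GROUP_MEMBER_WRITE_ROLES = {
    "GroupMember.ReadWrite.All",
    "Group.ReadWrite.All",
    "Directory.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Inverse of _b64url_decode, used only to build the constructed demo tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT without checking the signature.

    This is the same manual step suggested in the comments: inspect a token you
    already hold. It is NOT validation and says nothing about who issued the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: Dict) -> Set[str]:
    """Collect application permissions ('roles', a JSON list) and delegated
    scopes ('scp', a space-separated string) from an Azure AD access token."""
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def diagnose_group_member_token(token: str, expected_tenant_id: Optional[str] = None) -> List[str]:
    """Explain, from the token alone, why POST /groups/{id}/members would be
    rejected with 'Insufficient privileges'. An empty list means the token carries
    a sufficient permission (and was issued by the expected tenant, if one is given)."""
    claims = decode_jwt_claims(token)
    findings: List[str] = []

    perms = granted_permissions(claims)
    if not perms & GROUP_MEMBER_WRITE_ROLES:
        findings.append(
            "no group-member write permission; need one of "
            + ", ".join(sorted(GROUP_MEMBER_WRITE_ROLES))
            + "; token grants: "
            + (", ".join(sorted(perms)) or "nothing")
        )

    # 'tid' is the tenant (directory) that issued the token. The user and the
    # group being joined must live in this same directory.
    if expected_tenant_id is not None and claims.get("tid") != expected_tenant_id:
        findings.append(
            f"token issued by tenant {claims.get('tid')!r}, expected {expected_tenant_id!r}"
        )
    return findings


def make_unsigned_demo_token(claims: Dict) -> str:
    """Build a structurally valid JWT with a placeholder signature.
    Constructed sample input for this example; real tokens come from Azure AD."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


# Constructed tenant ID and the two role lists from the accepted answer.
DEMO_TENANT = "11111111-2222-3333-4444-555555555555"
BEFORE_TOKEN = make_unsigned_demo_token({
    "tid": DEMO_TENANT,
    "roles": ["User.ReadWrite.All", "User.Invite.All", "User.Read.All",
              "User.Export.All", "User.ManageIdentities.All"],
})
AFTER_TOKEN = make_unsigned_demo_token({
    "tid": DEMO_TENANT,
    "roles": ["User.ReadWrite.All", "Group.Read.All", "Directory.ReadWrite.All",
              "Group.ReadWrite.All", "User.Invite.All", "Directory.Read.All",
              "User.Read.All", "GroupMember.Read.All", "User.ManageIdentities.All",
              "GroupMember.ReadWrite.All"],
})

if __name__ == "__main__":
    for label, tok in (("before re-registration", BEFORE_TOKEN), ("after re-registration", AFTER_TOKEN)):
        print(label, "->", diagnose_group_member_token(tok, DEMO_TENANT) or ["ok"])
```

Run it against a real token by pasting the bearer string from Postman into `diagnose_group_member_token`; if the `roles` claim is missing the group-write permissions even though they are granted in the app registration, a fresh token (or, as happened here, a fresh registration) is the next thing to check, because the permission set is frozen into the token at issue time.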