0 votes

I have created a Service Principal for Azure DevOps and am trying to add a new member to an Azure AD group via a DevOps pipeline. The group contains only users until now. Here is what I have already done:

  • I have established the ARM service connection in Azure DevOps.
  • I gave the Service Principal the API permission Group.ReadWrite.All in Active Directory / App registrations / SP_name / Microsoft Graph.
  • I have run the script in an Azure CLI task in Azure DevOps: az ad group member add --group XXX-YYY-groupname --member-id 111111-111-111-111-11111

The DevOps pipeline fails with the message: ERROR: Insufficient privileges to complete the operation.

What am I missing when delegating the DevOps Service Principal the right to add members to my group?


2
Rahul Shukla: In Azure AD you need to "Grant Admin Permission"; it should work after that.
Gaurav Mantri: @RahulShukla ...granting admin permission will solve all the problems :P

2 Answers

1 vote

I believe the permission you would need is GroupMember.ReadWrite.All. From this link:

Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted.

1 vote

Make sure you have the Groups Administrator role.

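Both answers, and the comments on the question, come down to what the token issued to the pipeline's service principal actually carries. An ARM service connection authenticates with client credentials, so the token only holds Microsoft Graph application permissions (type "Role") that an admin has consented to, which exist as appRoleAssignments on the service principal object; permissions ticked in the app registration but never consented do nothing, and delegated permissions (type "Scope", the form whose description the first answer quotes, "the signed-in user has access to") need a signed-in user and never apply to a pipeline identity. The second answer's route, a directory role such as Groups Administrator on the service principal, is the alternative. The pre-flight check below is an added example, not code from the question or either answer; it models the three things to inspect in the tenant (the app registration's requiredResourceAccess as shown by az ad app permission list, the service principal's appRoleAssignments as returned by az rest against Graph, and its directory roles) and runs offline on constructed data. All GUIDs, object ids and role lists in the SAMPLE_ and STATES values are made up; the only real, tenant-independent value is the Microsoft Graph application id 00000003-0000-0000-c000-000000000000.

```python
# Added example, not code from the question or the answers. Models which of the
# service principal's rights reach a client-credentials token: only admin-consented
# *application* permissions (appRoleAssignments) or a directory role count; a
# delegated permission never does. All ids in SAMPLE_*/STATES are constructed.

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, same in every tenant

# Any one of these application permissions, or any one of these roles, is enough.
SUFFICIENT_APP_PERMISSIONS = {"GroupMember.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"}
SUFFICIENT_DIRECTORY_ROLES = {"Groups Administrator", "Global Administrator"}


def graph_role_names(graph_app_roles):
    """appRole id -> value for Graph application permissions.
    Real data: az ad sp show --id 00000003-0000-0000-c000-000000000000 --query appRoles"""
    return {r["id"]: r["value"] for r in graph_app_roles if "Application" in r["allowedMemberTypes"]}


def configured_permissions(required_resource_access, graph_app_roles, graph_scopes):
    """Permissions listed on the app registration (az ad app permission list), keyed by type.
    Configured means the box is ticked in the portal, not that consent was granted."""
    names = {"Role": graph_role_names(graph_app_roles),
             "Scope": {s["id"]: s["value"] for s in graph_scopes}}
    out = {"Role": set(), "Scope": set()}
    for resource in required_resource_access:
        if resource["resourceAppId"] != GRAPH_APP_ID:
            continue  # permissions on other APIs are irrelevant to Graph calls
        for access in resource["resourceAccess"]:
            out[access["type"]].add(names[access["type"]].get(access["id"], access["id"]))
    return out


def consented_permissions(app_role_assignments, graph_app_roles, graph_sp_object_id):
    """Application permissions an admin actually granted: what the token will carry.
    Real data: az rest --method get --url
      https://graph.microsoft.com/v1.0/servicePrincipals/<sp-object-id>/appRoleAssignments"""
    roles = graph_role_names(graph_app_roles)
    return {roles[a["appRoleId"]] for a in app_role_assignments
            if a["resourceId"] == graph_sp_object_id and a["appRoleId"] in roles}


def diagnose(configured, consented, directory_roles):
    """Return (can_add_members, reason); effective rights are checked before configured ones."""
    if SUFFICIENT_APP_PERMISSIONS & consented:
        return True, "consented application permission: " + ", ".join(sorted(SUFFICIENT_APP_PERMISSIONS & consented))
    if SUFFICIENT_DIRECTORY_ROLES & set(directory_roles):
        return True, "directory role: " + ", ".join(sorted(SUFFICIENT_DIRECTORY_ROLES & set(directory_roles)))
    if SUFFICIENT_APP_PERMISSIONS & configured["Role"]:
        return False, "application permission configured but admin consent not granted"
    if SUFFICIENT_APP_PERMISSIONS & configured["Scope"]:
        return False, ("permission added as Delegated; a service principal has no signed-in user, "
                       "add the Application permission and grant admin consent")
    return False, "no group-management permission or directory role on the service principal"


# ---- constructed sample data: shapes follow the Graph objects, ids are made up ----
GRAPH_SP_OBJECT_ID = "11111111-1111-4111-8111-111111111111"
ROLE_GROUPMEMBER_RW = "aaaaaaaa-0000-4000-8000-000000000001"
ROLE_GROUP_RW = "aaaaaaaa-0000-4000-8000-000000000002"
SCOPE_GROUP_RW = "bbbbbbbb-0000-4000-8000-000000000001"
SAMPLE_GRAPH_APP_ROLES = [
    {"id": ROLE_GROUPMEMBER_RW, "value": "GroupMember.ReadWrite.All", "allowedMemberTypes": ["Application"]},
    {"id": ROLE_GROUP_RW, "value": "Group.ReadWrite.All", "allowedMemberTypes": ["Application"]},
]
SAMPLE_GRAPH_SCOPES = [{"id": SCOPE_GROUP_RW, "value": "Group.ReadWrite.All"}]  # delegated scopes


def graph_access(access_id, kind):
    """One requiredResourceAccess entry for Microsoft Graph."""
    return [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [{"id": access_id, "type": kind}]}]


# Four possible states of the pipeline's service principal, constructed to match the thread.
STATES = {
    # ticked in the portal, consent never granted: what the comments point at
    "configured, not consented": dict(required=graph_access(ROLE_GROUP_RW, "Role"), assignments=[], roles=[]),
    # delegated form only: never reaches a client-credentials token
    "delegated only": dict(required=graph_access(SCOPE_GROUP_RW, "Scope"), assignments=[], roles=[]),
    # first answer's fix: GroupMember.ReadWrite.All as Application permission, admin-consented
    "fixed by app permission": dict(required=graph_access(ROLE_GROUPMEMBER_RW, "Role"),
                                    assignments=[{"appRoleId": ROLE_GROUPMEMBER_RW, "resourceId": GRAPH_SP_OBJECT_ID}],
                                    roles=[]),
    # second answer's fix: directory role on the service principal
    "fixed by directory role": dict(required=[], assignments=[], roles=["Groups Administrator"]),
}


def check(state):
    configured = configured_permissions(state["required"], SAMPLE_GRAPH_APP_ROLES, SAMPLE_GRAPH_SCOPES)
    consented = consented_permissions(state["assignments"], SAMPLE_GRAPH_APP_ROLES, GRAPH_SP_OBJECT_ID)
    return diagnose(configured, consented, state["roles"])


if __name__ == "__main__":
    for name, state in STATES.items():
        ok, why = check(state)
        print(f"{name:26} {'OK  ' if ok else 'FAIL'} {why}")
```

To apply this to a real tenant, feed `configured_permissions` the output of `az ad app permission list --id <app-id>`, `consented_permissions` the `value` array from the `az rest` call on the service principal's appRoleAssignments, and `diagnose` the display names of the directory roles the service principal is a member of. The "configured, not consented" state is cleared with `az ad app permission admin-consent --id <app-id>` (or the Grant admin consent button in the portal), which is the step the comments describe.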