"Insufficient Privileges" Error when try to create a new office365 "Unified" Group

    Question

  • Hi all, I'll try to introduce my problem.

    I have created a custom C# application to create Office 365 "Unified" Groups programmatically; for authentication and the creation of the Graph client I used this sample: https://github.com/microsoftgraph/aspnet-snippets-sample.

    For the app registration I've created an application on this platform: https://apps.dev.microsoft.com/

    This is my situation: I log in with an administrator account and grant the admin-only scopes with a grant access link like this

    https://login.microsoftonline.com/common/oauth2/v2.0/authorize?scope=Directory.AccessAsUser.All+User.ReadWrite.All+User.Read.All+Group.ReadWrite.All+Directory.Read.All+Directory.ReadWrite.All+openid+email+profile+offline_access&client_id=[****]&response_type=code&redirect_uri=[****]%2F&login_hint=[****]&x-client-SKU=MSAL.Desktop&x-client-Ver=1.0.0.0&x-client-CPU=x64&x-client-OS=Microsoft+Windows+NT+10.0.14393.0&state=AAEAAAD%2f%2f%2f%2f%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%3d&domain_hint=organizations

    Then with this "Admin" account I can create groups and use all Graph functionality.

    If I log in with a user account and try to create a group, the application gives me this error: "insufficient privileges to complete the operation". I need to create a "Unified" group with user accounts.

    I've tried a lot of solutions but none of them solved my problem.

    Can anyone help me to solve this?

    Tuesday, March 14, 2017 11:32 AM

All replies

  • Giovanni,

    You will notice that one of the Permissions in your scope is "Directory.AccessAsUser.All" which means that the application will apply the permissions of the User Credentials passed. 

    Scope:       Directory.AccessAsUser.All
    Permission:  Access directory as the signed-in user
    Description: Allows the app to have the same access to information in the directory as the signed-in user.

    Thus, when you access the App as the Admin, you have all the permissions to perform any task within the tenant.  When you access the App as a normal user, it will default to "Delegated Permissions" (App + User Authorization) specified for the Application.  Please review the following article:

    App-only vs. delegated permissions - https://developer.microsoft.com/en-us/graph/docs/authorization/permission_scopes

    Also, the Office 365 unified API exposes two permission scopes for unified groups:
    • Group.Read.All
    • Group.ReadWrite.All

    So, you will need to ensure that the user has these permission scopes defined within the Portal under "Delegated Permissions".

    This should resolve your issue. 

    Thank you in advance,

    ~MIMUSH (MSFTE)


    Wednesday, March 15, 2017 6:33 PM
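As an added example (not code from this thread, from the asker's C# application, or from Microsoft's sample), the following Python script shows the mechanics behind the reply: it pulls the requested scopes out of an authorize URL like the one in the question, separates the delegated Microsoft Graph scopes that a tenant administrator must consent to before a non-admin user can use them from the ones any user can consent to, builds the v2.0 admin-consent URL, assembles the JSON body Graph expects for a Unified group, and recognises the "Insufficient privileges" error response. The tenant, client_id and redirect_uri values and the sample error body are constructed placeholders; the list of admin-consent-only scopes covers only the scopes that appear in the question.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Delegated Graph scopes from the question that require tenant administrator
# consent; a normal user cannot consent to these for themselves, so an app
# that requests them works for the admin but not for other users until an
# admin has consented on behalf of the tenant.
ADMIN_CONSENT_REQUIRED = {
    "Directory.AccessAsUser.All",
    "Directory.Read.All",
    "Directory.ReadWrite.All",
    "User.Read.All",
    "User.ReadWrite.All",
    "Group.Read.All",
    "Group.ReadWrite.All",
}

# Constructed authorize URL with the same scope list as the question;
# client_id and redirect_uri are placeholders, not real values.
SAMPLE_AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?scope=Directory.AccessAsUser.All+User.ReadWrite.All+User.Read.All"
    "+Group.ReadWrite.All+Directory.Read.All+Directory.ReadWrite.All"
    "+openid+email+profile+offline_access"
    "&client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2F"
)

# Constructed Graph error body in the shape returned for this failure.
SAMPLE_ERROR_RESPONSE = {
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
    }
}


def scopes_from_authorize_url(url):
    """Return the space-separated scope list requested in an authorize URL."""
    query = parse_qs(urlparse(url).query)
    # parse_qs already turns '+' into spaces, so a plain split is enough.
    return query.get("scope", [""])[0].split()


def classify_scopes(scopes):
    """Split scopes into (admin consent required, user may consent)."""
    needs_admin = sorted(s for s in scopes if s in ADMIN_CONSENT_REQUIRED)
    user_ok = sorted(s for s in scopes if s not in ADMIN_CONSENT_REQUIRED)
    return needs_admin, user_ok


def admin_consent_url(tenant, client_id, redirect_uri, state):
    """Build the v2.0 admin-consent URL an administrator visits once so the
    app's delegated permissions are granted for every user in the tenant."""
    params = urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    )
    return "https://login.microsoftonline.com/%s/adminconsent?%s" % (tenant, params)


def unified_group_payload(display_name, mail_nickname, description=""):
    """Request body for POST /groups that creates an Office 365 Unified group.
    A Unified group is mail-enabled and not security-enabled."""
    return {
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "description": description,
        "groupTypes": ["Unified"],
        "mailEnabled": True,
        "securityEnabled": False,
    }


def is_insufficient_privileges(error_body):
    """True when a Graph error body is the consent/permission failure from the
    question, so the app can tell it apart from a malformed request."""
    err = error_body.get("error", {})
    return err.get("code") == "Authorization_RequestDenied" and (
        "insufficient privileges" in err.get("message", "").lower()
    )


if __name__ == "__main__":
    scopes = scopes_from_authorize_url(SAMPLE_AUTHORIZE_URL)
    needs_admin, user_ok = classify_scopes(scopes)
    print("admin consent required:", needs_admin)
    print("user may consent:", user_ok)
    print(admin_consent_url("contoso.onmicrosoft.com",
                            "00000000-0000-0000-0000-000000000000",
                            "https://localhost/", "example-state"))
    print(unified_group_payload("Project Team", "projectteam", "demo"))
    print(is_insufficient_privileges(SAMPLE_ERROR_RESPONSE))
```

Running the script against the question's scope list shows that six of the ten requested scopes fall in the admin-consent-only set, which is consistent with the behaviour described: the administrator's own sign-in succeeds, while a normal user's sign-in produces the Authorization_RequestDenied error until the delegated permissions have been consented to for the whole tenant.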