Microsoft Graph API: Delete a group and permissions

What I am trying to do

Delete a group via graph REST API.

Issue

I am getting insufficient rights to perform the operations

Rights for my app

My App is a Web api app. For the applications that can be integrated with my app, I have given Microsoft graph api delegated rights to read and write all groups. No application rights is given.

What I tried

I gave all delegated rights to Microsoft graph, clicked grant permissions. Still no change, could not delete groups.

Possible solutions

Msft info says that Group.ReadWrite does not give rights to delete entities. The Msft info is really unclear on what one should do wrt to the delete of entities, what I got from the info is that a lot depends on the rights of the person calling the app, so the app would act on behalf of the person who may be an admin. But people write apps which will act as independent entities or a service.

Several people have encountered this error and the recommended solution is to give the app id “company administrator” role. I did that and it worked, but that is an overkill just to delete a group.

What worked with least privilege

Removed the “company admin” role. Went back to the app permission page and gave the Microsoft graph api

  1. application permission to read/write all groups in addition to the
  2. delegated rights to read/write all groups and read all groups.

Applied the grant permissions button. Waited a little while for permissions to propagate and then ran my delete group function. It works!

Advertisements