Forum Discussion
Granting App ability to change group memberships by making it an owner?
Hello,
We'd like an app to be able to control memberships of only certain security groups using app-based authentication.
Today it is documented that a GroupMember.ReadWrite.All role is needed to do this on the app registration:
https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http
This, however, grants access to the app to make changes to any group.
However, we have noticed that API calls to change memberships work on groups owned by the Service Principal.
For example, if I make a call to the API below for memberships and the app is assigned as the owner of the group, it works.
https://graph.microsoft.com/v1.0/groups/{{group-id}}/members/
Is this a supported mechanism? I don't see it documented anywhere.
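The owner-scoped write described in the post, as an added example that is not code from the thread: the app performs app-only Graph calls, but before every membership write it checks GET /groups/{id}/owners for its own service principal object id and refuses locally otherwise, so a bug or a stolen client secret cannot push the app toward groups it was never meant to touch. The HTTP transport is injectable, so the logic runs offline against a constructed directory; `make_urllib_transport` is the real-Graph variant and assumes the caller has already obtained an app-only (client credentials) bearer token. The group ids, member ids and service principal id below are constructed values.

```python
# Added example (not from the thread): app-only Graph membership writes scoped
# to groups the service principal owns. The transport is injectable so this runs
# offline; see make_urllib_transport for the variant that talks to Graph.
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# Transport signature: (method, url, json_body) -> parsed JSON dict ({} on 204).
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def build_add_member_request(group_id: str, member_id: str) -> Dict[str, Any]:
    """Request shape for POST /groups/{id}/members/$ref: the body is an
    @odata.id reference to the directory object being added."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/groups/{group_id}/members/$ref",
        "body": {"@odata.id": f"{GRAPH}/directoryObjects/{member_id}"},
    }


def sp_owns_group(http: Transport, group_id: str, sp_object_id: str) -> bool:
    """True when the app's own SP object id appears in GET /groups/{id}/owners."""
    page = http("GET", f"{GRAPH}/groups/{group_id}/owners?$select=id", None)
    return any(o.get("id") == sp_object_id for o in page.get("value", []))


def add_member_if_owner(http: Transport, group_id: str, member_id: str,
                        sp_object_id: str) -> Dict[str, Any]:
    """Client-side guard: refuse unless the SP owns the target group, so the
    app never even attempts a write outside the groups it is meant to manage."""
    if not sp_owns_group(http, group_id, sp_object_id):
        raise PermissionError(f"SP {sp_object_id} does not own group {group_id}")
    req = build_add_member_request(group_id, member_id)
    return http(req["method"], req["url"], req["body"])


def make_urllib_transport(access_token: str) -> Transport:
    """Real transport using only the standard library. The bearer token must
    already have been acquired app-only (client credentials); that step is
    assumed here and not shown."""
    def http(method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return http


# --- Constructed offline fixture (not real tenant data) ----------------------
SP_ID = "00000000-0000-0000-0000-00000000aaaa"   # constructed app SP object id
FAKE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "g-owned": {"owners": [SP_ID], "members": []},
    "g-other": {"owners": ["11111111-2222-3333-4444-555555555555"], "members": []},
}


def make_fake_transport(directory: Dict[str, Dict[str, List[str]]]) -> Transport:
    """Offline stand-in for Graph that honours only the two calls used above."""
    def http(method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        path = url[len(GRAPH):].split("?")[0]
        parts = path.strip("/").split("/")   # ['groups', id, 'owners'|'members', '$ref'?]
        group = directory[parts[1]]
        if method == "GET" and parts[2] == "owners":
            return {"value": [{"id": o} for o in group["owners"]]}
        if method == "POST" and parts[2:] == ["members", "$ref"]:
            group["members"].append(body["@odata.id"].rsplit("/", 1)[-1])
            return {}   # Graph answers 204 No Content for this call
        raise ValueError(f"unexpected call {method} {path}")
    return http


if __name__ == "__main__":
    http = make_fake_transport(FAKE_DIRECTORY)
    add_member_if_owner(http, "g-owned", "user-1", SP_ID)
    print(FAKE_DIRECTORY["g-owned"]["members"])       # ['user-1']
    try:
        add_member_if_owner(http, "g-other", "user-1", SP_ID)
    except PermissionError as e:
        print("refused:", e)
```

The pre-check does not replace the tenant-side permission model (the app still holds whatever Graph permission the write requires), but it gives the app a single, auditable place where the intended scope is enforced, and the same owners query is what a reviewer would run periodically to confirm the service principal has not quietly become owner of more groups than expected.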
I don't recall ever seeing a mention in the documentation about any scenario in which the app/service principal is assigned as an owner of another object, say a group or another SP... as long as it works for your use case, go for it. The alternative would be to try to scope the permissions via Administrative units, which is still subject to tons of limitations.