SP Admin role cannot modify O365 groups programmatically


I have a customer where we only have the SP Admin role. We don't have global admin rights. Recently MS granted the SP Admin role the privileges to create/modify/delete O365 groups and add/remove their owners and members. I can use the Admin Center UI to create/delete/etc. O365 groups. If I try to use the Exchange Online PowerShell, I can create/import a session and run Get-UnifiedGroup successfully to view a list of O365 groups. However, when I try to run Set-UnifiedGroup or Add-UnifiedGroupLinks, I get "The term '...Unifiedgroup...' is not recognized as the name of a cmdlet...". These cmdlets aren't made available when you import the session. If the SP Admin role can do this through the UI, shouldn't it be able to do the same through PowerShell?


PS: I also tried the PnP version, but that's another issue with the scopes.


Why would you expect a SharePoint role to get access to additional Exchange cmdlets? The way I understand it, they've granted permissions on Azure AD and possibly the Graph API, which is what's executed from the O365 Admin center anyway. If you want to perform those tasks with the Exchange cmdlets, add the relevant roles (Mail Recipients is sufficient).

It does have the privilege to do that. If it can do it using the UI, it should be able to do it through the APIs as well. This might have been overlooked when the SP Admin role was given additional privileges for O365 groups recently.

The O365 Admin center UI does NOT use Exchange PowerShell cmdlets to execute group-related tasks though, and having permissions in one tool/API doesn't necessarily mean you should get the corresponding permissions across all. You can always open a UserVoice item or leave feedback on the documentation, or just add the relevant permissions yourself.

@Vasil Michev Thanks. Obviously the UI doesn't use PowerShell, but both the UI and PowerShell are probably hitting the same backend APIs, probably Graph. Unfortunately, we're limited to the SP Admin role and can't be granted additional permissions at this time. Ideally, New-PnPSite or New-PnPTenantSite could take in an Owners parameter and make them O365 Group Owners if the new site is an O365 Group connected site.

They aren't hitting the same APIs. Don't expect the different teams at Microsoft to talk to each other :)


Eventually all should be moved to the Graph, but currently we have zero support for any Exchange-related cmdlet there. So if you want to leverage Exchange cmdlets, make sure you have the necessary permissions in Exchange Online.


I'm not sure about the PnP cmdlets, as I'm more of an Exchange guy.
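An added check (not from any poster in this thread) that ties the "is not recognized" symptom back to Exchange Online RBAC: for each cmdlet it reports whether the current session exposes it, which management roles contain it, and which of those roles a given user actually holds. It assumes an existing Exchange Online connection, that the running account is allowed to read role assignments, and a placeholder UPN.

```powershell
# Added example, not the thread's own code. Requires an Exchange Online session
# (e.g. Connect-ExchangeOnline) and permission to read management role assignments.
function Get-CmdletRoleCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $Cmdlet,
        [Parameter(Mandatory)] [string]   $UserPrincipalName
    )
    foreach ($name in $Cmdlet) {
        # 1. Is the cmdlet present in this session at all? Exchange Online only
        #    proxies cmdlets the connecting account's roles allow, so a missing
        #    role shows up as "The term '...' is not recognized as the name of a cmdlet".
        $inSession = [bool](Get-Command -Name $name -ErrorAction SilentlyContinue)

        # 2. Which management roles contain an entry for this cmdlet
        #    (for the UnifiedGroup cmdlets this includes Mail Recipients).
        $roles = @(Get-ManagementRole -Cmdlet $name | Select-Object -ExpandProperty Name)

        # 3. Which of those roles reach the user, directly or via a role group.
        #    -GetEffectiveUsers expands role-group membership into EffectiveUserName.
        $held = foreach ($role in $roles) {
            $match = Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
                Where-Object { $_.EffectiveUserName -eq $UserPrincipalName }
            if ($match) { $role }
        }

        [pscustomobject]@{
            Cmdlet         = $name
            InSession      = $inSession
            GrantedByRoles = ($roles -join ', ')
            HeldByUser     = (@($held | Sort-Object -Unique) -join ', ')
        }
    }
}

# Usage: the UPN below is a placeholder, replace it with the account being checked.
Get-CmdletRoleCoverage -Cmdlet 'Set-UnifiedGroup', 'Add-UnifiedGroupLinks' `
    -UserPrincipalName 'spadmin@contoso.example' | Format-Table -AutoSize
```

An empty HeldByUser column with a non-empty GrantedByRoles column is the least-privilege answer to the thread: assign one of the listed roles (Mail Recipients is the smallest that covers these cmdlets) rather than Global Admin, then reconnect so the session picks up the new cmdlets.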