3

I have been trying to set the following values on a group using graph using the beta API:

```
{
  "hideFromOutlookClients": true,
  "hideFromAddressLists": true
}
```

However, I get the following error:

```
{
  "code": "ErrorGroupsAccessDenied",
  "message": "User does not have permissions to execute this action."
}
```

The application does have the required permissions for updating a Group; in fact, updating a group's description works just fine. These two properties were added a few months back but they seem to require a different permission. I cannot find any other "group" related permission to assign.

Has anyone used these properties before that could shed some light on the subject?

Marc LaFleur
HardCoded

1 Answer

4

I have tested your scene.

To update "hideFromOutlookClients" and "hideFromAddressLists", we have to assign Group.ReadWrite.All Delegated Permission.

The other two Delegated Permissions Directory.ReadWrite.All and Directory.AccessAsUser.All don't work. (But these two permissions work for updating "description")

The beta version of Microsoft Graph API is continuously improving, so there may be some unexpected issues.


UPDATE:

You are using Application permissions rather than Delegated permissions. Unfortunately, Application permissions are not supported currently based on my test. You need to assign Group.ReadWrite.All Delegated Permission and call this API on behalf of a user.

Allen Wu
  • Hi Allen, thanks for the response. The application already has both Delegated & Application permissions for ```Group.ReadWrite.All```. I gave it access to the ```Directory.ReadWrite.All``` and ```Directory.AccessAsUser.All``` as per the documentation like you said but I still receive the ErrorGroupsAccessDenied error response which is why I am so baffled. – HardCoded Dec 04 '19 at 10:12
  • @HardCoded, after getting the access token, put it to https://jwt.io to see if it has the required permission Directory.ReadWrite.All. – Allen Wu Dec 05 '19 at 01:33
  • Useful site! Thanks for the link. As you can see, it does have the correct role (apologies, still trying to get used to the markup here): ```"roles": [ "User.ReadWrite.All", "Directory.ReadWrite.All", "Group.Create", "Group.ReadWrite.All", "Directory.Read.All", "User.Read.All", "GroupMember.Read.All", "MailboxSettings.ReadWrite", "GroupMember.ReadWrite.All", "Group.Selected" ]``` – HardCoded Dec 05 '19 at 09:19
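
Added example (not part of the answer or comments above): a local check that decodes an access token's claims without sending the bearer token to a third-party site, and reports whether it carries delegated permissions (the `scp` claim) or application permissions (the `roles` claim), which is the distinction the answer's UPDATE turns on. The function names and both sample tokens are constructed for this illustration; the samples are unsigned and are not real credentials.

```python
import base64
import json

REQUIRED = "Group.ReadWrite.All"  # permission named in the answer above


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the JWT payload locally. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(token: str) -> dict:
    """Report whether the token holds delegated (scp) or application (roles) permissions."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()  # delegated: space-separated string
    roles = claims.get("roles", [])         # application: JSON array
    kind = "delegated" if scopes else "application" if roles else "none"
    return {
        "kind": kind,
        "permissions": scopes or roles,
        # Per the answer, only a delegated token with Group.ReadWrite.All works here.
        "meets_answer_requirement": kind == "delegated" and REQUIRED in scopes,
    }


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (hypothetical helper)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


# Constructed samples: an app-only token shaped like the one in the comment,
# and a delegated token obtained on behalf of a user.
APP_TOKEN = make_sample({"roles": ["Directory.ReadWrite.All", "Group.ReadWrite.All"]})
USER_TOKEN = make_sample({"scp": "Group.ReadWrite.All User.Read"})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_TOKEN), ("delegated", USER_TOKEN)):
        print(name, classify(tok))
```

A token whose permissions appear under `roles` was issued for the application itself, so having `Group.ReadWrite.All` listed there does not satisfy the delegated requirement described in the answer.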