
I have a Logic App that is calling the Graph API to create lots of O365 Groups. For the creation, I am using Application permissions with a registered Azure app which works great.

However, I am now trying to hide O365 groups from the GAL.
I need to set these parameters:

```json
{
  "hideFromAddressLists": true,
  "hideFromOutlookClients": true
}
```

I am having the same issue described here. But I can't figure out how to call the Graph API on behalf of a user, with Delegated permissions. I've tried setting up an Azure Managed Identity and setting its permissions as per these instructions, but I am getting this error:

```json
"code": "ErrorGroupsAccessDenied"
"message": "User does not have permissions to execute this action.",
```

Can anyone help?

These are the App permissions I have set, but I am still getting "ErrorGroupsAccessDenied" "User does not have permissions to execute this action."

Tech Guy
  • Hi, may I know which permissions you added for the app registered in Azure AD? – Hury Shen May 21 '20 at 06:47
  • If you just add `Group.Create` permission for the app when you request the create group api, please add the other two permissions `Group.ReadWrite.All, Directory.ReadWrite.All` before you request the update group api because the document shows us the update group graph api supports "application permission". If it still doesn't work, you can refer to the solution provided below to get the access token with delegated permission and then request the update group api. – Hury Shen May 21 '20 at 07:08

1 Answer


As you mentioned, it requires to be called with delegated permission, so you can't get the access token just by MSI. According to the page you provided about MSI, it seems to just use the service principal to verify the permissions. It still uses application permission, not delegated permission. So please refer to the steps below to get the access token and then request the Graph API.

1. Create an "HTTP" action to get the access token (we need to use the username/password grant flow in this HTTP request).


2. Use a "Parse JSON" action to parse the response data from the HTTP action above.

3. Request the Graph API to update the group (with the access token from the "Parse JSON" action).


Please notice there is a space between "Bearer" and "access_token".

Hury Shen
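The three Logic App steps in the answer (token request with the username/password grant, parsing the token JSON, then the PATCH that sets the two `hideFrom…` properties from the question), written out as an added Python example. This is not code from the question, the answer, or Microsoft; the tenant, client id, client secret, user credentials and group id are placeholders you must supply, and the sample token and error bodies at the bottom are constructed for illustration. It includes the client secret in the token request (as the asker reported needing) and keeps the single space between `Bearer` and the token that the answer points out; it also extracts the Graph error `code` so an `ErrorGroupsAccessDenied` response can be told apart from other failures.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Endpoints behind the answer's three steps: the v2.0 token endpoint and the
# Graph v1.0 group resource. {tenant} and {group_id} are filled in by the caller.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GROUP_URL = "https://graph.microsoft.com/v1.0/groups/{group_id}"


def build_token_request(tenant, client_id, client_secret, username, password):
    """Step 1: username/password (ROPC) grant. The scope is Graph's /.default so the
    delegated Group.ReadWrite.All permission consented on the app is what gets issued.
    This grant only works for accounts that can sign in without an interactive prompt."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,   # the asker reported the secret was required
        "scope": "https://graph.microsoft.com/.default",
        "username": username,
        "password": password,
    }
    return Request(
        TOKEN_URL.format(tenant=tenant),
        data=urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(raw):
    """Step 2: the "Parse JSON" action. A failed grant returns error/error_description
    instead of access_token, so surface that rather than sending an empty bearer."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise RuntimeError(
            f"token request failed: {data.get('error')}: {data.get('error_description')}"
        )
    return data["access_token"]


def build_hide_group_request(group_id, access_token):
    """Step 3: PATCH the group with the two properties from the question.
    Note the single space in "Bearer <token>"."""
    body = {"hideFromAddressLists": True, "hideFromOutlookClients": True}
    return Request(
        GROUP_URL.format(group_id=group_id),
        data=json.dumps(body).encode(),
        headers={
            "Authorization": "Bearer " + access_token,
            "Content-Type": "application/json",
        },
        method="PATCH",
    )


def graph_error_code(raw):
    """Graph error bodies look like {"error": {"code": ..., "message": ...}}.
    Returns the code (e.g. ErrorGroupsAccessDenied) or None if the body is not JSON."""
    try:
        return json.loads(raw).get("error", {}).get("code")
    except (ValueError, AttributeError):
        return None


def hide_group(tenant, client_id, client_secret, username, password, group_id):
    """Runs the full flow against the live endpoints. Returns the HTTP status
    (Graph answers 204 No Content on success) or raises with the Graph error code."""
    with urlopen(build_token_request(tenant, client_id, client_secret, username, password)) as resp:
        token = parse_token_response(resp.read())
    try:
        with urlopen(build_hide_group_request(group_id, token)) as resp:
            return resp.status
    except HTTPError as err:
        code = graph_error_code(err.read())
        raise RuntimeError(f"Graph PATCH failed ({err.code}): {code}") from err


# Constructed sample bodies, used only to show the parsing offline.
SAMPLE_TOKEN_RESPONSE = b'{"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ.constructed.token"}'
SAMPLE_GRAPH_ERROR = (
    b'{"error": {"code": "ErrorGroupsAccessDenied", '
    b'"message": "User does not have permissions to execute this action."}}'
)

if __name__ == "__main__":
    token = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    req = build_hide_group_request("00000000-0000-0000-0000-000000000000", token)
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
    print("error code in sample failure:", graph_error_code(SAMPLE_GRAPH_ERROR))
```

`hide_group` is the only function that touches the network; the builders and parsers can be exercised offline, which is also where to check that the header the Logic App sends really is `Bearer <token>` with the space, since a missing space produces the same access-denied error as a wrong permission type.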
  • Hi @Hury Schen - thanks a lot, that worked! I had to add the client secret into the auth request FYI. I also had to make sure the account I'm using is an owner of the group. – Tech Guy May 22 '20 at 02:16
  • I spoke too soon - it's intermittently failing with "code": "ErrorGroupsAccessDenied", "message": "User does not have permissions to execute this action." (despite successfully getting the access token!) – Tech Guy May 22 '20 at 05:02
  • @TechGuy Could you please share a screenshot of the permissions which you added to the app in azure ad (go to your app in azure ad and share the screenshot of "API permissions" tab)? – Hury Shen May 22 '20 at 05:33
  • Hi @Hury Shen, sorry I am only just getting back to this. I have posted an image of the permissions, and the error I am getting. – Tech Guy Jun 11 '20 at 00:01
  • @TechGuy Could you please delete other permissions(also delete the application `Group.ReadWrite.All` permission), just keep one permission(delegated `Group.ReadWrite.All` permission). The access sometimes could be affected by adding too many permissions in your ad app. – Hury Shen Jun 11 '20 at 01:58
  • I need those permissions for other items that the Logic App is doing. – Tech Guy Jun 11 '20 at 03:38
  • @TechGuy Could you please remove them temporarily or register another app in ad just with one permission to test. – Hury Shen Jun 11 '20 at 05:01