
I am trying to create a security group in my Azure AD directory and add a B2C user (who has logged in) to that group.

const util = require('util');
const msRestAzure = require('ms-rest-azure');
const graphRbacManagementClient = require('azure-graph');

// Sign in as the service principal; tokenAudience 'graph' requests a token for Azure AD Graph.
msRestAzure.loginWithServicePrincipalSecret('72a3198b-', '-FvUZZ4G', tenantId, { tokenAudience: 'graph' }, function (err, credentials, subscriptions) {
    if (err) console.log("error: " + err);
    else {
        console.log(util.inspect(credentials));
        // Only build the client once credentials are available.
        var client = new graphRbacManagementClient(credentials, tenantId);
        client.groups.list({}, function(err, result){
            if(err){
                console.log('Could not list groups', err)
            }
            else {
                console.log("result: " + result);
            }
        })
    }
});

I have enabled the API permission on Azure....

Azure AD SP permissions

Although I authenticate using my SP successfully, I get a 403 back in response whether I try to create a new group or list the existing groups etc.

Any ideas on what I am doing wrong here?

UPDATE: I changed the code and used msRestAzure.loginWithUsernamePassword instead. The username and password I used were for a user with Admin privilege. After the change, the code worked and created/listed the group. So my guess is, the SP needs some sort of an Access/API permission that I haven't enabled. I just don't know what.

Sean D
  • perhaps [this sample](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-dotnetcore-webapi-roles-groups) would be of help. – derisen Aug 18 '20 at 19:27

1 Answer

graphRbacManagementClient does not support calling the MS Graph API. It is used for the Azure AD Graph API.

Here is a code sample that you can follow. It uses microsoft-graph-client for making calls to Microsoft Graph.

Get access token using client credentials flow:

const request = require("request");

// Token endpoint of the tenant (v2.0); [Tenant], [ApplicationID] and [Key] are placeholders.
const endpoint = "https://login.microsoftonline.com/[Tenant]/oauth2/v2.0/token";
const requestParams = {
    grant_type: "client_credentials",
    client_id: "[ApplicationID]",
    client_secret: "[Key]",
    // .default requests all application permissions granted to the app registration.
    scope: "https://graph.microsoft.com/.default"
};

request.post({ url:endpoint, form: requestParams }, function (err, response, body) {
    if (err) {
        console.log("error", err);
    }
    else {
        console.log("Body=" + body);
        let parsedBody = JSON.parse(body);
        if (parsedBody.error_description) {
            console.log("Error=" + parsedBody.error_description);
        }
        else {
            console.log("Access Token=" + parsedBody.access_token);
        }
    }
});

Call MS Graph API:

// Uses the same `request` module as above.
const request = require("request");

// list groups
function testListGroupGraphAPI(accessToken) {
    request.get({
        url:"https://graph.microsoft.com/v1.0/groups",
        headers: {
          "Authorization": "Bearer " + accessToken
        }
    }, function(err, response, body) {
        console.log(body);
    });
}

// create group
function testCreateGroupGraphAPI(accessToken) {
    request.post({
        url:"https://graph.microsoft.com/v1.0/groups",
        headers: {
           "Authorization": "Bearer " + accessToken
        },
        json: {
            "description": "Self help community for library",
            "displayName": "Library Assist",
            "groupTypes": [
                "Unified"
            ],
            "mailEnabled": true,
            "mailNickname": "library",
            "securityEnabled": false
        }
    }, function(err, response, body) {
        console.log(body);
    });
}

For more details, see here.


The permissions of Azure AD Graph are here:

(screenshot of the Azure AD Graph permissions; image not preserved)

unknown
  • As per my post, I am trying to create a Group in my Azure AD Directory using a service principal. I am NOT trying to get any info about the user etc. What SDK should I use? Any sample code would be appreciated. – Sean D Aug 18 '20 at 16:16
  • @SeanD You could use an access token to call the Graph API without user info. I updated my answer with the sample code. – unknown Aug 19 '20 at 02:29
  • @SeanD add this permission (navigate to Azure Active Directory Graph -> Application -> Directory.ReadWrite.All). You could call the API with `graphRbacManagementClient` – unknown Aug 19 '20 at 03:16
  • As you see from my screenshot, Directory.ReadWrite.All is added. Still getting 403. !@#$ – Sean D Aug 19 '20 at 15:31
  • @SeanD I mean the permission of **Azure Active Directory Graph**, not Microsoft Graph. Azure Active Directory Graph is the older version of MS Graph. If you still want to use MS Graph, the code in my answer will help. – unknown Aug 20 '20 at 01:14
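The following is an added example, not code from the question or the answer above, that does what the question asks (create a security group and add an already-known user to it) with the app-only client credentials flow the answer describes, and adds the check a practitioner wants before debugging a 403: an app-only token authorises through its `roles` claim, so if the token has no `Group.ReadWrite.All` or `Directory.ReadWrite.All` role the Microsoft Graph `/groups` call will be refused regardless of what the portal blade shows (the permission must be an application permission with admin consent, not a delegated one). It assumes Node.js 18+ (global `fetch`), and the tenant id, client id, client secret and member object id are read from the environment variables `TENANT_ID`, `CLIENT_ID`, `CLIENT_SECRET` and `USER_ID`, all of which are placeholders you supply. Unlike the answer's sample, the group payload sets `securityEnabled: true` and `mailEnabled: false`, which is what makes it a security group rather than a Microsoft 365 ("Unified") group.

```javascript
// Added example (not from the original post): app-only Microsoft Graph calls that
// create a security group and add a member, with a local pre-flight check that the
// token carries an application role. Assumes Node.js 18+ and env vars
// TENANT_ID, CLIENT_ID, CLIENT_SECRET, USER_ID (placeholders, not real values).

const GRAPH = "https://graph.microsoft.com/v1.0";

// Form body of the client-credentials token request. `.default` asks for every
// application permission that has been granted and admin-consented to the app.
function tokenRequestBody(clientId, clientSecret) {
  return new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    scope: "https://graph.microsoft.com/.default",
  }).toString();
}

// Decode the JWT payload locally without verifying it; Graph validates the
// signature, we only inspect the claims of a token we just obtained ourselves.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// App-only tokens authorise via the `roles` claim. A token with only `scp`
// (delegated scopes) or no roles at all gets 403 from /groups.
// Returns null when the token is sufficient, otherwise a diagnostic string.
function missingGroupPermission(token) {
  const roles = decodeJwtPayload(token).roles || [];
  const ok = roles.includes("Group.ReadWrite.All") || roles.includes("Directory.ReadWrite.All");
  return ok ? null
    : `token roles are [${roles.join(", ")}]; need Group.ReadWrite.All or ` +
      `Directory.ReadWrite.All as an admin-consented application permission`;
}

// Payload for a security group (mail-disabled, security-enabled, no groupTypes).
function securityGroupPayload(displayName, mailNickname, description) {
  return { displayName, description, mailNickname,
           mailEnabled: false, securityEnabled: true, groupTypes: [] };
}

// Body for POST /groups/{id}/members/$ref: a reference to the directory object.
function addMemberPayload(objectId) {
  return { "@odata.id": `${GRAPH}/directoryObjects/${objectId}` };
}

// Build an unsigned token with the given claims (constructed, for local tests only).
function constructedToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(claims)}.`;
}

async function getAppToken(tenantId, clientId, clientSecret) {
  const res = await fetch(`https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: tokenRequestBody(clientId, clientSecret),
  });
  const data = await res.json();
  if (!res.ok) throw new Error(`token request failed: ${data.error_description || res.status}`);
  return data.access_token;
}

// Minimal Graph call; on 403 it explains the likely cause from the token's claims.
async function graph(method, path, token, body) {
  const res = await fetch(`${GRAPH}${path}`, {
    method,
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body: body === undefined ? undefined : JSON.stringify(body),
  });
  if (res.status === 403) {
    throw new Error(`403 from ${path}: ${missingGroupPermission(token) || "check admin consent"}`);
  }
  if (!res.ok) throw new Error(`${res.status} from ${path}: ${await res.text()}`);
  return res.status === 204 ? null : res.json();
}

async function main() {
  const { TENANT_ID, CLIENT_ID, CLIENT_SECRET, USER_ID } = process.env;
  const token = await getAppToken(TENANT_ID, CLIENT_ID, CLIENT_SECRET);
  const problem = missingGroupPermission(token);
  if (problem) throw new Error(problem); // fail fast instead of debugging a 403 later
  const group = await graph("POST", "/groups", token,
    securityGroupPayload("B2C app users", "b2c-app-users", "Constructed example group"));
  await graph("POST", `/groups/${group.id}/members/$ref`, token, addMemberPayload(USER_ID));
  console.log(`created security group ${group.id} and added member ${USER_ID}`);
}

// Only hit the network when real settings are present.
if (typeof require !== "undefined" && require.main === module) {
  if (!process.env.CLIENT_SECRET) {
    console.log("set TENANT_ID, CLIENT_ID, CLIENT_SECRET and USER_ID to run against your tenant");
  } else {
    main().catch((e) => { console.error(e.message); process.exit(1); });
  }
}
```

Run it with the four environment variables set; if the token lacks the application role, the script stops before the Graph call with a message naming the missing permission, which is the same condition that otherwise surfaces only as an opaque 403.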