AlexFilipin / ConditionalAccess

MIT License

New-MgBetaGroup Insufficient privileges to complete the operation because of Parameter IsAssignableToRole:$true #43

Closed Mike2607 closed 2 months ago

Mike2607 commented 3 months ago

In the updated version of the script, creating groups no longer works. The error message shown below appears with the command `New-MgBetaGroup -DisplayName $Name -SecurityEnabled:$true -MailEnabled:$false -MailNickname "NotSet" -Visibility Private -IsAssignableToRole:$true`. If we leave out the `IsAssignableToRole:$true` parameter, creating the group works.

Is there any information about which permissions are missing?

```
New-MgBetaGroup : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2024-08-14T11:08:19
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : d0d2b3e0-a9b8-45c0-ada0-ed4f1ba5a466
client-request-id : d04be0ac-db69-4049-a5f7-56849a66da99
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Germany West Central","Slice":"E","Ring":"4","ScaleUnit":"004","RoleInstance":"FR2PEPF000003B8"}}
Link : <https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:cloudLicensing&from=2024-04-01&to=2024-05-01>;rel="deprecation";type="text/html",<https://developer.microsoft-tst.com/en-us/graph/changes?$filterby=beta,PrivatePreview:cloudLicensing&from=2024-04-01&to=2024-05-01>;rel="deprecation";type="text/html"
Deprecation : Fri, 19 Apr 2024 23:59:59 GMT
Sunset : Sun, 19 Apr 2026 23:59:59 GMT
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Wed, 14 Aug 2024 11:08:19 GMT
In Zeile:1 Zeichen:1
New-MgBetaGroup -DisplayName CA_TMP -SecurityEnabled:$true -MailEnabl ...
    CategoryInfo : InvalidOperation: ({ Headers = , b...oftGraphGroup }:<>f__AnonymousType22) [New-MgBetaGroup_CreateExpanded], Exception
    FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaGroup_CreateExpanded
```

bytewerk-lab commented 2 months ago

We have the same problem.

AlexFilipin commented 2 months ago

@Timsto can you take a look at this given you have taken over maintaining the repo? There are a few other issues too.

For this one, using role-assignable groups was a workaround because nothing better was available a couple of years ago. If I had to do this today I would create regular groups (not role-assignable) and then add them to a restricted management admin unit to protect them.
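The approach Alex describes above (a regular, non-role-assignable group placed into a restricted management administrative unit), as an added PowerShell example that is not part of this repository or of anyone's comment in this thread. The Graph scopes, the `CA-Restricted-AU` name and the `New-ProtectedCAGroup` function name are assumptions; the cmdlet parameters are those the issue already uses, minus `-IsAssignableToRole`.

```powershell
# Added example, not the repository's script: create a regular security group
# and protect it with a restricted management administrative unit (AU).
# Assumed delegated scopes; the page does not name the required permissions.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'AdministrativeUnit.ReadWrite.All'

function New-ProtectedCAGroup {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $AdminUnitName = 'CA-Restricted-AU'   # assumed AU name
    )

    # 1. Regular security group. Without -IsAssignableToRole:$true the call
    #    does not need the extra directory-role-management privilege that
    #    produced the 403 in this issue.
    $group = New-MgBetaGroup -DisplayName $Name -SecurityEnabled:$true `
        -MailEnabled:$false -MailNickname 'NotSet' -Visibility Private

    # 2. Reuse the restricted management AU if it already exists, otherwise
    #    create it. IsMemberManagementRestricted can only be set at creation;
    #    it cannot be switched on for an existing AU.
    $au = Get-MgBetaAdministrativeUnit -Filter "displayName eq '$AdminUnitName'"
    if (-not $au) {
        $au = New-MgBetaAdministrativeUnit -DisplayName $AdminUnitName `
            -IsMemberManagementRestricted:$true
    }

    # 3. Add the group to the AU by reference. From now on only principals
    #    holding a role scoped to this AU can modify the group or its
    #    membership; tenant-wide admins (including Global Administrator)
    #    are blocked unless explicitly scoped to the AU.
    New-MgBetaAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/beta/groups/$($group.Id)" }

    return $group
}

# Same display name the issue reporter used in the failing command.
New-ProtectedCAGroup -Name 'CA_TMP'
```

Because the AU is restricted, assign the script's identity a role scoped to that AU before it needs to change the groups again, otherwise later updates will also fail with a 403.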

Timsto commented 2 months ago

Will publish an update over the weekend.

Timsto commented 2 months ago

@Mike2607 do you run the script as a service principal or as a user? Additionally, I added a site with the required permission.

New Update will be published this evening!

Timsto commented 2 months ago

Declared the permission in the wiki. Added a new version where a mix of IsAssignableToRole True and False exists, plus a protection layer with a restricted management AU.