microsoftgraph / msgraph-sdk-serviceissues

Tracks service issues for follow up.

Application permissions Group.ReadWrite.All or Directory.ReadWrite.All are not sufficient for Group deletion #22

Open plamber opened 3 years ago

plamber commented 3 years ago

Describe the bug

Hello, we are using the Graph SDK to perform a deletion of a Microsoft Group connected team. We are performing the actions using an application with app permissions Group.ReadWrite.All and Directory.ReadWrite.All.

We execute the operation using the following line of code:

```csharp
graphClient.Directory.DeletedItems[objectId].Request().DeleteAsync();
```

The endpoint returns the error:

```
Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
Inner error:
  AdditionalData:
    date: 2020-10-13T09:29:18
    request-id: 9ac3cfd1-016b-4d47-adbd-039a77b6b8b7
    client-request-id: 9ac3cfd1-016b-4d47-adbd-039a77b6b8b7
ClientRequestId: 9ac3cfd1-016b-4d47-adbd-039a77b6b8b7
```

To Reproduce

Tried the same also with the Graph explorer: [screenshot]

Expected behavior

No failure, as suggested here: https://docs.microsoft.com/en-us/graph/api/directory-deleteditems-delete?view=graph-rest-1.0&tabs=http

MIchaelMainer commented 3 years ago

Can you check your permissions in the application registration and make sure the permissions align with the entities you are deleting? Specifically, that you have Group.ReadWrite.All permissions selected. Also, verify that your token has the correct scopes. Crack it with jwt.ms or base64 decode the second part of the token.

I see expected behavior in your Graph Explorer screen capture as Application.ReadWrite.All hasn't received consent.

> retrieve all groups from the recycle bin

What call did you make to get all these groups in the recycle bin?

plamber commented 3 years ago

Hi, just recognized that the example in the Graph explorer is wrong. I missed the permission there. With the Graph SDK, however, I am using the following token:

Verified with jwt.ms:

```
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/6d456013-c428-45bd-b889-9847da9e3ca6/",
  "appid": "4d0bc38d-b482-4806-b2ca-3ad8dea31684",
  "idp": "https://sts.windows.net/6d456013-c428-45bd-b889-9847da9e3ca6/",
  "idtyp": "app",
  "roles": [
    "Directory.ReadWrite.All",
    "Sites.ReadWrite.All",
    "Group.ReadWrite.All",
    "User.Read.All",
    "AuditLog.Read.All",
    "Reports.Read.All"
  ],
  "sub": "27c13d96-7007-4a29-9c29-a3667606693a",
  "tenant_region_scope": "EU",
  "tid": "6d456013-c428-45bd-b889-9847da9e3ca6",
  ...
}.[Signature]
```

As you can see I have the Group.ReadWrite.All application permission. Based on the documentation this should suffice to delete MS Group objects.

I tried with the following group types:

All are Teams connected resources.

I am retrieving all Groups using this call in the SDK:

```csharp
// Enclosing method signature is assumed; the thread only shows the body.
public async Task<List<DirectoryObject>> GetDeletedGroupsAsync()
{
    // Generic type arguments were lost in the original paste; DeletedItems pages are DirectoryObject.
    List<DirectoryObject> groups = new List<DirectoryObject>();
    // Restrict /directory/deletedItems to group objects via the OData type-cast segment.
    var url = GraphClient.Directory.DeletedItems.AppendSegmentToRequestUrl("microsoft.graph.group");

    var groupItems = await (new DirectoryDeletedItemsCollectionRequestBuilder(url, GraphClient)).Request().GetAsync();
    groups.AddRange(groupItems.CurrentPage);

    // Follow @odata.nextLink until the last page has been read.
    while (groupItems.NextPageRequest != null)
    {
        groupItems = await groupItems.NextPageRequest.GetAsync();
        groups.AddRange(groupItems.CurrentPage);
    }
    return groups;
}
```

The deletion is performed with:

```csharp
await GraphClient.Directory.DeletedItems["idReturnedFromPreviousQuery"].Request().DeleteAsync();
```

Just a sidenote not related to this issue. Should Directory.ReadWrite.All not be a superset of all the permissions required to run this command?
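The token check suggested above (base64-decoding the second JWT segment and reading its claims), applied to a token shaped like the one quoted in this reply, as an added helper that is not part of the thread or the SDK. The sample token is constructed from the claim shapes shown above (no real signature), and the function names are my own; it distinguishes app-only tokens (permissions in `roles`) from delegated tokens (scopes in `scp`).

```python
import base64
import json

def _b64url(data: bytes) -> str:
    # base64url without padding, as used in compact JWT serialisation
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed samples modelled on the claims in the thread; the signature segment is a placeholder.
_HEADER = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
SAMPLE_APP_TOKEN = ".".join([_HEADER, _b64url(json.dumps({
    "aud": "https://graph.microsoft.com", "idtyp": "app",
    "roles": ["Directory.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All"],
}).encode()), "placeholder-signature"])
SAMPLE_DELEGATED_TOKEN = ".".join([_HEADER, _b64url(json.dumps({
    "aud": "https://graph.microsoft.com", "scp": "Group.ReadWrite.All User.Read",
}).encode()), "placeholder-signature"])

def decode_payload(token: str) -> dict:
    """Return the claims from the second segment. This only inspects the token
    (what jwt.ms does); it performs no signature validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(seg))

def granted_permissions(claims: dict) -> set[str]:
    """Delegated tokens carry a space-separated 'scp' string; app-only tokens
    carry application permissions as a 'roles' list."""
    if "scp" in claims:
        return set(claims["scp"].split())
    return set(claims.get("roles", []))

def missing_permissions(token: str, required: set[str],
                        audience: str = "https://graph.microsoft.com") -> set[str]:
    """Permissions in `required` that the token does not grant for `audience`."""
    claims = decode_payload(token)
    if claims.get("aud") != audience:
        raise ValueError(f"token audience {claims.get('aud')!r} is not {audience!r}")
    return required - granted_permissions(claims)
```

Run this against the token the SDK actually sends (captured from a request trace), not against the one Graph Explorer holds, since the two can be consented differently, as this thread shows.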

petrhollayms commented 5 months ago

Thank you for reporting this issue. This appears to be an issue or limitation with the service APIs. Unfortunately, as the Microsoft Graph SDK team, we do not have ownership of the APIs that are causing you issues. We invite you to create a question about the service API on Microsoft Q&A, tagged with one of the [microsoft-graph-*] tags; that way it will get routed to the appropriate team for them to triage:

https://aka.ms/msgraphsupport or directly https://aka.ms/askgraph

For now, we will close the issue on our side but feel free to open it in the relevant repository if you think the issue is specific to SDK. Please let us know if this helps!

Note: We will close this repository on April 19, 2024.