Hey everyone! I'm trying to set up the On-Behalf-Of (OBO) flow so that users can manage the groups they own. I've got the necessary delegated permissions requested, which include `Group.ReadWrite.All`, `GroupMember.ReadWrite.All`, `User.Read`, and `User.ReadBasic.All`. However, I'm hitting a snag. Even though users are group owners, I find that the following request fails unless they also have the `Global Reader` permission:
```http
POST https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref
```
Assigning the `Global Reader` permission resolves the issue, but I'm confused as to why that's necessary. I thought being a group owner and having those other delegated roles would be sufficient. Any insights?
Just to note, this situation only seems to affect guest users—regular members can add without needing the Global Reader. Thanks for any help!
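To make the two requests in the question concrete, here is an added Python example (not code from the original poster) that builds the OBO token exchange and the `members/$ref` call as inspectable request objects, plus a small pre-check of the target user's `userType` and a parser for Graph's standard `error` envelope. The tenant, client, token and object ids are placeholders, and the helper names (`build_obo_token_request`, `build_add_member_request`, `is_guest`, `graph_error`) are my own; nothing here performs network I/O, so it runs offline and can be dropped into a real backend by handing the returned objects to an HTTP client.

```python
"""Added example: construct (but do not send) the requests behind an
OBO-based 'add member to my group' operation against Microsoft Graph.
All ids and secrets below are placeholders, not real tenant values."""
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"
# Grant type and token-use marker used by the Azure AD v2.0 OBO flow.
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Delegated permissions from the question, expressed as v2.0 scopes.
GRAPH_SCOPES = [
    f"https://graph.microsoft.com/{p}"
    for p in ("Group.ReadWrite.All", "GroupMember.ReadWrite.All",
              "User.Read", "User.ReadBasic.All")
]


def build_obo_token_request(tenant_id, client_id, client_secret,
                            user_assertion, scopes=GRAPH_SCOPES):
    """Return (url, form_body) for the OBO exchange at the v2.0 token endpoint.

    The middle tier presents the caller's incoming access token as `assertion`
    and asks for a Graph token carrying only the delegated scopes it needs, so
    the resulting token is still bounded by what the *user* may do."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": " ".join(scopes),
        "requested_token_use": "on_behalf_of",
    }
    return url, urlencode(form)


def build_user_type_check(user_id, access_token):
    """GET /users/{id}?$select=userType so the backend can tell a Guest from a
    Member before attempting the add and log the distinction on failure."""
    return {
        "method": "GET",
        "url": f"{GRAPH}/users/{user_id}?$select=userType",
        "headers": {"Authorization": f"Bearer {access_token}"},
    }


def is_guest(user_record):
    """True when a /users/{id} response (a dict) describes a guest account."""
    return user_record.get("userType") == "Guest"


def build_add_member_request(group_id, member_id, access_token):
    """Return the POST /groups/{id}/members/$ref request as a dict.

    Graph expects the new member as an @odata.id reference to a
    directoryObject, not as a bare id in the body."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/groups/{group_id}/members/$ref",
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps({"@odata.id": f"{GRAPH}/directoryObjects/{member_id}"}),
    }


def graph_error(response_json):
    """Extract (code, message) from Graph's standard error envelope
    {"error": {"code": ..., "message": ...}}, or None on a success body."""
    err = response_json.get("error")
    if not err:
        return None
    return err.get("code", ""), err.get("message", "")


if __name__ == "__main__":
    url, body = build_obo_token_request("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET",
                                        "INCOMING_USER_TOKEN")
    print(url, body, sep="\n")
    print(json.dumps(build_add_member_request("GROUP_ID", "USER_ID", "OBO_TOKEN"), indent=2))
```

When the add fails for a guest target, logging `is_guest(...)` next to the `graph_error(...)` tuple is what lets you separate "owner lacks rights" from "target is a guest the owner cannot resolve" in your own telemetry, rather than seeing an undifferentiated failure.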
2 Answers
You nailed it! This behavior is because guest users hit extra restrictions that regular members don’t face. The API call itself doesn’t need `Global Reader`, but in a guest context, the system struggles to resolve user objects without that broad read access. You might consider these options:
- Try to elevate the guest to a member if that's feasible.
- Use an app with application permissions to manage group adds and go through that instead of directly through OBO.
- If security allows, create a custom role that includes directory read rights—this can sometimes be a good alternative to granting Global Reader.
It’s definitely a nuanced area, so it’s great that you’re digging into it!
It sounds like the requirement for `Global Reader` ties into permissions for guest users specifically. With Azure AD, guest accounts don't have the same directory read rights as members do, which creates this hassle for group owners trying to manage them. So, while it feels a bit unfair, `Global Reader` gives the broader visibility needed to get past these restrictions. It's a quirk of the way Azure handles permissions, especially for guests.
I get that it can seem heavy-handed! It's frustrating to need extra permissions just to manage a group. I guess Microsoft wants to keep the directory secure, but it does add an extra step for group owners.
Thanks for the tips! I’ll look into those workarounds. Seems like I'll need to rethink how I manage these permissions.