Microsoft Graph API: “Insufficient privileges to …” DELETE a Group

Recently, had a task to DELETE an Azure AD Group by using application client credentials.

  1. Custom application were registered in Azure AD.
  2. All possible permission were assigned to the application
  3. But the DELETE request failed anyway with the error below
  "error": { 
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "fa1a14bf-6168-0000-b247-5ed17dafd08e",
      "date": "2016-12-22T19:53:59"

It turned out that you have to assign application principal object id to a “Company Administrator” role. Right now this is possible to do only trough PowerShell CMDlet

Below is the the PowerShell script:

$tenantGuid = '4e4628a1-EXAM-PLE0-9064-44c1ab290b7f'
$user = ''
$password = 'YOUR PASSWORD'
$appID = '0bb0bda3-19b0-EXAM-PLE0-29d10a8cbecd'

$Creds = New-Object System.Management.Automation.PsCredential($user, (ConvertTo-SecureString $password -AsPlainText -Force))

Connect-MSOLSERVICE -Credential $Creds
$msSP = Get-MsolServicePrincipal -AppPrincipalId $appID -TenantID $tenantGuid

#ID of the Application's object (not the same as Application Id defined above)
$objectId = $msSP.ObjectId
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId


Wait 3-5 minutes… It should work now.

2 thoughts on “Microsoft Graph API: “Insufficient privileges to …” DELETE a Group

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: