Recently, had a task to DELETE an Azure AD Group by using application client credentials.
- Custom application were registered in Azure AD.
- All possible permission were assigned to the application
- But the DELETE https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/group_delete request failed anyway with the error below
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "fa1a14bf-6168-0000-b247-5ed17dafd08e",
"date": "2016-12-22T19:53:59"
}
}
}
It turned out that you have to assign application principal object id to a “Company Administrator” role. Right now this is possible to do only trough PowerShell CMDlet https://docs.microsoft.com/en-us/powershell/msonline/v1/add-msolrolemember
Below is the the PowerShell script:
$tenantGuid = '4e4628a1-EXAM-PLE0-9064-44c1ab290b7f'
$user = 'admin@b940edadEXAMPLE093.onmicrosoft.com'
$password = 'YOUR PASSWORD'
$appID = '0bb0bda3-19b0-EXAM-PLE0-29d10a8cbecd'
$Creds = New-Object System.Management.Automation.PsCredential($user, (ConvertTo-SecureString $password -AsPlainText -Force))
Connect-MSOLSERVICE -Credential $Creds
$msSP = Get-MsolServicePrincipal -AppPrincipalId $appID -TenantID $tenantGuid
#ID of the Application's object (not the same as Application Id defined above)
$objectId = $msSP.ObjectId
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId
Wait 3-5 minutes… It should work now.
Konstantin Vlasenko 
This helped me a lot, man! Thank you very much for sharing this solution!