What licensing do we need to create groups via the graph?

Dee, Matthew TPC 156 Reputation points
2020-12-16T23:24:29.9+00:00

Hi, I'm trying to create groups in AD B2C via the graph SDK. So far I've been able to create applications via the graph with no issues, but creating a group results in the following:

Microsoft.AspNetCore.Components.Server.Circuits.CircuitHost[111]
      Unhandled exception in circuit 'qXQW3GHjtM5v-OhOsYi83lIbG67FlVsBhjS2AygCShY'.
      Status Code: BadRequest
      Microsoft.Graph.ServiceException: Code: NoLicenseForOperation
      Message: Tenant does not have proper license.
      Inner error:
        AdditionalData:
        date: 2020-12-16T23:06:47
        request-id: 1330c157-48c4-4a95-ba62-7e7515a0588a
        client-request-id: 1330c157-48c4-4a95-ba62-7e7515a0588a
      ClientRequestId: 1330c157-48c4-4a95-ba62-7e7515a0588a

I've come across nothing in the documentation about license requirements for this operation - so is this user error, a bug in Azure or incomplete documentation? The code I'm using to create it is:

var toCreate = new Group
{
    DisplayName = DisplayName(groupType, appName),
    MailEnabled = false,
    GroupTypes = new string[] { "Security" },
    MailNickname = "",
    MembershipRule = "Assigned"
};

var result = await graph
    .Groups
    .Request()
    .AddAsync(toCreate);

I'm using app based auth/delegation to connect to Graph - again, I've been able to create an Application with it just fine, so I'd have assumed that creating security groups to support it would require the same level of permissions - and yes, I've added Groups.Create to the list of API/Graph permissions used by my application.

Cheers,

Matt.

[UPDATE]
Talked to one of the other devs here, and he was able to create groups via the graph SDK, but that was when he connected the app (still using app permissions, not user) to AD, not B2C. In fact, I just realised that if I want to create groups via the Azure Dashboard then I have to do it via the AD page; groups don't even show up in the B2C page.

So if this is the problem, is the solution to just have multiple ways of authenticating against Azure for the app? The app itself needs B2C because that's what we're using to auth people, but I can create an AD connection as well for things like this if needed. That said, it would be nice to have a single piece of configuration! i.e. the app will need to auth against B2C to create an application via the graph, but then create another connection to create groups, this time via AD?

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-12-17T09:52:49.337+00:00

    Hi @Dee, Matthew TPC · Thank you for reaching out.

    The error message seems misleading. There is no specific license required to create a group via Graph or via the Portal.

    The users and applications that you see under the B2C blade are stored in the Azure AD of the B2C tenant. Although there is no group option available under B2C, the groups created under the Azure AD of the B2C tenant can be used by B2C. Now, to create a group, the token acquired under application context must include the permissions below:

    Group.Create, Group.ReadWrite.All, Directory.ReadWrite.All

    To test this out:

    • Permissions configured on the application (screenshot not reproduced).

    • The token request under application context (screenshot not reproduced).

    • The call to create the group with the bearer token acquired using the above request (screenshot not reproduced).


  2. Dee, Matthew TPC 156 Reputation points
    2020-12-17T22:43:32.037+00:00

    Nah, still the same message.

    Just to narrow this down, I've removed all auth, and am just using a direct application connection via a client secret.

    Graph is created/connected like so:

    using Microsoft.Extensions.Configuration;   // _config.GetValue<T>()
    using Microsoft.Graph;
    using Microsoft.Graph.Auth;                 // ClientCredentialProvider
    using Microsoft.Identity.Client;            // ConfidentialClientApplicationBuilder

    public GraphServiceClient NewClientForApp()
    {
        // App-only (client credentials) flow: no signed-in user is involved.
        var clientApp = ConfidentialClientApplicationBuilder
            .Create(_config.GetValue<string>("ClientId"))
            .WithTenantId(_config.GetValue<string>("TenantId"))
            .WithClientSecret(_config.GetValue<string>("ClientSecret"))
            .Build();

        // Acquires tokens for the application permissions consented on the app registration.
        var auth = new ClientCredentialProvider(clientApp);
        return new GraphServiceClient(auth);
    }
    

    I've triple checked the TenantId, ClientId and ClientSecret, and the code to create the group is still the same as above. Note that I can do things like retrieve applications, and have just updated an Application's DisplayName using the same credentials/application setup.

    I've checked the permissions in the App's API Permissions (the only one I didn't have was Directory.ReadWrite.All, so I've added that).

    Still the same error.

    One thing - apparently the license we have for B2C is "Azure AD for Office 365", and the app is registered under B2C. I have NO idea why it's 365, and the only person I can ask about that isn't in the office today. The corporate license that owns it isn't 365, could this be causing problems?

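The following is an added example, not code from either poster, showing what an app-only security-group creation in the B2C tenant's underlying directory looks like with the same Graph .NET SDK surface the thread uses (the Request()/AddAsync fluent API and MSAL's ConfidentialClientApplicationBuilder). Two points the thread circles around are made explicit in the comments: Group.Create is the least-privileged application permission in the list the answer gives, so Directory.ReadWrite.All is not needed for this call; and in the Graph group model a security group is expressed by securityEnabled = true with an empty groupTypes, while membershipRule is the dynamic-membership rule expression (dynamic membership is an Azure AD Premium feature), so an assigned group leaves it unset. The environment variable names and the sample display name are assumptions for the example.

```csharp
// Added example (not from the original question or answers): create a plain,
// assigned security group with app-only (client credentials) authentication.
// Assumes the Microsoft.Graph (Request()-style SDK) and Microsoft.Identity.Client
// packages. Environment variable names below are hypothetical.
using System;
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

public static class B2CGroups
{
    // Builds a GraphServiceClient whose requests carry an app-only token for the
    // given tenant. Least-privileged application permission for creating a group
    // is Group.Create (admin consent required); Directory.ReadWrite.All is far
    // broader than this operation needs.
    public static GraphServiceClient NewAppOnlyClient(string tenantId, string clientId, string clientSecret)
    {
        var app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantId)            // the B2C tenant (GUID or <name>.onmicrosoft.com)
            .WithClientSecret(clientSecret)
            .Build();

        var provider = new DelegateAuthenticationProvider(async request =>
        {
            // ".default" requests every application permission already consented on the app.
            var result = await app
                .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
                .ExecuteAsync();
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        });

        return new GraphServiceClient(provider);
    }

    // Shape of an assigned security group. Note what is deliberately NOT set:
    //  - groupTypes stays empty: "Unified" means a Microsoft 365 group and
    //    "DynamicMembership" means a dynamic group; "Security" is not a value.
    //  - membershipRule is left null: it is the dynamic-membership rule expression,
    //    and dynamic groups require Azure AD Premium. An assigned group has no rule.
    public static Group BuildSecurityGroup(string displayName, string mailNickname, string description)
    {
        return new Group
        {
            DisplayName = displayName,
            MailNickname = mailNickname,       // required, must be non-empty, no spaces
            MailEnabled = false,
            SecurityEnabled = true,            // this, not groupTypes, makes it a security group
            GroupTypes = new List<string>(),
            Description = description,
        };
    }

    public static async Task<Group> CreateSecurityGroupAsync(GraphServiceClient graph, Group toCreate)
    {
        try
        {
            return await graph.Groups.Request().AddAsync(toCreate);
        }
        catch (ServiceException ex)
        {
            // Log Graph's own error code, not just the HTTP status: e.g.
            // Authorization_RequestDenied points at a missing or unconsented permission.
            Console.Error.WriteLine($"Graph error {ex.Error?.Code}: {ex.Error?.Message}");
            throw;
        }
    }

    public static async Task Main()
    {
        // Hypothetical environment variable names; keep the secret out of source control.
        var graph = NewAppOnlyClient(
            Environment.GetEnvironmentVariable("B2C_TENANT_ID"),
            Environment.GetEnvironmentVariable("B2C_CLIENT_ID"),
            Environment.GetEnvironmentVariable("B2C_CLIENT_SECRET"));

        var group = BuildSecurityGroup(
            displayName: "app-orders-admins",           // sample name, an assumption
            mailNickname: "app-orders-admins",
            description: "Admins of the orders app (assigned membership)");

        var created = await CreateSecurityGroupAsync(graph, group);
        Console.WriteLine($"Created group {created.DisplayName} with id {created.Id}");
    }
}
```

Because the token is app-only, the app registration must hold Group.Create as an application permission (not delegated) and an administrator must have granted consent in the B2C tenant; the tenant ID passed to MSAL is that B2C directory, which is also where the created group lives and where the Azure AD blade lists it.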