Add members
Namespace: microsoft.graph
Important
APIs under the /beta
version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Add a member to a security or Microsoft 365 group through the members navigation property.
The following table shows the types of members that can be added to either security groups or Microsoft 365 groups.
Object type | Member of security group | Member of Microsoft 365 group |
---|---|---|
User | ||
Security group | ||
Microsoft 365 group | ||
Device | ||
Service principal | ||
Organizational contact |
This API is available in the following national cloud deployments.
Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
---|---|---|---|
✅ | ✅ | ✅ | ✅ |
Permissions
The following table shows the least privileged permission that's required by each resource type when calling this API. To learn more, including how to choose permissions, see Permissions.
Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
---|---|---|---|
device | GroupMember.ReadWrite.All and Device.ReadWrite.All | Not supported. | GroupMember.ReadWrite.All and Device.ReadWrite.All |
group | GroupMember.ReadWrite.All | Not supported. | GroupMember.ReadWrite.All |
orgContact | GroupMember.ReadWrite.All and OrgContact.Read.All | Not supported. | GroupMember.ReadWrite.All and OrgContact.Read.All |
servicePrincipal | GroupMember.ReadWrite.All and Application.ReadWrite.All | Not supported. | GroupMember.ReadWrite.All and Application.ReadWrite.All |
user | GroupMember.ReadWrite.All | Not supported. | GroupMember.ReadWrite.All |
In delegated scenarios, the signed-in user must also be assigned a supported Microsoft Entra role or a custom role with the microsoft.directory/groups/members/update
role permission. The following roles are the least privileged roles that are supported for this operation, except for role-assignable groups:
- Group owners
- Directory Writers
- Groups Administrator
- Identity Governance Administrator
- User Administrator
- Exchange Administrator - only for Microsoft 365 groups
- SharePoint Administrator - only for Microsoft 365 groups
- Teams Administrator - only for Microsoft 365 groups
- Yammer Administrator - only for Microsoft 365 groups
- Intune Administrator - only for security groups
To add members to a role-assignable group, the app must also be assigned the RoleManagement.ReadWrite.Directory permission and the calling user must be assigned a supported Microsoft Entra role. Privileged Role Administrator is the least privileged role that is supported for this operation.
HTTP request
POST /groups/{group-id}/members/$ref
Request headers
Name | Description |
---|---|
Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
Request body
In the request body, supply a JSON representation of a directoryObject, user, or group object to be added.
Response
If successful, this method returns a 204 No Content
response code. It doesn't return anything in the response body. This method returns a 400 Bad Request
response code when the object is already a member of the group. This method returns a 404 Not Found
response code when the object being added doesn't exist.
Example
Request
The following example shows a request.
POST https://graph.microsoft.com/beta/groups/{group-id}/members/$ref
Content-type: application/json
{
"@odata.id": "https://graph.microsoft.com/beta/directoryObjects/{id}"
}
In the request body, supply a JSON representation of the id
of the directoryObject, user, or group object you want to add.
Response
The following example shows the response.
HTTP/1.1 204 No Content
Related content
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for