Required permissions
Provisioning Workflow - Assign Azure Active Directory Group uses Microsoft Graph API. Calling this API requires one of the following permissions.
| Permission type | Permissions (in ascending order of privilege) |
|---|---|
| Delegated (work or school account) | GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| For application | GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All |
To add members to a role-assignable group, you must also assign the RoleManagement.ReadWrite.Directory permission to the calling user or application.