Commit

Merge pull request #1594 from manicminer/docs/group-administrativeuni…
…t-permissions

azuread_group: document all application permissions needed when creating groups inside administrative units
stephybun authored Jan 15, 2025

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
2 parents 3efdf65 + 0a52bb6 commit 119c833
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/resources/group.md
@@ -20,7 +20,7 @@ If specifying owners for a group, which are user principals, this resource addit

When authenticated with a user principal, this resource requires one of the following directory roles: `Groups Administrator`, `User Administrator` or `Global Administrator`

When creating this resource in administrative units exclusively, the role `Groups Administrator` is required to be scoped on any administrative unit used.
When creating this resource in administrative units exclusively, the directory role `Groups Administrator` is required to be scoped on any administrative unit used. Additionally, it must be possible to read the administrative units being used, which can be granted through the `AdministrativeUnit.Read.All` or `Directory.Read.All` application roles.

The `external_senders_allowed`, `auto_subscribe_new_members`, `hide_from_address_lists` and `hide_from_outlook_clients` properties can only be configured when authenticating as a user and cannot be configured when authenticating as a service principal. Additionally, the user being used for authentication must be a Member of the tenant where the group is being managed and _not_ a Guest. This is a known API issue; please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) official documentation.
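
Review bot: The added sentence in the administrative-units paragraph lists `AdministrativeUnit.Read.All` and `Directory.Read.All` as equal alternatives without saying which one to prefer. `Directory.Read.All` grants read access to the whole directory, so the text should name `AdministrativeUnit.Read.All` as the least-privileged choice and mention `Directory.Read.All` only as a fallback for principals that already hold it. The same sentence also pairs a directory role (`Groups Administrator`, scoped on the administrative unit) with application roles, directly after a paragraph that is framed as "When authenticated with a user principal". It would help to state which principal type each requirement applies to, for example by saying explicitly that the read permission is what a service principal needs in addition to the scoped role.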
