

@NishkalankBezawada NishkalankBezawada commented Oct 13, 2025

Added minimal permissions for 'entra m365group user' commands

Updated documentation for the below commands to adhere to the required minimal permissions.

  • m365 entra m365group user add
  • m365 entra m365group user list
  • m365 entra m365group user remove
  • m365 entra m365group user set

Linked Issue #6918

Closes #6942

Screenshots

  • Add user as an Owner

m365 entra m365group user add --groupId 16765xxx-6xx5-xx14-b0xx-bfxxasdasxa24 --userNames '[email protected]' --role Owner

  • Add user as a Member

m365 entra m365group user add --groupId 16765xxx-6xx5-xx14-b0xx-bfxxasdasxa24 --userNames '[email protected]' --role Member

  • User list

m365 entra m365group user list --groupId 16765xxx-6xx5-xx14-b0xx-bfxxasdasxa24

  • Set User

m365 entra m365group user set --groupId 16765xxx-6xx5-xx14-b0xx-bfxxasdasxa24 --userNames '[email protected]' --role Member

  • Remove User

m365 entra m365group user remove --groupId 16765xxx-6xx5-xx14-b0xx-bfxxasdasxa24 --userNames '[email protected]'


Thanks,
Nish

@NishkalankBezawada NishkalankBezawada marked this pull request as draft October 13, 2025 15:28
@NishkalankBezawada NishkalankBezawada marked this pull request as ready for review October 13, 2025 16:37

@Jwaegebaert Jwaegebaert left a comment


Nice work already @NishkalankBezawada. Looks like the docs build is failing. From a quick look at the changed files, it seems you're missing the imports for Tabs.

@Jwaegebaert Jwaegebaert marked this pull request as draft October 13, 2025 19:19
@NishkalankBezawada NishkalankBezawada marked this pull request as ready for review October 14, 2025 06:59
@NishkalankBezawada
Contributor Author

Nice work already @NishkalankBezawada. Looks like the docs build is failing. From a quick look at the changed files, it seems you're missing the imports for Tabs.

Thanks Jasey @Jwaegebaert for guiding. I have now corrected it 👍

//Nish

@Jwaegebaert Jwaegebaert self-assigned this Oct 23, 2025

@Jwaegebaert Jwaegebaert left a comment


Good start @NishkalankBezawada. I’ve added a few comments since the commands look a bit more complex than just requiring Group.ReadWrite.All. I also included some links to the Graph docs for reference.

Comment on lines +50 to +65
<Tabs>
<TabItem value="Delegated">

| Resource | Permissions |
|-----------------|-----------------------------|
| Microsoft Graph | Group.ReadWrite.All |

</TabItem>
<TabItem value="Application">

| Resource | Permissions |
|-----------------|-----------------------------|
| Microsoft Graph | Group.ReadWrite.All |

</TabItem>
</Tabs>
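Review bot: Group.ReadWrite.All is not the least-privileged permission for this command; the Graph "Add member" reference linked in this thread lists GroupMember.ReadWrite.All as least privileged for both Delegated and Application, with Group.ReadWrite.All only as a higher-privileged alternative. Because --userNames triggers an extra lookup against v1.0/users, a users permission (User.ReadBasic.All at minimum) belongs in both tables as well, and the Delegated tab should state that the signed-in user also needs a directory role that allows adding members.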

We’ll also need permissions when fetching users by userNames. In that case, an extra call will be made to the v1.0/users endpoint: https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http#permissions

Additionally, the docs mention that in delegated scenarios, the signed-in user must have at least a minimal role before being allowed to add new members (see the important admonition here: https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http#permissions).

We might want to include that information as well, though I’m not entirely sure what the cleanest way to handle it would be. @pnp/cli-for-microsoft-365-maintainers any thoughts?

Comment on lines +38 to +53
<Tabs>
<TabItem value="Delegated">

| Resource | Permissions |
|-----------------|-----------------------------|
| Microsoft Graph | GroupMember.Read.All |

</TabItem>
<TabItem value="Application">

| Resource | Permissions |
|-----------------|-----------------------------|
| Microsoft Graph | GroupMember.Read.All |

</TabItem>
</Tabs>

This API appears to be a bit more complex. When an app only has GroupMember.Read.All permissions, it won’t return detailed user information; user objects will be null. I’d recommend including User.ReadBasic.All as the minimum permission for application-level access. (ref: https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http#limited-information-returned-for-inaccessible-member-objects)

The same applies to delegated scenarios, such as with m365group user add: https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http#permissions

Comment on lines +44 to +59
<Tabs>
<TabItem value="Delegated">

| Resource | Permissions |
|-----------------|-----------------------------|
| Microsoft Graph | Group.ReadWrite.All |

</TabItem>
<TabItem value="Application">

| Resource | Permissions |
|-----------------|-----------------------------|
| Microsoft Graph | Group.ReadWrite.All |

</TabItem>
</Tabs>

A similar suggestion as for m365group user add applies here. An extra call will be made to the v1.0/users endpoint: https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http#permissions

Comment on lines +44 to +59
<Tabs>
<TabItem value="Delegated">

| Resource | Permissions |
|-----------------|-----------------------------|
| Microsoft Graph | Group.ReadWrite.All |

</TabItem>
<TabItem value="Application">

| Resource | Permissions |
|-----------------|-----------------------------|
| Microsoft Graph | Group.ReadWrite.All |

</TabItem>
</Tabs>
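Review bot: the remove command also resolves --userNames through v1.0/users, so the users permission discussed for m365group user add is missing from both tables here too. For the removal itself, the Graph "Remove member" reference lists GroupMember.ReadWrite.All as least privileged for Delegated and Application; Group.ReadWrite.All is a higher-privileged alternative, so the tables as written overstate the minimum.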

The same suggestions as for m365group user add apply here.

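The permission tables in this PR are split by auth mode (Delegated vs Application tabs), and the review points out that the real minimum is larger than Group.ReadWrite.All alone once the users lookup and member-object visibility are taken into account. The script below is an added example, not code from this PR or from the CLI for Microsoft 365 project: it reads the `scp` (delegated) or `roles` (application) claim from an Entra access token and reports which of a command's required Graph permissions are missing, counting a higher-privileged permission as satisfying a lower one. The REQUIRED and IMPLIES maps are assumptions drawn from the thread and the Graph permission references it links (GroupMember.ReadWrite.All as least privileged for add/set/remove, User.ReadBasic.All for the users lookup and for full member details); the token is a constructed, unsigned sample.

```python
"""Report which Microsoft Graph permissions an Entra access token lacks for a
'm365 entra m365group user' command, in delegated vs application mode.

Added example; not CLI for Microsoft 365 code. REQUIRED/IMPLIES are assumptions
based on the PR review and the Graph references it links.
"""
import base64
import json

# Assumed minimal permission sets per command; the same sets apply in both
# modes in this example, so one map is shared.
REQUIRED = {
    "list":   {"GroupMember.Read.All", "User.ReadBasic.All"},
    "add":    {"GroupMember.ReadWrite.All", "User.ReadBasic.All"},
    "set":    {"GroupMember.ReadWrite.All", "User.ReadBasic.All"},
    "remove": {"GroupMember.ReadWrite.All", "User.ReadBasic.All"},
}

# Higher-privileged permissions that also satisfy a lower one (Graph lists
# these as "higher privileged" alternatives). Assumed for this example.
IMPLIES = {
    "GroupMember.ReadWrite.All": {"GroupMember.Read.All"},
    "Group.Read.All": {"GroupMember.Read.All"},
    "Group.ReadWrite.All": {"Group.Read.All", "GroupMember.ReadWrite.All"},
    "User.Read.All": {"User.ReadBasic.All"},
    "Directory.Read.All": {"Group.Read.All", "User.Read.All"},
    "Directory.ReadWrite.All": {"Directory.Read.All", "Group.ReadWrite.All"},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the payload of a compact JWS. The signature is NOT verified:
    this is an inspection aid, never an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> tuple[str, set[str]]:
    """Delegated tokens carry scopes in 'scp' (space separated); app-only
    tokens carry app roles in 'roles' (array). Entra sets one or the other."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    return "application", set(claims.get("roles", []))


def effective_permissions(granted: set[str]) -> set[str]:
    """Close the granted set under IMPLIES so higher privileges count."""
    out = set(granted)
    frontier = list(granted)
    while frontier:
        for lower in IMPLIES.get(frontier.pop(), ()):
            if lower not in out:
                out.add(lower)
                frontier.append(lower)
    return out


def missing_for(token: str, command: str) -> tuple[str, list[str]]:
    """Return (mode, sorted list of required permissions the token lacks)."""
    mode, granted = granted_permissions(token_claims(token))
    return mode, sorted(REQUIRED[command] - effective_permissions(granted))


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline use."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Delegated token with only the group-member scope: the users lookup and
    # full member details still need User.ReadBasic.All.
    delegated = make_unsigned_token({"scp": "GroupMember.Read.All"})
    print(missing_for(delegated, "list"))
    # App-only token whose higher-privileged roles cover everything for 'add'.
    app_only = make_unsigned_token({"roles": ["Group.ReadWrite.All", "User.Read.All"]})
    print(missing_for(app_only, "add"))
```

To inspect a real token, pass it to `missing_for` instead of the constructed sample; the script only decodes the payload, so it works on any token you already hold and makes no network calls.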
@Jwaegebaert Jwaegebaert marked this pull request as draft October 23, 2025 08:32