Merge pull request #26093 from microsoftgraph/group-post-members-403error-scenarios

Add 403 Unauthorized scenarios for group POST members

Author: Danielabom

.vscode/settings.json

@@ -1,5 +1,6 @@
 {
     "githubPullRequests.ignoredPullRequestBranches": [
+        "main",
         "main",
         "main",
         "main"

api-reference/beta/api/group-post-members.md

@@ -33,20 +33,21 @@ The following table shows the least privileged permission that's required by eac
 | [servicePrincipal](../resources/group.md) | GroupMember.ReadWrite.All and Application.ReadWrite.All | Not supported.                         | GroupMember.ReadWrite.All and Application.ReadWrite.All |
 | [user](../resources/user.md)              | GroupMember.ReadWrite.All                               | Not supported.                         | GroupMember.ReadWrite.All                               |
 
-In delegated scenarios, the signed-in user must also be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with the `microsoft.directory/groups/members/update` role permission. The following roles are the least privileged roles that are supported for this operation, except for role-assignable groups:
-
-- Group owners
-- Directory Writers
-- Groups Administrator
-- Identity Governance Administrator
-- User Administrator
-- Exchange Administrator - only for Microsoft 365 groups
-- SharePoint Administrator - only for Microsoft 365 groups
-- Teams Administrator - only for Microsoft 365 groups
-- Yammer Administrator - only for Microsoft 365 groups
-- Intune Administrator - only for security groups
-
-To add members to a role-assignable group, the app must also be assigned the *RoleManagement.ReadWrite.Directory* permission and the calling user must be assigned a supported Microsoft Entra role. *Privileged Role Administrator* is the least privileged role that is supported for this operation.
+> [!IMPORTANT]
+> In delegated scenarios, the signed-in user must also be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with the `microsoft.directory/groups/members/update` role permission. The following roles are the least privileged roles that are supported for this operation, except for role-assignable groups:
+> 
+> - Group owners
+> - Directory Writers
+> - Groups Administrator
+> - Identity Governance Administrator
+> - User Administrator
+> - Exchange Administrator - only for Microsoft 365 groups
+> - SharePoint Administrator - only for Microsoft 365 groups
+> - Teams Administrator - only for Microsoft 365 groups
+> - Yammer Administrator - only for Microsoft 365 groups
+> - Intune Administrator - only for security groups
+> 
+> To add members to a role-assignable group, the app must also be assigned the *RoleManagement.ReadWrite.Directory* permission and the calling user must be assigned a supported Microsoft Entra role. *Privileged Role Administrator* is the least privileged role that is supported for this operation.
 
 ## HTTP request
 
@@ -74,7 +75,10 @@ If using the **directoryObjects** reference, that is, `https://graph.microsoft.c
 
 ## Response
 
-If successful, this method returns a `204 No Content` response code. It returns a `400 Bad Request` response code when the object is already a member of the group or is unsupported as a group member. It returns a `404 Not Found` response code when the object being added doesn't exist.
+If successful, this method returns a `204 No Content` response code. It returns a `400 Bad Request` response code when the object is already a member of the group or is unsupported as a group member. It returns a `404 Not Found` response code when the object being added doesn't exist. It returns `403 Unauthorized` in one of the following scenarios:
+- You're attempting to add a member to a [group that can't be managed through Microsoft Graph](../resources/groups-overview.md#group-types-in-microsoft-entra-id-and-microsoft-graph). This API supports only security and Microsoft 365 groups.
+- You're attempting to add a member you don't have permissions to add. Refer to the preceding [Permissions](#permissions) section for the permissions required to add different member types.
+- You're attempting to add a member to a role-assignable group and you don't have the required permissions.
 
 ## Example
 

api-reference/v1.0/api/group-post-members.md

@@ -31,20 +31,21 @@ The following table shows the least privileged permission that's required by eac
 | [servicePrincipal](../resources/group.md) | GroupMember.ReadWrite.All and Application.ReadWrite.All | Not supported.                         | GroupMember.ReadWrite.All and Application.ReadWrite.All |
 | [user](../resources/user.md)              | GroupMember.ReadWrite.All                               | Not supported.                         | GroupMember.ReadWrite.All                               |
 
-In delegated scenarios, the signed-in user must also be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with the `microsoft.directory/groups/members/update` role permission. The following least privileged roles are supported for this operation, except for role-assignable groups:
-
-- Group owners
-- Directory Writers
-- Groups Administrator
-- Identity Governance Administrator
-- User Administrator
-- Exchange Administrator - only for Microsoft 365 groups
-- SharePoint Administrator - only for Microsoft 365 groups
-- Teams Administrator - only for Microsoft 365 groups
-- Yammer Administrator - only for Microsoft 365 groups
-- Intune Administrator - only for security groups
-
-To add members to a role-assignable group, the app must also be assigned the *RoleManagement.ReadWrite.Directory* permission and the calling user must be assigned a supported Microsoft Entra role. *Privileged Role Administrator* is the least privileged role that is supported for this operation.
+> [!IMPORTANT]
+> In delegated scenarios, the signed-in user must also be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with the `microsoft.directory/groups/members/update` role permission. The following roles are the least privileged roles that are supported for this operation, except for role-assignable groups:
+> 
+> - Group owners
+> - Directory Writers
+> - Groups Administrator
+> - Identity Governance Administrator
+> - User Administrator
+> - Exchange Administrator - only for Microsoft 365 groups
+> - SharePoint Administrator - only for Microsoft 365 groups
+> - Teams Administrator - only for Microsoft 365 groups
+> - Yammer Administrator - only for Microsoft 365 groups
+> - Intune Administrator - only for security groups
+> 
+> To add members to a role-assignable group, the app must also be assigned the *RoleManagement.ReadWrite.Directory* permission and the calling user must be assigned a supported Microsoft Entra role. *Privileged Role Administrator* is the least privileged role that is supported for this operation.
 
 ## HTTP request
 
@@ -72,7 +73,10 @@ If using the **directoryObjects** reference, that is, `https://graph.microsoft.c
 
 ## Response
 
-If successful, this method returns a `204 No Content` response code. It returns a `400 Bad Request` response code when the object is already a member of the group or is unsupported as a group member. It returns a `404 Not Found` response code when the object being added doesn't exist.
+If successful, this method returns a `204 No Content` response code. It returns a `400 Bad Request` response code when the object is already a member of the group or is unsupported as a group member. It returns a `404 Not Found` response code when the object being added doesn't exist. It returns `403 Unauthorized` in one of the following scenarios:
+- You're attempting to add a member to a [group that can't be managed through Microsoft Graph](../resources/groups-overview.md#group-types-in-microsoft-entra-id-and-microsoft-graph). This API supports only security and Microsoft 365 groups.
+- You're attempting to add a member you don't have permissions to add. Refer to the preceding [Permissions](#permissions) section for the permissions required to add different member types.
+- You're attempting to add a member to a role-assignable group and you don't have the required permissions.
 
 ## Examples