Redigera

Dela via


Add members

Namespace: microsoft.graph

Add a member to a security or Microsoft 365 group. When using the API to add multiple members in one request, you can add up to only 20 members.

The following table shows the types of members that can be added to either security groups or Microsoft 365 groups.

Object type Member of security group Member of Microsoft 365 group
User Can be group member Can be group member
Security group Can be group member Cannot be group member
Microsoft 365 group Cannot be group member Cannot be group member
Device Can be group member Cannot be group member
Service principal Can be group member Cannot be group member
Organizational contact Can be group member Cannot be group member

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

The following table shows the least privileged permission that's required by each resource type when calling this API. To learn more, including how to choose permissions, see Permissions.

Supported resource Delegated (work or school account) Delegated (personal Microsoft account) Application
device GroupMember.ReadWrite.All and Device.ReadWrite.All Not supported. GroupMember.ReadWrite.All and Device.ReadWrite.All
group GroupMember.ReadWrite.All Not supported. GroupMember.ReadWrite.All
orgContact GroupMember.ReadWrite.All and OrgContact.Read.All Not supported. GroupMember.ReadWrite.All and OrgContact.Read.All
servicePrincipal GroupMember.ReadWrite.All and Application.ReadWrite.All Not supported. GroupMember.ReadWrite.All and Application.ReadWrite.All
user GroupMember.ReadWrite.All Not supported. GroupMember.ReadWrite.All

In delegated scenarios, the signed-in user must also be assigned a supported Microsoft Entra role or a custom role with the microsoft.directory/groups/members/update role permission. The following least privileged roles are supported for this operation, except for role-assignable groups:

  • Group owners
  • Directory Writers
  • Groups Administrator
  • Identity Governance Administrator
  • User Administrator
  • Exchange Administrator - only for Microsoft 365 groups
  • SharePoint Administrator - only for Microsoft 365 groups
  • Teams Administrator - only for Microsoft 365 groups
  • Yammer Administrator - only for Microsoft 365 groups
  • Intune Administrator - only for security groups

To add members to a role-assignable group, the app must also be assigned the RoleManagement.ReadWrite.Directory permission and the calling user must be assigned a supported Microsoft Entra role. Privileged Role Administrator is the least privileged role that is supported for this operation.

HTTP request

POST /groups/{group-id}/members/$ref
POST /groups/{group-id}/members/

Request headers

Header Value
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-type application/json. Required.

Request body

When using the /groups/{group-id}/members/$ref syntax, supply a JSON object that contains an @odata.id property with a reference by ID to a supported group member object type.

When using the /groups/{group-id}/members syntax, supply a JSON object that contains a members@odata.bind property with one or more references by IDs to a supported group member object type.

If using the directoryObjects reference, that is, https://graph.microsoft.com/v1.0/directoryObjects/{id}, the object type must still be a supported group member object type.

Response

If successful, this method returns a 204 No Content response code. It returns a 400 Bad Request response code when the object is already a member of the group or is unsupported as a group member. It returns a 404 Not Found response code when the object being added doesn't exist.

Examples

Example 1: Add a member to a group

Request

The following example shows a request that uses the directoryObjects reference to add a member to a group.

POST https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref
Content-type: application/json

{
  "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{id}"
}

In the request body, supply a JSON representation of the id of the directoryObject, user, or group object you want to add.

Response

The following example shows the response.

HTTP/1.1 204 No Content

Example 2: Add multiple members to a group in a single request

This example shows how to add multiple members to a group with OData bind support in a PATCH operation. Up to 20 members can be added in a single request. The POST operation isn't supported. If an error condition exists in the request body, no members are added and the appropriate response code is returned.

Request

The following example shows a request.

PATCH https://graph.microsoft.com/v1.0/groups/{group-id}
Content-type: application/json

{
  "members@odata.bind": [
    "https://graph.microsoft.com/v1.0/directoryObjects/{id}",
    "https://graph.microsoft.com/v1.0/directoryObjects/{id}",
    "https://graph.microsoft.com/v1.0/directoryObjects/{id}"
    ]
}

In the request body, supply a JSON representation of the id of the directoryObject, user, or group object you want to add.

Response

The following example shows the response.

HTTP/1.1 204 No Content