Unable to remove group membership in Azure Entra ID through the Azure Active Directory connector

Hi All,

We have a requirement to remove the user from all cloud groups (not on-premises AD-managed groups) in the Azure Entra application account when the user leaves the organization.

We are using the direct Azure Active Directory connector to connect to Azure AD tenant.

When we try to remove these cloud groups, we receive the 403 error below:

Error: Response Code - 403 Error - Insufficient privileges to complete the operation

We have been granted all the permissions that are necessary to perform this action but are still receiving the same error.

The permissions granted to our service account are:

Microsoft Graph API permissions:

GroupMember.ReadWrite.All (Application)

Group.ReadWrite.All (Application)

Service account's directory roles:

Groups Administrator

User Administrator

Can someone please look into this and let me know whether any other permissions need to be assigned, or whether something else can be done here?

Thanks & Regards,

Sayanth

Hi @SayanthBR2

Try assigning the permissions below to your service account.

  • User.ReadWrite.All
  • Group.ReadWrite.All

Hi Harshith,

Thanks for responding.

The permissions you mention are already granted, but we are still facing the issue.

Please let us know if there is something else we should check here.

Regards,
Sayanth

Were you able to figure out the solution?

The problem was that there were dynamic groups in Azure whose membership is automatically assigned and removed based on a criterion, and SailPoint cannot remove users from them.

I identified that after some research; writing a small piece of code in the before-provisioning rule to filter those dynamic groups out of the plan solved the issue.
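The filter described in the reply above, as an added example that is not code from this thread, from SailPoint, or from Microsoft. The original fix was written in a SailPoint before-provisioning rule; this Python stand-in models the same decision against Microsoft Graph group objects. The sample groups are constructed for illustration, but the field names (`id`, `displayName`, `groupTypes`, `membershipRule`, `onPremisesSyncEnabled`) and the `DELETE /groups/{id}/members/{userId}/$ref` endpoint are Graph's own. Graph marks a dynamic group by the value `DynamicMembership` in `groupTypes`, which is the check the example keys on; skipping on-premises-synced groups is an added assumption that matches the requirement in the opening post (cloud groups only).

```python
"""Drop dynamic (and on-prem synced) groups from a planned set of group
removals before issuing Graph member-removal requests.

Added example: not the thread's rule code, not SailPoint's, not Microsoft's.
"""

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Constructed sample of what
#   GET /groups?$select=id,displayName,groupTypes,membershipRule,onPremisesSyncEnabled
# might return for a leaver's groups. Not real tenant data.
SAMPLE_GROUPS = [
    {"id": "g-assigned-1", "displayName": "Cloud-App-Readers",
     "groupTypes": [], "membershipRule": None, "onPremisesSyncEnabled": None},
    {"id": "g-dynamic-1", "displayName": "All-Employees-Dynamic",
     "groupTypes": ["DynamicMembership"],
     "membershipRule": "(user.accountEnabled -eq true)", "onPremisesSyncEnabled": None},
    {"id": "g-m365-dyn", "displayName": "Sales-Team",
     "groupTypes": ["Unified", "DynamicMembership"],
     "membershipRule": '(user.department -eq "Sales")', "onPremisesSyncEnabled": None},
    {"id": "g-onprem-1", "displayName": "Synced-From-AD",
     "groupTypes": [], "membershipRule": None, "onPremisesSyncEnabled": True},
    {"id": "g-assigned-2", "displayName": "M365-Project-Alpha",
     "groupTypes": ["Unified"], "membershipRule": None, "onPremisesSyncEnabled": None},
]


def is_dynamic(group):
    """Graph flags rule-based membership with 'DynamicMembership' in groupTypes."""
    return "DynamicMembership" in (group.get("groupTypes") or [])


def is_onprem_synced(group):
    """Groups synced from on-prem AD are mastered in AD, not in the cloud."""
    return bool(group.get("onPremisesSyncEnabled"))


def filter_group_removals(planned_group_ids, groups):
    """Split a plan's group-removal targets into (keep, skipped).

    keep    -> list of group ids that can be removed via Graph
    skipped -> dict of group id -> reason it was dropped from the plan
    """
    by_id = {g["id"]: g for g in groups}
    keep, skipped = [], {}
    for gid in planned_group_ids:
        g = by_id.get(gid)
        if g is None:
            skipped[gid] = "group not found in tenant lookup"
        elif is_dynamic(g):
            skipped[gid] = "dynamic membership; managed by rule: %s" % g.get("membershipRule")
        elif is_onprem_synced(g):
            skipped[gid] = "on-premises synced; manage membership in AD"
        else:
            keep.append(gid)
    return keep, skipped


def build_remove_member_requests(user_id, group_ids):
    """Graph call that removes a member from an assigned group:
    DELETE /groups/{group-id}/members/{directory-object-id}/$ref
    Returned as (method, url) pairs so the caller can send them with any client.
    """
    return [("DELETE", "%s/groups/%s/members/%s/$ref" % (GRAPH_BASE, gid, user_id))
            for gid in group_ids]


if __name__ == "__main__":
    # Plan: remove the leaver from every group they are in (ids as a rule would see them).
    planned = [g["id"] for g in SAMPLE_GROUPS]
    keep, skipped = filter_group_removals(planned, SAMPLE_GROUPS)
    for gid, why in skipped.items():
        print("skip %-14s %s" % (gid, why))
    for method, url in build_remove_member_requests("u-leaver-0001", keep):
        print(method, url)
```

Run against a live tenant, the group lookup would come from Graph with the `$select` shown in the comment, and only the `keep` list would be turned into `DELETE` calls; the `skipped` reasons are worth writing to the provisioning log so the dynamic groups do not look like silent failures.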
