add new article

Author: genlin

support/entra/entra-id/app-integration/error-code-aadsts7500514-supported-type-saml-response-not-found.md

@@ -38,7 +38,7 @@ The error typically occurs in the following environment:
 
 Since [ADAL has been deprecated](/entra/identity/monitoring-health/recommendation-migrate-from-adal-to-msal), this article focuses on the MSAL.
 
-This issue occurs if the SAML response from PingFederate does not contain the SAML version or uses a format that MSAL cannot recognize. This typically results from a misconfiguration on the PingFederate side for Microsoft Entra ID.
+This issue occurs if the SAML response from PingFederate doesn't contain the SAML version or uses a format that MSAL can't recognize. This typically results from a misconfiguration on the PingFederate side for Microsoft Entra ID.
 
 ### Root cause analysis: SAML token version detection
 
@@ -67,7 +67,7 @@ Example of PingFederate SAML response (SAML Assertion Grant flow step 1):
 
 :::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response.png" alt-text="A screenshot of PingFederate SAML Response for SAML Assertion Grant flow step 1" lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response.png":::
 
-After you compare these two responses, you will find PingFederate returns a different TokenType value: `http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1` for the same SAML 1.1 token. However, MSAL does not support any TokenType value other than `urn:oasis:names:tc:SAML:1.0:assertion`.
+After you compare these two responses, you will find PingFederate returns a different TokenType value: `http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1` for the same SAML 1.1 token. However, MSAL doesn't support any TokenType value other than `urn:oasis:names:tc:SAML:1.0:assertion`.
 
 When the identity provider returns a different or unexpected value in the SAML response, MSAL may incorrectly interpret the token as SAML 2.0. As a result, it uses the corresponding `grant_type` value during step 2 of the SAML Assertion Grant flow.
 
@@ -79,12 +79,12 @@ Example of the request sent from MSAL application with AD FS :
 
 :::image type="content" source="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png" alt-text="A screenshot of request sent from MSAL application with AD FS in SAML Assertion Grant flow step 2." lightbox="media/error-code-aadsts7500514-supported-type-saml-response-not-found/pingid-saml-response-3.png":::
 
-In this step, the value of the `grant_type` parameter must align with the actual version of the SAML token. The following values are used:
+In this step, the value of the `grant_type` parameter must align with the actual version of the SAML token. One of the following values are used by MSAL application:
 
 - urn:ietf:params:oauth:grant-type:saml2-bearer - for SAML 2.0 tokens
 - urn:ietf:params:oauth:grant-type:saml1_1-bearer - for SAML 1.1 tokens
 
-In the case of a PingFederate account, MSAL uses the `saml2-bearer` as the `grant_type` based on its misinterpretation of the SAML version. This results in a version mismatch between the `grant_type` parameter and the SAML token included in the assertion that causes the authentication error.
+In the PingFederate example, MSAL uses the `saml2-bearer` as the `grant_type` based on its misinterpretation of the SAML version. This results in a version mismatch between the `grant_type` parameter and the SAML token included in the assertion that causes the authentication error.
 
 ## Solution
 

support/entra/entra-id/toc.yml

@@ -294,7 +294,8 @@
         href: users-groups-entra-apis/identity-of-calling-application-not-established.md
       - name: Add an owner to an application
         href: users-groups-entra-apis/add-owner-for-application-microsoft-graph.md
-
+      - name: 403 error when adding a user to a group
+        href: users-groups-entra-apis/authorization-requestdenied-403-error-add-user-group.md
 - name: Microsoft Entra User Provisioning and Synchronization
   items:
   - name: User Sign-in or password Problems

support/entra/entra-id/users-groups-entra-apis/authorization-requestdenied-403-error-add-user-group.md

@@ -0,0 +1,113 @@
+---
+title: Troubleshoot 403 error when adding a user to a group using Microsoft Graph API
+description: Provides solutions to 403 Authorization_RequestDenied error that occurs when you add a user to a group using Microsoft Graph API.
+ms.date: 04/21/2025
+ms.service: entra-id
+ms.author: bachoang
+ms.custom: sap:Getting access denied errors (Authorization)
+---
+
+# Troubleshoot 403 error when adding a user to a group using Microsoft Graph API
+
+This article provides guidance on troubleshooting a 403 Authorization_RequestDenied error when you try to add a user to a group using the Microsoft Graph API.
+
+## Symptoms
+
+When you try to add a user to a group using Microsoft Graph API, you receive the 403 error with the following error message:
+
+```output
+{
+"error": {
+"code": "Authorization\_RequestDenied",
+"message": "Insufficient privileges to complete the operation.",
+"innerError": {
+"date": "2024-05-07T15:39:39",
+"request-id": "aa324f0f-b4a3-4af6-9c4f-996e195xxxx",
+"client-request-id": "aa324f0f-b4a3-4af6-9c4f-996e1959074e"
+}
+}
+}
+```
+
+## Cause
+
+This issue might occur if the group you tried to add the use to can't be managed by Microsoft Graph. Microsoft Graph only supports Microsoft 365 groups and Security groups.
+
+For the Microsoft Graph supported group types, see [Working with groups in Microsoft Graph](/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http#group-types-in-microsoft-entra-id-and-microsoft-graph)
+
+## Solution
+
+### Step 1: Check the group type
+
+Make sure that the group you are working is supported by Microsoft Graph.
+
+1. In Microsoft Graph, the type of group can be identified by the settings of its `groupTypes`, `mailEnabled`, and `securityEnabled` properties. Use the [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) tool to check the group's attributes:
+
+    ```http
+    https://graph.microsoft.com/v1.0/groups/<Group Object ID>?$select=displayName,groupTypes,mailEnabled,securityEnable
+    ```
+
+    Example response:
+
+    ```output
+        {
+         "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(displayName,groupTypes,mailEnabled,securityEnabled)/$entity",
+        "displayName": "Test group A",
+        "groupTypes": [],
+        "mailEnabled": true,
+        "securityEnabled": false
+        }
+    
+   ```
+
+2. Review the following table to verify if the group type is supported by Microsoft Graph API. In the example response, the "Test group A" group is a security group.  For more information, see [Working with groups in Microsoft Graph](/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http#group-types-in-microsoft-entra-id-and-microsoft-graph).
+
+    | Type |groupTypes | mailEnabled | securityEnabled | Created and managed via the groups APIs |
+    |--|--|--|--|--|
+    | [Microsoft 365 groups](#microsoft-365-groups) | `["Unified"]` | `true` | `true` or `false` | Yes |
+    | [Security groups](#security-groups-and-mail-enabled-security-groups) | `[]` | `false` | `true` | Yes |
+    | [Mail-enabled security groups](#security-groups-and-mail-enabled-security-groups) | `[]` | `true` | `true` | No; read-only through Microsoft Graph |
+    | Distribution groups | `[]` | `true` | `false` | No; read-only through Microsoft Graph |
+
+> [!NOTE]
+> - Group type cannot be changed after creation. For more information, see [Edit group settings](/entra/fundamentals/how-to-manage-groups#edit-group-settings).
+> - Dynamic groups (groupTypes contains "DynamicMembership") cannot have their membership managed via Microsoft Graph.
+
+### Step 2: Verify required permissions
+
+Different group member types require specific permissions. For user-type membership, ensure that the application or account performing the operation has the `GroupMember.ReadWrite.All` permission.
+
+Refer to the [Add members documentation](https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&amp;tabs=http) for detailed permission requirements.
+
+### Step 3: Check if the group is a role-assignable group
+
+1. Role-assignable groups require additional permissions to manage their members. You can confirm if the group is role-assignable using Azure Portal or Microsoft Graph Explorer:
+
+    **Azure Portal**
+    
+    1. In the [Azure portal](https://portal.azure.com), go to **Microsoft Entra ID**, select **Groups**, and then select **All groups**.
+    1. Locate the group that you are working on, select **Properties**. Review the  **Microsoft Entra role can be assigned to the group** option.
+     
+    **Microsoft Graph Explorer:**
+    
+    Perform the following query and check the `isAssignableToRoles` value.
+    
+    ```http
+    GET https://graph.microsoft.com/v1.0/groups/<group object="" id="">?$select=displayName,groupTypes,mailEnabled,securityEnabled,isAssignableToRole
+    ```
+    Example response:
+
+    ```output
+     {
+         "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(displayName,groupTypes,mailEnabled,securityEnabled,isAssignableToRole)/$entity",
+        "displayName": "Test group B",
+        "groupTypes": [],
+        "mailEnabled": false,
+        "securityEnabled": true,
+        "isAssignableToRole": true
+        }
+    ```
+  
+2. If the group is role-assignable, you need the `RoleManagement.ReadWrite.Directory` permission in addition to `GroupMember.ReadWrite.All`. Fore more information, see [Add members documentation](/graph/api/group-post-members?view=graph-rest-1.0&amp;tabs=http#permissions).
+
+[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]