How to Create Azure AD Security Group using Microsoft Graph APIs (Postman & Python Code Sample)
Azure Active Directory (Azure AD) groups are used to manage users that all need the same access and permissions to resources, such as potentially restricted apps and services. Instead of adding special permissions to individual users, you create a group that applies the special permissions to every member of that group.
You can refer to below steps for the scenarios in which you have Azure AD service principle with required permissions to create Security Groups in Azure Active Directory and need to call Microsoft Graph REST APIs from your dev or local environment via Postman or through python code.
First step is to register a client application with Azure AD and assign required permissions to create AD groups
1. Sign in the Azure portal, search for and select Azure Active Directory.
2. In the left panel, under Manage, select App registrations > All Applications > Select your registered application (Service Principal Account) > API Permissions
3. Least Privileged Permissions required to create AAD groups are:
- Group.Read.All
- Group.ReadWrite.All
- Group.Create
Python Source Code:
Refer attached python source code (SecurityGroupCreatePythonSample.zip)
- Update ClientId, ClientSecret and Tenant details in config.cfg file
- Update Request body to create new group in graph.py file
- Install Required dependencies to build the project.
python3 -m pip install azure-identity python3 -m pip install msgraph-core -
Ensure that installed package script path are added into System Environment Variables.
- Run Main.py file. Choice 6 and 7 are the methods to list or create group using SPN (App Only Authentication)
Reference Link:
Build Python apps with Microsoft Graph - Microsoft Graph | Microsoft Docs
Step 7: Build Python apps with Microsoft Graph - Microsoft Graph | Microsoft Docs
Step 8: Build Python apps with Microsoft Graph - Microsoft Graph | Microsoft Docs
Postman:
Create Authorization Header in Postman Requests Collection Folder Level:
Access Token Url: https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token
Scope: https://graph.microsoft.com/.default
Grant_Type = Client Credentials
Rest API to create Group:
Url: https://graph.microsoft.com/v1.0/groups
Request Type: Post
Authorization Type: Bearer Token. Copy the access token created from above step
Request Body:
Reference Link:
Use Postman with the Microsoft Graph API - Microsoft Graph | Microsoft Docs
Note:
- If SPN is granted with Delegated permission, you need to follow User Authorization Code to generate access token
- If SPN is granted with Application permission, you can follow Grant type= Client Credentials
Published on:
Learn moreRelated posts
Fundamentals of Azure DevOps with SQL projects
Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...
Microsoft Copilot Studio – Get Microsoft 365 Copilot agent suggestions based on your work in Copilot Studio
We are announcing the ability to get Microsoft 365 Copilot agent suggestions based on your work in Copilot Studio. This feature will reach gen...
Remote Event Receivers in SharePoint Online will be retired
Remote Event Receivers in SharePoint Online will be retired by July 1, 2027. Azure ACS-registered RERs stopped working April 2, 2026. Organiza...
Microsoft 365 Copilot: Domain exclusion for web grounding
Microsoft 365 Copilot now offers Domain Exclusion, allowing admins to exclude up to 1,000 domains from web grounding to ensure responses align...
Viva Engage: New post creation experience
Viva Engage’s post creation experience will be updated by mid-August 2026 with a simpler, more intuitive layout, improved tool organization, a...
Viva Engage: Reducing reply notification volume on mobile
Viva Engage mobile app will reduce reply notification volume by only notifying users of direct involvement (starting conversations, direct rep...
The Misleading Remove External Chat from User View API in Teams
The Graph removeAllAccessForUser API is supposed to remove external chat messages from the view of a tenant user when the chat contains some o...
How to Set up a Dynamics 365 Integration with SharePoint
Quick Answer You can integrate Dynamics 365 with SharePoint using Microsoft’s native server-based integration in under 30 minutes. This integr...
OneDrive: Block screen capture for sensitivity-labeled PDFs in the OneDrive and SharePoint web viewer
The OneDrive and SharePoint web PDF viewer will block screenshots and screen capture in Microsoft Edge when users open PDFs whose sensitivity ...
Microsoft Copilot (Microsoft 365): Complex web search with Copilot in Excel
Copilot in Excel improves complex web search quality with a multi-agent search system that coordinates parallel research, verifies findings, a...