添加成员

2025-02-05

命名空间：microsoft.graph

将成员添加到安全或Microsoft 365 组。使用 API 在一个请求中添加多个成员时，最多只能添加 20 个成员。

下表显示了可添加到安全组或 Microsoft 365 组的成员类型。

对象类型	安全组成员	Microsoft 365 组成员
User
安全组
Microsoft 365 组
设备
服务主体
组织联系人

此 API 可用于以下国家级云部署。

全局服务	美国政府 L4	美国政府 L5 (DOD)	由世纪互联运营的中国
✅	✅	✅	✅

权限

下表显示了调用此 API 时，每种资源类型所需的最低特权权限。若要了解详细信息，包括如何选择权限的信息，请参阅权限。

支持的资源	委派（工作或学校帐户）	委派（个人 Microsoft 帐户）	应用程序
设备	GroupMember.ReadWrite.All 和 Device.ReadWrite.All	不支持。	GroupMember.ReadWrite.All 和 Device.ReadWrite.All
组	GroupMember.ReadWrite.All	不支持。	GroupMember.ReadWrite.All
orgContact	GroupMember.ReadWrite.All 和 OrgContact.Read.All	不支持。	GroupMember.ReadWrite.All 和 OrgContact.Read.All
servicePrincipal	GroupMember.ReadWrite.All 和 Application.ReadWrite.All	不支持。	GroupMember.ReadWrite.All 和 Application.ReadWrite.All
user	GroupMember.ReadWrite.All	不支持。	GroupMember.ReadWrite.All

重要

在委托方案中，还必须为登录用户分配受支持的Microsoft Entra角色或具有角色权限的microsoft.directory/groups/members/update自定义角色。以下角色是此作支持的最小特权角色，但可分配角色的组除外：

组所有者
目录作者
组管理员
标识治理管理员
用户管理员
Exchange 管理员 - 仅适用于 Microsoft 365 个组
SharePoint 管理员 - 仅适用于 Microsoft 365 个组
Teams 管理员 - 仅适用于 Microsoft 365 个组
Yammer 管理员 - 仅适用于 Microsoft 365 个组
Intune管理员 - 仅适用于安全组

若要将成员添加到可分配角色的组，还必须为应用分配 RoleManagement.ReadWrite.Directory 权限，并且必须为调用用户分配受支持的Microsoft Entra角色。 特权角色管理员 是此作支持的最小特权角色。

HTTP 请求

POST /groups/{group-id}/members/$ref
PATCH /groups/{group-id}/members

请求标头

标头	值
Authorization	持有者 {token}。必填。详细了解身份验证和授权。
Content-type	application/json. 必需。

请求正文

使用 POST /groups/{group-id}/members/$ref 语法时，提供包含 @odata.id 属性的 JSON 对象，并按 ID 引用受支持的组成员对象类型。

使用 PATCH /groups/{group-id}/members 语法时，请提供一个 JSON 对象，该对象包含一个 members@odata.bind 属性，该属性具有对支持的组成员对象类型的一个或多个 ID 引用。那是：

对于 Microsoft 365 个组，只有 https://graph.microsoft.com/v1.0/directoryObjects/{id} 和 https://graph.microsoft.com/v1.0/groups/{id} 才允许在其中必须是用户， {id} 因为只有用户才能Microsoft 365 个组的成员。
对于安全组，允许使用以下 ID 引用：
- https://graph.microsoft.com/v1.0/directoryObjects/{id} 其中 {id} 必须属于用户、安全组、设备、服务主体或组织联系人。
- https://graph.microsoft.com/v1.0/groups/{id} 其中 {id} 必须属于另一个安全组。 Microsoft 365 组不能是安全组成员。
- https://graph.microsoft.com/v1.0/devices/{id} 其中 {id} 属于设备。
- https://graph.microsoft.com/v1.0/servicePrincipal/{id} 其中 {id} 属于服务主体。
- https://graph.microsoft.com/v1.0/orgContact/{id} 其中 {id} 属于组织联系人。

响应

如果成功，此方法返回 204 No Content 响应代码。当对象已是组的成员或不支持作为组成员时，它将返回 400 Bad Request 响应代码。当要添加的对象不存在时，它将返回 404 Not Found 响应代码。在以下其中一种方案中返回 403 Unauthorized ：

你正在尝试将成员添加到无法通过 Microsoft Graph 管理的组。此 API 仅支持安全性和Microsoft 365 个组。
你正在尝试添加你没有添加权限的成员。有关添加不同成员类型所需的权限，请参阅前面的权限部分。
你正在尝试将成员添加到可分配角色的组，但你没有所需的权限。

示例

示例 1：将成员添加到组

请求

以下示例演示使用 directoryObjects 引用将成员添加到组的请求。

POST https://graph.microsoft.com/v1.0/groups/{group-id}/members/$ref
Content-type: application/json

{
  "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{id}"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ReferenceCreate
{
	OdataId = "https://graph.microsoft.com/v1.0/directoryObjects/{id}",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Groups["{group-id}"].Members.Ref.PostAsync(requestBody);



mgc groups members ref post --group-id {group-id} --body '{\
  "@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{id}"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewReferenceCreate()
odataId := "https://graph.microsoft.com/v1.0/directoryObjects/{id}"
requestBody.SetOdataId(&odataId) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Groups().ByGroupId("group-id").Members().Ref().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.models.ReferenceCreate referenceCreate = new com.microsoft.graph.models.ReferenceCreate();
referenceCreate.setOdataId("https://graph.microsoft.com/v1.0/directoryObjects/{id}");
graphClient.groups().byGroupId("{group-id}").members().ref().post(referenceCreate);


const options = {
	authProvider,
};

const client = Client.init(options);

const directoryObject = {
  '@odata.id': 'https://graph.microsoft.com/v1.0/directoryObjects/{id}'
};

await client.api('/groups/{group-id}/members/$ref')
	.post(directoryObject);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ReferenceCreate;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ReferenceCreate();
$requestBody->setOdataId('https://graph.microsoft.com/v1.0/directoryObjects/{id}');

$graphServiceClient->groups()->byGroupId('group-id')->members()->ref()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Groups

$params = @{
	"@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/{id}"
}

New-MgGroupMemberByRef -GroupId $groupId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.reference_create import ReferenceCreate
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ReferenceCreate(
	odata_id = "https://graph.microsoft.com/v1.0/directoryObjects/{id}",
)

await graph_client.groups.by_group_id('group-id').members.ref.post(request_body)

响应

以下示例显示了相应的响应。

HTTP/1.1 204 No Content

示例 2：在单个请求中向组添加多个成员

此示例说明了如何在 PATCH 操作中通过 OData 绑定支持向组添加多个成员。在单个请求中最多可以添加 20 个成员。如果请求正文中存在错误条件，则不添加任何成员，并且返回相应的响应代码。

请求

以下示例显示了一个请求。

PATCH https://graph.microsoft.com/v1.0/groups/{group-id}
Content-type: application/json

{
  "members@odata.bind": [
    "https://graph.microsoft.com/v1.0/directoryObjects/{id}",
    "https://graph.microsoft.com/v1.0/directoryObjects/{id}",
    "https://graph.microsoft.com/v1.0/directoryObjects/{id}"
    ]
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Group
{
	AdditionalData = new Dictionary<string, object>
	{
		{
			"members@odata.bind" , new List<string>
			{
				"https://graph.microsoft.com/v1.0/directoryObjects/{id}",
				"https://graph.microsoft.com/v1.0/directoryObjects/{id}",
				"https://graph.microsoft.com/v1.0/directoryObjects/{id}",
			}
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Groups["{group-id}"].PatchAsync(requestBody);



mgc groups patch --group-id {group-id} --body '{\
  "members@odata.bind": [\
    "https://graph.microsoft.com/v1.0/directoryObjects/{id}",\
    "https://graph.microsoft.com/v1.0/directoryObjects/{id}",\
    "https://graph.microsoft.com/v1.0/directoryObjects/{id}"\
    ]\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewGroup()
additionalData := map[string]interface{}{
	odataBind := []string {
		"https://graph.microsoft.com/v1.0/directoryObjects/{id}",
		"https://graph.microsoft.com/v1.0/directoryObjects/{id}",
		"https://graph.microsoft.com/v1.0/directoryObjects/{id}",
	}
}
requestBody.SetAdditionalData(additionalData)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
groups, err := graphClient.Groups().ByGroupId("group-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Group group = new Group();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
LinkedList<String> membersOdataBind = new LinkedList<String>();
membersOdataBind.add("https://graph.microsoft.com/v1.0/directoryObjects/{id}");
membersOdataBind.add("https://graph.microsoft.com/v1.0/directoryObjects/{id}");
membersOdataBind.add("https://graph.microsoft.com/v1.0/directoryObjects/{id}");
additionalData.put("members@odata.bind", membersOdataBind);
group.setAdditionalData(additionalData);
Group result = graphClient.groups().byGroupId("{group-id}").patch(group);


const options = {
	authProvider,
};

const client = Client.init(options);

const group = {
  'members@odata.bind': [
    'https://graph.microsoft.com/v1.0/directoryObjects/{id}',
    'https://graph.microsoft.com/v1.0/directoryObjects/{id}',
    'https://graph.microsoft.com/v1.0/directoryObjects/{id}'
    ]
};

await client.api('/groups/{group-id}')
	.update(group);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Group;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Group();
$additionalData = [
	'members@odata.bind' => [
'https://graph.microsoft.com/v1.0/directoryObjects/{id}', 'https://graph.microsoft.com/v1.0/directoryObjects/{id}', 'https://graph.microsoft.com/v1.0/directoryObjects/{id}', ],
];
$requestBody->setAdditionalData($additionalData);

$result = $graphServiceClient->groups()->byGroupId('group-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Groups

$params = @{
	"members@odata.bind" = @(
	"https://graph.microsoft.com/v1.0/directoryObjects/{id}"
"https://graph.microsoft.com/v1.0/directoryObjects/{id}"
"https://graph.microsoft.com/v1.0/directoryObjects/{id}"
)
}

Update-MgGroup -GroupId $groupId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.group import Group
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Group(
	additional_data = {
			"members@odata_bind" : [
				"https://graph.microsoft.com/v1.0/directoryObjects/{id}",
				"https://graph.microsoft.com/v1.0/directoryObjects/{id}",
				"https://graph.microsoft.com/v1.0/directoryObjects/{id}",
			],
	}
)

result = await graph_client.groups.by_group_id('group-id').patch(request_body)

在请求正文中，提供要添加的 directoryObject、user 或 group 对象的 JSON 表示形式。

响应