Allow granular management access of AAD groups by service principals
We have a scenario where we would like to use automation to manage membership of an AAD group.
We assign group owner permissions to the service principal. However, operations against that group (using PowerShell cmdlets like Add-AzureAdGroupMember) fail with a 403 Forbidden.
We cannot grant Directory.ReadWrite permissions to the AAD application, because that would allow write permissions on the entire AAD directory, not just the group that the AAD application owns.
According to Azure support, the scenario where I would like my service principal to manage groups that it owns is not currently possible. Can we make it possible?