“I have a Security group without email that needs permissions to SharePoint items, but Power Automate always asks for an email!”
When creating new groups in Entra ID, you’ve got two options – Microsoft 365 group and Security group. I won’t go into the differences, except one – a Security group doesn’t have an email address. That might be a problem in some Power Automate operations that need an email, for example ‘Grant access to an item or a folder’. If your group doesn’t have an email, you’re out of luck: the group id won’t work.
How do you then use Security groups to manage permissions in a flow?
You’ll need the user principal id
Since you don’t have an email, you’ll need another identifier – the principal id. It’s the same id you use to manage permissions using HTTP requests. This id is assigned once you use the user / group on a SharePoint site, meaning there’s a prerequisite: you must add the group somewhere on the site manually. It’s very similar to the way you work with SharePoint groups.
Once you use it anywhere on the site you can get the id with an HTTP request…
Method: GET
Uri: _api/web/siteusers?$filter=Title eq '<security group name>'
…and extract it with an expression.
first(body('Send_an_HTTP_request_to_SharePoint')?['d']?['results'])?['Id']
From that point on it’s the same as when sharing an item with a SharePoint group, as explained in this article. You have the principal id, get the permission level id and use it to assign the permissions.
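The `first(...)` expression takes whichever principal the filter returns first, and display names are not unique: a user or a second group can carry the same Title. The sketch below is an added example, not code from the original article. It builds the same filter Uri with quotes escaped and returns the Id only when exactly one security group matches; the function names and sample responses are constructed, and the response shape is the `d.results` one the expression above reads.

```javascript
// Added example. Function names and the sample data are constructed for illustration.
const SECURITY_GROUP = 4; // SharePoint PrincipalType value for a security group

// Relative Uri for the 'Send an HTTP request to SharePoint' action.
// A single quote inside an OData string literal has to be doubled.
function buildSiteUsersUri(groupName) {
  const escaped = groupName.replace(/'/g, "''");
  return `_api/web/siteusers?$filter=Title eq '${escaped}'`;
}

// Return the principal Id only when exactly one security group carries the name.
function pickSecurityGroupId(body, groupName) {
  const results = body?.d?.results ?? [];
  const matches = results.filter(
    (p) => p.PrincipalType === SECURITY_GROUP && p.Title === groupName
  );
  if (matches.length !== 1) {
    throw new Error(
      `Expected exactly 1 security group named "${groupName}", found ${matches.length}`
    );
  }
  return matches[0].Id;
}

// Constructed response: a user and a security group share a display name.
// Taking the first result here would hand back the user's Id (12).
const sampleResponse = {
  d: {
    results: [
      { Id: 12, Title: "Finance Approvers", PrincipalType: 1 },
      { Id: 27, Title: "Finance Approvers", PrincipalType: 4 },
    ],
  },
};

// Constructed response: two security groups with the same display name.
const ambiguousResponse = {
  d: {
    results: [
      { Id: 27, Title: "Finance Approvers", PrincipalType: 4 },
      { Id: 31, Title: "Finance Approvers", PrincipalType: 4 },
    ],
  },
};

console.log(buildSiteUsersUri("Finance 'EU' Approvers"));
console.log(pickSecurityGroupId(sampleResponse, "Finance Approvers"));
```

In a flow, the same check can be done with a Filter array action on `PrincipalType` followed by a condition on the result length before any permission is granted.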
Summary
It’s possible to add permissions to a security group without an email in a Power Automate flow, but not with the standard actions. Since you don’t have an email address, you need another identifier – the principal id. But once you get it, it’s the same process as when sharing items / files with a SharePoint group, just a bunch of HTTP requests.
Great article! 😉