AADGroup: Unable to create AAD role-assignable security group due to error

[Borgquite]

Details of the scenario you tried and the problem that is occurring

When trying use AADGroup to create a role-assignable non-mail enabled security group in Azure Active Directory (example follows), the following error occurs:

https://learn.microsoft.com/en-us/azure/active-directory/roles/groups-create-eligible#microsoft-graph-api

Verbose logs showing the problem

VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Resource ]  [[AADGroup]TestGroup]
VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Test     ]  [[AADGroup]TestGroup]
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Testing configuration of AzureAD Groups
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Getting configuration of AzureAD Group
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Id was NOT specified
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Group was null, returning null
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Target Values: ApplicationId=***; CertificateThumbprint=***; DisplayName=TestGroup; Ensure=Present; IsAssignableToRole=True; MailEnabled=False; MailNickname=TestGroup; Securit
yEnabled=True; TenantId=***; Verbose=True
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Test-TargetResource returned False
VERBOSE: [COMPUTERNAME]: LCM:  [ End    Test     ]  [[AADGroup]TestGroup]  in 0.5160 seconds.
VERBOSE: [COMPUTERNAME]: LCM:  [ Start  Set      ]  [[AADGroup]TestGroup]
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Setting configuration of Azure AD Groups
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Getting configuration of AzureAD Group
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Id was NOT specified
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Group was null, returning null
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Getting all Service Plans
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Creating new group {TestGroup}
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Creating Group with Values: DisplayName=TestGroup; GroupTypes=(Unified); IsAssignableToRole=True; MailEnabled=False; MailNickname=TestGroup; SecurityEnabled=True; Verbose=True
VERBOSE: [COMPUTERNAME]:                            [[AADGroup]TestGroup] Performing the operation "New-MgGroup_CreateExpanded" on target "Call
 remote 'GroupsGroupCreateGroup' operation".
GroupType cannot be set for security groups assignable to roles.
    + CategoryInfo          : InvalidOperation: ({ body = Micros...oftGraphGroup }:) [], CimException
    + FullyQualifiedErrorId : Request_BadRequest,Microsoft.Graph.PowerShell.Cmdlets.NewMgGroup_CreateExpanded
    + PSComputerName        : localhost

Suggested solution to the issue

MSFT_AADGroup.psm1 line 37 defaults GroupTypes to @('Unified') and lines 405-408 appear to force GroupTypes to the same if it is set null.

Despite what the MS Graph documentation says, 'mailEnabled' does not need to be $true, and 'groupTypes' does not need to be @('Unified') when creating security groups assignable to roles (as the error states) - see the PowerShell documentation. Please update the module to leave groupTypes at $null if configured as such by the system administrator.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration Example
{
    param
    (
        [Parameter(Mandatory = $true)]
        [PSCredential]
        $credsGlobalAdmin
    )

    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADGroup 'TestGroup'
        {
            DisplayName                   = 'TestGroup'
            MailNickname                  = 'TestGroup'
            SecurityEnabled               = $true
            MailEnabled                   = $false
            IsAssignableToRole            = $true
            Ensure                        = "Present"
            Credential                    = $credsGlobalAdmin
        }
    }
}

$cd = @{
    AllNodes = @(
        @{
            NodeName = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

Example -ConfigurationData $cd

The operating system the target node is running

OsName : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : en-GB
OsMuiLanguages : {en-GB, en-US}

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.308.1

[Borgquite]

Just to confirm, it is possible to create a non-unified, non-mail enabled security group in Azure AD.

Just tested the following with Graph Explorer and it works perfectly:

POST https://graph.microsoft.com/v1.0/groups
{
    "displayName": "TestGroup",
    "isAssignableToRole": true,
    "mailEnabled": false,
    "securityEnabled": true,
    "mailNickname": "TestGroup"
}

Have created separate issue for the docs: MicrosoftDocs/azure-docs#107156