Microsoft AD spoke OOB action to AddUser to group throws exception "Failed while executing ActionAddUserToADGroup.ps1 (Access denied)"

Issue

In Flow Designer, the Microsoft AD spoke OOB action Lookup User works, while the other OOB action, AddUser to group, throws the error below:

[code]
Authentication failure with the user.
SEVERE *** ERROR *** Authentication failure with the user
SEVERE *** ERROR *** Failed while executing ActionAddUserToADGroup.ps1 (Access denied)
[/code]

Note that both actions, Lookup User and AddUser to group, use the same credentials and target systems.

Cause

Perform the steps below to validate the user's permissions:

1. Execute the command below from PowerShell to see whether you are able to add a group member.

[code]
Add-ADGroupMember -Identity $groupname -Members $username -Credential (Get-Credential) -Server $computer
[/code]

You have to specify the group name, user name and AD server IP explicitly. The command prompts for the credentials.

2. Compare the permissions of a working user and a non-working user by running the following command for each user individually.

[code]
(Get-ACL "AD:$((Get-ADUser username).distinguishedname)").access
[/code]

3. Try logging in to the MID Server as the affected user (after granting that user logon rights) and run the PowerShell commands as that user. Since the user is already a member of the Administrators group, it should be able to execute the actions; if the issue still persists as described, executing the command from the MID Server helps to dig further.

Resolution

While reviewing the MID Server agent logs, we could see "Authentication failure with the user" exceptions:
[code]
02/15/21 11:14:42 (870) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a Worker starting: IPaaSActionProbe source: e826d1d2d152281007d9c98234dba932
02/15/21 11:14:43 (089) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a DEBUG: Executing command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy unrestricted -noninteractive -nologo -noprofile -command "& {& 'scripts\PowerShell\PSScript.ps1' -computer 'dcjnprawsw2b02.jnpr.net' -script 'C:\Users\user\Desktop\mid.orlando-12-11-2019__patch9a-01-04-2021_01-08-2021_1842.windows.x86-64\agent\scripts\PowerShell\ADSpoke\ActionAddUserToADGroup.ps1' -useCred $true -ismid $false -isDiscovery $true -debug $true -logInfo $false -skipTest $false -executeRemote $false -copyScriptToTarget $false; exit $LASTEXITCODE}"
02/15/21 11:14:43 (089) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a DEBUG: With credential named : MicrosoftAD
02/15/21 11:14:43 (108) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a DEBUG: Thread name is Powershell is executing...
02/15/21 11:14:45 (032) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a DEBUG: The exit value from waitFor() is 1
02/15/21 11:14:47 (097) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a DEBUG: Execution status: failed
02/15/21 11:14:47 (097) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a SEVERE *** ERROR *** Authentication failure with the user
02/15/21 11:14:47 (097) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a SEVERE *** ERROR *** Failed while executing ActionAddUserToADGroup.ps1 (Access denied)
02/15/21 11:14:47 (097) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a SEVERE *** ERROR *** Authentication failure with the user
02/15/21 11:14:47 (097) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a 2021-02-15 11:14:43 Tried Credential: name=MicrosoftAD, affinity: yes, status=failed, sysid=0a757bc9dbad645046a154f94896190e, username=, type=Windows, order=100
02/15/21 11:14:47 (566) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a Enqueuing: C:\Users\user\Desktop\mid.orlando-12-11-2019__patch9a-01-04-2021_01-08-2021_1842.windows.x86-64\agent\work\monitors\ECCSender\output_1\ecc_queue.f026d1d2db52281046a154f94896194a.xml
02/15/21 11:14:47 (566) Worker-Expedited:IPaaSActionProbe-f026d1d2db52281046a154f94896194a Worker completed: IPaaSActionProbe source: e826d1d2d152281007d9c98234dba932 time: 0:00:04.680
02/15/21 11:14:47 (957) ECCSender.1 Sending ecc_queue.f026d1d2db52281046a154f94896194a.xml
[/code]

Also, while performing the same action from a PowerShell window, we could see "Insufficient access rights to perform the operation":

[code]
PS C:\Windows\system32> Add-ADGroupMember -Identity EIS -Members dbora -Credential _snowprod-oim -Server dcjnprawsw2b02
>>
Add-ADGroupMember : Insufficient access rights to perform the operation
At line:1 char:1
+ Add-ADGroupMember -Identity EIS -Members dbora -Credential _snowprod- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (EIS:ADGroup) [Add-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMembeR
[/code]

It was clear from the above step that the user has read permissions in AD but does not have write permissions, which is why Lookup User succeeds while AddUser to group fails. The solution for the above exception is to add the AD user to the "Account Operators" or "Domain Admins" group.
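
To confirm the missing write permission on the group itself, rather than comparing user ACLs as in step 2, the following added example (not part of the original article or of the spoke's scripts) lists the ACEs on a group that let a given account write its member attribute. The function name is hypothetical; it assumes the ActiveDirectory module and its AD: drive are available on a domain-joined host.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: returns the ACEs on a group that give an account
# (directly or through group membership) write access to the 'member' attribute.
function Test-GroupMemberWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $GroupName,  # group passed to Add-ADGroupMember -Identity
        [Parameter(Mandatory)] [string] $UserName    # account stored in the MID Server credential
    )

    # schemaIDGUID of the 'member' attribute; an empty GUID on an ACE means "all properties".
    $memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $rights     = [System.DirectoryServices.ActiveDirectoryRights]

    $group = Get-ADGroup -Identity $GroupName
    $user  = Get-ADUser  -Identity $UserName

    # SIDs that apply to the account: its own SID plus every group it is a member of,
    # nested groups included (LDAP_MATCHING_RULE_IN_CHAIN). The primary group is not
    # returned by this filter, and a DN containing LDAP special characters needs escaping.
    $sids  = @($user.SID.Value)
    $sids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
             ForEach-Object { $_.SID.Value }

    # Read the group's DACL with identities expressed as SIDs so they compare directly.
    $acl = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $sids -contains $_.IdentityReference.Value -and
            ($_.ActiveDirectoryRights -band $rights::WriteProperty) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $memberGuid)
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}

# Usage with the names from the article's PowerShell session:
# Test-GroupMemberWriteAccess -GroupName EIS -UserName _snowprod-oim
```

No rows, or only rows with AccessControlType Deny, is consistent with the "Insufficient access rights" error above; running it again after the group change shows which ACE now grants the write.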