Adding a group member fails with the application level "GroupMember.ReadWrite.All" permissions – works with "Group.ReadWrite.All"

Question


According to msdocs it should be sufficient to have the "GroupMember.ReadWrite.All" application level permissions to add members to a security group

I get an authorization error (see below) - it works as expected if I grant the "Group.ReadWrite.All" permissions

Did I miss something obvious here?

Language is PowerShell - connected to the Graph API v1.0 with the "client_credentials" grant type

Error message:

Invoke-RestMethod : {
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "71b06588-f9a2-48ef-ac3f-5223899cad68",
      "date": "2020-01-03T09:30:31"
    }
  }
}

Answer 1

Score: 2


Add member endpoint documentation states that for the Application permission type one of the following permissions is required:

> GroupMember.ReadWrite.All, Group.ReadWrite.All and
> Directory.ReadWrite.All

But, it appears, it also varies based on group type:

  • for Office365 group, one of the following permissions is
    sufficient: GroupMember.ReadWrite.All or Group.ReadWrite.All
  • while for Security group, along with GroupMember.ReadWrite.All permission, Directory.ReadWrite.All needs to be specified as well

So, the solution would be to specify permission Directory.ReadWrite.All along with GroupMember.ReadWrite.All
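To check this from the client side, here is an added PowerShell example (not the asker's or the answerer's code) that requests an app-only token with the client_credentials grant, reads the application permissions actually present in its `roles` claim, and compares them with what the target group's type needs before calling the add-member endpoint. The tenant id, client id/secret, group id and member id are placeholders you must supply.

```powershell
# Added example (not code from the question or the answer). All ids and the secret are placeholders.
$TenantId     = '<tenant-id>'
$ClientId     = '<client-id>'
$ClientSecret = '<client-secret>'
$GroupId      = '<group-object-id>'
$MemberId     = '<user-object-id>'
$Graph        = 'https://graph.microsoft.com/v1.0'

# 1. Token: scope ".default" returns every application permission admin-consented for the app.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{ grant_type = 'client_credentials'; client_id = $ClientId
             client_secret = $ClientSecret; scope = 'https://graph.microsoft.com/.default' }
$token   = $tokenResponse.access_token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# 2. Decode the JWT payload (base64url) to read the "roles" claim, which lists the app permissions.
#    We are only inspecting our own token here, so no signature verification is required.
$payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$roles = @(([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
            ConvertFrom-Json).roles)
Write-Host "Application permissions in token: $($roles -join ', ')"

# 3. The group type decides which set is enough (as described in the answer above):
#    Microsoft 365 ("Unified") group: GroupMember.ReadWrite.All or Group.ReadWrite.All;
#    security group: Group.ReadWrite.All, or GroupMember.ReadWrite.All + Directory.ReadWrite.All.
$group = Invoke-RestMethod -Headers $headers -Uri ($Graph + '/groups/' + $GroupId + '?$select=securityEnabled,groupTypes')
$isUnified  = $group.groupTypes -contains 'Unified'
$sufficient = if ($isUnified) {
    ($roles -contains 'GroupMember.ReadWrite.All') -or ($roles -contains 'Group.ReadWrite.All')
} else {
    ($roles -contains 'Group.ReadWrite.All') -or
    (($roles -contains 'GroupMember.ReadWrite.All') -and ($roles -contains 'Directory.ReadWrite.All'))
}
if (-not $sufficient) {
    $kind = if ($isUnified) { 'Microsoft 365' } else { 'security' }
    Write-Warning "Token lacks the permissions needed for a $kind group; the add would fail with Authorization_RequestDenied."
    return
}

# 4. Add the member: POST /groups/{id}/members/$ref with the directoryObjects URL of the member.
$body = @{ '@odata.id' = "$Graph/directoryObjects/$MemberId" } | ConvertTo-Json
try {
    Invoke-RestMethod -Method Post -Headers $headers -Body $body `
        -Uri ($Graph + '/groups/' + $GroupId + '/members/$ref') -ErrorAction Stop
    Write-Host 'Member added.'
} catch {
    # Graph returns the JSON error object (code, message, innerError.request-id) in the response body.
    Write-Warning "Add member failed: $($_.ErrorDetails.Message)"
}
```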

huangapple
  • Posted on 3 January 2020, 17:41:56
  • Please keep this link when reposting: https://go.coder-hub.com/59576202.html