Reputation: 409
I am doing OAuth2 with Azure AD. I am able to authenticate the user and list all the groups for a domain by using this API reference
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog
I am having issues which I really need some help on:
1) When a user logs in I am not able to identify the user's role. In Google only admins/delegated admins have permission to list groups, thus we are using this to identify admins. Unfortunately for Azure AD normal users can list groups as well. I want to be able to see if the user's role is User, User Admin, Password Admin etc.
2) I need a way to get the group (orgunit) which the user belongs to. I went through the API link (above) several times but was not able to find anything helpful. I did try to set up a local Active Directory where I set up the orgunit and synced it over to Azure AD. But I consistently see that department is null.
Upvotes: 0
Views: 614
Reputation: 14649
1) When a user logs in I am not able to identify the user's role. In Google only admins/delegated admins have permission to list groups, thus we are using this to identify admins. Unfortunately for Azure AD normal users can list groups as well.
The Group.Read.All scope requires administrator consent. However, the administrator could grant consent for the organization. Then normal users could also list the groups. Please refer to the Azure consent framework here.
2) I need a way to get the group (orgunit) which the user belongs to. I went through the API link (above) several times but was not able to find anything helpful.
You can use the REST call below to get a user's group and directory role memberships
GET https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version
Refer to GetUserMemberShips.
Upvotes: 1
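As an added example (not from the answer or from the Azure AD Graph documentation), here is how the memberOf response above can be split into group and directory-role memberships, and how the role ids can be resolved to names with a directoryRoles listing. It assumes the $links URLs end in the object id followed by Microsoft.DirectoryServices.Group or Microsoft.DirectoryServices.DirectoryRole, and the sample responses are constructed, not captured from a real tenant.

```python
import re
from urllib.parse import quote

GRAPH = "https://graph.windows.net"

# ASSUMPTION: each $links/memberOf entry is a URL whose trailing segments are
# /directoryObjects/<objectId>/Microsoft.DirectoryServices.<Type>
LINK_RE = re.compile(
    r"/directoryObjects/([0-9a-fA-F-]{36})/Microsoft\.DirectoryServices\.(\w+)$")


def member_of_url(tenant: str, user_id: str, api_version: str = "1.6") -> str:
    """Build the request URL from the answer; tenant and user id are URL-escaped
    so a caller-supplied value cannot alter the path."""
    return (f"{GRAPH}/{quote(tenant, safe='')}/users/{quote(user_id, safe='')}"
            f"/$links/memberOf?api-version={api_version}")


def classify_memberships(links_response: dict) -> dict:
    """Split a $links/memberOf response into group ids, directory-role ids,
    and anything that does not match the expected URL shape."""
    out = {"groups": [], "roles": [], "other": []}
    for entry in links_response.get("value", []):
        url = entry.get("url", "")
        m = LINK_RE.search(url)
        if not m:
            out["other"].append(url)
        elif m.group(2) == "Group":
            out["groups"].append(m.group(1))
        elif m.group(2) == "DirectoryRole":
            out["roles"].append(m.group(1))
        else:
            out["other"].append(url)
    return out


def resolve_role_names(role_ids: list, directory_roles: dict) -> list:
    """Map role object ids to displayName using a /directoryRoles listing."""
    names = {r["objectId"]: r["displayName"] for r in directory_roles.get("value", [])}
    return sorted(names[i] for i in role_ids if i in names)


# Constructed sample data (not real tenant output).
SAMPLE_LINKS = {"value": [
    {"url": f"{GRAPH}/contoso.example/directoryObjects/11111111-1111-1111-1111-111111111111/Microsoft.DirectoryServices.Group"},
    {"url": f"{GRAPH}/contoso.example/directoryObjects/22222222-2222-2222-2222-222222222222/Microsoft.DirectoryServices.DirectoryRole"},
    {"url": f"{GRAPH}/contoso.example/directoryObjects/33333333-3333-3333-3333-333333333333/Microsoft.DirectoryServices.DirectoryRole"},
]}
SAMPLE_ROLES = {"value": [
    {"objectId": "22222222-2222-2222-2222-222222222222", "displayName": "User Account Administrator"},
    {"objectId": "33333333-3333-3333-3333-333333333333", "displayName": "Helpdesk Administrator"},
]}
```

A user with no entries under "roles" is an ordinary member; only the directory-role entries (not group membership) indicate an administrative role.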