Reputation: 2545
What is the minimum set of permissions required in an AAD app to access the Graph API checkMemberGroups?
Here is the list of permissions I tried with. Can this set be reduced any further? And am I missing any mandatory permissions?
Delegated Permissions -
Microsoft Graph API
Read all users' full profiles
Read all groups
Access directory as the signed in user
Sign in and read user profile
Windows Azure Active Directory
Read all groups
Access directory as the signed in user
Sign in and read user profile
Upvotes: 7
Views: 1252
Reputation: 1151
After some experimentation, it seems that the minimum permissions are the following:
/me/checkMemberGroups
/users/{userId}/checkMemberGroups
Upvotes: 0
Reputation: 14649
If you were developing checkMemberGroups with Microsoft Graph, there is no need to configure the corresponding permission for the Windows Azure Active Directory.
And to call this API, if you have granted User.Read.All, there is no need to grant the other three permissions, as the document mentions that one of the scopes is required.
Upvotes: 2
Reputation: 3237
It depends on the type of data you want to get from Graph. If you just want to sign in the end user and get their basic profile info, you can simply set Sign in and read user profile.
Each scope relates to some data or endpoint you want to access. Figure out the list of data your scenario requires, then compare that with the scopes.
Upvotes: 0
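One way to do the comparison the answers describe, as an added example that is not code from any of the posts: it reads the delegated scopes from an access token's scp claim and reports which ones a checkMemberGroups call does not need. The function names and the sample token are constructed for illustration; the scope values are the ones behind the display names in the question, and the "one is enough" list holds only User.Read.All, as the answer above states.

```python
import base64
import json

# Scope values behind the display names listed in the question.
QUESTION_SCOPES = ["User.Read.All", "Group.Read.All",
                   "Directory.AccessAsUser.All", "User.Read"]

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(scopes):
    """Constructed, unsigned token for the demo; not a real Azure AD token."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}),
                     _b64url({"scp": " ".join(scopes)}), "sig"])

def token_scopes(jwt):
    """Return the delegated scopes from the space-separated 'scp' claim.
    The signature is not checked: this inspects your own token, it does not trust it."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    return set(claims.get("scp", "").split())

def audit(jwt, any_of):
    """any_of: scopes of which one is enough for the call, least privileged first.
    Returns the scope to keep (or None) and the scopes this call does not need."""
    granted = token_scopes(jwt)
    keep = next((s for s in any_of if s in granted), None)
    return {"keep": keep, "excess": sorted(granted - {keep})}

# Per the answer above, User.Read.All alone is enough for checkMemberGroups.
CHECK_MEMBER_GROUPS = ["User.Read.All"]

if __name__ == "__main__":
    # Token carrying all four scopes from the question, then one with too few.
    print(audit(make_sample_token(QUESTION_SCOPES), CHECK_MEMBER_GROUPS))
    print(audit(make_sample_token(["User.Read"]), CHECK_MEMBER_GROUPS))
```

A keep value of None means the token carries none of the sufficient scopes, so the call would be refused; the excess list applies to this one call only, not to everything else the app does.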