Reputation: 715
I'm trying to get user's group memberships (transitive) and using Microsoft Graph for it. I used to use group claims in token but after switching to the AD v2.0 endpoint (for dynamic consent support etc.), the token doesn't contain those so they need to be retrieved from AD separately.
The user/getMemberGroups operation does exactly that, but I have a hard time getting it to work without granting Directory.Read.All permissions. The documentation says that any of these should work:
- User.Read and Group.Read.All
- User.ReadBasic.All and Group.Read.All
- Directory.Read.All
- Directory.ReadWrite.All
- Directory.AccessAsUser.All
Yet with an on-behalf-of access token for the user to Microsoft Graph, the request always fails with response 403 Forbidden and error code Authorization_RequestDenied.
HTTP request:
POST /v1.0/me/getMemberGroups HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer <removed>
Content-Type: application/json
Cache-Control: no-cache
Postman-Token: dbb2ead3-9863-57ef-af09-d45c3ab88e69
{
"securityEnabledOnly": false
}
I'm actually using the .NET SDK to perform the operation but can repro it with a pure HTTP request, which is clearer.
Looking inside the access token, it has both Group.Read.All and User.Read.All, which should be a sufficient combination:
{
"aud": "https://graph.microsoft.com",
[....]
"scp": "Group.Read.All User.Read User.Read.All"
}
The current user is a Global Admin for the AD tenant in question, so I suppose this shouldn't be a question of him having insufficient privileges to the AD items either. I have done the admin consent for this application using the v2.0 endpoints (not that it should matter when using this admin user, AFAIK).
Upvotes: 3
Views: 1834
Reputation: 5838
The getMemberGroups function should only require both Group.Read.All and, in your case (for ../me/getMemberGroups), User.Read. However, due to a bug in the authorization check, this currently requires Directory.Read.All (which is what you've observed). I'm afraid I don't have an ETA for this fix, but will report back when I hear more.
Hope this helps,
Upvotes: 4
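A pre-flight check that inspects the scp claim of an access token and reports whether it meets the documented permission combinations for getMemberGroups, and separately the stricter Directory.* requirement the answer above reports the authorization check actually enforced. This is an added example, not code from the question, the answer or the Graph SDK; the unsigned_token helper only builds a constructed local fixture so the check can be run offline.

```python
import base64
import json

# Combinations the Graph docs list as sufficient for user/getMemberGroups
# (the five named in the question); every scope in a set must be present.
DOCUMENTED = [
    {"User.Read", "Group.Read.All"},
    {"User.ReadBasic.All", "Group.Read.All"},
    {"Directory.Read.All"},
    {"Directory.ReadWrite.All"},
    {"Directory.AccessAsUser.All"},
]
# What the answer reports the authorization check enforced at the time.
OBSERVED = [{"Directory.Read.All"}, {"Directory.ReadWrite.All"},
            {"Directory.AccessAsUser.All"}]

def decode_jwt_payload(token):
    """Return the claims of a compact JWT without checking its signature:
    for inspecting a token you already hold, never for trusting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def delegated_scopes(payload):
    """Delegated permissions are space-separated in the 'scp' claim."""
    return set(payload.get("scp", "").split())

def check_member_groups_access(token):
    """Compare the token's scopes with the documented requirement and with
    the stricter one observed in practice; list the cheapest missing set."""
    payload = decode_jwt_payload(token)
    scopes = delegated_scopes(payload)
    documented_ok = any(c <= scopes for c in DOCUMENTED)
    observed_ok = any(c <= scopes for c in OBSERVED)
    missing = sorted(min((c - scopes for c in OBSERVED), key=len))
    return {
        "aud": payload.get("aud"),
        "documented_ok": documented_ok,
        "observed_ok": observed_ok,
        "missing_for_observed": missing,
    }

def unsigned_token(claims):
    """Constructed, unsigned sample token for offline tests only (hypothetical)."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."
```

Run against the claims shown in the question, the check reports documented_ok True but observed_ok False with Directory.Read.All missing, which matches the 403 described.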