Ondrej

Reputation: 53

MS Graph Guest user cannot read Azure AD data

I created an application registered in the Application Registration Portal and granted the admin consent there. As a user from our Azure AD, I can use my web app to read, e.g., the groups I have been assigned to in AD.

But when I invite an MS user to our AD (he becomes a Guest user there), the user can sign in to the application but he cannot read the groups (using the same method as the internal user). I always get an error: "Authorization_RequestDenied Insufficient privileges to complete the operation."

Is there a way to get it to work? I have tried to browse through the Azure portal to check permissions or whatever, but nothing has helped so far.

Upvotes: 0

Views: 875

Answers (1)

Sa Yang

Reputation: 9401

Actually, for both the AAD Graph API and the Microsoft Graph API, you cannot use an MS account guest user to read the groups data like a member in that tenant.

Even if you set guest user permissions with no limitation, you still cannot get the data of a group in that tenant. This is because that MS account is not a member of that tenant, so it cannot specify a tenant to query.

I suggest you use or create a member in your tenant to achieve this.

Upvotes: 1
