Luis Manez - MS MVP

Reputation: 402

MS Graph API Photo endpoint not working with App Permissions for Groups

I'm trying to call MS Graph API to get the Photo from a Group using Application permissions, but I'm getting an "Access is denied. Check credentials and try again." error.

According to this link:

https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/profilephoto_get

App permissions are supported:

For user resource: User.Read.All, User.ReadWrite.All

For group resource: Group.Read.All, Group.ReadWrite.All

I'm getting an App token, and I can see those permissions:

"roles": [
    "User.ReadWrite.All",
    "Group.Read.All",
    "Group.ReadWrite.All",
    "Directory.Read.All",
    "User.Read.All"
]

This seems to be a bug in the Photo endpoint for Groups, as curiously, I can get any User photo using the same App token. None of the Photo endpoints work for Groups:

/groups/{id}/photo
/groups/{id}/photo/$value
/groups/{id}/photos

Am I missing something? Is there any other permission required (not documented)?

In case anyone from the MS product team can take a look, here is one of the error IDs:

{
    "error": {
        "code": "ErrorAccessDenied",
        "message": "Access is denied. Check credentials and try again.",
        "innerError": {
            "request-id": "ac884427-69ee-407e-b198-06bd6af5f4be",
            "date": "2018-10-30T13:12:19"
        }
    }
}

Thanks!

Upvotes: 1

Views: 732

Answers (2)

Micael

Reputation: 1

Just to add on the subject: with app permissions, the V1.0 endpoint does not work to get the photo:

Get - https://graph.microsoft.com/v1.0/groups/{groupId}/photo/$value

But it does work on the beta endpoint:

Get - https://graph.microsoft.com/beta/groups/{groupId}/photo/$value

Nothing new on the Put call; I cannot update a new group photo on the V1.0 or beta endpoint.

The only way that I can update the photo is really not secure: by using JWT Resource Owner Password Credentials.

Upvotes: 0

Arthur H

Reputation: 46

I had the same use case. Apparently it's a known issue documented by Microsoft here: https://learn.microsoft.com/fr-fr/graph/known-issues#permissions-for-groups-and-microsoft-teams

You must use a delegated permission and not an app permission.

Examples of group features that support only delegated permissions: Group conversations, events, photo; External senders, accepted or rejected senders, group subscription; User favorites and unseen count.

Upvotes: 1
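A way to check which kind of token is being sent before calling the group photo endpoint, as an added example that is not part of the original question or answers. It assumes the standard Azure AD claim layout (`roles` for application permissions, `scp` as a space-separated string for delegated ones); the function names and the sample tokens are constructed for illustration, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

# Permissions the question quotes from the profilephoto_get page for groups.
GROUP_PHOTO_PERMISSIONS = {"Group.Read.All", "Group.ReadWrite.All"}


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature (offline use)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(header), _b64url(claims), "placeholder-sig"])


def decode_claims(token: str) -> dict:
    """Return the JWT payload. Inspection only: the signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_group_photo(token: str) -> dict:
    """Classify the token and say whether a v1.0 group photo read should work."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))         # application permissions
    scopes = set(claims.get("scp", "").split())  # delegated permissions
    token_type = "delegated" if scopes else "application" if roles else "none"
    granted = sorted((scopes or roles) & GROUP_PHOTO_PERMISSIONS)
    return {
        "token_type": token_type,
        "granted": granted,
        # Per the known-issue answer above: group photo is delegated-only.
        "v1_group_photo_expected": token_type == "delegated" and bool(granted),
    }


# Constructed samples: the roles are the ones shown in the question.
APP_TOKEN = make_sample_token({"roles": [
    "User.ReadWrite.All", "Group.Read.All", "Group.ReadWrite.All",
    "Directory.Read.All", "User.Read.All"]})
DELEGATED_TOKEN = make_sample_token({"scp": "Group.Read.All User.Read"})
```

The app-only sample carries both group permissions yet is flagged as not expected to work, which matches the `ErrorAccessDenied` in the question.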
