Reputation: 1
Group memberships for users returned by $expand=memberOf are unreliable
I'm building an integration that uses the Graph Api to download all users, groups and group memberships from Azure Ad.
In the past, I've paged through all users, groups and members (for directories with 100k+ users and 60k+ groups, this is slow, and, if several instances run at the same time, it causes the server to run out of handles after a while).
A much quicker way of downloading this data, is to page through all users and groups (and expanding memberOf of both).
There is one small caveat, which is noted in the documentation: https://learn.microsoft.com/en-us/graph/query-parameters#expand-parameter
With Azure AD resources that derive from directoryObject, like user and group, $expand is only supported for beta and typically returns a maximum of 20 items for the expanded relationship.
And, according to this SO answer, https://stackoverflow.com/a/41390581/7240171, there is no NextPageRequest support for the expand parameter.
To get around this, I issue a separate request to the MemberOf endpoint for each user and group where the expanded memberOf returns 20 results.
This works most of the time. However, I have examples of users where the expanded memberOf property returns 13 groups, while the user is actually a member of 26 groups. I would have expected that the expanded memberOf property for any user with 20 or more memberships would have returned 20.
So. My question comes down to this.
For a user that is a member of 26 groups, when queried through the MemberOf API.
var memberships = await graph.Users[userId].MemberOf.Request().GetAsync();
Why are only 13 memberships returned when queried using the $expand=memberOf query parameter (I have not found a pattern where certain group types are excluded, so I don't think there is some implicit filter applied).
var userWithMemberships = await graph.Users[userId].Request().Expand("memberOf").GetAsync();
I have tested using both beta and production endpoints, and I'm seeing the same issue in both versions. Is the $expand=memberOf unreliable?
Upvotes: 0
Views: 1170
Answers (1)
Reputation: 15754
As far as I know, $expand is somewhat limited in Directory. I think the api /memberOf will response the accurate data. So we'd better use the api /memberOf(or sdk graph.Users[userId].MemberOf.Request().GetAsync()) instead of use $expand=memberOf.
Upvotes: 0
Related Questions
- Microsoft Graph Group query does not expand relationships when $select is present
- Microsoft Graph get AD group members with extensionattributes
- Microsoft Graph user/getMemberGroups fails despite correct Permissions
- Adding group members via Azure Graph API and Powershell
- get group members from azure ad via microsoft graph
- Filter groupType works on groups but not on memberOf
- Expanding MemberOf with Microsoft Graph does not populate groups
- Group Membership does not include Contacts
- Microsoft Graph OData query parameter $expand doesn't seem to work
- Exception when querying the members of group in Microsoft.Graph Client