0
votes

Requirement: We would like to query the groups of a user via Microsoft’s Graph API with the following request:

https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/user_getmembergroups

In our case the response looks like this:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "request-id": "a230a67e-8ef1-4f88-aa19-2c5b983c3de4",
      "date": "2017-01-04T16:29:55"
    }
  }
}

(Note: the GET https://graph.microsoft.com/v1.0/me/ is working fine and returns the user data)

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
  "id": "e23976a1-8bd9-4cca-a410-e095d2c2022d",
  "businessPhones": [],
  "displayName": "XXXX Vad",
  "givenName": "XXXX",
  "jobTitle": null,
  "mail": null,
  "mobilePhone": null,
  "officeLocation": null,
  "preferredLanguage": null,
  "surname": "Vad",
  "userPrincipalName": "XXXX.vad_outlook.com#EXT#@XXXXvadoutlook.onmicrosoft.com"
}

Environment:

  • Application created on apps.dev.microsoft.com with the following parameters:
    ◦ Application Id: 412386c3-8fa3-4000-9039-748111407XXX
    ◦ Delegated Permissions: [ User.Read ]
  • This application is visible on ‘Azure Portal / AAD / Enterprise applications’ and the user with a group ‘BASIC’ is added to this application

An example of an access token obtained from AAD:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/b9df6a2d-9150-45f9-abf0-9c30f9e527c7/",
  "iat": 1483548390,
  "nbf": 1483548390,
  "exp": 1483552290,
  "acr": "1",
  "aio": "AQABAAEAAADRNYRQ3dhRSrm-4K-adpCJhEVX2WEl4aboghl6AXaqOVcbaQPl1yYg1X1D2r4cNxBYmPvUiTKE9bB6wwpNSBKeD2OZXhrzdE3FPddCzbaTo84X8aSoKFaAt2vysYSv1HdChNXBPbfrVlA6YBuSwVwEIAA",
  "altsecid": "1:live.com:00037FFEC5917401",
  "amr": [
    "pwd"
  ],
  "app_displayname": "XXX test",
  "appid": "412386c3-8fa3-4000-9039-748111407XXX",
  "appidacr": "0",
  "email": "[email protected]",
  "family_name": "Vad",
  "given_name": "XXXX",
  "idp": "live.com",
  "ipaddr": "165.225.80.95",
  "name": "XXXX Vad",
  "oid": "e23976a1-8bd9-4cca-a410-e095d2c20XXX",
  "platf": "3",
  "puid": "10037FFE9D51DXXX",
  "scp": "User.Read",
  "sub": "sCDfsIUynhm4GdgPIe8hYguyNbbc7IBjZeKLd1UDXXX",
  "tid": "b9df6a2d-9150-45f9-abf0-9c30f9e52XXX",
  "unique_name": "live.com#[email protected]",
  "ver": "1.0"
}

What am I doing wrong or what’s missing? Any help is appreciated.

1
So you have permission to read users but I guess that doesn't mean you can read groups? – juunas

Yes, I have added User.READ at the apps.dev.microsoft to my app and I use the same appId to retrieve the token (see above). Although the "aud" claim is not my app url... – csikos.balint

The aud claim says who the token is for, so nothing wrong with that. You probably need some other permission. – juunas

Now that I checked documentation it seems the scope should be enough. But sadly it would not be the first time documentation about required scopes was wrong. In the meantime you should try adding some other higher-level permissions and seeing which one works. – juunas

1 Answer

0
votes

You have to have admin consent right now to pull groups. They changed the required permissions a while back.

https://blogs.msdn.microsoft.com/aadgraphteam/2015/03/18/update-to-graph-api-consent-permissions/
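The token pasted in the question already shows the cause the answer points at: its `scp` claim carries only `User.Read`, and `aud` is the Graph resource (which, as the comments note, is correct). The following Python is an added example, not code from the question, the answer or Microsoft: it decodes an access token's claims without verifying the signature (a client-side diagnostic only, never token validation), compares the granted delegated scopes against a required set, checks the audience, and summarises a Graph error body so the `request-id` can be quoted when asking an admin for consent. The claims and the required scope list are constructed placeholders; the real permissions a given Graph call needs must be taken from the current Graph permissions reference.

```python
import base64
import json

# Constructed sample claims mirroring the shape of the token in the question:
# the scp claim carries only User.Read. All ids are placeholders, not real values.
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "00000000-0000-0000-0000-000000000000",
    "scp": "User.Read",
    "tid": "00000000-0000-0000-0000-000000000000",
    "ver": "1.0",
}

# Constructed copy of the error body shown in the question.
SAMPLE_ERROR_BODY = json.dumps({
    "error": {
        "code": "Authorization_RequestDenied",
        "message": "Insufficient privileges to complete the operation.",
        "innerError": {
            "request-id": "a230a67e-8ef1-4f88-aa19-2c5b983c3de4",
            "date": "2017-01-04T16:29:55",
        },
    }
})

GRAPH_AUDIENCE = "https://graph.microsoft.com"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def build_sample_token(claims: dict) -> str:
    """Assemble a JWT-shaped string from constructed claims so the inspection
    helpers have realistic input. The signature segment is a dummy."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Read the payload of an access token WITHOUT verifying its signature.
    This only shows what the client is about to send; verifying the token is
    the resource server's job, not the caller's."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    # Delegated permissions live in the space-separated scp claim.
    return set(claims.get("scp", "").split())


def missing_scopes(claims: dict, required) -> list:
    """Return the required delegated permissions the token does not carry."""
    return sorted(set(required) - granted_scopes(claims))


def audience_is_graph(claims: dict) -> bool:
    # aud names the resource the token is FOR (Graph), not the calling app.
    return claims.get("aud") == GRAPH_AUDIENCE


def preflight(token: str, required) -> dict:
    """Run the checks a client can do before making the call."""
    claims = decode_claims(token)
    return {
        "audience_ok": audience_is_graph(claims),
        "missing": missing_scopes(claims, required),
    }


def summarize_graph_error(body: str) -> dict:
    """Pull the fields worth quoting to an admin out of a Graph error body."""
    err = json.loads(body).get("error", {})
    inner = err.get("innerError", {})
    return {
        "code": err.get("code"),
        "message": err.get("message"),
        "request_id": inner.get("request-id"),
        "date": inner.get("date"),
    }


if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    # Hypothetical required set for a group-membership call (assumption);
    # take the real one from the Graph permissions reference.
    print(preflight(token, ["User.Read", "Directory.Read.All"]))
    print(summarize_graph_error(SAMPLE_ERROR_BODY))
```

Running the preflight against the sample token reports `audience_ok: True` and a non-empty `missing` list, which is the state the question describes: the token is addressed to Graph correctly but does not carry a scope that would allow reading group membership, so the fix is on the consent side rather than in the request itself.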