6
votes

What is the minimum set of permissions required in an AAD App to access the Graph API checkMemberGroups?

Here is the list of permissions I tried with. Can this set be reduced any further? And am I missing any mandatory permissions?

Delegated Permissions -

Microsoft Graph API

  • Read all users' full profiles
  • Read all groups
  • Access directory as the signed in user
  • Sign in and read user profile

Windows Azure Active Directory

  • Read all users' full profiles
  • Read all groups
  • Access directory as the signed in user
  • Sign in and read user profile

3
Please feel free to let me know if you still have problems with the permissions and scopes for Microsoft Graph. - Fei Xue - MSFT

3 Answers

2
votes

If you are developing checkMemberGroups with Microsoft Graph, there is no need to configure the corresponding permissions for Windows Azure Active Directory.

And to call this API, if you have granted User.Read.All, there is no need to grant the other three permissions, as the document mentions that one of the scopes is required.

0
votes

It depends on the type of data you want to get from Graph. If you just want to sign in the end user and get their basic profile info, you can simply set Sign in and read user profile.

Each scope relates to some data or endpoint you want to access. Figure out the list of data your scenario requires, then compare that with the scopes.

0
votes

After some experimentation, it seems that the minimum permissions are the following:

/me/checkMemberGroups

  • User.Read
  • GroupMember.Read.All

/users/{userId}/checkMemberGroups

  • User.ReadBasic.All
  • GroupMember.Read.All
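As an added example (not code from any answer on this page), the two endpoints above turned into a request builder plus a local least-privilege check: before calling Graph, the delegated scopes in the access token's `scp` claim are compared with the minimal set the last answer reports, so an over- or under-scoped token is caught early. The token is a constructed, unsigned stand-in and the user id is a placeholder.

```python
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Minimal delegated scopes per endpoint, as reported in the last answer above.
REQUIRED_SCOPES = {
    "me": {"User.Read", "GroupMember.Read.All"},
    "user": {"User.ReadBasic.All", "GroupMember.Read.All"},
}


def build_request(group_ids, user_id=None):
    """Return (method, url, json_body) for a checkMemberGroups call.
    user_id=None targets /me; otherwise /users/{userId}."""
    path = "/me" if user_id is None else f"/users/{user_id}"
    body = {"groupIds": list(group_ids)}
    return "POST", f"{GRAPH}{path}/checkMemberGroups", body


def scopes_in_token(jwt):
    """Read the space-separated 'scp' claim from a token payload.
    No signature check: this is a local sanity check, not validation."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("scp", "").split())


def missing_scopes(jwt, user_id=None):
    """Scopes the token lacks for the chosen endpoint; empty set means OK."""
    needed = REQUIRED_SCOPES["me" if user_id is None else "user"]
    return needed - scopes_in_token(jwt)


def _fake_token(scp):
    """Constructed, unsigned token carrying only the claim the check needs."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64({'scp': scp})}.signature"


if __name__ == "__main__":
    token = _fake_token("User.Read GroupMember.Read.All")
    print(build_request(["00000000-0000-0000-0000-000000000001"]))
    print("missing for /me:", missing_scopes(token))
    print("missing for /users/{id}:", missing_scopes(token, user_id="USER-ID-PLACEHOLDER"))
```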