MS Graph Guest user cannot read Azure AD data

0
votes

I created an application registered in Application registration portal and granted the admin consent there. As a user from our Azure AD, I can use my web app to read e.g. groups I have been assigned to in AD.

But when I invite a MS user to our AD (he becomes a Guest user there) the user can sign in into the application but he cannot read the groups (used the same method like the internal user). I always get an error: "Authorization_RequestDenied Insufficient privileges to complete the operation."

Is there a way to get it work? I have tried to browse through the Azure portal to check permissions or whatever but nothing helped so far.

1
azureazure-active-directorymicrosoft-graph-apiazureportal
User settings -> External collaboration settings -> Check if "Guest user permissions are limited" is checked. That blocks user enumeration by guests. Make sure you want to allow it though. - juunas

1 Answers

1
votes

Actually, for both AAD Graph API and Microsoft graph api , you cannot use a MS account guest user to read the groups data like a member in that tenant.

Even you can set guest user permissions with no limitation, but you still cannot get the data of a group in that tenant. This is because that MS Account is not a member of that tanant. So, it cannot specify a tenant to query.

I suggest you can use/create a member in your tenant to achieve this.