0
votes

As you can see from my question above, I was wondering whether it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via the Microsoft Graph API.

My situation is that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is that an Azure user can log in to my website with their Azure account.

The idea is that an Azure user is either an admin or a user (depending on the Azure groups), and depending on this role group the user can view more or less of my webpage.

For example:

When Peter logs in with his Azure account on my webpage, he should only be able to see: Add new Document, Edit Document, Remove Document, because he is only assigned as "User" in Azure Active Directory.

But when Sabrina logs in with her Azure account on my webpage, she should be able to do the same as Peter, but she can also see: Manage Products, Add new customer, etc., because she has been assigned as an admin in Azure Active Directory.

My problem is that I did not find out how to retrieve the assigned groups of a user with the Microsoft Graph API. The part about what a user can or cannot see once I have the roles is not a big deal.

I already tried this API call:

https://graph.microsoft.com/v1.0/me/

But it seems that the response of this call does not include the actual assigned groups of that user.

Do you think it is possible to retrieve the assigned groups of an Azure user? Is this even possible? Or do I have to do something else to retrieve this information?

I hope you understand my point and I am also looking forward to any response. Thanks in advance!

3
You could define the roles in your app in the app's manifest and assign those to the users. The id token will then always contain the roles. More info: joonasw.net/view/defining-permissions-and-roles-in-aad (juunas)

3 Answers

2
votes

Add /memberOf to the URL to receive the groups a user is a member of.

https://graph.microsoft.com/v1.0/me/memberOf
0
votes

Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups

Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to - https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md

Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens

0
votes

According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.

But if the groups with permissions in your system are not too many, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is a member of the specified groups.

It is not a good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf, because it returns only the groups that the user is a direct member of, but a security group can be a member of another security group.
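An added example (not code from the question or from any of the answers) that ties the second and third answers together: read the groups from the ID token, fall back to checkMemberGroups when the token carries the overage claim, and map group IDs to the app's own roles. It is written in Python rather than the asker's C#, and the group object IDs and the `post_json` HTTP client are assumptions.

```python
from typing import Callable, Dict, List, Optional, Set

# Constructed sample group object IDs (not real tenant values) that this app
# maps to its own roles. The assumed `post_json(url, body)` is whatever
# authenticated HTTP client the app already uses to call Graph.
ROLE_GROUPS: Dict[str, str] = {
    "admin": "11111111-1111-1111-1111-111111111111",
    "user": "22222222-2222-2222-2222-222222222222",
}
CHECK_URL = "https://graph.microsoft.com/v1.0/me/checkMemberGroups"
GraphPost = Callable[[str, dict], dict]


def groups_from_token(claims: dict) -> Optional[Set[str]]:
    """Group IDs carried in the ID token, or None when the token signals
    group overage (`hasgroups: true`, or `_claim_names.groups` -> `src1`)
    and the groups must be fetched from Graph instead."""
    if claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
        return None
    return set(claims.get("groups", []))


def groups_via_graph(post_json: GraphPost) -> Set[str]:
    """Ask Graph which of the app's role groups the user belongs to.
    checkMemberGroups is transitive (nested groups count) and accepts at
    most 20 group IDs per request, so the IDs are sent in chunks."""
    ids = list(ROLE_GROUPS.values())
    member_of: Set[str] = set()
    for i in range(0, len(ids), 20):
        resp = post_json(CHECK_URL, {"groupIds": ids[i:i + 20]})
        member_of.update(resp.get("value", []))
    return member_of


def app_roles(claims: dict, post_json: GraphPost) -> List[str]:
    """Roles to grant: taken from the token when present, from Graph on overage.
    Only known group IDs map to a role, so a user with no matching group
    ends up with no roles rather than a default one."""
    groups = groups_from_token(claims)
    if groups is None:
        groups = groups_via_graph(post_json)
    return sorted(role for role, gid in ROLE_GROUPS.items() if gid in groups)


def make_fake_graph(memberships: Set[str]) -> GraphPost:
    """Constructed offline stand-in for Graph, given a user's real memberships."""
    def post_json(url: str, body: dict) -> dict:
        assert url == CHECK_URL
        return {"value": sorted(set(body["groupIds"]) & memberships)}
    return post_json
```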