Getting users from MS Graph API with a $filter causes 403 for some users

0
votes

We have a single-page Javascript app that makes calls to Microsoft Graph API using delegated permissions. One of the things it does is get a list of users via the /users endpoint.

Now when the request URL was https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName, everything worked fine.

But then we changed it to include a filter. Specifically we only want Guest users. So we changed the request URL to https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType.

Now some of the users get a 403 Forbidden when we try to make the query. What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.

This user is themselves a Guest user, and has the Guest Inviter directory role. This gives them the ability to read all users. I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).

The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.

My theory is that the user does not have permission to access the userType property, and this causes the 403. It is probably part of the "full profile".

Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope. If we look at the Guest Inviter role's permissions: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter. We can see that they have microsoft.aad.directory/users/basic/read, a Global admin on the other hand has microsoft.aad.directory/users/allProperties/allTasks.

My question is, what do I need to do to enable this query for the user? I would like to avoid giving them Global Admin in this case.

The application's token has the following scopes:

  • Directory.AccessAsUser.All
  • User.Read

We used a less privileged scope before, but we needed to add features that required higher privileges. The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.

The application is also registered as a Native app, if that makes a difference.

Signing out and signing back in (to refresh the token) also does not help. This problem occurs with a fresh sign-in with the same scopes in the token. The only difference is the role of the user in AAD.

Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.

3
azureazure-active-directorymicrosoft-graph-api
Are these guest users from another Azure AD tenant or something like [email protected] who have nothing to do with Azure AD before invitation? Or may be you have both variations.. I'm asking because I see a little bit different behavior..Rohit Saigal
These are from another AAD.juunas
You definitely don't need to give this user Global Admin. I'm having trouble reproducing the issue you describe (with a guest user in the Guest Inviter role I was able to perform both queries you list). What scope does the app have for the request?Philippe Signoret
@PhilippeSignoret I added the scopes in the token as well as the app's type to the question. I sent the request id and timestamp to you privately.juunas
I'm followin up internally with the PM who shipped the guest features. Please ping back on twitter if you don't hear from me...Jeremy Thake MSFT

3 Answers

1
votes

Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.

0
votes

You are most likely experiencing this if your application only has delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. With only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property.

You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests for User.Read.All instead, the filter should work as expected for your guest user in the Guest Inviter role.

-1
votes

What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?

If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.