1
votes

I have created two directories in the Azure AD portal. In one directory, I registered a client application and gave it these delegated permissions:

  • User.Read
  • Directory.AccessAsUser.All
  • Directory.Read.All

I also made it multi-tenant so that any Azure AD directory can use this application.

After a successful login, I call the API (https://graph.microsoft.com/v1.0/me/memberOf) to get the user's group information. This works only for users in the directory where the application is registered. For a user in that directory I do get all details, such as displayName etc.

When I log in with a user belonging to another tenant (directory), the login is successful but I do not get complete group data in the API response (included below). I do get the correct object id (of the group) back, but not the other details.

It seems to be a permission-related issue which I am not able to figure out. Can anyone please suggest?

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
    "value": [
        {
            "@odata.type": "#microsoft.graph.group",
            "id": "8bcd8779-8a74-4db7-83f0-8a5c5d076540",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": null,
            "creationOptions": [],
            "description": null,
            "displayName": null,
            "groupTypes": [],
            "isAssignableToRole": null,
            "mail": null,
            "mailEnabled": null,
            "mailNickname": null,
            "onPremisesDomainName": null,
            "onPremisesLastSyncDateTime": null,
            "onPremisesNetBiosName": null,
            "onPremisesSamAccountName": null,
            "onPremisesSecurityIdentifier": null,
            "onPremisesSyncEnabled": null,
            "preferredDataLocation": null,
            "proxyAddresses": [],
            "renewedDateTime": null,
            "resourceBehaviorOptions": [],
            "resourceProvisioningOptions": [],
            "securityEnabled": null,
            "securityIdentifier": null,
            "visibility": null,
            "onPremisesProvisioningErrors": []
        }
    ]
}

I use the Spring Security OAuth2 implementation with these configuration properties (id and secret masked):

azure:
  activedirectory:
    tenant-id: 66aeb78f-7a26-46c9-99ab-460c6309b21e
    active-directory-groups: Users
  client:
    client-id: 9618ac61-43ab-4c97-a9f1-769c91f48e08
    client-secret: DxndD0cBezR-AnrGuCH@?b1NpwtFj?47
    accessTokenUri: https://login.microsoftonline.com/common/oauth2/v2.0/token
    userAuthorizationUri: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=select_account
    scope: user.read
  resource:
    userInfoUri: https://graph.microsoft.com/v1.0/me
Can you share how you are obtaining the access token to call Microsoft Graph? – Philippe Signoret

First get the Spring Security authentication object (SecurityContextHolder.getContext().getAuthentication()) and then get the token from the authentication object. I have updated the question with the configuration properties. – Nitin Gaur

Now that you put the client secret in the cloud, you may want to change it... – Paul Schaeflein

Thanks for the alert, but I had posted "altered" client secret and ids. – Nitin Gaur

2 Answers

1
votes

When the only property populated is the object ID, you are likely in the scenario described in Limited information returned for inaccessible member objects.

In short, while your app does have permission to read the fact that the signed-in user is a member of the group (thanks to User.Read), it does not have permission to read all the properties of that group.

Since Directory.Read.All would be sufficient to read all group properties, a likely conclusion is that in the second tenant, your app has not actually been granted all three permissions you list, and has only been granted User.Read.

Note: Always choose the least-privileged permissions for your scenario. Directory.AccessAsUser.All should be avoided wherever possible as it's the most privileged permission. For the scenario you've described, you may not even need Directory.Read.All. If you only need access to basic group details (e.g. display name, etc.), try GroupMember.Read.All instead.
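As an added example (not code from the question or the answer), a small Python script that detects the inaccessible-member case in a /me/memberOf response body, where only @odata.type and id survive, and builds the v2.0 admin-consent URL that asks the second tenant for the least-privileged group scope; the tenant name, client id and redirect URI are placeholders. With the v2.0 endpoint only the scopes named in the request are consented, so a configuration whose scope is just user.read never asks the second tenant for any group-reading permission.

```python
import json
from urllib.parse import urlencode

# Constructed sample: the first object mirrors the question's response (only the
# id is populated); the second is a fully readable group with a made-up id.
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
    "value": [
        {"@odata.type": "#microsoft.graph.group",
         "id": "8bcd8779-8a74-4db7-83f0-8a5c5d076540",
         "displayName": None, "description": None, "mail": None,
         "securityEnabled": None, "groupTypes": [], "proxyAddresses": []},
        {"@odata.type": "#microsoft.graph.group",
         "id": "00000000-0000-0000-0000-000000000001",
         "displayName": "Users", "description": None, "mail": None,
         "securityEnabled": True, "groupTypes": [], "proxyAddresses": []},
    ],
})

# Properties Graph returns even for an object the caller is not allowed to read.
METADATA_KEYS = {"@odata.type", "id"}


def is_inaccessible(obj: dict) -> bool:
    """True when every non-metadata property is null or empty: the caller could
    see the membership (User.Read) but has no permission to read the object."""
    return all(v in (None, "", [], {}) for k, v in obj.items()
               if k not in METADATA_KEYS)


def triage_member_of(body: str) -> dict:
    """Split a /me/memberOf response body into readable and inaccessible ids."""
    readable, inaccessible = [], []
    for obj in json.loads(body).get("value", []):
        (inaccessible if is_inaccessible(obj) else readable).append(obj["id"])
    return {"readable": readable, "inaccessible": inaccessible}


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str,
                      scopes: list) -> str:
    """Build the v2.0 admin-consent URL that asks the given tenant to grant the
    listed delegated scopes (tenant, client_id and redirect_uri are placeholders)."""
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": " ".join(scopes), "state": "memberof-check"})
    return f"https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?{query}"


if __name__ == "__main__":
    print(triage_member_of(SAMPLE_RESPONSE))
    print(admin_consent_url("second-tenant.onmicrosoft.com", "<client-id>",
                            "https://localhost/login/oauth2/code/azure",
                            ["https://graph.microsoft.com/GroupMember.Read.All"]))
```

Any id that lands in the "inaccessible" list is a group whose membership the token can see but whose properties it cannot read, which is the symptom to check before assuming a Graph or Spring bug.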

0
votes

Taking a pointer from Philippe's response, I searched for where and how to grant permissions in the second tenant. These links have helped me to understand the difference between app registrations and enterprise apps.

Azure App registration vs Enterprise Applications

Difference between "enterprise application" and "app registration" in Azure