I have created two directories in the Azure AD portal. In one directory, I registered a client application and gave it these delegated permissions:
- User.Read
- Directory.AccessAsUser.All
- Directory.Read.All
I also made it multi-tenant so that any Azure AD directory can use this application.
After a successful login, I call the API (https://graph.microsoft.com/v1.0/me/memberOf) to get the user's group information. This works only for users in the directory where the application is registered. For a user in that directory I do get all the details, such as displayName etc.
When I log in with a user belonging to another tenant (directory), the login is successful but I do not get complete group data in the API response (included below). I do get the correct object id (of the group) back, though, but not the other details.
It seems to be a permission-related issue which I am not able to figure out. Can anyone please suggest?
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
  "value": [
    {
      "@odata.type": "#microsoft.graph.group",
      "id": "8bcd8779-8a74-4db7-83f0-8a5c5d076540",
      "deletedDateTime": null,
      "classification": null,
      "createdDateTime": null,
      "creationOptions": [],
      "description": null,
      "displayName": null,
      "groupTypes": [],
      "isAssignableToRole": null,
      "mail": null,
      "mailEnabled": null,
      "mailNickname": null,
      "onPremisesDomainName": null,
      "onPremisesLastSyncDateTime": null,
      "onPremisesNetBiosName": null,
      "onPremisesSamAccountName": null,
      "onPremisesSecurityIdentifier": null,
      "onPremisesSyncEnabled": null,
      "preferredDataLocation": null,
      "proxyAddresses": [],
      "renewedDateTime": null,
      "resourceBehaviorOptions": [],
      "resourceProvisioningOptions": [],
      "securityEnabled": null,
      "securityIdentifier": null,
      "visibility": null,
      "onPremisesProvisioningErrors": []
    }
  ]
}
I use the Spring Security OAuth2 implementation with these configuration properties (id and secret masked):
azure:
  activedirectory:
    tenant-id: 66aeb78f-7a26-46c9-99ab-460c6309b21e
    active-directory-groups: Users
client:
  client-id: 9618ac61-43ab-4c97-a9f1-769c91f48e08
  client-secret: DxndD0cBezR-AnrGuCH@?b1NpwtFj?47
  accessTokenUri: https://login.microsoftonline.com/common/oauth2/v2.0/token
  userAuthorizationUri: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=select_account
  scope: user.read
resource:
  userInfoUri: https://graph.microsoft.com/v1.0/me
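As an added example (not the asker's code), here is an offline diagnostic that pairs the delegated scopes actually present in the access token's `scp` claim with the shape of the `memberOf` response shown above, flagging groups that came back with nothing but an `id`. The scopes it treats as sufficient are assumed from the registration's own permission list, and both the token and the response are constructed samples.

```python
import base64
import json

# Assumption (not stated on the page): /me/memberOf returns full group properties only when
# the token carries one of the directory-read scopes listed on the app registration;
# 'scp' is the delegated-scope claim of a v2.0 access token.
DIRECTORY_READ_SCOPES = {"Directory.Read.All", "Directory.AccessAsUser.All"}

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_scopes(claims: dict) -> set:
    """Delegated scopes actually consented to, from the space-separated 'scp' claim."""
    return set(claims.get("scp", "").split())

def groups_with_only_id(member_of: dict) -> list:
    """Ids of groups where every property except id and @odata.type is null or empty."""
    skeletal = []
    for obj in member_of.get("value", []):
        if obj.get("@odata.type") != "#microsoft.graph.group":
            continue
        others = [v for k, v in obj.items() if k not in ("id", "@odata.type")]
        if all(v in (None, [], "") for v in others):
            skeletal.append(obj["id"])
    return skeletal

def diagnose(token: str, member_of: dict) -> dict:
    """Pair the token's consented scopes with the response shape to explain null details."""
    scopes = granted_scopes(jwt_claims(token))
    return {
        "has_directory_read": bool(scopes & DIRECTORY_READ_SCOPES),
        "groups_missing_details": groups_with_only_id(member_of),
    }

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample input: an unsigned token (placeholder signature) for a user from a
# second tenant whose consent covered only user.read, and the page's skeletal group object.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "none"}),
                         _b64url({"scp": "User.Read openid profile"}), "sig-placeholder"])
SAMPLE_MEMBER_OF = {"value": [{"@odata.type": "#microsoft.graph.group",
                               "id": "8bcd8779-8a74-4db7-83f0-8a5c5d076540",
                               "displayName": None, "groupTypes": [], "securityEnabled": None}]}

print(diagnose(SAMPLE_TOKEN, SAMPLE_MEMBER_OF))
```

Run it against a real token only after the usual signature validation; the decoder here deliberately skips that because it is a troubleshooting aid, not a trust decision.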