0 votes

I am working on a project to audit security on the Azure platform. As such, it is necessary to iterate Azure AD Groups to ascertain direct and transitive Group membership. While there is a route for "get all Groups", there is no documented route for "get all direct members for all Groups". Rather, there seems to only be a single call, which is intended to get direct members of an individual group. Thus, this API must be called multiple times, once per Group.

Given that the AD Graph can mutate between API calls, is it even possible to obtain a temporally valid/consistent set of Group memberships for a given point in time? Even calling the API for every group, in parallel, will still leave the possibility of mutation open, albeit lessening the probability.

I am using this API route, where {{variableName}} represents a variable passed at runtime:

https://graph.windows.net/{{tenantId}}/groups/{{adGroupId}}/$links/members?api-version=1.6

The documentation, such as it is, may be found here: Operations on groups | Graph API reference

In order to obtain all group memberships, it seems necessary to call this API for every single AD Group. Based on this technique, if the AD Group memberships mutate during the calls to this API, it seems that it will not be feasible to obtain an accurate, reliable picture of Group membership for a given point in time across the entire Directory. Am I missing something?

1 Answer

1 vote

You are right: we need to call this API for every single AD Group. The best solution is to pick an appropriate time and call the API for every group in parallel. We cannot avoid the mutation even when we just call the single API.
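The procedure the question and answer describe, as an added example that is not code from the original post or from Microsoft: list every group, fetch `$links/members` for each group in parallel, then re-read and report which groups changed between passes, since (as the answer says) the mutation itself cannot be prevented. It also expands nested groups from the direct-membership snapshot, which is the transitive view the question asks about. Assumptions: the v1.6 response shapes (`value` arrays, tenant-relative `odata.nextLink`, member links of the form `.../directoryObjects/<id>/Microsoft.DirectoryServices.<Type>`) are as I recall the reference; the HTTP layer is an injected `fetch(url) -> dict`, so the script runs offline against the constructed `FakeDirectory` at the bottom, whose `$skiptoken` is a plain integer rather than the real opaque token. Tenant, group and user identifiers are made up.

```python
"""Added example, not code from the original post or from Microsoft: one pass
over the two Azure AD Graph 1.6 routes the question uses, a re-read that reports
which groups changed in between, and nested-group expansion. Assumed: the v1.6
response shapes as I recall them, and an injected fetch(url) -> dict so it runs
offline against the constructed FakeDirectory below (integer $skiptoken)."""
import re
import threading
from concurrent.futures import ThreadPoolExecutor

API_VERSION = "1.6"
BASE = "https://graph.windows.net"
_LINK_RE = re.compile(r"/directoryObjects/([^/]+)/Microsoft\.DirectoryServices\.(\w+)$")

def _absolute(tenant, link):
    """nextLink is tenant-relative and lacks api-version; normalise it."""
    url = link if link.startswith("http") else f"{BASE}/{tenant}/{link}"
    if "api-version=" not in url:
        url += ("&" if "?" in url else "?") + f"api-version={API_VERSION}"
    return url

def _paged(fetch, tenant, url):
    """Yield every item of a collection, following odata.nextLink pages."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = _absolute(tenant, page["odata.nextLink"]) if page.get("odata.nextLink") else None

def parse_member_link(url):
    """('objectId', 'User'|'Group'|...) from one $links/members entry."""
    m = _LINK_RE.search(url)
    if not m:
        raise ValueError(f"unexpected member link: {url}")
    return m.group(1), m.group(2)

def snapshot_memberships(fetch, tenant, group_ids=None, workers=8):
    """One pass: {groupId: frozenset((objectId, type))} for all groups (or group_ids).
    Member calls run in parallel, which narrows but cannot close the mutation window."""
    if group_ids is None:
        group_ids = [g["objectId"] for g in _paged(fetch, tenant, _absolute(tenant, "groups"))]
    def members(gid):
        url = _absolute(tenant, f"groups/{gid}/$links/members")
        return gid, frozenset(parse_member_link(m["url"]) for m in _paged(fetch, tenant, url))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(members, group_ids))

def drifted_groups(before, after):
    """Group ids whose membership or existence differs between two passes."""
    return sorted(g for g in set(before) | set(after) if before.get(g) != after.get(g))

def stable_snapshot(fetch, tenant, max_passes=3, workers=8):
    """Two full passes, then re-read only the groups that differed, up to max_passes.
    Returns (snapshot, unstable); anything still unstable is unknown for this audit.
    Caveat: agreeing reads show no change was observed, not that none happened."""
    first = snapshot_memberships(fetch, tenant, workers=workers)
    current = snapshot_memberships(fetch, tenant, workers=workers)  # full: catches added/removed groups
    unstable, passes = drifted_groups(first, current), 2
    while unstable and passes < max_passes:
        again = snapshot_memberships(fetch, tenant, group_ids=unstable, workers=workers)
        unstable = drifted_groups({g: current.get(g) for g in unstable}, again)
        current.update(again)
        passes += 1
    return current, unstable

def transitive_members(snapshot, gid, _seen=None):
    """Expand nested groups in a direct-membership snapshot (cycle-safe)."""
    seen = _seen if _seen is not None else set()
    seen.add(gid)
    out = set()
    for oid, kind in snapshot.get(gid, ()):
        if kind != "Group":
            out.add((oid, kind))
        elif oid not in seen:
            out |= transitive_members(snapshot, oid, seen)
    return out

class FakeDirectory:
    """Constructed offline stand-in: pages /groups two at a time and applies
    mutation(groups) on request number mutate_at, i.e. while the audit runs."""
    def __init__(self, tenant, groups, mutate_at=None, mutation=None):
        self.tenant, self.groups = tenant, {g: set(m) for g, m in groups.items()}
        self.mutate_at, self.mutation = mutate_at, mutation
        self.calls, self._lock = 0, threading.Lock()
    def fetch(self, url):
        with self._lock:
            self.calls += 1
            if self.calls == self.mutate_at:
                self.mutation(self.groups)
            path, _, query = url.partition("?")
            params = dict(p.split("=", 1) for p in query.split("&"))
            path = path[len(f"{BASE}/{self.tenant}/"):]
            if path == "groups":
                ids, start = sorted(self.groups), int(params.get("$skiptoken", 0))
                return {"value": [{"objectId": g} for g in ids[start:start + 2]],
                        **({"odata.nextLink": f"groups?$skiptoken={start + 2}"} if start + 2 < len(ids) else {})}
            m = re.fullmatch(r"groups/([^/]+)/\$links/members", path)
            if m and m.group(1) in self.groups:
                return {"value": [{"url": f"{BASE}/{self.tenant}/directoryObjects/{o}/Microsoft."
                                   f"DirectoryServices.{'Group' if o in self.groups else 'User'}"}
                                  for o in sorted(self.groups[m.group(1)])]}
            raise LookupError(f"404 {url}")
```

Usage against a real tenant means replacing `FakeDirectory.fetch` with a function that does an authenticated GET and returns the decoded JSON; everything else stays the same. The important design point is what `stable_snapshot` does with groups that are still changing after the last pass: it returns them in `unstable` rather than silently keeping the last value read, because a membership that was read twice with different results is exactly the one an auditor must not certify. Note also that a group mutated before its first read is indistinguishable from one that was never mutated, which is the limit the question points at.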