I am trying to access the Microsoft Graph API to query the list of groups a user belongs to, using the endpoint below:

https://graph.microsoft.com/v1.0/users/{userID}/memberOf

But for the last two days, my queries have been failing with the response below:

{
  error: {
    code: 'Authorization_RequestDenied',
    message: 'Insufficient privileges to complete the operation.',
    innerError: {
      'request-id': '7d8a5602-19ca-4cc7-a84d-60cc0c9c09d5',
      date: '2020-04-28T11:44:24'
    }
  }
}

I already have the required permissions, with consent granted as admin; the access rights I gave include:

Directory.Read.All
Directory.ReadWrite.All
Group.Read.All

As mentioned in the Microsoft documentation here: https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http


The API request is being sent with an authorization header carrying the access token (obtained by the service), following this documentation: https://docs.microsoft.com/en-us/graph/auth-v2-service

Decoded JWT token being passed in the authorization header:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/TENANTID_REMOVED_FOR_SECURITY/",
  "iat": 1588150105,
  "nbf": 1588150105,
  "exp": 1588154005,
  "aio": "42dgYOCaN0c46++enU1fZx+98Lc3DQA=",
  "app_displayname": "dspIT",
  "appid": "MYAPPID_REMOVED_FOR_SECURITY",
  "appidacr": "1",
  "idp": "https://sts.windows.net/TENANTID_REMOVED_FOR_SECURITY/",
  "oid": "fc709ea2-887e-4794-9417-ac578ab825e8",
  "rh": "0.ATEAfGSULqtSkUqIuFyy2LRFJyPSTnvDYjVDlpuh_cMocSgxAAA.",
  "roles": [
    "User.ReadWrite.All",
    "RoleManagement.Read.Directory",
    "Group.Read.All",
    "Directory.ReadWrite.All",
    "Group.Create",
    "Group.ReadWrite.All",
    "User.Invite.All",
    "Directory.Read.All",
    "User.Read.All",
    "GroupMember.Read.All",
    "User.Export.All",
    "PrivilegedAccess.Read.AzureADGroup",
    "User.ManageIdentities.All",
    "RoleManagement.ReadWrite.Directory",
    "GroupMember.ReadWrite.All",
    "Group.Selected",
    "PrivilegedAccess.ReadWrite.AzureADGroup"
  ],
  "sub": "fc709ea2-887e-4794-9417-ac578ab825e8",
  "tid": "TENANTID_REMOVED_FOR_SECURITY",
  "uti": "wvHXdAZomUefp2RpSGBPAA",
  "ver": "1.0",
  "xms_tcdt": 1519129156
}

Thanks for your help.

Can you please decode your access token in jwt.io to see what "roles" it includes? Please share a screenshot if it's convenient. - Allen Wu

Hi Kumar Vivek, are you facing this issue in the West Europe region? I am also facing this issue only in the West Europe region. It is working fine in UK South. - Saurabh Srivastava

@AllenWu thanks for coming forward to help, I updated the question with the encoded JWT token being passed with the API request. - Kumar Vivek

@SaurabhSrivastava Azure AD properties suggest it's hosted in "Germany" with "EU Model Clause compliant datacenters". - Kumar Vivek

@SaurabhSrivastava our AKS cluster where the service is running is in West Europe, and maybe that's why it's failing. Thanks for confirming that the issue also occurs in the Germany region. - Kumar Vivek

1 Answer

Based on your decoded JWT token, I did a quick test and found the reason.

There seems to be an application permission, Group.Selected, that affects calling this API endpoint, /memberOf.

There is something wrong with this permission, and it has affected some other endpoints as well. I answered a similar post before here.

So if it's not necessary, just remove it from your Azure AD application. Then this error will disappear.

If this permission is needed, I'm afraid you need to create a new Azure AD app and add the permission there for use.
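A small audit script for this situation, added here as an example (it is not code from the question, the answer, or Microsoft). It decodes the access token's payload the way jwt.io does, without verifying the signature, which is fine for triage but must never be used for an authorization decision, and then checks the roles claim against the application permissions the question lists for /memberOf, flagging Group.Selected as the answer suggests. The token, its claim values and the placeholder identifiers are constructed from what the page shows; nothing here calls Graph or Azure AD.

```javascript
// Added example, not code from the original question or answer.
// Decodes an Azure AD access token payload WITHOUT signature verification
// (triage only, never for an authorization decision) and audits the "roles"
// claim for an app-only call to /users/{id}/memberOf. The permission lists
// come from the question and the answer; the token below is constructed.

// Application permissions the question lists for /memberOf (any one suffices).
const MEMBEROF_APP_PERMISSIONS = [
  "Directory.Read.All",
  "Directory.ReadWrite.All",
  "Group.Read.All",
];
// Permission the answer identifies as breaking the call.
const SUSPECT_PERMISSIONS = ["Group.Selected"];
const GRAPH_AUDIENCE = "https://graph.microsoft.com";

// JWT segments are base64url with the "=" padding stripped (RFC 7515, 2).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWS: expected header.payload.signature");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns { roles, granted, suspect, findings, ok }. `now` is epoch seconds,
// passed in so the check is deterministic for the constructed token below.
function auditGraphToken(token, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  const findings = [];

  if (claims.aud !== GRAPH_AUDIENCE) {
    findings.push(`aud is "${claims.aud}", token was not issued for Graph`);
  }
  if (typeof claims.exp === "number" && claims.exp <= now) {
    findings.push("token is expired (exp <= now)");
  }
  // Client-credentials tokens carry application permissions in "roles".
  if (roles.length === 0) {
    findings.push('no "roles" claim: no application permissions were admin-consented');
  }
  const granted = MEMBEROF_APP_PERMISSIONS.filter((p) => roles.includes(p));
  if (granted.length === 0) {
    findings.push(`none of ${MEMBEROF_APP_PERMISSIONS.join(", ")} present`);
  }
  const suspect = SUSPECT_PERMISSIONS.filter((p) => roles.includes(p));
  for (const p of suspect) {
    findings.push(`${p} present: the answer reports it breaks /memberOf, remove it from the app registration`);
  }
  return { roles, granted, suspect, findings, ok: findings.length === 0 };
}

// Constructed demo token: real header/payload layout, placeholder signature.
// Graph would reject it; it exists only so the decoder has input.
function makeUnsignedDemoToken(claims) {
  const header = { typ: "JWT", alg: "RS256" };
  return [
    base64UrlEncode(JSON.stringify(header)),
    base64UrlEncode(JSON.stringify(claims)),
    "placeholder-signature",
  ].join(".");
}

// Claims mirroring the decoded token in the question (roles and times kept,
// tenant and app identifiers replaced with placeholders).
const QUESTION_CLAIMS = {
  aud: GRAPH_AUDIENCE,
  iss: "https://sts.windows.net/TENANT_ID/",
  iat: 1588150105,
  nbf: 1588150105,
  exp: 1588154005,
  appid: "APP_ID",
  appidacr: "1",
  roles: [
    "User.ReadWrite.All", "RoleManagement.Read.Directory", "Group.Read.All",
    "Directory.ReadWrite.All", "Group.Create", "Group.ReadWrite.All",
    "User.Invite.All", "Directory.Read.All", "User.Read.All",
    "GroupMember.Read.All", "User.Export.All", "PrivilegedAccess.Read.AzureADGroup",
    "User.ManageIdentities.All", "RoleManagement.ReadWrite.Directory",
    "GroupMember.ReadWrite.All", "Group.Selected", "PrivilegedAccess.ReadWrite.AzureADGroup",
  ],
  tid: "TENANT_ID",
  ver: "1.0",
};

// The same app after removing Group.Selected, as the answer suggests.
const FIXED_CLAIMS = {
  ...QUESTION_CLAIMS,
  roles: QUESTION_CLAIMS.roles.filter((r) => r !== "Group.Selected"),
};

const DEMO_NOW = 1588150200; // a few seconds after the question token's iat
console.log(auditGraphToken(makeUnsignedDemoToken(QUESTION_CLAIMS), DEMO_NOW).findings);
console.log(auditGraphToken(makeUnsignedDemoToken(FIXED_CLAIMS), DEMO_NOW).ok);
```

To use it on a real token, pass the bearer string from the Authorization header to auditGraphToken and read the findings: the question's token yields exactly one, the Group.Selected warning, while the same roles without Group.Selected pass cleanly. The decoder deliberately ignores the signature; a resource server must validate it (and iss, aud, exp) before trusting any claim, which this triage helper does not do.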