0
votes

I have an Azure app registration that only needs delegated permissions. The users allowed the following scopes:

How can I get a list of users that granted this access? I need this to get their internal user ID. My application only has the email, and I need to get the ID to use the API.

A filter on /users won't work: no permissions. But I don't want to assign the scope "User.Read.All" because it needs admin approval.

1 Answer

1
votes

What you need to do to get that info is to read the oauth2PermissionGrants/delegated permission grants between the user and the MS Graph API service principal. Documentation: https://docs.microsoft.com/en-us/graph/api/user-list-oauth2permissiongrants?view=graph-rest-1.0&tabs=http

You can query for them through:

GET /users/{id | userPrincipalName}/oauth2PermissionGrants

I tried to filter by scope, but that didn't work sadly, so you'll probably need to parse the list it returns to find the scopes you are looking for. You should also find the objectId for the service principal/enterprise app of MS Graph API in your tenant and filter by that as well, so that you don't look at scopes of another API by mistake.

This endpoint requires Directory.Read.All permission at minimum. You will need admin approval to get this data.
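Added example (not part of the answer above) of the client-side parsing the answer describes: it walks the `value` array returned by the oauth2PermissionGrants endpoint, keeps only grants whose `resourceId` is the MS Graph service principal and whose `clientId` is your own app's service principal, splits the space-separated `scope` field, and collects the `principalId` of each user who consented to all the scopes you care about. The service principal object ids and the response are constructed placeholders; look the real ids up in your tenant.

```python
import json

# Constructed placeholders: the object ids of your app's service principal and
# of the Microsoft Graph service principal in your tenant (both differ per tenant).
MY_APP_SP_ID = "my-app-sp-object-id"
GRAPH_SP_ID = "graph-sp-object-id"

# Constructed sample of what the oauth2PermissionGrants endpoint returns.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "g1", "clientId": MY_APP_SP_ID, "consentType": "Principal",
     "principalId": "user-1", "resourceId": GRAPH_SP_ID, "scope": "User.Read offline_access"},
    {"id": "g2", "clientId": MY_APP_SP_ID, "consentType": "Principal",
     "principalId": "user-2", "resourceId": GRAPH_SP_ID, "scope": "User.Read"},
    # Same scopes, but granted to a different API: must be ignored.
    {"id": "g3", "clientId": MY_APP_SP_ID, "consentType": "Principal",
     "principalId": "user-3", "resourceId": "other-api-sp-id", "scope": "User.Read offline_access"},
    # Same scopes on Graph, but granted to a different client app: must be ignored.
    {"id": "g4", "clientId": "other-app-sp-id", "consentType": "Principal",
     "principalId": "user-4", "resourceId": GRAPH_SP_ID, "scope": "User.Read offline_access"},
    # Tenant-wide admin consent: principalId is null, so it names no individual user.
    {"id": "g5", "clientId": MY_APP_SP_ID, "consentType": "AllPrincipals",
     "principalId": None, "resourceId": GRAPH_SP_ID, "scope": "User.Read offline_access"},
]})


def load_grants(response_text):
    """Return the list of grant objects from a raw JSON response body."""
    return json.loads(response_text).get("value", [])


def users_that_granted(grants, client_id, resource_id, required_scopes):
    """Return (sorted list of principalIds, admin_consented) for grants that
    match the given client app and resource API and cover every required scope.
    admin_consented is True when an AllPrincipals grant covers the scopes."""
    required = set(required_scopes)
    users = set()
    admin_consented = False
    for grant in grants:
        if grant.get("clientId") != client_id or grant.get("resourceId") != resource_id:
            continue
        # scope is a single space-separated string, e.g. "User.Read offline_access"
        granted = set(grant.get("scope", "").split())
        if not required <= granted:
            continue
        if grant.get("consentType") == "AllPrincipals":
            admin_consented = True
        elif grant.get("principalId"):
            users.add(grant["principalId"])
    return sorted(users), admin_consented


if __name__ == "__main__":
    grants = load_grants(SAMPLE_RESPONSE)
    print(users_that_granted(grants, MY_APP_SP_ID, GRAPH_SP_ID, ["User.Read", "offline_access"]))
```

The returned `principalId` values are the user object ids the question is asking for; they can be matched against the email your application already holds only via an additional lookup, which still needs the permission the answer names.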