Minimum set of permissions required for checkMemberGroups Graph API in Azure

3

7

What is the minimum set of permissions required in an AAD app to access the Graph API checkMemberGroups?

Here is the list of permissions I tried. Can this set be reduced any further? And am I missing any mandatory permissions?

Delegated Permissions -

Microsoft Graph API

  • Read all users' full profiles
  • Read all groups
  • Access directory as the signed in user
  • Sign in and read user profile

Windows Azure Active Directory

  • Read all users' full profiles
  • Read all groups
  • Access directory as the signed in user
  • Sign in and read user profile

Irrationality answered 4/4, 2017 at 18:46 Comment(1)
Please feel free to let me know if you still have a problem with the permissions and scopes for Microsoft Graph. - Dispute
2

If you are developing checkMemberGroups with Microsoft Graph, there is no need to configure the corresponding permissions for Windows Azure Active Directory.

And to call this API, if you have granted User.Read.All, there is no need to grant the other three permissions, as the documentation mentions that one of the scopes is required.

Dispute answered 7/4, 2017 at 2:41 Comment(1)
Can the OP or anyone confirm just granting User.Read.All permissions works to make the checkMemberGroups() call? - Anemochore
0

It depends on the type of data you want to get from Graph. If you just want to sign in the end user and get their basic profile info, you can simply set Sign in and read user profile.

Each scope relates to some data or endpoint you want to access. Figure out that list of data your scenario requires, then compare that with the scopes.

Teferi answered 4/4, 2017 at 19:29 Comment(1)
I want to check if a user belongs to a certain group and I am using the checkMemberGroups API. As per the documentation developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/… , any one of these should do: One of the following scopes is required to execute this API: User.Read.All; User.ReadWrite.All; Directory.Read.All; Directory.ReadWrite.All; Directory.AccessAsUser.All. But I want to confirm: if I choose Read all users' full profiles, do I also need the other three permissions: Read all groups, Access directory as the signed in user, Sign in and read user profile? - Irrationality
0

After some experimentation, it seems that the minimum permissions are the following:

/me/checkMemberGroups

  • User.Read
  • GroupMember.Read.All

/users/{userId}/checkMemberGroups

  • User.ReadBasic.All
  • GroupMember.Read.All
Madge answered 15/3, 2020 at 5:4 Comment(0)
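
To check an existing app registration against the scope sets discussed in this thread, the following added example (not code from any of the posters or from Microsoft) reads the `scp` claim of a delegated access token and reports which listed set the grant satisfies and which scopes are surplus. Assumptions: the narrow-to-broad ordering of the sets, the mapping of the question's display names to scope names in `ASKER`, and the helper names are this example's own; "allowed" only means the grant matches a set named on this page.

```python
import base64
import json

# Sufficient delegated-scope sets named on this page, per endpoint.
# Pairs: the tested minimum from the 2020 answer. Single scopes: the
# documentation list quoted in the comments. The narrow-to-broad ordering
# is this example's assumption, not something the page states.
DOC_SINGLE = [{"User.Read.All"}, {"Directory.Read.All"}, {"User.ReadWrite.All"},
              {"Directory.ReadWrite.All"}, {"Directory.AccessAsUser.All"}]
SUFFICIENT = {
    "/me/checkMemberGroups":
        [{"User.Read", "GroupMember.Read.All"}] + DOC_SINGLE,
    "/users/{userId}/checkMemberGroups":
        [{"User.ReadBasic.All", "GroupMember.Read.All"}] + DOC_SINGLE,
}


def scopes_from_token(jwt):
    """Return the scopes in a delegated token's space-separated `scp` claim.
    The signature is not verified: use only to audit your own app's tokens."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split())


def audit(granted, endpoint):
    """Find the narrowest listed set the grant satisfies and what is surplus."""
    options = SUFFICIENT[endpoint]
    for needed in options:
        if needed <= granted:
            return {"allowed": True, "uses": needed,
                    "excess": granted - needed, "missing": set()}
    return {"allowed": False, "uses": set(), "excess": set(granted),
            "missing": options[0] - granted}


def make_sample_token(scopes):
    """Build an unsigned, constructed JWT for the demo (not a real token)."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"scp": " ".join(sorted(scopes))}
    return ".".join([b64({"alg": "none"}), b64(claims), "sig"])


# The question's grant set, mapped to scope names (constructed sample).
ASKER = {"User.Read", "User.Read.All", "Group.Read.All", "Directory.AccessAsUser.All"}

if __name__ == "__main__":
    print(audit(scopes_from_token(make_sample_token(ASKER)), "/me/checkMemberGroups"))
```

Every scope reported under `excess` is a candidate for removal from the app registration; re-test the call after removing it.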
