0 Votes
AndrewOmondi-5314 asked ShwetaChoudhary-8869 answered

me/memberOf can be retrieved with just User.Read scope

As per the documentation, the permissions required to get the groups and directory roles are Directory.Read.All, Directory.ReadWrite.All, and Directory.AccessAsUser.All, but we can retrieve the details by using the User.Read permission.

To Reproduce

Steps to reproduce the behavior:
I have tested it through Postman with the request URL "https://graph.microsoft.com/v1.0/me/memberOf". After passing an access token that has "scp": "openid profile User.Read email", it returned all the groups and directory roles.

https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http

Is this the intended functionality?

Sourced from https://github.com/microsoftgraph/msgraph-sdk-dotnet/issues/778

microsoft-graph-users

1 Answer

1 Vote
ShwetaChoudhary-8869 answered

@AndrewOmondi-5314 Yes, you (the signed-in user) should be able to retrieve all your active memberships with just the User.Read permission.
Please note, however, that you'll see limited information returned for all those objects (for example, properties indicated with null values).

Thanks for pointing this out; we have updated the documentation to make it more clear.

Hope this helps. Thanks!
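
For anyone auditing what a User.Read-only token exposes, the following is an added example (not part of the original question or answer, and not Microsoft code). It reads the `scp` claim of an access token without verifying its signature, checks it against the directory scopes named in the question, and lists which properties of each returned membership object came back as null. The token, object ids, and property values are constructed sample data, and the function names are hypothetical.

```python
import base64
import json

# Directory-level scopes the question quotes from the documentation.
DIRECTORY_SCOPES = {"Directory.Read.All", "Directory.ReadWrite.All",
                    "Directory.AccessAsUser.All"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_scopes(jwt: str) -> set:
    """Return the delegated scopes in a JWT's 'scp' claim (signature NOT verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split())


def summarize_memberships(response: dict) -> list:
    """For each returned object: (type, id, names of properties returned as null)."""
    rows = []
    for obj in response.get("value", []):
        kind = obj.get("@odata.type", "").rsplit(".", 1)[-1]
        nulls = sorted(k for k, v in obj.items() if v is None)
        rows.append((kind, obj.get("id"), nulls))
    return rows


# Constructed inputs: an unsigned token carrying the scp value from the question,
# and a made-up response body in the shape of a Graph collection.
SAMPLE_TOKEN = ".".join([
    b64url(b'{"alg":"none"}'),
    b64url(b'{"scp":"openid profile User.Read email"}'),
    "sig-placeholder",
])
SAMPLE_RESPONSE = {"value": [
    {"@odata.type": "#microsoft.graph.group", "id": "group-id-1",
     "displayName": None, "description": None},
    {"@odata.type": "#microsoft.graph.directoryRole", "id": "role-id-1",
     "displayName": None, "roleTemplateId": None},
]}

if __name__ == "__main__":
    scopes = token_scopes(SAMPLE_TOKEN)
    print("directory scopes held:", sorted(scopes & DIRECTORY_SCOPES) or "none")
    for kind, oid, nulls in summarize_memberships(SAMPLE_RESPONSE):
        print(f"{kind} {oid}: null properties = {nulls}")
```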
