I have a working Azure app that gives me the group names when I call https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.group However, I have tried to recreate the app several times, and checked all settings in App Registrations and Enterprise Applications to match the original app - but can never get the group names in the new apps (created in the last 24 hours). API Permissions: Group.Read.All GroupMember.Read.All User.Read App is created using these steps App registrations, add, Single tenant Quickstart, Mobile and desktop applications, Desktop, Make this change for me Token configuration, Add groups claim, Security groups, set all to sAMAccountName API Permissions, add Group.Read.All and GroupMember.Read.All Permission granted using “Grant admin consent for Default Directory” Any clues would be much appreciated. FYI fragment of group result that I get "@odata.id": "https://graph.microsoft.com/v2/5ed71832-327b-4b98-b68a-6c54ff1717c0/directoryObjects/2f95e1d3-c7cf-4796-92a2-df844feb52d0/Microsoft.DirectoryServices.Group", "id": "12345678-c7cf-4796-92a2-df844feb5eee", "deletedDateTime": null, "classification": null, "createdDateTime": null, "creationOptions": [], "description": null, "displayName": null, <<<<<<<<<< why is this null???

Unable to get display names (sAMAccountName) of groups from Graph API call

C, Richard 1

I have a working Azure app that gives me the group names when I call
https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.group

However, I have tried to recreate the app several times, and checked all settings in App Registrations and Enterprise Applications to match the original app - but can never get the group names in the new apps (created in the last 24 hours).

API Permissions:

Group.Read.All
GroupMember.Read.All
User.Read

App is created using these steps

App registrations, add, Single tenant
Quickstart, Mobile and desktop applications, Desktop, Make this change for me
Token configuration, Add groups claim, Security groups, set all to sAMAccountName
API Permissions, add Group.Read.All and GroupMember.Read.All
Permission granted using “Grant admin consent for Default Directory”

Any clues would be much appreciated.

FYI fragment of group result that I get

        "@odata.id": "https://graph.microsoft.com/v2/5ed71832-327b-4b98-b68a-6c54ff1717c0/directoryObjects/2f95e1d3-c7cf-4796-92a2-df844feb52d0/Microsoft.DirectoryServices.Group",
        "id": "12345678-c7cf-4796-92a2-df844feb5eee",
        "deletedDateTime": null,
        "classification": null,
        "createdDateTime": null,
        "creationOptions": [],
        "description": null,
        "displayName": null,       <<<<<<<<<< why is this null???

JosephXu-MSFT 531 Reputation points

2021-08-03T02:30:19.937+00:00

Can you get any infomation about your groups from this api (https://graph.microsoft.com/v1.0/me/transitiveMemberOf) in Microsoft Graph Explorer and find your group id 12345678-c7cf-4796-92a2-df844feb5eee?
C, Richard 1 Reputation point

2021-08-03T04:24:26.707+00:00
I went to Microsoft Graph Explorer
Signed into two actual accounts (both members of @mydomainname.online (verified)

one of them shows the group IDs and display names

the other shows ONLY group IDs with NO display names (null)

I am not sure what is happening here.
Even using the account that shows display names

using clientID for Azure app 1 - display names are returned

using clientID for Azure app 2,3,4,5.. - display names are not returned

I cannot for the life of me remember what I did differently with app #1 in the past, but the group display names are showing, whatever account I use to log in using Microsoft.Identity.Client.Desktop flow.

Note: The group id above has some alphanumerics replaced, so it's not real
JosephXu-MSFT 531 Reputation points

2021-08-03T06:12:39.59+00:00

Did you create this group in Azure AD? Can you tell us what the difference between these two accounts? You can try to add Directory.Read.All permission in your application.
C, Richard 1 Reputation point

2021-08-03T06:17:10.353+00:00
That is the whole point - I don't know what is different between account 1 and account 2 - both admins.
But one of them in Microsoft Graph Explorer shows the names, the other doesn't.

Then with regards to the two apps, I have lined up feature by feature, and cannot see any differences between app1 and app2.
One shows the group names (regardless of which account was used), the other has null for displayname.

In case it only works for app1 due to caching by WAM - I am using

PublicClientApplicationBuilder.Create(ClientId) .WithExperimentalFeatures(); .WithWindowsBroker();

Is there a way to clear or sign out of all accounts in WAM to retry from scratch? I have not found a way to do that.
JosephXu-MSFT 531 Reputation points

2021-08-03T07:34:05.977+00:00

Hi @C, Richard , I've created a simple test: 1. New a user in Azure AD 2. Create a new group in Azure AD 3. Add this user to the group. When I login to Microsoft Graph Explorer with this user, I can get the displayName of the group. So it has nothing to do with user permissions. :)
C, Richard 1 Reputation point

2021-08-03T07:39:21.68+00:00

I am glad that it works for you. Why do my calls to https://graph.microsoft.com/v1.0/me/transitiveMemberOf not show anything?
This is a user logged in username@keyman .online then calling that in Microsoft Graph Explorer

This is the starting fragment
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
"value": [
{
"@odata.type": "#microsoft.graph.group",
"@odata.id": "https://graph.microsoft.com/v2/12341832-327b-4b98-b68a-6c54ff17deed/directoryObjects/12342342-ed3b-4d83-b846-646a8a6ffeed/Microsoft.DirectoryServices.Group",
"id": "12342342-ed3b-4d83-b846-646a8a6f9999",
"deletedDateTime": null,
"classification": null,
"createdDateTime": null,
"creationOptions": [],
"description": null,
"displayName": null,
"expirationDateTime": null,
"groupTypes": [],
"isAssignableToRole": null,
JosephXu-MSFT 531 Reputation points

2021-08-04T06:30:51.947+00:00

Hi @crichard Is there any update on your issue?
JosephXu-MSFT 531 Reputation points

2021-08-10T06:34:17.867+00:00

Hi @C, Richard Since you are using third part account, you can create a support ticket here to ask for help. Thanks.
Dan Kershaw 416 Reputation points Microsoft Employee

2021-10-23T19:24:20.2+00:00

@C, Richard sorry for the late response.
This really looks like your client app does not have permissions to read group details, and hence you are getting a security trimmed response. See https://learn.microsoft.com/en-us/graph/permissions-reference?context=graph%2Fapi%2F1.0&view=graph-rest-1.0#limited-information-returned-for-inaccessible-member-objects.
We can more easily confirm this if you supply the client-request-id and timestamp for the cases where the response only contains the id value (and the rest of the property values are null).