SagarVenaganti-8062 avatar image
1 Vote"
SagarVenaganti-8062 asked ·

How to get the groups of Internal/Guest users

I have written an application where Internal as well as Guest users are authenticated using the graph api. Everything works perfectly fine till here. I can able to get the groups of the Internal users (using, however I am getting the issues while I am trying to get the groups for the Guest users. Getting below error.

No HTTP resource was found that matches the request URI ''CID:ab7adee445a89dff')/profile/memberOf?api-version=AGSV1-internal'.

Here is the code for authenticating the Internal/Guest users:

         IConfidentialClientApplication clientApp = MsalAppBuilder.BuildConfidentialClientApplication(new ClaimsPrincipal(context.AuthenticationTicket.Identity));
         var signedInUser = new ClaimsPrincipal(context.AuthenticationTicket.Identity);
         var tokenStore = new SessionTokenStore(clientApp.UserTokenCache, HttpContext.Current, signedInUser);
         AuthenticationResult result = await clientApp.AcquireTokenByAuthorizationCode(new[] { "User.Read User.ReadBasic.All Group.ReadWrite.All" }, context.Code).ExecuteAsync();

         var userDetails = await GraphHelper.GetUserDetailsAsync(result.AccessToken);

Here is the code to get the groups of the Internal/Guest users:

         var graphClient = new GraphServiceClient(
             new DelegateAuthenticationProvider(
                 async (requestMessage) =>
                     var idClient = ConfidentialClientApplicationBuilder.Create(appId)

                     var tokenStore = new SessionTokenStore(idClient.UserTokenCache,
                         HttpContext.Current, ClaimsPrincipal.Current);

                     var accounts = await idClient.GetAccountsAsync();

                     // By calling this here, the token can be refreshed
                     // if it's expired right before the Graph call is made
                     var scopes = graphScopes.Split(' ');
                     var result = await idClient.AcquireTokenSilent(scopes, accounts.FirstOrDefault())

                     requestMessage.Headers.Authorization =
                         new AuthenticationHeaderValue("Bearer", result.AccessToken);

         var allgroups = await graphClient.Me.OwnedObjects
         var groups = allgroups.Where(x => x.ODataType == "").Cast();

Please let me know if there is any permissions which needs to be given from the Azure Active Directory for the same. If you have any code for the same, please help !

10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

FrankHuMSFT-3200 avatar image
1 Vote"
FrankHuMSFT-3200 answered ·

Hey @SagarVenaganti-8062

This should be working properly, can you take a look at Shawn Tabrizi's answer regarding getting guest user memberof attribute here :

Is this a multi-tenant AAD Application? And what is the exact request that you're making?

If you're still having issues with this you may need to open a support ticket as there might be an issue with the user that you're making the memberof graph api call. However, I'm thinking that either the issue is that the UserID is wrong, or there is something malformed in the request. Note that the UPN for guests has a #EXT# typically.


· 1 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

I got the this exact problem and changing the tenant name from "common" to my specific tenant name helped.

0 Votes 0 ·