directoryObject: checkMemberGroups
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Check for membership in a specified list of group IDs, and return from that list those groups (identified by IDs) of which the specified user, group, service principal, organizational contact, device, or directory object is a member. This function is transitive.
You can check up to a maximum of 20 groups per request. This function supports all groups provisioned in Azure AD. Because Microsoft 365 groups cannot contain other groups, membership in a Microsoft 365 group is always direct.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
Group memberships for a directory object
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | User.ReadBasic.All, User.Read.All, Directory.Read.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | User.Read.All, Directory.Read.All |
Group memberships for a user
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | User.ReadBasic.All, User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All |
Group memberships for a group
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
Group memberships for a service principal
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |
Group memberships for an organizational contact
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Directory.Read.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Directory.Read.All, Directory.ReadWrite.All |
HTTP request
Group memberships for a directory object (user, group, service principal, or organizational contact).
POST /directoryObjects/{id}/checkMemberGroups
Group memberships for the signed-in user or other users.
POST /me/checkMemberGroups
POST /users/{id | userPrincipalName}/checkMemberGroups
Group memberships for a group.
POST /groups/{id}/checkMemberGroups
Group memberships for a service principal.
POST /servicePrincipals/{id}/checkMemberGroups
Group memberships for an organizational contact.
POST /contacts/{id}/checkMemberGroups
Group memberships for a device.
POST /devices/{id}/checkMemberGroups
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. |
| Content-Type | application/json |
Request body
In the request body, provide a JSON object with the following parameters.
| Parameter | Type | Description |
|---|---|---|
| groupIds | String collection | A collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified. |
Response
If successful, this method returns 200 OK response code and String collection object in the response body.
Examples
Example 1: Check group memberships for a directory object
Request
POST https://graph.microsoft.com/beta/directoryObjects/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e/checkMemberGroups
Content-type: application/json
{
"groupIds": [
"f448435d-3ca7-4073-8152-a1fd73c0fd09",
"bd7c6263-4dd5-4ae8-8c96-556e1c0bece6",
"93670da6-d731-4366-94b5-abed40b6016b",
"f5484ab1-4d4d-41ec-a9b8-754b3957bfc7",
"c9103f26-f3cf-4004-a611-2a14e81b8f79"
]
}
Response
The following is an example of the response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(Edm.String)",
"value": [
"f448435d-3ca7-4073-8152-a1fd73c0fd09",
"93670da6-d731-4366-94b5-abed40b6016b",
"f5484ab1-4d4d-41ec-a9b8-754b3957bfc7",
"c9103f26-f3cf-4004-a611-2a14e81b8f79"
]
}
Example 2: Check group memberships for the signed-in user
Request
POST https://graph.microsoft.com/beta/me/checkMemberGroups
Content-type: application/json
{
"groupIds": [
"fee2c45b-915a-4a64-b130-f4eb9e75525e",
"4fe90ae7-065a-478b-9400-e0a0e1cbd540"
]
}
Response
The following is an example of the response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(Edm.String)",
"value": [
"fee2c45b-915a-4a64-b130-f4eb9e75525e"
]
}
Feedback
Submit and view feedback for