403 forbidden error while calling Graph API endpoint for fetching users

sonal khatri 51 Reputation points
2023-06-02T07:04:25.6966667+00:00

Hello,

I am receiving a 403 error when I try to access a Graph API endpoint. I have registered my application in Azure AD with the necessary permissions to call the Graph API endpoint. I have added the group claim for ID, Access and SAML tokens with groupId selected in "Token Configuration".
I created a security group and added myself as a user.
My requirement is to fetch the users of that particular group from Azure AD. I am performing this operation from my API application, and I am the signed-in user.
Could you please assist me in this?

Here is my code for calling the Graph API:

    using System;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Microsoft.Identity.Client;

    class Program
    {
        static async Task Main()
        {
            // Constants for your Azure AD application and group
            const string clientId = "clientId";
            const string clientSecret = "secret";
            const string tenantId = "tenantId";
            const string groupId = "groupId";
            // ".default" asks for every permission already granted to the app registration
            string[] scopes = new string[] { "https://graph.microsoft.com/.default" };

            // Build the confidential client and acquire an app-only (client credentials) token;
            // there is no signed-in user in this flow
            var confidentialClientApplication = ConfidentialClientApplicationBuilder
                .Create(clientId)
                .WithClientSecret(clientSecret)
                .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
                .Build();
            var result = await confidentialClientApplication.AcquireTokenForClient(scopes)
                .ExecuteAsync();

            var accessToken = result.AccessToken;

            using (HttpClient httpClient = new HttpClient())
            {
                string graphApiEndpoint = "https://graph.microsoft.com/v1.0";
                string requestUrl = $"{graphApiEndpoint}/groups/{groupId}/members";

                httpClient.DefaultRequestHeaders.Authorization =
                    new AuthenticationHeaderValue("Bearer", accessToken);

                HttpResponseMessage response = await httpClient.GetAsync(requestUrl);

                if (response.IsSuccessStatusCode)
                {
                    string responseBody = await response.Content.ReadAsStringAsync();
                    Console.WriteLine(responseBody);
                }
                else
                {
                    // The body carries the Graph error code (e.g. Authorization_RequestDenied),
                    // which is needed to tell a permission problem from a bad token
                    string errorBody = await response.Content.ReadAsStringAsync();
                    Console.WriteLine($"Request failed with status code: {response.StatusCode}");
                    Console.WriteLine(errorBody);
                }
            }
        }
    }
Tags: Microsoft Graph (a Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services); Microsoft Entra ID (a Microsoft Entra identity service that provides identity management and access control capabilities; replaces Azure Active Directory)

1 answer

  1. Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2023-06-05T09:10:41.96+00:00

    @sonal khatri

    Thank you for posting your query on Microsoft Q&A. From the above error it seems that your application/user does not have permissions to access the group members via the Graph API. However, to confirm this, kindly:

    • Try accessing the group members directly via the Graph API by running the following query:

    GET https://graph.microsoft.com/v1.0/groups/{group-id}/members

    • Provide a screenshot of the permissions given to the application from Azure AD app registration > "select your app" > API permissions

    Please do let me know if you have any queries.

    Thanks,

    Akshay Kaushik

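The answer's first step, confirming whether the token actually carries a permission for the call, can be done locally before retrying the request. The Python below is an added example, not code from this thread or from Microsoft. It decodes an access token's claims without verifying the signature (diagnosis only, never authorization), reports whether the "roles" claim contains one of the documented Graph application permissions for GET /groups/{id}/members, flags a delegated token by its "scp" claim, and maps the usual Graph error body to its cause. The sample token is constructed with alg=none purely to exercise the checks; Entra ID never issues such a token. The permission list and the Graph audience values are the documented ones; the helper names and the return shape of diagnose_token are this example's own assumptions.

```python
import base64
import json

# Microsoft Graph application permissions that authorize
# GET /groups/{id}/members in an app-only call, least privileged first.
GROUP_MEMBERS_APP_PERMS = (
    "GroupMember.Read.All",
    "Group.Read.All",
    "GroupMember.ReadWrite.All",
    "Group.ReadWrite.All",
    "Directory.Read.All",
    "Directory.ReadWrite.All",
)

# Both spellings of the Graph audience that appear in "aud".
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Constructed, UNSIGNED sample JWT (alg=none) for offline testing only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     ""])  # empty signature segment


def decode_jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, WITHOUT signature verification.
    Use it to look at a token you just received; never to authorize anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str) -> dict:
    """Explain why this token may get 403 on GET /groups/{id}/members."""
    claims = decode_jwt_claims(token)
    roles = set(claims.get("roles", []))   # application permissions (app-only tokens)
    scp = claims.get("scp")                # delegated permissions (user tokens only)
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"aud is {claims.get('aud')!r}, not Microsoft Graph (expect 401)")
    if scp is not None:
        findings.append("token has 'scp': it is a delegated token, so the signed-in "
                        "user's rights apply, not the application permissions")
    satisfied_by = [p for p in GROUP_MEMBERS_APP_PERMS if p in roles]
    if scp is None and not satisfied_by:
        findings.append("no application permission for group members in 'roles'; "
                        "add GroupMember.Read.All (Application) and grant admin consent")
    return {
        "flow": "delegated" if scp is not None else "app-only",
        "roles": sorted(roles),
        "satisfied_by": satisfied_by,
        "findings": findings,
    }


def explain_graph_error(status: int, body: str) -> str:
    """Map a failed Graph response (status + JSON error body) to the usual cause."""
    try:
        code = json.loads(body)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        code = "unknown"
    if status == 401:
        return "401: token rejected (wrong audience, expired, or malformed)"
    if status == 403 and code == "Authorization_RequestDenied":
        return ("403 Authorization_RequestDenied: token accepted but lacks the permission "
                "for this call; check 'roles' (app-only) or 'scp' (delegated) and consent")
    return f"{status} {code}"


if __name__ == "__main__":
    # Constructed sample: an app-only token whose app registration has no
    # application permission granted, so "roles" is empty.
    sample = make_sample_token({"aud": "https://graph.microsoft.com", "roles": []})
    print(diagnose_token(sample))
    print(explain_graph_error(403, '{"error":{"code":"Authorization_RequestDenied",'
                                   '"message":"Insufficient privileges to complete the operation."}}'))
```

In the thread's scenario the token comes from AcquireTokenForClient, so it has no signed-in user and no "scp" claim; the group claims configured under Token Configuration describe the user's tokens and add nothing to an app-only token. Only an Application-type permission with admin consent shows up in "roles", which is what diagnose_token looks for.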