403 forbidden error while calling Graph API endpoint for fetching users

sonal khatri 51 Reputation points


I am receiving a 403 error when I am trying to access the Graph API endpoint. I have registered my application in Azure AD with the necessary permissions to call the Graph API endpoint. I have added the group claim for ID, Access and SAML with groupId selected in "Token Configuration".
I created a Security group and added myself as the user.
My requirement is to fetch Users for that particular group from Azure AD, and I am performing this operation from my API application and I am the signed-in user.
Could you please assist me in this?

Here is my code for calling Graph API:

    using Microsoft.Identity.Client;

    // Constants for your Azure AD application and group
    const string clientId = "clientId";
    const string clientSecret = "secret";
    const string tenantId = "tenantId";
    const string groupId = "groupId";
    string[] scopes = new string[] { "https://graph.microsoft.com/.default" };

    // Create the confidential client and acquire an app-only token (client credentials flow)
    var confidentialClientApplication = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithClientSecret(clientSecret)
        .WithTenantId(tenantId)
        .Build();
    var result = await confidentialClientApplication.AcquireTokenForClient(scopes)
        .ExecuteAsync();

    var accesstoken = result.AccessToken;

    using (HttpClient httpClient = new HttpClient())
    {
        string graphApiEndpoint = "https://graph.microsoft.com/v1.0";
        string requestUrl = $"{graphApiEndpoint}/groups/{groupId}/members";

        httpClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accesstoken);

        HttpResponseMessage response = await httpClient.GetAsync(requestUrl);

        if (response.IsSuccessStatusCode)
        {
            string responseBody = await response.Content.ReadAsStringAsync();
            Console.WriteLine(responseBody);
        }
        else
        {
            Console.WriteLine($"Request failed with status code: {response.StatusCode}");
        }
    }

1 answer

  1. Akshay-MSFT 17,656 Reputation points Microsoft Employee

    @sonal khatri

    Thank you for posting your query on Microsoft Q&A. From the above error it seems like your application/user does not have permissions to access the user group members via Graph API. However, to confirm the same, kindly:

    • Try accessing the group members directly via Graph API by running the following query:

    GET https://graph.microsoft.com/v1.0/groups/{group-id}/members

    • Screenshot of the permissions given to the application from AzureAD app registration > "select your app" > API permission

    Please do let me know if you have any queries.


    Akshay Kaushik

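As an added example that is not part of the thread or of Microsoft's code: one way to confirm which permissions the acquired token actually carries is to decode its payload locally and inspect the `roles` (app-only) or `scp` (delegated) claim. The class name, the `Expected` list and the sample payload are assumptions constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class GraphTokenCheck
{
    // Assumption: application permissions expected to allow listing group members
    // (not exhaustive; confirm against the current Graph permissions reference).
    static readonly string[] Expected = { "GroupMember.Read.All", "Group.Read.All", "Directory.Read.All" };

    // Decode the JWT payload (middle base64url segment) without verifying the signature.
    // Diagnostics only: an unverified token must never drive an authorization decision.
    public static JsonElement DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT.");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.Clone();
    }

    // App-only tokens carry granted application permissions in "roles";
    // delegated (signed-in user) tokens carry scopes in "scp" instead.
    public static string Diagnose(JsonElement payload)
    {
        if (payload.TryGetProperty("scp", out JsonElement scp))
            return $"Delegated token, scopes: {scp.GetString()}";
        if (!payload.TryGetProperty("roles", out JsonElement roles)
            || roles.ValueKind != JsonValueKind.Array)
            return "App-only token without 'roles': no application permission is consented.";
        string[] granted = roles.EnumerateArray().Select(r => r.GetString() ?? "").ToArray();
        string[] match = granted.Intersect(Expected).ToArray();
        return match.Length > 0
            ? $"Token carries: {string.Join(", ", match)}"
            : $"None of the expected permissions in roles: [{string.Join(", ", granted)}]";
    }

    static void Main()
    {
        // Constructed sample payload (not a real token): app-only, unrelated permission only.
        string payload = "{\"aud\":\"https://graph.microsoft.com\",\"roles\":[\"Calendars.Read\"]}";
        string seg = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Console.WriteLine(Diagnose(DecodePayload($"e30.{seg}.sig")));
    }
}
```

With the code from the question, pass `result.AccessToken` to `DecodePayload` and compare the reported claims with the permissions shown under API permissions in the app registration.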