This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 40%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAJ%3C/text%3E%3C/svg%3E)
I am seeing unauthorised errors where there should not be any according to the documentation.
The following query works as a User:
https://graph.microsoft.com/v1.0/groups/02bd9fd6-8f93-4758-87c3-1fb73740a315/members/microsoft.graph.user?$expand=manager (Sample Url taken from the Graph Explorer Sample Tenant, I just have a different GUID)
With an App Registration (Application not delegated) that has User.Read.All and
GroupMember.Read.All I get "Insufficient privileges to complete the operation."
What is interesting to me is that as an application it works if I do not expand the managers and I can query the member's managers individually. This is inconsistent and not in line with the API documentation.
An API that connects multiple Microsoft services, enabling data access and automation across platforms
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello Alexander Jebens,
Good day. Hope all is well.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Thanks.
Hello Alexander Jebens,
Good day. Hope all is well.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Thanks.
Hello Alexander Jebens,
Thanks for reaching out. To list Managers you need the following application permissions: User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All at a minimum. Please see article for more information. You can decrypt the token via https://jwt.ms to see if the token has the required permissions.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Thanks.