25,081 questions
Have you looked at:
https://learn.microsoft.com/en-us/graph/permissions-reference#group-permissions
How to allow application to read users and group memberships with limited permissions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 42%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Jason Lines
0
Reputation points
I have a background service that needs to get all of the user profiles and the groups they belong to. I'm assuming that I will call the memberOf endpoint for each userid in order to get their groups. The problem is that this endpoint seems to require Directory.Read.All permissions, and that provides way more access to information than I need.
https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http
Is there a way to get a list of groups that a user belongs to and the group names without enabling the entire Directory.Read.All permission?
Microsoft Security Microsoft Entra Microsoft Entra ID
Microsoft Security Microsoft Graph
13,721 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 35,621 Reputation points Microsoft Employee Moderator2023-07-25T03:41:15.8066667+00:00 @Jason Lines Just checking in to see if any of the below information was helpful. If you have any further updates on this issue, please feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
Sign in to comment
3 answers
Sort by: Most helpful
-
Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator2023-07-23T14:49:29.0166667+00:00 -
Jason Lines 0 Reputation points
2023-07-26T01:58:07.9533333+00:00 deleted
-
Jason Lines 0 Reputation points
2023-07-26T02:10:05.3766667+00:00 I did experiment with Groups.Read.All which does allow me to read the group names, but it also allows me to read all the conversations that have taken place in group chats. That is even more permissions than I want my service to have access to.
Sign in to comment -
-
CarlZhao-MSFT 46,371 Reputation points2023-07-24T06:40:04.5633333+00:00 Hi @Jason Lines
Try granting
User.Read.Allapplication permission to your app to list user sets. You only need to expand the/memberOfendpoint when listing user sets to list all groups that all users belong to, you don't need to grant additional permissions for this.https://graph.microsoft.com/v1.0/users?$expand=memberOfNote that the values of directory-level attributes will not be returned.
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
-
Jason Lines 0 Reputation points
2023-07-26T02:06:48.16+00:00 Yes, I am able to make the call to memberOf, however I would like to get the group names in addition to the group ids. The displayName will not be returned unless Directory.Read.All permission is granted.
-
CarlZhao-MSFT 46,371 Reputation points
2023-07-26T02:20:16.52+00:00 Hi @Jason Lines
No, the
User.Read.Allapplication permission is absolutely able to return the group name, have you tested the API I provided in the answer? -
CarlZhao-MSFT 46,371 Reputation points
2023-07-26T03:00:03.7933333+00:00 Hi @Jason Lines
Note that the
/memberOfendpoint can be used to get the groups, directory roles, and administrative units of which the user is a direct member. Directory roles and administrative units are directory-level resources, and if you do not have permission to read the directory (Directory.Read.All), the names of directory roles and administrative units will not be returned.However, the User.Read.All permission will be sufficient to return the information (id/name) of the groups the user belongs to.
-
CarlZhao-MSFT 46,371 Reputation points
2023-07-27T06:07:12.7133333+00:00 Hi @Jason Lines
I am checking to see if this issue is resolved or not. If you have any concerns, please feel free to reply.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 17%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Alexandru Burac 0 Reputation points2023-11-09T04:41:10.59+00:00 How about just sending a group claim, which ensures the app will get only the groups list.