Guest users have limited visibility in the directory, which is also reflected in some of the Graph calls. And since, when running in the delegate permissions model, the effective permissions are the cross section of the user's permissions and the app's, you get the result above. For more info, refer to the official documentation: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions

|How do restricted permissions affect which groups guests can see?|Regardless of default or restricted guest permissions, guests can't enumerate the list of groups or users. Guests can see groups they're members of in both the Azure portal and the My Apps portal depending on permissions:<br><br>Default permissions: To find the groups they're members of in the Azure portal, the guest must search for their object ID in the All users list, and then select Groups. Here they can see the list of groups that they're members of, including all the group details, including name, email, and so on. In the My Apps portal, they can see a list of groups they own and groups they're in.<br><br>Restricted guest permissions: In the Azure portal, they can find the list of groups they're in by searching for their object ID in the All users list, and then selecting Groups. They can see only limited details about the group, notably the object ID. By design, the Name and Email columns are blank and Group Type is Unrecognized. In the My Apps portal, they're not able to access the list of groups they own or groups they're a member of.|
| -------- | -------- |