Microsoft Graph returns "null" values for displayName while using memberOf query for guest accounts (user type in Azure)

Maciej Klimowicz 20 Reputation points
2023-10-12T08:55:04.5766667+00:00

Hi, I have a problem with retrieving group names while using Microsoft Graph; all details are listed below. It works properly for organization member accounts, but guest accounts in the same organization return "null" values for displayName fields.

URI: https://graph.microsoft.com/v1.0/me/memberOf?$select=id,displayName

Scope in request: User.Read GroupMember.Read.All Group.Read.All

API Permissions:

  • user_impersonation
  • email
  • Group.Read.All
  • GroupMember.Read.All
  • offline_access
  • openid
  • profile
  • User.Read

User type Member: proper response with a list of ids and displayNames

User type Guest: response with a list of proper ids, but all displayNames are "null"

I wonder if we are missing some other API Permission, or maybe it is something else in the configuration of Azure AD that needs to be set up in order to see proper group names.

Microsoft Graph

Accepted answer
  1. Vasil Michev 100.2K Reputation points MVP
    2023-10-12T15:34:00.3366667+00:00

    Guest users have limited visibility in the directory, which is also reflected in some of the Graph calls. And since when running in the delegate permissions model the effective permissions are the cross section of the user's permission and the app one, you get the result above. For more info, refer to the official documentation: https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-restrict-guest-permissions

    How do restricted permissions affect which groups guests can see?

    Regardless of default or restricted guest permissions, guests can't enumerate the list of groups or users. Guests can see groups they're members of in both the Azure portal and the My Apps portal depending on permissions:

      • Default permissions: To find the groups they're members of in the Azure portal, the guest must search for their object ID in the All users list, and then select Groups. Here they can see the list of groups that they're members of, including all the group details, including name, email, and so on. In the My Apps portal, they can see a list of groups they own and groups they're in.
      • Restricted guest permissions: In the Azure portal, they can find the list of groups they're in by searching for their object ID in the All users list, and then selecting Groups. They can see only limited details about the group, notably the object ID. By design, the Name and Email columns are blank and Group Type is Unrecognized. In the My Apps portal, they're not able to access the list of groups they own or groups they're a member of.

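The following is an added example, not part of the question or the accepted answer: a small diagnostic that tells a `displayName` that was withheld from the caller (present but `null`) apart from one that was never requested, and relates the result to the tenant's guest access level. It assumes the three JSON bodies were already fetched from `/me?$select=userType`, `/me/memberOf` (all pages) and `/policies/authorizationPolicy`; the function name, verdict strings and sample data are hypothetical.

```python
import json

# guestUserRoleId values documented for the Graph authorizationPolicy resource.
GUEST_ROLE_LEVELS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "same-as-member",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "default-guest",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "restricted-guest",
}

def diagnose_member_of(me, pages, auth_policy):
    """Classify null displayName values across paged /me/memberOf responses."""
    hidden, not_selected, named = [], [], []
    for page in pages:                        # each page is one decoded response body
        for obj in page.get("value", []):
            if "displayName" not in obj:      # property was never requested via $select
                not_selected.append(obj["id"])
            elif obj["displayName"] is None:  # requested, but withheld from the caller
                hidden.append(obj["id"])
            else:
                named.append(obj["id"])
    level = GUEST_ROLE_LEVELS.get(auth_policy.get("guestUserRoleId"), "unknown")
    is_guest = me.get("userType") == "Guest"
    if not hidden:
        verdict = "no-hidden-names"
    elif is_guest and level == "restricted-guest":
        verdict = "by-design-restricted-guest"     # matches the documented behaviour
    elif is_guest:
        verdict = "guest-but-policy-not-restricted"
    else:
        verdict = "unexpected-for-member"
    return {"verdict": verdict, "guest_level": level, "hidden": hidden,
            "not_selected": not_selected, "named": named}

# Constructed sample data (not real tenant output): a guest caller, two pages.
SAMPLE_ME = {"id": "00000000-0000-0000-0000-0000000000aa", "userType": "Guest"}
SAMPLE_PAGES = [
    json.loads('{"@odata.nextLink": "https://graph.microsoft.com/v1.0/me/memberOf?$skiptoken=PLACEHOLDER",'
               ' "value": [{"id": "g-1", "displayName": null}, {"id": "g-2", "displayName": null}]}'),
    json.loads('{"value": [{"id": "g-3", "displayName": null}]}'),
]
SAMPLE_POLICY = {"guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b"}

if __name__ == "__main__":
    print(json.dumps(diagnose_member_of(SAMPLE_ME, SAMPLE_PAGES, SAMPLE_POLICY), indent=2))
```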
