How do we check if the logged-in user is an admin

Pawlu Muscat 0 Reputation points
2025-01-20T12:36:46.2833333+00:00

We want to check whether the logged-in user is an admin within the tenant so that we can ensure certain features are admin-only, and we need a reliable way to check this. We are hoping to do this without requiring the Directory.Read.All scope that I believe is necessary when checking the me/memberOf endpoint for the roles.

Microsoft Security | Microsoft Graph

2 answers

  1. Rajat Vashistha-MSFT 1,690 Reputation points Microsoft External Staff
    2025-01-20T13:01:06.9633333+00:00

    Hi Pawlu Muscat,

    Thanks for reaching out to Microsoft!

    To check if a logged-in user is an admin within the tenant, you can use the Get directoryRoleTemplate or the unified RBAC API. The unified RBAC API provides more functionality and flexibility with the Get unifiedRoleDefinition endpoint.

    You can find more information on these APIs in the following links:

    https://learn.microsoft.com/en-us/graph/api/directoryroletemplate-get?view=graph-rest-1.0&tabs=http

    https://learn.microsoft.com/en-us/graph/api/unifiedroledefinition-get?view=graph-rest-1.0&tabs=http

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.


  2. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2025-01-20T17:08:05.1566667+00:00

    Calling the /me/memberOf/microsoft.graph.directoryRole endpoint is your best option. Alternatively, you can decode the access token and parse the wids claim therein, which contains the set of roles the user is currently assigned to.

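As an added example (not code from either answer), here is one way to apply both checks from the answer above in Python: reading the `wids` claim from an already-validated token, and reading `roleTemplateId` from the JSON returned by `/me/memberOf/microsoft.graph.directoryRole`. It assumes your auth middleware has already verified the token signature (the parser below deliberately does not), that the app registration emits `wids` (the claim is only present when `groupMembershipClaims` includes directory roles), and it uses the well-known Global Administrator role template ID; the sample token and memberOf body are constructed.

```python
import base64
import json
import time

# Well-known role template ID of the Global Administrator built-in role.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Parse the payload of a compact JWS. This does NOT verify the signature:
    only feed it a token your auth middleware has already validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def is_admin_from_claims(claims: dict, admin_ids=(GLOBAL_ADMIN_TEMPLATE_ID,), now=None) -> bool:
    """True if the token is unexpired and its wids claim names an admin role.
    A missing wids claim means the app does not emit directory roles
    (groupMembershipClaims not configured) and is treated as non-admin."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    wanted = {i.lower() for i in admin_ids}
    return any(w.lower() in wanted for w in claims.get("wids") or [])


def is_admin_from_member_of(response: dict, admin_ids=(GLOBAL_ADMIN_TEMPLATE_ID,)) -> bool:
    """Same decision from the JSON body of
    GET /me/memberOf/microsoft.graph.directoryRole; each directoryRole
    object carries the roleTemplateId of the built-in role."""
    wanted = {i.lower() for i in admin_ids}
    return any((r.get("roleTemplateId") or "").lower() in wanted
               for r in response.get("value", []))


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned JWT-shaped token for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "placeholder-signature"])
```

Decoding the token on the client is fine for hiding admin-only UI, but the check that actually gates an admin-only feature belongs on the server, on a token whose signature and audience have been validated.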
