How to get the groups of Internal/Guest users

Sagar Venaganti 6 Reputation points
2020-01-09T01:30:53.65+00:00

I have written an application where Internal as well as Guest users are authenticated using the Graph API. Everything works perfectly fine till here. I am able to get the groups of the Internal users (using https://graph.microsoft.com/v1.0/me/ownerOf), however I am getting issues while I am trying to get the groups for the Guest users. I am getting the error below.

No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:ab7adee445a89dff')/profile/memberOf?api-version=AGSV1-internal'.

Here is the code for authenticating the Internal/Guest users:

        // Build the confidential client for the signed-in user (Internal or Guest)
        IConfidentialClientApplication clientApp = MsalAppBuilder.BuildConfidentialClientApplication(new ClaimsPrincipal(context.AuthenticationTicket.Identity));
        var signedInUser = new ClaimsPrincipal(context.AuthenticationTicket.Identity);
        // Attaches the session-backed token cache to the app's user token cache
        var tokenStore = new SessionTokenStore(clientApp.UserTokenCache, HttpContext.Current, signedInUser);
        // Each delegated scope is passed as its own array element
        AuthenticationResult result = await clientApp.AcquireTokenByAuthorizationCode(new[] { "User.Read", "User.ReadBasic.All", "Group.ReadWrite.All" }, context.Code).ExecuteAsync();

        var userDetails = await GraphHelper.GetUserDetailsAsync(result.AccessToken);

Here is the code to get the groups of the Internal/Guest users:

        var graphClient = new GraphServiceClient(
            new DelegateAuthenticationProvider(
                async (requestMessage) =>
                {
                    var idClient = ConfidentialClientApplicationBuilder.Create(appId)
                        .WithRedirectUri(redirectUri)
                        .WithClientSecret(appSecret)
                        .Build();

                    // Attaches the session-backed token cache to this client's user token cache
                    var tokenStore = new SessionTokenStore(idClient.UserTokenCache,
                        HttpContext.Current, ClaimsPrincipal.Current);

                    var accounts = await idClient.GetAccountsAsync();

                    // By calling this here, the token can be refreshed
                    // if it's expired right before the Graph call is made.
                    // graphScopes is a space-separated scope string (e.g. "User.Read Group.ReadWrite.All")
                    var scopes = graphScopes.Split(' ');
                    var result = await idClient.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
                        .ExecuteAsync();

                    requestMessage.Headers.Authorization =
                        new AuthenticationHeaderValue("Bearer", result.AccessToken);
                }));

        // OwnedObjects returns directoryObjects; keep only the ones that are groups
        var allgroups = await graphClient.Me.OwnedObjects
                    .Request()
                    .GetAsync();
        var groups = allgroups.Where(x => x.ODataType == "#microsoft.graph.group").Cast<Group>();

Please let me know if there are any permissions which need to be given from the Azure Active Directory for the same. If you have any code for the same, please help!


1 answer

  1. FrankHu-MSFT 976 Reputation points
    2020-01-09T21:30:59.373+00:00

    Hey @Sagar Venaganti

    This should be working properly. Can you take a look at Shawn Tabrizi's answer regarding getting the guest user memberOf attribute here: https://stackoverflow.com/questions/46754507/guest-account-queries-to-azure-ad-or-graph-in-single-tenant-application

    Is this a multi-tenant AAD Application? And what is the exact request that you're making?

    If you're still having issues with this you may need to open a support ticket, as there might be an issue with the user for whom you're making the memberOf Graph API call. However, I'm thinking that either the issue is that the UserID is wrong, or there is something malformed in the request. Note that the UPN for guests typically contains #EXT#.

    Thanks

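An added example of the memberOf lookup the answer points to, written for the Microsoft.Graph SDK style used in the question (not code from the answer or the project). It assumes a `GraphServiceClient` built as in the question, with the delegated scopes the question already requests, and that `userObjectId` is the guest's directory object id (a hypothetical parameter) rather than the `#EXT#` UPN, so no `#` has to be URL-encoded into the request path.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;

// Added example, not the answer's own code.
public static class GroupMembershipLookup
{
    // Groups the signed-in user (Internal or Guest) is a direct member of.
    // /me/memberOf returns directoryObjects, so the pages are filtered to Group
    // and every page is walked; OwnedObjects (used in the question) only lists
    // objects the user owns, which is a different set from group membership.
    public static async Task<List<Group>> GetMyGroupsAsync(GraphServiceClient graphClient)
    {
        var groups = new List<Group>();
        var page = await graphClient.Me.MemberOf.Request().GetAsync();
        while (page != null)
        {
            groups.AddRange(page.CurrentPage.OfType<Group>());
            page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
        }
        return groups;
    }

    // Same lookup for another user, addressed by object id. Using the id instead of
    // the guest UPN avoids the '#EXT#' characters the answer mentions, which would
    // otherwise have to be percent-encoded in the URL and are easy to get wrong.
    public static async Task<List<Group>> GetUserGroupsAsync(GraphServiceClient graphClient, string userObjectId)
    {
        var groups = new List<Group>();
        var page = await graphClient.Users[userObjectId].MemberOf.Request().GetAsync();
        while (page != null)
        {
            groups.AddRange(page.CurrentPage.OfType<Group>());
            page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
        }
        return groups;
    }
}
```

If the call still fails for guests only, log the exact request URI the SDK sends (the error in the question shows a `profile/v1.0` path, not `graph.microsoft.com/v1.0/me/memberOf`) before opening the support ticket the answer suggests.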