directoryObject: getMemberGroups

Namespace: microsoft.graph

Return all the group IDs for the groups that the specified user, group, service principal, organizational contact, device, or directory object is a member of. This function is transitive.

This API returns up to 11,000 group IDs. If more than 11,000 results are available, it returns a 400 Bad Request error with the Directory_ResultSizeLimitExceeded error code. As a workaround, use the List group transitive memberOf API.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Group memberships for a directory object

Permission type Permissions (from least to most privileged)
Delegated (work or school account) User.ReadBasic.All and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All
Delegated (personal Microsoft account) Not supported.
Application User.Read.All and GroupMember.Read.All, User.Read.All and Group.Read.All, Directory.Read.All

Group memberships for a user

Permission type Permissions (from least to most privileged)
Delegated (work or school account) User.ReadBasic.All and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All
Delegated (personal Microsoft account) Not supported.
Application User.Read.All and GroupMember.Read.All, User.Read.All and Group.Read.All, Directory.Read.All

Group memberships for a group

Permission type Permissions (from least to most privileged)
Delegated (work or school account) GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

Group memberships for a service principal

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All

Group memberships for an organizational contact

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application Directory.Read.All, Directory.ReadWrite.All

Group memberships for a device

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Device.Read.All, Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

HTTP request

Group memberships for a directory object (user, group, service principal, or organizational contact).

POST /directoryObjects/{id}/getMemberGroups

Group memberships for the signed-in user or other users.

POST /me/getMemberGroups
POST /users/{id | userPrincipalName}/getMemberGroups

Group memberships for a group.

POST /groups/{id}/getMemberGroups

Group memberships for a service principal.

POST /servicePrincipals/{id}/getMemberGroups

Group memberships for an organizational contact.

POST /contacts/{id}/getMemberGroups

Group memberships for a device.

POST /devices/{id}/getMemberGroups

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json

Request body

In the request body, provide a JSON object with the following parameters.

Parameter Type Description
securityEnabledOnly Boolean true to specify that only security groups that the entity is a member of should be returned; false to specify that all groups and directory roles that the entity is a member of should be returned. true can be specified only for users or service principals to return security-enabled groups.

Response

If successful, this method returns 200 OK response code and String collection object in the response body.

Examples

Example 1: Check group memberships for a directory object

Request

POST https://graph.microsoft.com/v1.0/directoryObjects/0049d944-a805-4680-9f54-3ab292090309/getMemberGroups
Content-type: application/json

{
    "securityEnabledOnly": false
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
    "value": [
        "a8daa1fb-d24c-47d0-9e9e-c99e83394e3e"
    ]
}

Example 2: Check group memberships for the signed-in user

Request

POST https://graph.microsoft.com/v1.0/me/getMemberGroups
Content-type: application/json

{
  "securityEnabledOnly": true
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
    "value": [
        "6239671a-0db6-4e8b-9d2f-f280efb5a181",
        "2e2f1227-1586-45ae-bf51-fccc1de72625",
        "1dae9306-be75-4c3c-99ec-0316a4342c84",
        "0e2d1bbb-76f8-4140-bda7-2a858b74507e",
        "0049d944-a805-4680-9f54-3ab292090309",
        "a8daa1fb-d24c-47d0-9e9e-c99e83394e3e",
        "6f204729-1b8f-4067-bcc9-98fb6c069ffd",
        "59afd38d-441a-4358-b074-8b9b1e7de52f",
        "64ed3df3-53c7-4d4d-ac5c-5c8dd4dafe33",
        "8b676bab-4b1e-419e-a253-7f5aca97d739",
        "be4ef325-9fa8-40d7-b375-4758853ddf52",
        "f5987b5a-61f6-4c31-9fa2-7bfb845c8d2a"
    ]
}