What do below API calls do?
https://graph.microsoft.com/v1.0/me/memberOf
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf
These API calls gives us the list of groups and directory roles that the user is a direct member of.
JSON response:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
"value": [
{
"@odata.type": "#microsoft.graph.group",
"id": "b0a133d4-3f3d-4990-be22-879151155f19",
"deletedDateTime": null,
"classification": null,
"createdDateTime": null,
"creationOptions": [],
"description": null,
"displayName": null,
"expirationDateTime": null,
"groupTypes": [],
"isAssignableToRole": null,
"mail": null,
"mailEnabled": null,
"mailNickname": null,
"membershipRule": null,
"membershipRuleProcessingState": null,
}
}
What is the reason behind seeing null values?
When we make a call to https://graph.microsoft.com/v1.0/me/memberOf or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}memberOf in certain situations we find null values for few attributes as shown in the above JSON response. In the above response, we only see the value for GroupId and all other attributes are of null values. When an application queries the membership of a container object and does not have permission to read a certain type, members of that type are returned but with limited information. The application receives a 200 response and a collection of objects. Complete information is returned for the object types that the application has permissions to read. For the object types which the application does not have permission to read, only the object type and ID are returned.
Resolution:
When an application queries a relationship that returns a directoryObject type collection, if it does not have permission to read a certain derived type, members of that type are returned but with limited information. To read all the other group information, you would also need to configure at least Directory.Read.All permission in your application.
References:
Limited information returned for inaccessible member objects
Well that’s silly. The Microsoft infrastructure is so gargantuan and the app permissions settings, UI to access those settings, and even the Azure AD user permissions required to be able to grant/access those settings…is so convoluted it gives me instant brain fog. All I wanted was a list of people in a Microsoft group. It took me 4 business days to work it out! This was the very last step. Geez Louise. And I still feel inept in regards to M365, Azure and how they’re separate from each other…or connected…or why I have to suddenly do so many things in Azure in the first place; my group resides in the Microsoft 365 portal and in Microsoft Outlook–not Azure Outlook! Anyway, rant over. Thanks!
This was so helpful! I had been attempting to read the groups associated with a user and I was getting the correct count of groups, but all the fields were null. Adding the “Directory.Read.All” permissions did the trick. Thank you!