What do the API calls below do?

https://graph.microsoft.com/v1.0/me/memberOf

https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf

These API calls give us the list of groups and directory roles that the user is a direct member of.

API Call: GET

JSON response:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
    "value": [
        {
            "@odata.type": "#microsoft.graph.group",
            "id": "b0a133d4-3f3d-4990-be22-879151155f19",
            "deletedDateTime": null,
            "classification": null,
            "createdDateTime": null,
            "creationOptions": [],
            "description": null,
            "displayName": null,
            "expirationDateTime": null,
            "groupTypes": [],
            "isAssignableToRole": null,
            "mail": null,
            "mailEnabled": null,
            "mailNickname": null,
            "membershipRule": null,
            "membershipRuleProcessingState": null
        }
    ]
}

What is the reason behind seeing null values?

When we call https://graph.microsoft.com/v1.0/me/memberOf or https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf, in certain situations we find null values for a few attributes, as shown in the JSON response above. In that response, only the group ID has a value; all other attributes are null. When an application queries the membership of a container object and does not have permission to read a certain type, members of that type are returned but with limited information. The application receives a 200 response and a collection of objects. Complete information is returned for the object types that the application has permission to read. For the object types that the application does not have permission to read, only the object type and ID are returned.

Resolution:

When an application queries a relationship that returns a directoryObject type collection, if it does not have permission to read a certain derived type, members of that type are returned but with limited information. To read all the other group information, you also need to configure at least the Directory.Read.All permission in your application.
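An added example (not from the original article or from Microsoft's documentation): a Python check that separates fully readable memberOf entries from those returned with only the type and ID, so a caller does not mistake a permission gap for empty group data. The sample response, the second object's ID and display name, and all function names are constructed for illustration.

```python
import json

# Constructed sample shaped like the response above: one group returned with
# limited information and one directory role the caller is allowed to read.
SAMPLE = json.loads("""
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects",
  "value": [
    {"@odata.type": "#microsoft.graph.group",
     "id": "b0a133d4-3f3d-4990-be22-879151155f19",
     "displayName": null, "description": null, "groupTypes": [],
     "mail": null, "mailEnabled": null},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "id": "00000000-0000-0000-0000-000000000001",
     "displayName": "Example Role (constructed)", "description": null}
  ]
}
""")

IDENTITY_KEYS = {"@odata.type", "id"}


def is_redacted(obj):
    """True when nothing except the object type and ID carries a value."""
    return all(v is None or v == []
               for k, v in obj.items() if k not in IDENTITY_KEYS)


def split_memberships(response):
    """Return (readable, redacted) lists from a memberOf response body."""
    readable, redacted = [], []
    for obj in response.get("value", []):
        (redacted if is_redacted(obj) else readable).append(obj)
    return readable, redacted


def redacted_types(response):
    """Count limited-information entries per derived type, e.g. {'group': 1}."""
    counts = {}
    for obj in split_memberships(response)[1]:
        short = obj.get("@odata.type", "unknown").rsplit(".", 1)[-1]
        counts[short] = counts.get(short, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, n in redacted_types(SAMPLE).items():
        print(f"{n} object(s) of type '{kind}' came back with only type and ID; "
              "check the application's read permission for that type")
```

Any type reported here is one the application could list but not read, which is the signal to review the granted permissions rather than the directory data.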


wad11656
June 17, 2021 9:22 pm

Well that’s silly. The Microsoft infrastructure is so gargantuan and the app permissions settings, UI to access those settings, and even the Azure AD user permissions required to be able to grant/access those settings…is so convoluted it gives me instant brain fog. All I wanted was a list of people in a Microsoft group. It took me 4 business days to work it out! This was the very last step. Geez Louise. And I still feel inept in regards to M365, Azure and how they’re separate from each other…or connected…or why I have to suddenly do so many things in…