The Microsoft Graph endpoint is how you can interact programmatically with your tenant data. One of the most common scenarios is a MS Graph request to look up a user or users in the tenant. If you’re using delegated permissions in your access token, for a user to look up another user, the access token will need the delegated permission of User.Read.All However, there are ways to prevent users from being able to lookup other users in MS Graph via a tenant policy unless the user is a tenant admin. This sometimes is a gotcha because you may implement this policy in the tenant but later on, a new application needs to be able to perform this action and it is getting a 401 response, even though the proper permissions are consented to on the app registration and the access token has the proper permission. And, you have forgotten that this policy was enabled but it works for admin users. This is your clue that there is a policy in place preventing normal users from querying users.
The documentation is not easy to find for this scenario, hence this blog post to help you discover a solution when searching for this problem. The documentation for this is here. The setting you’re interested in is “allowedToReadOtherUsers”. You can query to see if that setting is on the policy and set to “true” using a GET request. To update the policy to resolve the issue, you can make a PATCH request for that setting:
PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy
{ “defaultUserRolePermissions”: { “allowedToReadOtherUsers”: true } }