Background
Currently I'm working on implementing Azure Active Directory user management in our own portal to enable user management for users we don't want snooping around in the Azure Portal. I've implemented it using application permissions so we can have the Azure admin grant permissions to this one specific application. RBAC together with user roles in our application make sure only authorized users are able to use the functionality.
One of the things we wanted to enable is inviting users into our Azure Active Directory tenant. I managed to implement that one, and everything seemed great. Next step was to implement a user overview with their assigned roles.
By the way, these are the required (and granted) permissions:
- Invite guest users to the organization
- Read all groups
- Read directory data
- Read all users' full profiles
The issue
Getting the users in the tenant is no issue. Getting the MemberOf information for a list of users does not work. After some searching I found your application needs the Directory.Read.All
permission (documentation on List memberOf). I added the permission, tested the code with anticipation: nothing. The MemberOf property is always null
.
Scenarios that do not work:
Expanding MemberOf for a all users:
var allUsers = await _graphClient.Users.Request().Expand(u => u.MemberOf).GetAsync();
Expanding MemberOf for a specific user:
var user = await _graphClient.Users[userId].Request().Expand(u => u.MemberOf).GetAsync();
Scenarios that do work:
Getting all groups expanding Members:
var groupsWithMembers = await _graphClient.Groups.Request().Expand(g => g.Members).GetAsync();
Getting the MemberOf information for a specific user:
var userGroups = await _graphClient.Users[userId].MemberOf.Request().GetAsync();
The question
In short: what am I missing here? As far as I can determine I've set the permissions the application needs, and I'm using the SDK like documented. And that should be correct given the fact that expanding the users' Members
property does work.
Any ideas?