Expanding MemberOf with Microsoft Graph does not p

2019-02-23 08:20发布

问题:

Background
Currently I'm working on implementing Azure Active Directory user management in our own portal to enable user management for users we don't want snooping around in the Azure Portal. I've implemented it using application permissions so we can have the Azure admin grant permissions to this one specific application. RBAC together with user roles in our application make sure only authorized users are able to use the functionality.

One of the things we wanted to enable is inviting users into our Azure Active Directory tenant. I managed to implement that one, and everything seemed great. Next step was to implement a user overview with their assigned roles.

By the way, these are the required (and granted) permissions:

  • Invite guest users to the organization
  • Read all groups
  • Read directory data
  • Read all users' full profiles

The issue
Getting the users in the tenant is no issue. Getting the MemberOf information for a list of users does not work. After some searching I found your application needs the Directory.Read.All permission (documentation on List memberOf). I added the permission, tested the code with anticipation: nothing. The MemberOf property is always null.

Scenarios that do not work:
Expanding MemberOf for a all users:

var allUsers = await _graphClient.Users.Request().Expand(u => u.MemberOf).GetAsync();

Expanding MemberOf for a specific user:

var user = await _graphClient.Users[userId].Request().Expand(u => u.MemberOf).GetAsync();

Scenarios that do work:
Getting all groups expanding Members:

var groupsWithMembers = await _graphClient.Groups.Request().Expand(g => g.Members).GetAsync();

Getting the MemberOf information for a specific user:

var userGroups = await _graphClient.Users[userId].MemberOf.Request().GetAsync();

The question
In short: what am I missing here? As far as I can determine I've set the permissions the application needs, and I'm using the SDK like documented. And that should be correct given the fact that expanding the users' Members property does work.

Any ideas?

回答1:

The documentation is, unfortunately, a little vague on the topic but currently, the /v1.0 endpoint doesn't support expanding the memberOf property. It is however supported by the /beta endpoint.

My recommendation would be to switch to /beta for this call. Normally the guidance is to avoid using Beta in production. There are often subtle schema differences between v1.0 and Beta entities and this endpoint can (and does) receive breaking change without warning. In this specific case, however, it shouldn't be an issue since your expanding a property that already exists in v1.0 (albeit currently non-functional)/