Unable to get Office 365 groups I'm a member o

Posted 2019-05-15 08:21

Question:

Trying to get all the Office 365 groups a user is a member of.
I've registered a 'Native client application' on Azure and selected only one permission: 'Read all groups' under the 'Microsoft Graph' scope.

The problem: users from other tenants got the 'Calling principal cannot consent due to lack of permissions.' error, and did not get to the consent step.

If the user has admin rights or if I register another app on a second tenant, I was able to pass the consent step and also got the groups list.

BTW, registering a 'Web application' and selecting 'Yes' in the Multi-tenant option didn't help either.

Does anybody know if 'Group.Read.All' requires admin consent? According to this it doesn't.
I also tried to run this query https://graph.microsoft.com/v1.0/me/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(a:a%20eq%20'unified') as mentioned here under 'GET unified groups I’m member of', but with no luck.

Another question, is there a way to configure the Native app as a multi-tenant app?

Answer 1:

The answer follows from what you are saying: you did not get to the consent step, and selecting just 'Read all groups' is not enough. You have to select the sign-in users permission as well in the Graph API.

Hope this helps.



Answer 2:

You have a few questions in here, so I'll try to help. Let me know if I've missed something or you need more clarification.

Native applications in Azure AD are multi-tenant by nature, so there's no need to set the multi-tenant toggle like you do with Web apps.

Group.Read.All does require admin consent. I've found the following page to be super useful as I try to determine the permissions needed for my applications: http://graph.microsoft.io/en-us/docs/authorization/permission_scopes.

During development I have sometimes needed to update the permissions for my app. Whenever permissions are updated I've found it useful to go to http://myapps.microsoft.com to revoke consent for my app. Then the next time I log in to the app, I am always prompted for consent so I can clearly see exactly what users will see.
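
One way to pick the Office 365 (unified) groups out of /me/memberOf results on the client once consent has been granted, as an added example that is not part of the original thread. The response pages are constructed sample data, and `fetch_page`, `iter_member_of` and `unified_groups` are hypothetical names; a real client would pass a function that performs the authenticated GET.

```python
# Added example: select Office 365 ("Unified") groups from paged
# /me/memberOf results. The pages below are constructed sample data; in a
# real client fetch_page would be an authenticated HTTP GET (assumption).
from typing import Callable, Dict, Iterator, List, Optional

FIRST_URL = "https://graph.microsoft.com/v1.0/me/memberOf"
NEXT_URL = FIRST_URL + "?$skiptoken=constructed"

# Constructed responses keyed by URL, shaped like Graph directoryObject pages.
SAMPLE_PAGES: Dict[str, dict] = {
    FIRST_URL: {
        "@odata.nextLink": NEXT_URL,
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "g-1",
             "displayName": "Project Team", "groupTypes": ["Unified"]},
            {"@odata.type": "#microsoft.graph.group", "id": "g-2",
             "displayName": "Admins (security)", "groupTypes": []},
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-1",
             "displayName": "Helpdesk role"},
        ],
    },
    NEXT_URL: {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "g-3",
             "displayName": "Dynamic O365",
             "groupTypes": ["DynamicMembership", "Unified"]},
        ],
    },
}

def iter_member_of(fetch_page: Callable[[str], dict],
                   url: str = FIRST_URL) -> Iterator[dict]:
    """Yield every directory object, following @odata.nextLink."""
    seen = set()
    next_url: Optional[str] = url
    while next_url and next_url not in seen:  # stop if a link loops back
        seen.add(next_url)
        page = fetch_page(next_url)
        yield from page.get("value", [])
        next_url = page.get("@odata.nextLink")

def unified_groups(fetch_page: Callable[[str], dict],
                   url: str = FIRST_URL) -> List[dict]:
    """Keep only group objects whose groupTypes contains 'Unified'."""
    return [
        obj for obj in iter_member_of(fetch_page, url)
        if obj.get("@odata.type") == "#microsoft.graph.group"
        and any(t.lower() == "unified" for t in obj.get("groupTypes") or [])
    ]

if __name__ == "__main__":
    for g in unified_groups(SAMPLE_PAGES.__getitem__):
        print(g["id"], g["displayName"])
```

Security groups and directory roles are dropped because they either lack `groupTypes` or do not list `Unified` in it.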