Usecase: Graph API should be able to access only 1 group and only its users.
Issue: Using steps mentioned below, usecase is working fine at group level, i.e, graph API only has access to this group and for all other groups it's throwing AccessDenied, as expected. But I am not able to fetch the user details in groups("groupID").members() list. It is returning correct user IDs, but I also need user email and user name which are coming as null.
Below are the steps taken:
Registered a new App custom_app
Created a directory level custom role under Roles & Administrators : custom_role
Assigned these permissions to custom_role: microsoft.directory/groups/members/read , microsoft.directory/users/identities/read, microsoft.directory/users/standard/read
Create a custom group named as custom_group and assigned 3 users : user1, user2 and user3
Under limited app scope to only this group by below steps
- In custom_role, added assignment
- Scope type: Group
- Scope: custom_group
- Members : ID of custom_app (Service Principle)
I am able to fetch user name and user email only if point 5 above is repeated for assignment Scope: User, Members : Service Principle.
How to achieve the same without user assignment to service principle in custom role, and directly assigning the group?
Thanks for support.
Thanks for sharing the steps above, I was able to replicate your scenario. I resolved this issue by adding User.Read.All app permission on the Customapp as shown in the image. To read the basic properties of a group's members that are users, the app needs at least the User.Read.All permission.
To read the basic properties of a group's members that are groups, the app needs at least the Group.Read.All permission.
Additional info on permissions can be found here - https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http#limited-information-returned-for-inaccessible-member-objects