
Microsoft Graph - Get MemberOf

I'm trying to access the groups a user is a member of using the Microsoft Graph API. I'm facing an issue because I think my permissions are set correctly; however, when I sign into the app, I get the message:

 AADSTS90093: Calling principal cannot consent due to lack of permissions. 

The weird thing is that I'm only asking for this permission scope:

public static String[] ClientScope = { "User.Read", "User.ReadBasic.All", "Group.Read.All"};

What makes me confused is that if I sign in to the Microsoft Graph explorer and go to https://graph.microsoft.com/v1.0/me/memberOf, I get the correct results. I got an admin to consent to the permissions I'm asking for in the scope, of course.

Has anyone encountered that issue?

Any idea how I should correct that?

The memberOf API requires one of the following scopes:

  • Directory.Read.All
  • Directory.ReadWrite.All
  • Directory.AccessAsUser.All

Regardless of which of these scopes you choose, they all will require administrative consent before a regular user can authorize them. To do this, you'll first need to have them go through the “Admin Consent” workflow. This workflow requires an administrator but once complete any users of your application will have “admin consent” to the restricted scope.

For example, you would normally authenticate users by redirecting them to

https://login.microsoftonline.com/common/oauth2/authorize?<your params> .

Since this scope requires an Admin, however, you first need to obtain consent by having an Admin authenticate by redirecting them to

https://login.microsoftonline.com/common/adminconsent?<your params> .

Once an Admin grants consent, normal users will be able to use OAuth to authenticate.
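The admin consent round trip described in the answer above, as an added example that is not part of the original question or answer: it builds the `/common/adminconsent` redirect with an unguessable `state` value and validates the callback before treating consent as granted. The function names are hypothetical, the sample ids are constructed, and the query parameters (`client_id`, `redirect_uri`, `state`) and callback fields (`admin_consent`, `tenant`, `error`) are the ones the Microsoft identity platform documents for this endpoint, not values taken from this page.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint as given in the answer above.
ADMIN_CONSENT_ENDPOINT = "https://login.microsoftonline.com/common/adminconsent"


def build_admin_consent_url(client_id, redirect_uri):
    """Return (url, state). Keep state in the admin's session before redirecting."""
    state = secrets.token_urlsafe(32)  # ties the callback to the session that started it
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri, "state": state})
    return f"{ADMIN_CONSENT_ENDPOINT}?{query}", state


def parse_admin_consent_callback(callback_url, expected_state):
    """Return the tenant id that granted consent, or raise ValueError."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    # Check state first: a callback with a missing or wrong state was not
    # started by this session and must not be trusted at all.
    got_state = params.get("state", "").encode()
    if not hmac.compare_digest(got_state, expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError(f"consent failed: {params['error']}")
    if params.get("admin_consent") != "True" or not params.get("tenant"):
        raise ValueError("admin consent not granted")
    return params["tenant"]


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    app_id = "00000000-0000-0000-0000-000000000000"
    callback = "https://app.example/consent"
    url, state = build_admin_consent_url(app_id, callback)
    print(url)
    granted = (f"{callback}?admin_consent=True"
               f"&tenant=11111111-1111-1111-1111-111111111111&state={state}")
    print(parse_admin_consent_callback(granted, state))
```

Only after `parse_admin_consent_callback` returns a tenant id should the app send regular users through the normal authorize redirect for the restricted scope.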
