Allow signed in user to read AD group memberships with minimal delegated permissions
Applications that implement group based authorization require the ability to query the group identifiers of the signed in user via minimal delegated permissions. The group based authorization is a common scenario for (multi-tenant) SaaS applications. Oftentimes it's difficult or impossible to get permissions from a customer that can expose a broad set of information. Even if one was able to get the permissions, the implementation would still be sub-optimal and cause unnecessary security risks.
The current version of the `user: getMemberGroups` function doesn't satisfy the need because it requires broad and even application-level permissions.
Please note that the above document is out of date and inaccurate regarding the required permissions.
Please implement support for the operation of querying group identifiers of the signed in user with appropriate minimal delegated permissions (such as User.Read).
A recent change was made (for some other reasons) that now allows this information to be read with minimal permissions (like User.Read).
Please see this blog post for information: https://developer.microsoft.com/en-us/graph/blogs/upcoming-api-changes-to-return-limited-information-for-inaccessible-member-resources/
Also see the information in the permissions section of some API topics, like https://docs.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http
Hope this helps
Daniel Kvist commented
I can't see `User.Read` anywhere in the linked API documentation.
Juho Hanhimäki commented
Thanks for the update, this is great news!
We have now implemented the List user transitive memberOf function in our product to enable group based authorization. We use the User.Read permission and it works fine!
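As an added example (not code from this thread, nor Microsoft's own SDK), here is the client-side half of what the comment above describes: paging through `/me/transitiveMemberOf` with a delegated token and authorizing on group object ids. It assumes the standard library only, a page fetcher injected as a parameter, and constructed sample responses in place of a live tenant; the GUIDs are made up.

```python
import json
import urllib.request
from typing import Callable, Iterator, Optional

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
# Delegated call: the token must belong to the signed-in user, with User.Read consented.
FIRST_PAGE = f"{GRAPH_V1}/me/transitiveMemberOf?$top=999"

def graph_get_page(url: str, access_token: str) -> dict:
    """Fetch one page of a Graph collection with the user's delegated token (live call)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def iter_group_ids(get_page: Callable[[str], dict]) -> Iterator[str]:
    """Walk every page of /me/transitiveMemberOf and yield the object id of each group.
    get_page(url) returns the decoded JSON of one page; it is injected so the paging and
    filtering logic can run offline against constructed responses."""
    url: Optional[str] = FIRST_PAGE
    while url:
        page = get_page(url)
        for member in page.get("value", []):
            # Members the caller may not read in full come back as limited-information
            # objects carrying only "id" and "@odata.type". Directory roles are listed in
            # the same collection, so keep only groups and never depend on displayName.
            if member.get("@odata.type") == "#microsoft.graph.group":
                yield member["id"]
        url = page.get("@odata.nextLink")  # absent on the last page

def is_authorized(get_page: Callable[[str], dict], allowed_group_ids: set) -> bool:
    """Group-based authorization keyed on group object ids configured per tenant.
    Object ids are stable and tenant-scoped; display names are neither and may be missing."""
    return any(gid in allowed_group_ids for gid in iter_group_ids(get_page))

# Constructed sample: two pages shaped like the API's output under minimal permissions.
NEXT_PAGE = f"{FIRST_PAGE}&$skiptoken=constructed"
SAMPLE_PAGES = {
    FIRST_PAGE: {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "11111111-1111-1111-1111-111111111111",
             "displayName": "App Users"},
            {"@odata.type": "#microsoft.graph.group", "id": "22222222-2222-2222-2222-222222222222"},
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "33333333-3333-3333-3333-333333333333"},
        ],
        "@odata.nextLink": NEXT_PAGE,
    },
    NEXT_PAGE: {"value": [{"@odata.type": "#microsoft.graph.group",
                           "id": "44444444-4444-4444-4444-444444444444"}]},
}

def sample_get_page(url: str) -> dict:
    """Offline stand-in for graph_get_page, serving the constructed pages above."""
    return SAMPLE_PAGES[url]
```

In production, pass `lambda url: graph_get_page(url, token)` as `get_page` and keep `allowed_group_ids` in tenant configuration rather than in code.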
Tristan Crockett commented
Dan Kershaw: Has this change been deployed? If not, is there a timeline for its deployment?