Getting users from MS Graph API with a $filter causes 403 for some users
We have a single-page JavaScript app that makes calls to Microsoft Graph API using delegated permissions.
One of the things it does is get a list of users via the /users endpoint.
Now when the request URL was `https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName`, everything worked fine.
But then we changed it to include a filter.
Specifically we only want Guest users.
So we changed the request URL to `https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType`.
Now some of the users get a 403 Forbidden when we try to make the query.
What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.
This user is themselves a Guest user, and has the Guest Inviter directory role.
This gives them the ability to read all users.
I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).
The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.
My theory is that the user does not have permission to access the `userType` property, and this causes the 403.
It is probably part of the "full profile".
Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope.
If we look at the Guest Inviter role's permissions: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter.
We can see that they have `microsoft.aad.directory/users/basic/read`, a Global admin on the other hand has `microsoft.aad.directory/users/allProperties/allTasks`.
My question is, what do I need to do to enable this query for the user?
I would like to avoid giving them Global Admin in this case.
The application's token has the following scopes:
- Directory.AccessAsUser.All
- User.Read
We used a less privileged scope before, but we needed to add features that required higher privileges.
The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.
The application is also registered as a Native app, if that makes a difference.
Signing out and signing back in (to refresh the token) also does not help.
This problem occurs with a fresh sign-in with the same scopes in the token.
The only difference is the role of the user in AAD.
Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.
azure azure-active-directory microsoft-graph
asked Nov 14 '18 at 17:09 by juunas; edited Nov 15 '18 at 18:23
Are these guest users from another Azure AD tenant or something like abc@gmail.com who have nothing to do with Azure AD before invitation? Or maybe you have both variations. I'm asking because I see a little bit different behavior.
– Rohit Saigal
Nov 14 '18 at 19:44
These are from another AAD.
– juunas
Nov 14 '18 at 19:46
You definitely don't need to give this user Global Admin. I'm having trouble reproducing the issue you describe (with a guest user in the Guest Inviter role I was able to perform both queries you list). What scope does the app have for the request?
– Philippe Signoret
Nov 14 '18 at 22:54
@PhilippeSignoret I added the scopes in the token as well as the app's type to the question. I sent the request id and timestamp to you privately.
– juunas
Nov 15 '18 at 6:56
I'm following up internally with the PM who shipped the guest features. Please ping back on Twitter if you don't hear from me...
– Jeremy Thake MSFT
Nov 15 '18 at 19:21
3 Answers
Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.
answered Nov 27 '18 at 18:39 by Jeremy Thake MSFT
Thanks Jeremy! :)
– juunas
Nov 27 '18 at 18:47
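An added example (not part of the thread and not Microsoft's code): a client can keep the user in the Guest Inviter role and treat the 403 on `$filter=userType` as a signal to fall back to the unfiltered list, which the question reports still works. `listGuests`, the injected `httpGet`, the stub directory and the `#EXT#` user principal name heuristic for guests invited from another tenant are assumptions of this example.

```javascript
const USERS = "https://graph.microsoft.com/v1.0/users";
const SELECT = "id,displayName,givenName,surname,mail,userPrincipalName";

// Server-side query from the question, with the filter value URL-encoded.
function guestFilterUrl() {
  const filter = encodeURIComponent("userType eq 'Guest'");
  return `${USERS}?$filter=${filter}&$select=${SELECT},userType`;
}

// Client-side guest test. Prefers userType when the response carries it.
// Assumption: guests invited from another tenant have "#EXT#" in their UPN.
function looksLikeGuest(user) {
  if (typeof user.userType === "string") return user.userType === "Guest";
  return String(user.userPrincipalName || "").includes("#EXT#");
}

// Follow @odata.nextLink until the collection is exhausted.
// httpGet(url) is injected and resolves to { status, body }.
async function readAllPages(httpGet, firstUrl) {
  const users = [];
  for (let url = firstUrl; url; ) {
    const res = await httpGet(url);
    if (res.status !== 200) {
      throw Object.assign(new Error(`Graph returned ${res.status}`), { status: res.status });
    }
    users.push(...res.body.value);
    url = res.body["@odata.nextLink"] || null;
  }
  return users;
}

// Try the server-side filter first; fall back only on 403.
async function listGuests(httpGet) {
  try {
    return { source: "server-filter", users: await readAllPages(httpGet, guestFilterUrl()) };
  } catch (err) {
    // Other failures (401, 429, 5xx) are not authorization results and propagate.
    if (err.status !== 403) throw err;
  }
  const all = await readAllPages(httpGet, `${USERS}?$select=${SELECT}`);
  return { source: "client-filter", users: all.filter(looksLikeGuest) };
}

// Constructed stand-in for Graph so the example runs offline.
// callerMayFilterOnUserType models the signed-in user's directory role.
function makeStubGraph(callerMayFilterOnUserType) {
  const directory = [
    { id: "1", displayName: "Alice Member", userPrincipalName: "alice@contoso.example", userType: "Member" },
    { id: "2", displayName: "Bob Guest", userPrincipalName: "bob_fabrikam.example#EXT#@contoso.example", userType: "Guest" },
    { id: "3", displayName: "Carol Guest", userPrincipalName: "carol_fabrikam.example#EXT#@contoso.example", userType: "Guest" },
  ];
  // The unfiltered query does not select userType, so strip it from those pages.
  const strip = ({ userType, ...basic }) => basic;
  return async function httpGet(url) {
    if (url.includes("$filter=")) {
      if (!callerMayFilterOnUserType) {
        return { status: 403, body: { error: { message: "constructed 403 body" } } };
      }
      return { status: 200, body: { value: directory.filter((u) => u.userType === "Guest") } };
    }
    if (url.includes("$skiptoken=")) {
      return { status: 200, body: { value: directory.slice(2).map(strip) } };
    }
    return {
      status: 200,
      body: { value: directory.slice(0, 2).map(strip), "@odata.nextLink": `${url}&$skiptoken=constructed` },
    };
  };
}

// Demo: the caller that gets 403 on the filter still ends up with the guests.
listGuests(makeStubGraph(false)).then((r) =>
  console.log(r.source, r.users.map((u) => u.displayName))
);
```

Log which branch was taken (`source`) so the fallback can be retired once the filtered query starts succeeding for these users.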
You are most likely experiencing this if your application only has delegated permissions for `https://graph.microsoft.com/User.ReadBasic.All`. With only `User.ReadBasic.All`, your app doesn't have permission to read the `userType` property, which also means it doesn't have permission to filter on that property.
You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests `User.Read.All` instead, the filter should work as expected for your guest user in the Guest Inviter role.
answered Nov 14 '18 at 23:49 by Philippe Signoret
The problem is that it does work for the Guest Global Admin account :D
– juunas
Nov 15 '18 at 6:56
What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?
If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.
answered Nov 14 '18 at 18:23 by Zachafer
Yes, we have this set. But the user has been given the Guest Inviter role, which gives them the ability to enumerate users anyway. They are able to get users, just not when we specify a filter for userType.
– juunas
Nov 14 '18 at 19:40