Getting users from MS Graph API with a $filter causes 403 for some users












0















We have a single-page Javascript app that makes calls to Microsoft Graph API using delegated permissions.
One of the things it does is get a list of users via the /users endpoint.



Now when the request URL was https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName,
everything worked fine.



But then we changed it to include a filter.
Specifically we only want Guest users.
So we changed the request URL to https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType.



Now some of the users get a 403 Forbidden when we try to make the query.
What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.



This user is themselves a Guest user, and has the Guest Inviter directory role.
This gives them the ability to read all users.
I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).



The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.



My theory is that the user does not have permission to access the userType property, and this causes the 403.
It is probably part of the "full profile".



Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope.
If we look at the Guest Inviter role's permissions: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter.
We can see that they have microsoft.aad.directory/users/basic/read, a Global admin on the other hand has microsoft.aad.directory/users/allProperties/allTasks.



My question is, what do I need to do to enable this query for the user?
I would like to avoid giving them Global Admin in this case.



The application's token has the following scopes:




  • Directory.AccessAsUser.All

  • User.Read


We used a less privileged scope before,
but we needed to add features that required higher privileges.
The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.



The application is also registered as a Native app, if that makes a difference.



Signing out and signing back in (to refresh the token) also does not help.
This problem occurs with a fresh sign-in with the same scopes in the token.
The only difference is the role of the user in AAD.



Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.










share|improve this question

























  • Are these guest users from another Azure AD tenant or something like abc@gmail.com who have nothing to do with Azure AD before invitation? Or may be you have both variations.. I'm asking because I see a little bit different behavior..

    – Rohit Saigal
    Nov 14 '18 at 19:44











  • These are from another AAD.

    – juunas
    Nov 14 '18 at 19:46











  • You definitely don't need to give this user Global Admin. I'm having trouble reproducing the issue you describe (with a guest user in the Guest Inviter role I was able to perform both queries you list). What scope does the app have for the request?

    – Philippe Signoret
    Nov 14 '18 at 22:54











  • @PhilippeSignoret I added the scopes in the token as well as the app's type to the question. I sent the request id and timestamp to you privately.

    – juunas
    Nov 15 '18 at 6:56






  • 1





    I'm followin up internally with the PM who shipped the guest features. Please ping back on twitter if you don't hear from me...

    – Jeremy Thake MSFT
    Nov 15 '18 at 19:21
















0















We have a single-page Javascript app that makes calls to Microsoft Graph API using delegated permissions.
One of the things it does is get a list of users via the /users endpoint.



Now when the request URL was https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName,
everything worked fine.



But then we changed it to include a filter.
Specifically we only want Guest users.
So we changed the request URL to https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType.



Now some of the users get a 403 Forbidden when we try to make the query.
What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.



This user is themselves a Guest user, and has the Guest Inviter directory role.
This gives them the ability to read all users.
I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).



The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.



My theory is that the user does not have permission to access the userType property, and this causes the 403.
It is probably part of the "full profile".



Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope.
If we look at the Guest Inviter role's permissions: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter.
We can see that they have microsoft.aad.directory/users/basic/read, a Global admin on the other hand has microsoft.aad.directory/users/allProperties/allTasks.



My question is, what do I need to do to enable this query for the user?
I would like to avoid giving them Global Admin in this case.



The application's token has the following scopes:




  • Directory.AccessAsUser.All

  • User.Read


We used a less privileged scope before,
but we needed to add features that required higher privileges.
The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.



The application is also registered as a Native app, if that makes a difference.



Signing out and signing back in (to refresh the token) also does not help.
This problem occurs with a fresh sign-in with the same scopes in the token.
The only difference is the role of the user in AAD.



Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.










share|improve this question

























  • Are these guest users from another Azure AD tenant or something like abc@gmail.com who have nothing to do with Azure AD before invitation? Or may be you have both variations.. I'm asking because I see a little bit different behavior..

    – Rohit Saigal
    Nov 14 '18 at 19:44











  • These are from another AAD.

    – juunas
    Nov 14 '18 at 19:46











  • You definitely don't need to give this user Global Admin. I'm having trouble reproducing the issue you describe (with a guest user in the Guest Inviter role I was able to perform both queries you list). What scope does the app have for the request?

    – Philippe Signoret
    Nov 14 '18 at 22:54











  • @PhilippeSignoret I added the scopes in the token as well as the app's type to the question. I sent the request id and timestamp to you privately.

    – juunas
    Nov 15 '18 at 6:56






  • 1





    I'm followin up internally with the PM who shipped the guest features. Please ping back on twitter if you don't hear from me...

    – Jeremy Thake MSFT
    Nov 15 '18 at 19:21














0












0








0


1






We have a single-page Javascript app that makes calls to Microsoft Graph API using delegated permissions.
One of the things it does is get a list of users via the /users endpoint.



Now when the request URL was https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName,
everything worked fine.



But then we changed it to include a filter.
Specifically we only want Guest users.
So we changed the request URL to https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType.



Now some of the users get a 403 Forbidden when we try to make the query.
What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.



This user is themselves a Guest user, and has the Guest Inviter directory role.
This gives them the ability to read all users.
I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).



The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.



My theory is that the user does not have permission to access the userType property, and this causes the 403.
It is probably part of the "full profile".



Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope.
If we look at the Guest Inviter role's permissions: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter.
We can see that they have microsoft.aad.directory/users/basic/read, a Global admin on the other hand has microsoft.aad.directory/users/allProperties/allTasks.



My question is, what do I need to do to enable this query for the user?
I would like to avoid giving them Global Admin in this case.



The application's token has the following scopes:




  • Directory.AccessAsUser.All

  • User.Read


We used a less privileged scope before,
but we needed to add features that required higher privileges.
The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.



The application is also registered as a Native app, if that makes a difference.



Signing out and signing back in (to refresh the token) also does not help.
This problem occurs with a fresh sign-in with the same scopes in the token.
The only difference is the role of the user in AAD.



Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.










share|improve this question
















We have a single-page Javascript app that makes calls to Microsoft Graph API using delegated permissions.
One of the things it does is get a list of users via the /users endpoint.



Now when the request URL was https://graph.microsoft.com/v1.0/users?$select=id,displayName,givenName,surname,mail,userPrincipalName,
everything worked fine.



But then we changed it to include a filter.
Specifically we only want Guest users.
So we changed the request URL to https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Guest'&$select=id,displayName,givenName,surname,mail,userPrincipalName,userType.



Now some of the users get a 403 Forbidden when we try to make the query.
What is puzzling is that they can get the full list of users, but are unable to get a subset of the users.



This user is themselves a Guest user, and has the Guest Inviter directory role.
This gives them the ability to read all users.
I have a Global Admin account which is able to use the second request as well (it would be pretty stunning if it could not).



The app itself has the necessary scopes since it is able to read the users, it just depends on the user and their permissions in AAD.



My theory is that the user does not have permission to access the userType property, and this causes the 403.
It is probably part of the "full profile".



Philippe confirmed this by stating you cannot access this property through the User.ReadBasic.All scope.
If we look at the Guest Inviter role's permissions: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#guest-inviter.
We can see that they have microsoft.aad.directory/users/basic/read, a Global admin on the other hand has microsoft.aad.directory/users/allProperties/allTasks.



My question is, what do I need to do to enable this query for the user?
I would like to avoid giving them Global Admin in this case.



The application's token has the following scopes:




  • Directory.AccessAsUser.All

  • User.Read


We used a less privileged scope before,
but we needed to add features that required higher privileges.
The scope we have is the "most privileged" scope for listing users: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list.



The application is also registered as a Native app, if that makes a difference.



Signing out and signing back in (to refresh the token) also does not help.
This problem occurs with a fresh sign-in with the same scopes in the token.
The only difference is the role of the user in AAD.



Request id: 6079bcb2-6f90-44cc-8a57-83a8e1676333, timestamp Thu, 15 Nov 2018 06:49:59 GMT.







azure azure-active-directory microsoft-graph






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 15 '18 at 18:23







juunas

















asked Nov 14 '18 at 17:09









juunasjuunas

22.3k34880




22.3k34880













  • Are these guest users from another Azure AD tenant or something like abc@gmail.com who have nothing to do with Azure AD before invitation? Or may be you have both variations.. I'm asking because I see a little bit different behavior..

    – Rohit Saigal
    Nov 14 '18 at 19:44











  • These are from another AAD.

    – juunas
    Nov 14 '18 at 19:46











  • You definitely don't need to give this user Global Admin. I'm having trouble reproducing the issue you describe (with a guest user in the Guest Inviter role I was able to perform both queries you list). What scope does the app have for the request?

    – Philippe Signoret
    Nov 14 '18 at 22:54











  • @PhilippeSignoret I added the scopes in the token as well as the app's type to the question. I sent the request id and timestamp to you privately.

    – juunas
    Nov 15 '18 at 6:56






  • 1





    I'm followin up internally with the PM who shipped the guest features. Please ping back on twitter if you don't hear from me...

    – Jeremy Thake MSFT
    Nov 15 '18 at 19:21



















  • Are these guest users from another Azure AD tenant or something like abc@gmail.com who have nothing to do with Azure AD before invitation? Or may be you have both variations.. I'm asking because I see a little bit different behavior..

    – Rohit Saigal
    Nov 14 '18 at 19:44











  • These are from another AAD.

    – juunas
    Nov 14 '18 at 19:46











  • You definitely don't need to give this user Global Admin. I'm having trouble reproducing the issue you describe (with a guest user in the Guest Inviter role I was able to perform both queries you list). What scope does the app have for the request?

    – Philippe Signoret
    Nov 14 '18 at 22:54











  • @PhilippeSignoret I added the scopes in the token as well as the app's type to the question. I sent the request id and timestamp to you privately.

    – juunas
    Nov 15 '18 at 6:56






  • 1





    I'm followin up internally with the PM who shipped the guest features. Please ping back on twitter if you don't hear from me...

    – Jeremy Thake MSFT
    Nov 15 '18 at 19:21

















Are these guest users from another Azure AD tenant or something like abc@gmail.com who have nothing to do with Azure AD before invitation? Or may be you have both variations.. I'm asking because I see a little bit different behavior..

– Rohit Saigal
Nov 14 '18 at 19:44





Are these guest users from another Azure AD tenant or something like abc@gmail.com who have nothing to do with Azure AD before invitation? Or may be you have both variations.. I'm asking because I see a little bit different behavior..

– Rohit Saigal
Nov 14 '18 at 19:44













These are from another AAD.

– juunas
Nov 14 '18 at 19:46





These are from another AAD.

– juunas
Nov 14 '18 at 19:46













You definitely don't need to give this user Global Admin. I'm having trouble reproducing the issue you describe (with a guest user in the Guest Inviter role I was able to perform both queries you list). What scope does the app have for the request?

– Philippe Signoret
Nov 14 '18 at 22:54





You definitely don't need to give this user Global Admin. I'm having trouble reproducing the issue you describe (with a guest user in the Guest Inviter role I was able to perform both queries you list). What scope does the app have for the request?

– Philippe Signoret
Nov 14 '18 at 22:54













@PhilippeSignoret I added the scopes in the token as well as the app's type to the question. I sent the request id and timestamp to you privately.

– juunas
Nov 15 '18 at 6:56





@PhilippeSignoret I added the scopes in the token as well as the app's type to the question. I sent the request id and timestamp to you privately.

– juunas
Nov 15 '18 at 6:56




1




1





I'm followin up internally with the PM who shipped the guest features. Please ping back on twitter if you don't hear from me...

– Jeremy Thake MSFT
Nov 15 '18 at 19:21





I'm followin up internally with the PM who shipped the guest features. Please ping back on twitter if you don't hear from me...

– Jeremy Thake MSFT
Nov 15 '18 at 19:21












3 Answers
3






active

oldest

votes


















1














Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.






share|improve this answer
























  • Thanks Jeremy! :)

    – juunas
    Nov 27 '18 at 18:47



















0














You are most likely experiencing this if your application only has delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. With only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property.



You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests for User.Read.All instead, the filter should work as expected for your guest user in the Guest Inviter role.






share|improve this answer
























  • The problem is that it does work for the Guest Global Admin account :D

    – juunas
    Nov 15 '18 at 6:56



















-1














What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?



If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.






share|improve this answer
























  • Yes, we have this set. But the user has been given the Guest Inviter role, which gives them the ability to enumerate users anyway. They are able to get users, just not when we specify a filter for userType.

    – juunas
    Nov 14 '18 at 19:40











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53305452%2fgetting-users-from-ms-graph-api-with-a-filter-causes-403-for-some-users%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.






share|improve this answer
























  • Thanks Jeremy! :)

    – juunas
    Nov 27 '18 at 18:47
















1














Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.






share|improve this answer
























  • Thanks Jeremy! :)

    – juunas
    Nov 27 '18 at 18:47














1












1








1







Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.






share|improve this answer













Unfortunately your theory is actually correct about guest users not being able to filter on userType. I have just spoken to the engineering team behind this logic on Microsoft Graph. They are looking into a fix here so that it adheres to our Roles based access control (RBAC) for this property and not the pre RBAC logic that it is doing right now. There is no time frame currently on this, they are planning it into their sprint. I'll see if I can get an update in the next few days.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 27 '18 at 18:39









Jeremy Thake MSFTJeremy Thake MSFT

8081511




8081511













  • Thanks Jeremy! :)

    – juunas
    Nov 27 '18 at 18:47



















  • Thanks Jeremy! :)

    – juunas
    Nov 27 '18 at 18:47

















Thanks Jeremy! :)

– juunas
Nov 27 '18 at 18:47





Thanks Jeremy! :)

– juunas
Nov 27 '18 at 18:47













0














You are most likely experiencing this if your application only has delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. With only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property.



You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests for User.Read.All instead, the filter should work as expected for your guest user in the Guest Inviter role.






share|improve this answer
























  • The problem is that it does work for the Guest Global Admin account :D

    – juunas
    Nov 15 '18 at 6:56
















0














You are most likely experiencing this if your application only has delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. With only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property.



You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests for User.Read.All instead, the filter should work as expected for your guest user in the Guest Inviter role.






share|improve this answer
























  • The problem is that it does work for the Guest Global Admin account :D

    – juunas
    Nov 15 '18 at 6:56














0












0








0







You are most likely experiencing this if your application only has delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. With only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property.



You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests for User.Read.All instead, the filter should work as expected for your guest user in the Guest Inviter role.






share|improve this answer













You are most likely experiencing this if your application only has delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. With only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property.



You'll probably find any user in the tenant will have the same experience, including a member or a global admin, not just your guest user. If your app requests for User.Read.All instead, the filter should work as expected for your guest user in the Guest Inviter role.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 14 '18 at 23:49









Philippe SignoretPhilippe Signoret

6,72512443




6,72512443













  • The problem is that it does work for the Guest Global Admin account :D

    – juunas
    Nov 15 '18 at 6:56



















  • The problem is that it does work for the Guest Global Admin account :D

    – juunas
    Nov 15 '18 at 6:56

















The problem is that it does work for the Guest Global Admin account :D

– juunas
Nov 15 '18 at 6:56





The problem is that it does work for the Guest Global Admin account :D

– juunas
Nov 15 '18 at 6:56











-1














What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?



If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.






share|improve this answer
























  • Yes, we have this set. But the user has been given the Guest Inviter role, which gives them the ability to enumerate users anyway. They are able to get users, just not when we specify a filter for userType.

    – juunas
    Nov 14 '18 at 19:40
















-1














What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?



If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.






share|improve this answer
























  • Yes, we have this set. But the user has been given the Guest Inviter role, which gives them the ability to enumerate users anyway. They are able to get users, just not when we specify a filter for userType.

    – juunas
    Nov 14 '18 at 19:40














-1












-1








-1







What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?



If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.






share|improve this answer













What do you have set under Azure Active Directory -> User Settings -> External collaboration settings -> Guest user permissions are limited?



If the guest permissions are limited, guest users are unable to enumerate the directory users & groups.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 14 '18 at 18:23









ZachaferZachafer

939




939













  • Yes, we have this set. But the user has been given the Guest Inviter role, which gives them the ability to enumerate users anyway. They are able to get users, just not when we specify a filter for userType.

    – juunas
    Nov 14 '18 at 19:40



















  • Yes, we have this set. But the user has been given the Guest Inviter role, which gives them the ability to enumerate users anyway. They are able to get users, just not when we specify a filter for userType.

    – juunas
    Nov 14 '18 at 19:40

















Yes, we have this set. But the user has been given the Guest Inviter role, which gives them the ability to enumerate users anyway. They are able to get users, just not when we specify a filter for userType.

– juunas
Nov 14 '18 at 19:40





Yes, we have this set. But the user has been given the Guest Inviter role, which gives them the ability to enumerate users anyway. They are able to get users, just not when we specify a filter for userType.

– juunas
Nov 14 '18 at 19:40


















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53305452%2fgetting-users-from-ms-graph-api-with-a-filter-causes-403-for-some-users%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Florida Star v. B. J. F.

Danny Elfman

Lugert, Oklahoma