| title | directoryObject: getMemberGroups |
|---|---|
| description | Return all the groups that the specified user, group, service principal, organizational contact, device, or directory object is a member of. This function is transitive. |
| ms.localizationpriority | medium |
| author | FaithOmbongi |
| ms.subservice | entra-directory-management |
| doc_type | apiPageType |
| ms.date | 10/02/2024 |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Return all the group IDs for the groups that the specified user, group, service principal, organizational contact, device, or directory object is a member of. This function is transitive.
This API returns up to 11,000 group IDs. If more than 11,000 results are available, it returns a 400 Bad Request error with the Directory_ResultSizeLimitExceeded error code. If you get the Directory_ResultSizeLimitExceeded error code, use the List group transitive memberOf API instead.
[!INCLUDE national-cloud-support]
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
Here, the permission allows you to read any directory object, regardless of the object type. To scope the operation to a specific object type and use lesser-privileged permissions, refer to other permissions tables on this page.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Directory.Read.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Directory.Read.All |
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | User.ReadBasic.All and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | User.ReadBasic.All and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All |
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Directory.Read.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Directory.Read.All, Directory.ReadWrite.All |
[!INCLUDE permissions-table]
Group memberships for a directory object (user, group, service principal, or organizational contact).
POST /directoryObjects/{id}/getMemberGroupsGroup memberships for the signed-in user or other users.
POST /me/getMemberGroups
POST /users/{id | userPrincipalName}/getMemberGroupsGroup memberships for a group.
POST /groups/{id}/getMemberGroupsGroup memberships for a service principal.
POST /servicePrincipals/{id}/getMemberGroupsGroup memberships for an organizational contact.
POST /contacts/{id}/getMemberGroupsGroup memberships for a device.
POST /devices/{id}/getMemberGroups| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json |
In the request body, provide a JSON object with the following parameters.
| Parameter | Type | Description |
|---|---|---|
| securityEnabledOnly | Boolean | true to specify that only security groups that the entity is a member of should be returned; false to specify that all groups and directory roles that the entity is a member of should be returned. true can be specified only for users or service principals to return security-enabled groups. |
If successful, this method returns 200 OK response code and String collection object in the response body.
POST https://graph.microsoft.com/beta/directoryObjects/0049d944-a805-4680-9f54-3ab292090309/getMemberGroups
Content-type: application/json
{
"securityEnabledOnly": false
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(Edm.String)",
"value": [
"a8daa1fb-d24c-47d0-9e9e-c99e83394e3e"
]
}POST https://graph.microsoft.com/beta/me/getMemberGroups
Content-type: application/json
{
"securityEnabledOnly": true
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(Edm.String)",
"value": [
"6239671a-0db6-4e8b-9d2f-f280efb5a181",
"2e2f1227-1586-45ae-bf51-fccc1de72625",
"f5987b5a-61f6-4c31-9fa2-7bfb845c8d2a"
]
}