| title | directoryObject: checkMemberObjects |
|---|---|
| description | Check for membership in a list of groups, administrative units, or directory roles for the specified user, group, service principal, organizational contact, device, or directory object. |
| ms.localizationpriority | medium |
| author | yyuank |
| ms.reviewer | iamut |
| ms.subservice | entra-users |
| doc_type | apiPageType |
| ms.date | 10/22/2024 |
| ms.custom | sfi-ga-nochange |

Namespace: microsoft.graph

Check for membership in a list of group IDs, administrative unit IDs, or directory role IDs, for the IDs of the specified

This method is transitive.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Directory.Read.All | Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Directory.Read.All | Directory.ReadWrite.All |

Note: The Directory.* permissions allow you to retrieve any supported directory object type via this API. To retrieve only a specific type, you can use permissions specific to the resource.

| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | User.Read | User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Not supported. | Not supported. |

| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | User.ReadBasic.All and GroupMember.Read.All | User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | User.ReadBasic.All and GroupMember.Read.All | User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All |

| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | GroupMember.Read.All | Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | GroupMember.Read.All | Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |

| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Application.Read.All | Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Application.Read.All | Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |

| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Directory.Read.All | Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Directory.Read.All | Directory.ReadWrite.All |

| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Device.Read.All | Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Device.Read.All | Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |

Memberships for a directory object.

```http
POST /directoryObjects/{id}/checkMemberObjects
```

Memberships for the signed-in user.

```http
POST /me/checkMemberObjects
```

Memberships for other users.

```http
POST /users/{id | userPrincipalName}/checkMemberObjects
```

Memberships for a group.

```http
POST /groups/{id}/checkMemberObjects
```

Memberships for a service principal.

```http
POST /servicePrincipals/{id}/checkMemberObjects
```

Memberships for an organizational contact.

```http
POST /contacts/{id}/checkMemberObjects
```

Memberships for a device.

```http
POST /devices/{id}/checkMemberObjects
```

| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |

In the request body, provide a JSON object with the following parameters.

| Parameter | Type | Description |
|---|---|---|
| ids | String collection | A collection that contains the object IDs of the groups, administrative units, directory roles, or roleTemplate IDs of directory roles, in which to check membership. You can specify up to 20 objects. |

If successful, this method returns a 200 OK response code and a new String collection object in the response body.

The following is an example of how to call this API.

The following example shows a request.

```http
POST https://graph.microsoft.com/v1.0/me/checkMemberObjects
Content-type: application/json

{
  "ids": [
    "80a963dd-84af-4eb8-b2a6-781e444d4fb0",
    "62e90394-69f5-4237-9190-012177145e10",
    "86a64f51-3a64-4cc6-a8c8-6b8f000c0f52",
    "ac38546e-ddf3-437a-ac5c-27a94cd7a0f1"
  ]
}
```

The following example shows the response.

Note: The response object shown here might be shortened for readability.

```http
HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    "80a963dd-84af-4eb8-b2a6-781e444d4fb0",
    "62e90394-69f5-4237-9190-012177145e10"
  ]
}
```
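
Added example (not part of the original reference page or of Microsoft's sample code): a Python helper for authorization checks that splits a longer candidate list into requests of at most 20 IDs, the stated limit for `ids`, and raises instead of returning an empty list when a call fails. The helper names, the injectable `post` parameter and `fake_post` are assumptions of this example; the IDs are the ones from the request above.

```python
import json
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
MAX_IDS_PER_CALL = 20  # the ids parameter accepts up to 20 objects per request


def graph_post(url, token, body):
    """Send one authenticated JSON POST; urlopen raises on 4xx/5xx responses."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.load(resp)


def check_member_objects(object_path, candidate_ids, token, post=graph_post):
    """Return the candidate IDs that object_path is a (transitive) member of.

    object_path is a path from the request list, e.g. "me" or "groups/{id}".
    post is injectable (an assumption of this example) so the logic runs offline.
    """
    ids = list(dict.fromkeys(i.lower() for i in candidate_ids))  # dedupe, keep order
    matched = set()
    for start in range(0, len(ids), MAX_IDS_PER_CALL):
        batch = ids[start:start + MAX_IDS_PER_CALL]
        status, payload = post(f"{GRAPH_BASE}/{object_path}/checkMemberObjects",
                               token, {"ids": batch})
        value = payload.get("value") if isinstance(payload, dict) else None
        if status != 200 or not isinstance(value, list):
            # Fail closed: an error must never read as "member of nothing".
            raise RuntimeError(f"checkMemberObjects failed with status {status}")
        # Accept only IDs that were actually asked about in this batch.
        matched.update(i.lower() for i in value
                       if isinstance(i, str) and i.lower() in batch)
    return [i for i in ids if i in matched]


def fake_post(url, token, body):
    """Constructed stand-in for Graph: the object belongs to two of the page's IDs."""
    member_of = {"80a963dd-84af-4eb8-b2a6-781e444d4fb0",
                 "62e90394-69f5-4237-9190-012177145e10"}
    return 200, {"value": [i for i in body["ids"] if i in member_of]}


if __name__ == "__main__":
    wanted = ["80a963dd-84af-4eb8-b2a6-781e444d4fb0",
              "ac38546e-ddf3-437a-ac5c-27a94cd7a0f1"]
    print(check_member_objects("me", wanted, "<token>", post=fake_post))
```

Because the method is transitive, a match can come from nested group membership, so callers that need direct membership only must not rely on this check alone.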