Skip to content

directoryobject-getmembergroups.md

Latest commit

 

History

History
318 lines (245 loc) · 13.4 KB

directoryobject-getmembergroups.md

File metadata and controls

318 lines (245 loc) · 13.4 KB
title directoryObject: getMemberGroups
description Return all the groups that the specified user, group, service principal, organizational contact, device, or directory object is a member of. This function is transitive.
ms.localizationpriority medium
author FaithOmbongi
ms.subservice entra-directory-management
doc_type apiPageType
ms.date 10/02/2024

directoryObject: getMemberGroups

Namespace: microsoft.graph

Return all the group IDs for the groups that the specified user, group, service principal, organizational contact, device, or directory object is a member of. This function is transitive.

This API returns up to 11,000 group IDs. If more than 11,000 results are available, it returns a 400 Bad Request error with the Directory_ResultSizeLimitExceeded error code. If you get the Directory_ResultSizeLimitExceeded error code, use the List group transitive memberOf API instead.

[!INCLUDE national-cloud-support]

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Group memberships for a directory object

Here, the permission allows you to read any directory object, regardless of the object type. To scope the operation to a specific object type and use lesser-privileged permissions, refer to other permissions tables on this page.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Directory.Read.All
Delegated (personal Microsoft account) Not supported.
Application Directory.Read.All

Group memberships for a user

Permission type Permissions (from least to most privileged)
Delegated (work or school account) User.ReadBasic.All and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All
Delegated (personal Microsoft account) Not supported.
Application User.ReadBasic.All and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All

Group memberships for a group

Permission type Permissions (from least to most privileged)
Delegated (work or school account) GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

Group memberships for a service principal

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All

Group memberships for an organizational contact

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application Directory.Read.All, Directory.ReadWrite.All

Group memberships for a device

[!INCLUDE permissions-table]

HTTP request

Group memberships for a directory object (user, group, service principal, or organizational contact).

POST /directoryObjects/{id}/getMemberGroups

Group memberships for the signed-in user or other users.

POST /me/getMemberGroups
POST /users/{id | userPrincipalName}/getMemberGroups

[!INCLUDE me-apis-sign-in-note]

[!INCLUDE me-apis-sign-in-note]

Group memberships for a group.

POST /groups/{id}/getMemberGroups

Group memberships for a service principal.

POST /servicePrincipals/{id}/getMemberGroups

Group memberships for an organizational contact.

POST /contacts/{id}/getMemberGroups

Group memberships for a device.

POST /devices/{id}/getMemberGroups

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json

Request body

In the request body, provide a JSON object with the following parameters.

Parameter Type Description
securityEnabledOnly Boolean true to specify that only security groups that the entity is a member of should be returned; false to specify that all groups and directory roles that the entity is a member of should be returned. true can be specified only for users or service principals to return security-enabled groups.

Response

If successful, this method returns 200 OK response code and String collection object in the response body.

Examples

Example 1: Check group memberships for a directory object

Request

HTTP

POST https://graph.microsoft.com/v1.0/directoryObjects/0049d944-a805-4680-9f54-3ab292090309/getMemberGroups
Content-type: application/json

{
    "securityEnabledOnly": false
}

C#

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Go

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Java

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

JavaScript

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

PHP

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

PowerShell

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Python

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
    "value": [
        "a8daa1fb-d24c-47d0-9e9e-c99e83394e3e"
    ]
}

Example 2: Check group memberships for the signed-in user

Request

HTTP

POST https://graph.microsoft.com/v1.0/me/getMemberGroups
Content-type: application/json

{
  "securityEnabledOnly": true
}

C#

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Go

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Java

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

JavaScript

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

PHP

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

PowerShell

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Python

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
    "value": [
        "6239671a-0db6-4e8b-9d2f-f280efb5a181",
        "2e2f1227-1586-45ae-bf51-fccc1de72625",
        "1dae9306-be75-4c3c-99ec-0316a4342c84",
        "0e2d1bbb-76f8-4140-bda7-2a858b74507e",
        "0049d944-a805-4680-9f54-3ab292090309",
        "a8daa1fb-d24c-47d0-9e9e-c99e83394e3e",
        "6f204729-1b8f-4067-bcc9-98fb6c069ffd",
        "59afd38d-441a-4358-b074-8b9b1e7de52f",
        "64ed3df3-53c7-4d4d-ac5c-5c8dd4dafe33",
        "8b676bab-4b1e-419e-a253-7f5aca97d739",
        "be4ef325-9fa8-40d7-b375-4758853ddf52",
        "f5987b5a-61f6-4c31-9fa2-7bfb845c8d2a"
    ]
}