| title | directoryObject: getMemberObjects |
|---|---|
| description | Return all the groups, administrative units, and directory roles that a user, group, service principal, organizational contact, device, or directory object is a member of. This function is transitive. |
| ms.localizationpriority | medium |
| author | FaithOmbongi |
| ms.subservice | entra-directory-management |
| doc_type | apiPageType |
| ms.date | 04/04/2024 |
Namespace: microsoft.graph
Return all IDs for the groups, administrative units, and directory roles that an object of one of the following types is a member of:
This function is transitive. Only users and role-enabled groups can be members of directory roles.
[!INCLUDE national-cloud-support]
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Directory.Read.All | Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Directory.Read.All | Directory.ReadWrite.All |
Note
The Directory.* permissions allow you to retrieve any supported directory object type via this API. To retrieve only a specific type, you can use permissions specific to the resource.
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | User.Read | User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Not supported. | Not supported. |
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | User.ReadBasic.All and GroupMember.Read.All | User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | User.ReadBasic.All and GroupMember.Read.All | User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All |
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | GroupMember.Read.All | Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | GroupMember.Read.All | Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Application.Read.All | Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Application.Read.All | Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All |
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Directory.Read.All | Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Directory.Read.All | Directory.ReadWrite.All |
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Device.Read.All | Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Device.Read.All | Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All |
Memberships for a directory object
POST /directoryObjects/{id}/getMemberObjectsMemberships for the signed-in user.
POST /me/getMemberObjects[!INCLUDE me-apis-sign-in-note]
[!INCLUDE me-apis-sign-in-note]
Memberships for other user.
POST /users/{id | userPrincipalName}/getMemberObjectsMemberships for a group
POST /groups/{id}/getMemberObjectsMemberships for a service principal
POST /servicePrincipals/{id}/getMemberObjectsMemberships for an organizational contact
POST /contacts/{id}/getMemberObjectsMemberships for a device
POST /devices/{id}/getMemberObjects| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json |
In the request body, provide a JSON object with the following parameters.
| Parameter | Type | Description |
|---|---|---|
| securityEnabledOnly | Boolean | true to specify that only security groups that the entity is a member of should be returned; false to specify that all groups, administrative units, and directory roles that the entity is a member of should be returned. |
If successful, this method returns 200 OK response code and String collection object in the response body.
POST https://graph.microsoft.com/v1.0/directoryObjects/{object-id}/getMemberObjects
Content-type: application/json
{
"securityEnabledOnly": true
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
"value": [
"fee2c45b-915a-4a64-b130-f4eb9e75525e",
"4fe90ae7-065a-478b-9400-e0a0e1cbd540",
"c9ee2d50-9e8a-4352-b97c-4c2c99557c22",
"e0c3beaf-eeb4-43d8-abc5-94f037a65697"
]
}