
Groups overage claim

I am receiving the group overage claim for a user authenticating against Azure AD. Looks like the below:

{"src1":{"endpoint":"https://graph.windows.net/TENANTID/users/USERID/getMemberObjects"}}

My thought was I could then just call that endpoint, which I did like:

var authenticationContext =
    new AuthenticationContext(
        ctx.Options.Authority);
var clientCredentials =
    new ClientCredential(ctx.Options.ClientId, ctx.Options.ClientSecret);

var result =
    await authenticationContext.AcquireTokenAsync("https://graph.windows.net", clientCredentials);

using (var httpClient = new HttpClient())
{
    httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {result.AccessToken}");

    var httpResponse =
        await httpClient.GetAsync("https://graph.windows.net/TENANTID/users/USERID/getMemberObjects?api-version=1.6");

    var jsonresult =
        await httpResponse.Content.ReadAsStringAsync();
}

I thought this would work, but now it is complaining it wants the method to be a Post. Not sure what I would pass in for Content, but I tried it in Postman, and it still failed.

My hope is that I am just making this more difficult than it needs to be, but for the life of me, I cannot find a good definitive example for how to call the Graph API from an MVC Core App.

Any help would be much appreciated!

Update

I changed it to a Post and passed in a null body, and received an error with code Authorization_RequestDenied and value Insufficient privileges to complete the operation.

Made sure to give the Application Directory.Read.All permissions.

mattruma asked Nov 30 '25 02:11


1 Answer

For Azure AD Graph, your request format is not correct. You could try the following way:

Request URL:

https://graph.windows.net/TenantId/users/UserId/getMemberObjects?api-version=1.6

Method Type: POST

Request Body

{ 
   "securityEnabledOnly": false 
}


Permission Required:

Permission Type: Application

Directory.Read.All Or Directory.ReadWrite.All


For details, you could refer to the official docs.

Md Farid Uddin Kiron answered Dec 02 '25 17:12
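The request described in the answer, as an added C# example that is not part of the original question or answer: it resolves the overage endpoint from the token claims, builds the POST with the JSON body, and parses the returned ids. The `_claim_names` value, the `value` array in the sample response, the class and method names, and the token placeholder are assumptions or constructed sample data; TENANTID and USERID are the page's placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;

static class GroupsOverage   // hypothetical helper, not a library type
{
    // Resolve the getMemberObjects endpoint from the _claim_names / _claim_sources claims.
    public static Uri ResolveEndpoint(string claimNamesJson, string claimSourcesJson)
    {
        using var names = JsonDocument.Parse(claimNamesJson);
        using var sources = JsonDocument.Parse(claimSourcesJson);
        string src = names.RootElement.GetProperty("groups").GetString();
        var uri = new Uri(sources.RootElement.GetProperty(src).GetProperty("endpoint").GetString());
        // Only send the bearer token to the expected Azure AD Graph host over HTTPS.
        if (uri.Scheme != Uri.UriSchemeHttps || uri.Host != "graph.windows.net")
            throw new InvalidOperationException($"Unexpected overage endpoint: {uri}");
        return uri;
    }

    // getMemberObjects must be called with POST, a JSON body and the api-version parameter.
    public static HttpRequestMessage BuildRequest(Uri endpoint, string accessToken)
    {
        var req = new HttpRequestMessage(HttpMethod.Post, $"{endpoint}?api-version=1.6");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        req.Content = new StringContent("{\"securityEnabledOnly\": false}", Encoding.UTF8, "application/json");
        return req;
    }

    // Assumed response shape: the object ids are returned in a "value" array.
    public static List<string> ParseGroupIds(string responseJson)
    {
        using var doc = JsonDocument.Parse(responseJson);
        return doc.RootElement.GetProperty("value").EnumerateArray().Select(e => e.GetString()).ToList();
    }

    static void Main()
    {
        // Constructed sample claims and response; nothing is sent over the network here.
        var endpoint = ResolveEndpoint("{\"groups\":\"src1\"}",
            "{\"src1\":{\"endpoint\":\"https://graph.windows.net/TENANTID/users/USERID/getMemberObjects\"}}");
        using var req = BuildRequest(endpoint, "ACCESS_TOKEN_PLACEHOLDER");
        Console.WriteLine($"{req.Method} {req.RequestUri}");
        var ids = ParseGroupIds("{\"value\":[\"00000000-0000-0000-0000-000000000001\"]}");
        Console.WriteLine(string.Join(",", ids));
    }
}
```

In the question's code, the token from `AcquireTokenAsync` would be passed to `BuildRequest` and the request sent with `HttpClient.SendAsync` in place of `GetAsync`.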


