How to get the groups of Internal/Guest users

Question

I have written an application where Internal as well as Guest users are authenticated using the graph api. Everything works perfectly fine till here. I can able to get the groups of the Internal users (using https://graph.microsoft.com/v1.0/me/ownerOf), however I am getting the issues while I am trying to get the groups for the Guest users. Getting below error.

No HTTP resource was found that matches the request URI 'https://outlook.office365.com:444/profile/v1.0/users('CID:ab7adee445a89dff')/profile/memberOf?api-version=AGSV1-internal'.

Here is the code for authenticating the Internal/Guest users:

        IConfidentialClientApplication clientApp = MsalAppBuilder.BuildConfidentialClientApplication(new ClaimsPrincipal(context.AuthenticationTicket.Identity));
        var signedInUser = new ClaimsPrincipal(context.AuthenticationTicket.Identity);
        var tokenStore = new SessionTokenStore(clientApp.UserTokenCache, HttpContext.Current, signedInUser);
        AuthenticationResult result = await clientApp.AcquireTokenByAuthorizationCode(new[] { "User.Read User.ReadBasic.All Group.ReadWrite.All" }, context.Code).ExecuteAsync();

        var userDetails = await GraphHelper.GetUserDetailsAsync(result.AccessToken);

Here is the code to get the groups of the Internal/Guest users:

        var graphClient = new GraphServiceClient(
            new DelegateAuthenticationProvider(
                async (requestMessage) =>
                {
                    var idClient = ConfidentialClientApplicationBuilder.Create(appId)
                        .WithRedirectUri(redirectUri)
                        .WithClientSecret(appSecret)
                        .Build();

                    var tokenStore = new SessionTokenStore(idClient.UserTokenCache,
                        HttpContext.Current, ClaimsPrincipal.Current);

                    var accounts = await idClient.GetAccountsAsync();

                    // By calling this here, the token can be refreshed
                    // if it's expired right before the Graph call is made
                    var scopes = graphScopes.Split(' ');
                    var result = await idClient.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
                        .ExecuteAsync();

                    requestMessage.Headers.Authorization =
                        new AuthenticationHeaderValue("Bearer", result.AccessToken);
                }));

        var allgroups = await graphClient.Me.OwnedObjects
                    .Request()
                    .GetAsync();
        var groups = allgroups.Where(x => x.ODataType == "#microsoft.graph.group").Cast();

Please let me know if there is any permissions which needs to be given from the Azure Active Directory for the same. If you have any code for the same, please help !

Answer 1

Hey @Sagar Venaganti

This should be working properly, can you take a look at Shawn Tabrizi's answer regarding getting guest user memberof attribute here : https://stackoverflow.com/questions/46754507/guest-account-queries-to-azure-ad-or-graph-in-single-tenant-application

Is this a multi-tenant AAD Application? And what is the exact request that you're making?

If you're still having issues with this you may need to open a support ticket as there might be an issue with the user that you're making the memberof graph api call. However, I'm thinking that either the issue is that the UserID is wrong, or there is something malformed in the request. Note that the UPN for guests has a #EXT# typically.

Thanks