Microsoft Graph Api returns forbidden response when trying to use /me/memberOf in ASP.NET Core MVC

Question

Here is what I have. (ApiVersion is v1.0)

private async Task GetUsersRoles(string accessToken, ClaimsIdentity identity, string userId)
         


        

Answer 1

Please take another read of this Microsoft Graph topic on permissions here: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes. There are a couple of concepts here that might help clarify things (although our docs can certainly be improved in this area):

1. There are 2 types of permission: application and delegated permissions
2. Some delegated permissions can be consented by end users (generally when the permission is scoped to requesting the signed-in user's data - like their profile, their mail, their files.
3. Other delegated permissions that provide access to more data than is scoped to the signed-in user generally requires an administrator to consent.
4. Application permissions ALWAYS require an administrator to consent. These are by definition tenant-wide (since there is no user context).
5. It is possible for admins to consent to delegated permissions on behalf of the organization (thus suppressing any consent experience for end users). Again there are more topics on this available.

If you always have a signed-in user present (which it looks like), I would strongly recommend that you use delegated permissions over application permissions.

I also noticed that you are creating claims using group display names. The group display name is NOT immutable and can be changed... Not sure if this could lead to some interesting security issues if apps are making authz decisions based on the value of these claims.

Hope this helps,