microsoftgraph / aspnetcore-connect-sample

[ARCHIVED] This ASP.NET Core MVC sample shows how to connect to Microsoft Graph using delegated permissions and the Azure AD v2.0 (MSAL) endpoint.
MIT License

GetPhoto works fine for user with global admin role but fails for normal users. #13

Closed surendrauppari closed 6 years ago

surendrauppari commented 6 years ago

When I try to get the profile picture for users, it works fine with the user who is a Global admin, but it throws an error for other users who are non-admins.

```
Code: UnknownError

Inner error

StatusCode: Unauthorized
```

I have configured the required scopes in the delegated permissions.

User.Read User.ReadBasic.All

```json
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/c7dd3e60-9fc4-40c1-8a22-b8d36677cee9/",
  "iat": 1523429419,
  "nbf": 1523429419,
  "exp": 1523433319,
  "acr": "1",
  "aio": "Y2NgYNCbzXVKcLOibutr1gUZhjknmj6s7ntrkFPQZjij0WDt+6cA",
  "amr": [ "pwd" ],
  "app_displayname": "XXX",
  "appid": "1dfb0546-7413-445a-beef-a2482e9aeb2e",
  "appidacr": "1",
  "e_exp": 262800,
  "ipaddr": "202.153.46.130",
  "name": "surendra",
  "oid": "f67b32d8-4b95-4dc0-9fd4-9ce2057027b1",
  "platf": "3",
  "puid": "10037FFEA8D411C2",
  "scp": "Directory.AccessAsUser.All Directory.ReadWrite.All Files.Read User.Read User.ReadBasic.All User.ReadWrite",
  "sub": "MAOmTQt1Jb7F1CV_BQxGnE_JQzSd9U6o5oOndydp_98",
  "tid": "c7dd3e60-9fc4-40c1-8a22-b8d36677cee9",
  "unique_name": "XXXX",
  "upn": "XXX",
  "uti": "Dr8llO2QfUm4BJEttG8qAA",
  "ver": "1.0"
}
```

mark-szabo commented 6 years ago

Hi @suren4a0, you are using scopes that require admin consent, specifically Directory.AccessAsUser.All and Directory.ReadWrite.All. You won't be able to use these scopes without an admin pre-approving them. Learn more about the scopes here: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
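The check mark-szabo applied by reading the token's `scp` claim, written out as an added Python diagnostic (not code from the sample or from this thread). It decodes a token's payload without verifying the signature, lists the delegated scopes, compares them with what a call needs, and flags the two scopes the thread names as admin-consent-only; the two constructed tokens mirror the `scp` values pasted in this issue, and `ADMIN_CONSENT_SCOPES` is an assumption taken from the discussion, not Graph's full catalogue.

```python
import base64
import json

# Scopes the thread names as requiring admin consent (from the discussion above,
# not a complete catalogue of Graph permissions).
ADMIN_CONSENT_SCOPES = {"Directory.AccessAsUser.All", "Directory.ReadWrite.All"}

def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.
    Diagnostic only: the resource (Graph) validates signature, issuer and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_scopes(claims: dict) -> set:
    # Delegated permissions arrive in the space-separated 'scp' claim.
    return set(claims.get("scp", "").split())

def check_token(token: str, required: set) -> dict:
    """Compare the token's delegated scopes with what a Graph call needs."""
    claims = decode_jwt_claims(token)
    scopes = granted_scopes(claims)
    return {
        "aud_is_graph": claims.get("aud") == "https://graph.microsoft.com",
        "missing": sorted(required - scopes),
        "admin_consent_needed": sorted(scopes & ADMIN_CONSENT_SCOPES),
    }

def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED token for offline testing; the signature is a dummy."""
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64url({"alg": "RS256", "typ": "JWT"}), b64url(claims), "dummy-sig"])

# Constructed claims mirroring the scp values of the two tokens pasted in the thread.
FIRST_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com", "scp":
    "Directory.AccessAsUser.All Directory.ReadWrite.All Files.Read User.Read "
    "User.ReadBasic.All User.ReadWrite"})
SECOND_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com",
                                  "scp": "User.Read User.ReadBasic.All"})

if __name__ == "__main__":
    for tok in (FIRST_TOKEN, SECOND_TOKEN):
        print(check_token(tok, {"User.ReadBasic.All"}))
```

Paste a real token from your own session in place of the constructed ones to see which scopes it actually carries; an empty `missing` list with a 401 still coming back is the situation jasonjoh asks for a network trace on.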

surendrauppari commented 6 years ago

Hi @mark-szabo,

I just added the scopes User.Read and User.ReadBasic.All, which don't require admin consent, but I am still facing the same issue.

access token:

```json
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/c7dd3e60-9fc4-40c1-8a22-b8d36677cee9/",
  "iat": 1523443656,
  "nbf": 1523443656,
  "exp": 1523447556,
  "acr": "1",
  "aio": "ASQA2/8GAAAA3/O45GFUGgmtMuKWBPBQ6eSd2V61jy4GJSL87qRSHp0=",
  "amr": [ "pwd" ],
  "app_displayname": "IdentityServerGraphApi",
  "appid": "1dfb0546-7413-445a-beef-a2482e9aeb2e",
  "appidacr": "1",
  "e_exp": 262800,
  "ipaddr": "202.153.46.130",
  "name": "surendra",
  "oid": "f67b32d8-4b95-4dc0-9fd4-9ce2057027b1",
  "platf": "3",
  "puid": "10037FFEA8D411C2",
  "scp": "User.Read User.ReadBasic.All",
  "sub": "MAOmTQt1Jb7F1CV_BQxGnE_JQzSd9U6o5oOndydp_98",
  "tid": "c7dd3e60-9fc4-40c1-8a22-b8d36677cee9",
  "unique_name": "surendra.uppari@vamsecurity.onmicrosoft.com",
  "upn": "surendra.uppari@vamsecurity.onmicrosoft.com",
  "uti": "1L6ltKI2cEu2dF1-C5ATAA",
  "ver": "1.0"
}
```

mark-szabo commented 6 years ago

Please make sure you set only non-admin scopes on the app registration portal too. More info in the readme: https://github.com/microsoftgraph/aspnetcore-connect-sample/blob/master/README.md#register-the-app

surendrauppari commented 6 years ago

Hi @mark-szabo,

I tried with only non-admin scopes mapped, but no luck.

Thanks, Surendra

ssshake commented 6 years ago

Umm, why does Azure say it doesn't require admin, though? This has been causing us great problems just trying to get /memberof so the user can get a list of group IDs they belong to.

Seems weird to me to require admin consent to let me see what groups I'm a member of.

[screenshot]

mark-szabo commented 6 years ago

@ssshake It DOES NOT require admin consent to get the list of groups the signed-in user belongs to: https://graph.microsoft.com/v1.0/me/memberOf. But it DOES require admin consent to get anybody else's list of groups: https://graph.microsoft.com/v1.0/{user-id}/memberOf.

You can read more about User permissions: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#user-permissions

Let me know if something isn't clear! :)

ssshake commented 6 years ago

@mark-szabo that doesn't appear to be the case; the user gets a 403 attempting to get /me/memberOf. There doesn't appear to be any permission set that I can see that allows /me/memberOf WITHOUT requiring admin consent.

In my screenshot it says requires admin "NO", but that is not what is experienced. In the document you linked, it says admin consent is required, so this disagrees with what's in the Azure portal (my original screenshot).

[screenshot]

Also from Graph Explorer:

[screenshot]

So 1) I'm suggesting that the above two references are correct but the Azure portal is incorrect in stating Admin = NO for Directory.AccessAsUser.All. So the Azure portal's UI should be updated to reflect the documentation for Directory.AccessAsUser.All.

2) I would really like to know which permission set I have to apply (if any) in order to make this call without admin consent. https://graph.microsoft.com/v1.0/me/memberOf. This endpoint will not work with the default permissions.

From what I have tried and what I have read, there is no such permission set. I find it odd that I cannot get a list of my own groups without an admin-consented permission set.

ssshake commented 6 years ago

To be clear, https://graph.microsoft.com/v1.0/me/memberOf does appear to require a permission such as Directory.AccessAsUser.All.

Without that or a similar permission (all of which seem to require admin consent) it 403s. I wish what you said were true, that you do not require admin consent to get your own list of groups, but it appears that is certainly the case. This is bad for our app because now we need admin intervention to get a list of groups, which seems strange.

[screenshot]

[screenshot]

(I have also tried the expand option in beta)

[screenshot]

[screenshot]

jasonjoh commented 6 years ago

We seem to be talking about two different things here.

So first, @suren4a0: Please get a network trace. You should have no trouble getting a user's profile photo with User.ReadBasic.All, so there must be some subtle nuance we're not seeing here.

@ssshake You are correct that getting /me/memberOf apparently requires admin consent per the documentation. You might want to provide feedback on this at UserVoice.

ssshake commented 6 years ago

Sorry for hijacking the ticket. If you have an internal process for raising this issue, that would be appreciated. Otherwise I've moved on by requiring the admin-consented permissions.

mark-szabo commented 6 years ago

I'll close this for now. Please reopen if you feel your question wasn't answered or you need more assistance! :)

ssshake commented 6 years ago

My question was not answered if no action was taken to correct the API so that it does what the docs say, or update the documents to reflect how the API currently behaves.