ubuntu / authd

Authentication daemon for external Brokers
GNU Lesser General Public License v3.0

Issue: broker denies login of guest accounts #517

Closed adombeck closed 6 days ago

adombeck commented 1 week ago

The Microsoft Graph API doesn't support listing groups of personal accounts: https://learn.microsoft.com/en-us/graph/api/user-list-transitivememberof?view=graph-rest-1.0&tabs=http#permissions-for-the-signed-in-users-memberships

Currently, the broker denies authentication if it can't fetch the user's groups. If fetching the user groups is not possible because it's a personal account, we should just log the user in without adding them to any groups.

adombeck commented 1 week ago

It seems like it's actually not related to personal accounts, but to accounts which are guests on the tenant. Those seem to require additional privileges to call the https://graph.microsoft.com/v1.0/users/{id}/transitiveMemberOf endpoint to get the groups, directory roles and administrative units. However, these accounts can access the https://graph.microsoft.com/v1.0/users/{id}/transitiveMemberOf/microsoft.graph.group endpoint instead, which only returns the groups, not the directory roles and administrative units.
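The fallback described in the comment above, as an added example rather than authd's or the broker's own code: a hypothetical `fetchGroups` helper calls the full `transitiveMemberOf` endpoint, retries the `/microsoft.graph.group` variant when the first call is rejected, and keeps only group objects so both paths yield the same data. It assumes the `*http.Client` passed in already attaches the bearer token, and it does not follow `@odata.nextLink` paging.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// graphObject is the subset of a Graph directoryObject this example reads.
type graphObject struct {
	Type string `json:"@odata.type"`
	Name string `json:"displayName"`
}

// getObjects fetches one page of directory objects; any non-200 status (for example the
// 403 a guest gets from the full endpoint) is reported as an error.
func getObjects(c *http.Client, url string) ([]graphObject, error) {
	resp, err := c.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: HTTP %d", url, resp.StatusCode)
	}
	var page struct{ Value []graphObject }
	return page.Value, json.NewDecoder(resp.Body).Decode(&page)
}

// fetchGroups (hypothetical helper, not the broker's code) tries the full transitiveMemberOf
// endpoint first and, when that is rejected, retries the group-only endpoint. Directory roles
// and administrative units are filtered out so both paths return the same kind of data.
func fetchGroups(c *http.Client, baseURL, userID string) ([]string, error) {
	full := baseURL + "/v1.0/users/" + userID + "/transitiveMemberOf"
	objs, err := getObjects(c, full)
	if err != nil {
		// If the fallback fails too, return the error: the caller still decides whether that
		// means denying the login or logging the user in with no groups.
		if objs, err = getObjects(c, full+"/microsoft.graph.group"); err != nil {
			return nil, fmt.Errorf("group lookup failed on both endpoints: %w", err)
		}
	}
	groups := []string{}
	for _, o := range objs {
		if o.Type == "#microsoft.graph.group" {
			groups = append(groups, o.Name)
		}
	}
	return groups, nil
}
```

Because the group-only endpoint never returns directory roles, filtering on `@odata.type` in the full path keeps a guest's and a member's results comparable, and a failure of both calls is surfaced rather than silently treated as "no groups".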