Graph API permission requirements changed

    Question

  • Hello,

    We have an app that has been calling the https://graph.windows.net/tenant-id/users/user-id/getMemberGroups?api-version=1.6 function happily until yesterday. The app has only the following three delegated permissions:

    • Group.Read.All (Read all groups)
    • User.Read (Sign in and read user profile)
    • User.Read.All (Read all users' full profiles)

    And until yesterday those were enough. We got the first exception at 10:24 PM UTC yesterday (May 1st). After that any attempts to call the endpoint with a valid access token were met with an HTTP 403 Forbidden, along with a message saying we lack privileges.

    After debugging the issue, I renewed all permission grants and it is still not working.

    What did work, however, was adding the delegated permission Access the directory as the signed-in user.

    Now, how is it possible that calling the same endpoint on the same API version now requires more permissions? Isn't the whole point of API versions to isolate this kind of change?

    Tuesday, May 02, 2017 12:56 PM
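
An added diagnostic example (not part of the original post and not Microsoft's code): when a 403 persists after renewing grants, decoding the access token's `scp` claim shows which delegated scopes the token actually carries. The helper names and the unsigned sample token are constructed for illustration, `Directory.AccessAsUser.All` is assumed as the scope value behind "Access the directory as the signed-in user", and the signature is not verified, so this is for inspection only.

```python
import base64
import json

# Delegated permissions named in the question, as scope values.
ORIGINAL_SCOPES = {"Group.Read.All", "User.Read", "User.Read.All"}
# Assumed scope value for "Access the directory as the signed-in user".
WORKAROUND_SCOPE = "Directory.AccessAsUser.All"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Return payload claims WITHOUT verifying the signature (diagnostic only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def scope_report(jwt: str, expected: set) -> dict:
    """Compare the delegated scopes carried in the token with the expected set."""
    claims = token_claims(jwt)
    # Delegated tokens list scopes space-separated in 'scp'; absent means none.
    granted = set(claims.get("scp", "").split())
    return {
        "aud": claims.get("aud"),
        "granted": granted,
        "missing": expected - granted,
        "unexpected": granted - expected,
    }


def make_sample_token(scp: str) -> str:
    """Build a constructed, unsigned sample token for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"aud": "https://graph.windows.net", "scp": scp}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])


if __name__ == "__main__":
    sample = make_sample_token("Group.Read.All User.Read User.Read.All")
    report = scope_report(sample, ORIGINAL_SCOPES | {WORKAROUND_SCOPE})
    print("audience:", report["aud"])
    print("missing :", sorted(report["missing"]))
```

The `unexpected` set is the least-privilege side of the same check: it lists scopes the token carries beyond what the app is meant to hold.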

All replies

  • We would request you to create a Technical Support Ticket on this, as our engineers would need to work with you on the issue and would also require sensitive information like the subscription and tenant details.

    Tuesday, May 30, 2017 3:41 PM
    Moderator