Azure Active Directory Get User Groups

Question

I'm trying (like many others) to get the group memberships for users of my app. I keep hitting a blocking point where the following line of code:

IPagedCollection<IGroup> pagedCollection = await client.Groups.ExecuteAsync();

.. throws an exception of ("Not Authorized"). While I get what the error is saying, I'm not sure WHY it's saying that. I have granted my application every single permission under the Graph API (39 Applications permissions & 88 delegated permissions - I am only prototyping at this point).

I have also "admin consented" as I've gone through the sign in process and "Accepted" the very long list of permissions it tells me it's going to use, which then proceeds to take me back to my app and then fail on the line of code above.

For reference, I've been following the "TodoListWebApp" demo code on the Azure documentation site, and while I can successfully log into the app using AD Authentication, my modifications to the HomeController Index action to get the list (as a test) seem to be my downfall.

Here's what I used so far;

ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
IPagedCollection<IGroup> pagedCollection = await client.Groups.ExecuteAsync();

do
{
    List<IGroup> directoryGroups = pagedCollection.CurrentPage.ToList();
    foreach (IGroup directoryGroup in directoryGroups)
    {
        roleList.Add((Group)directoryGroup);
    }
    pagedCollection = await pagedCollection.GetNextPageAsync();
}
while (pagedCollection != null);

I have also tried following this pre-existing question; Get a list of groups that Azure AD user belongs to in claims

I've amended the application manifest as mentioned and also tried using the GetGroupMembershipsByObjectId method posted by Jonas.

This only results in an exception message "One or more errors occurred". So I'm well and truly stuck.

Any help would be awesome

EDITS:

A couple of edits - I realised the code posted wasn't accurate as it referred to Roles rather than Groups, so I've updated that.

Second edit, is that I've nailed down the source of the exception to this helper;

https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web/blob/master/WebAppGraphAPI/Utils/AuthenticationHelper.cs

The token is never set hence the error, but I can't see in the source where it's meant to be set? If someone could point me in that direction.

Answer 1

Based on your description, you are using AD Graph in your MVC application. AFAIK, you just need to register your Web app / API application on Azure Portal, then set the Required permissions for Windows Azure Active Directory API, then select the delegated permissions Access the directory as the signed-in user and Sign in and read user profile as follows:

Moreover, you could follow the github sample about Calling the Azure AD Graph API in a web application.

Additionally, you could use jwt.io to decode your access token and make sure the scp property contains the Directory.AccessAsUser.All and User.Read delegated permissions.