Export (0) Print
Expand All

Get User's Group Memberships (intransitive)

Updated: February 23, 2015

The User memberOf operation gets the groups that a specified user is a member of. The operation is intransitive, that is, it will only return groups that the object is a direct member of. This is unlike the isMemberOf function of the directory service, which is transitive and which will return true if the object being tested is a member of a group either directly or through the object’s membership in another group. The memberOf operation can also be performed on groups and contacts.

The request may be constructed as follows. Replace mytenantdomain with the domain of your Azure Active Directory tenant, such as contoso.onmicrosoft.com. The api-version query string parameter is required. If “$links” is included in the URI, then the response will contain only links to the relevant directory objects. If “$links” is omitted from the URI, the objects themselves are returned. Either objectId or userPrincipalName may be used to specify the target user. The examples in this topic use the tenant domain to address the tenant. For other ways of addressing the tenant, see Addressing Entities and Operations in the Graph API.

 

HTTP Method Request URI HTTP Version

GET

https://graph.windows.net/mytenantdomain/users/<objectId||userPrincipalName>/$links/memberOf?api-version=2013-04-05

HTTP 1.1

noteNote
To return group memberships for a group, specify “groups” as the resource set; for a contact, specify “contacts”. You can also specify “directoryObjects” as the resource set; for example, https://graph.windows.net/contoso.onmicrosoft.com/directoryObjects/5e624f44-d38d-4943-b07c-2bad078f52ff/members?api-version=2013-04-05. Only objectId can be used when the resource set is “groups”, “contacts”, or “directoryObjects”.

 

Request Header Description

Authorization

Required. A bearer token issued by Azure Active Directory. See Authentication Scenarios for Azure AD for more information.

Content-Type

Required. The media type of the content in the request body.

Content-Length

Required. The length of the request in bytes.

There is no body required for this request.

The following sample request gets the members for the specified group.

GET https://graph.windows.net/contoso.onmicrosoft.com/users/Mohamed@contoso.onmicrosoft.com/memberOf?api-version=2013-04-05 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net

A successful operation returns status code 200 OK.

 

Response Header Description

ocp-aad-diagnostics-server-name

The identifier for the server that performed the requested operation.

ocp-aad-session-key

The key that identifies the current session with the directory service.

The following sample response is received when the sample request above is sent. The user is a direct member of two groups.

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 813
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Server: Microsoft-IIS/7.5
ocp-aad-diagnostics-server-name: wByDmqOAuV8t6pYQ6JlEvztwcfHFDpgbEASm4svTq80=
request-id: a8019634-c95f-4b3d-a687-deeb5c8a999c
client-request-id: 5799c567-fd51-458f-b6b9-d28b526e2d4a
x-ms-dirapi-data-contract-version: 1.0
ocp-aad-session-key: hIjXnKvAxhu1ikHG4qY6Sal4z2loarVqCfOCSNw_e4iEGZcvpqXe8dTnQxhUyhJTwEcYuRl3wdAIoSjGiUiFoyR-lFr2cOf6cEFsCjKJ3Z8.gbGO2Q0QAnOJtrlrfFUiPZexy9pTHhqHpccIubSyLw4
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Date: Fri, 05 Apr 2013 23:23:19 GMT

{
    "odata.metadata": "https://graph.windows.net/contoso.onmicrosoft.com/$metadata#directoryObjects",
    "value": [
        {
            "odata.type": "Microsoft.WindowsAzure.ActiveDirectory.Group",
            "objectType": "Group",
            "objectId": "8ab3f116-1afb-44cb-8e61-6b20cb1e353c",
            "description": null,
            "dirSyncEnabled": null,
            "displayName": "Nortwest Sales",
            "lastDirSyncTime": null,
            "mail": null,
            "mailNickname": "SalesNW",
            "mailEnabled": false,
            "provisioningErrors": [],
            "proxyAddresses": [],
            "securityEnabled": true
        },
        {
            "odata.type": "Microsoft.WindowsAzure.ActiveDirectory.Group",
            "objectType": "Group",
            "objectId": "be78b7e2-a94a-4ab0-9bb4-403977cc7ec6",
            "description": null,
            "dirSyncEnabled": null,
            "displayName": "Managers",
            "lastDirSyncTime": null,
            "mail": null,
            "mailNickname": "Managers",
            "mailEnabled": false,
            "provisioningErrors": [],
            "proxyAddresses": [],
            "securityEnabled": true
        }
    ]
}

The following shows the request and response if links are requested in the URI. In addition the user’s objectID rather than the userPrincipalName is used in the request.

GET https://graph.windows.net/contoso.onmicrosoft.com/users/ea59e4d3-a7a1-4b5b-b65f-a25fcc0c0f99/$links/memberOf?api-version=2013-04-05 HTTP/1.1
Authorization: Bearer eyJ0eX ... FWSXfwtQ
Content-Type: application/json
Host: graph.windows.net

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 462
Content-Type: application/json;odata=minimalmetadata;streaming=true;charset=utf-8
Server: Microsoft-IIS/7.5
ocp-aad-diagnostics-server-name: GpZBqv1HpLKoq8DomLBjVg0qidYJApbIcc5XfQ74dc8=
request-id: 25d7bb8d-8f15-4f91-b789-1f185491e6d5
client-request-id: 5d5b45d1-3fc0-4d18-af75-2ffd155146b4
x-ms-dirapi-data-contract-version: 1.0
ocp-aad-session-key: OOKA1f4U6-J31EGzMlCBU4ET7DlsDLxX-8lNWclH_0Vbh82G5PAKbyHs3hq2tTIRkKfnPI4-kPWDqeXFUqcDVna9x-fcvkFGsNqeakB1HkA.99nFquvIo2hhcHXftZQ7rKcJU-nMgQs6UcxmbVs30Mk
X-Content-Type-Options: nosniff
DataServiceVersion: 3.0;
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Date: Fri, 29 Mar 2013 21:21:01 GMT

{
    "odata.metadata": "https://graph.windows.net/contoso.onmicrosoft.com/$metadata#directoryObjects/$links/memberOf",
    "value": [
        {
            "url": "https://graph.windows.net/contoso.onmicrosoft.com/directoryObjects/8ab3f116-1afb-44cb-8e61-6b20cb1e353c/Microsoft.WindowsAzure.ActiveDirectory.Group"
        },
        {
            "url": "https://graph.windows.net/contoso.onmicrosoft.com/directoryObjects/be78b7e2-a94a-4ab0-9bb4-403977cc7ec6/Microsoft.WindowsAzure.ActiveDirectory.Group"
        }
    ]
}

See Also

Show:
© 2015 Microsoft