
List a user's direct memberships


Namespace: microsoft.graph

Get groups, directory roles, and administrative units that the user is a direct member of. This operation isn't transitive. To retrieve groups, directory roles, and administrative units that the user is a member of through transitive membership, use the List user transitive memberOf API.

This API is available in the following national cloud deployments.

Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permissions for the signed-in user's direct memberships

Permission type | Least privileged permissions | Higher privileged permissions
Delegated (work or school account) | User.Read | Directory.Read.All, Directory.ReadWrite.All, GroupMember.Read.All
Delegated (personal Microsoft account) | Not supported. | Not supported.
Application | Not supported. | Not supported.

Permissions for another user's direct memberships

Permission type | Least privileged permissions | Higher privileged permissions
Delegated (work or school account) | User.Read.All | Directory.Read.All, Directory.ReadWrite.All, GroupMember.Read.All
Delegated (personal Microsoft account) | Not supported. | Not supported.
Application | Directory.Read.All | Directory.ReadWrite.All

Important

When an application queries a relationship that returns a directoryObject type collection, if it doesn't have permission to read a certain resource type, members of that type are returned but with limited information. For example, only the @odata.type property for the object type and the id are returned, while other properties are indicated as null. With this behavior, applications can request the least privileged permissions they need, rather than rely on the set of Directory.* permissions. For details, see Limited information returned for inaccessible member objects.
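The limited-information behavior matters for access reviews: a membership the token cannot read still appears in the result, just without a name. The following is an added example, not part of the original documentation; the sample response and the function names are constructed for illustration.

```python
import json

# Constructed sample response (not from the page). The second and third
# entries have the limited-information shape: only @odata.type and id set.
SAMPLE_RESPONSE = json.loads("""
{
  "value": [
    {"@odata.type": "#microsoft.graph.group",
     "id": "00000000-0000-0000-0000-000000000001",
     "displayName": "All Users", "securityEnabled": true},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "id": "00000000-0000-0000-0000-000000000002",
     "displayName": null, "description": null},
    {"@odata.type": "#microsoft.graph.administrativeUnit",
     "id": "00000000-0000-0000-0000-000000000003"}
  ]
}
""")

IDENTITY_KEYS = {"@odata.type", "id"}


def is_limited(obj):
    """True when nothing besides @odata.type and id carries a value."""
    return all(v is None for k, v in obj.items() if k not in IDENTITY_KEYS)


def summarize_memberships(response):
    """Group memberOf entries by type, separating readable from limited ids."""
    summary = {}
    for obj in response.get("value", []):
        kind = obj.get("@odata.type", "unknown").rsplit(".", 1)[-1]
        bucket = summary.setdefault(kind, {"readable": [], "limited": []})
        bucket["limited" if is_limited(obj) else "readable"].append(obj.get("id"))
    return summary


def unreadable_types(response):
    """Resource types for which the token's permissions returned only stubs."""
    summary = summarize_memberships(response)
    return sorted(kind for kind, ids in summary.items() if ids["limited"])
```

A report built on this should list the limited ids as "membership present, details not readable" rather than dropping them. The check assumes the request did not use $select=id, which would make every entry look limited.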

Tip

  • Calling the /me/memberOf endpoint requires a signed-in user and therefore a delegated permission. Application permissions are not supported when you use the /me/memberOf endpoint.
  • To list the members of a group with hidden membership, the Member.Read.Hidden permission is required.

HTTP request

GET /me/memberOf

Note

Calling the /me endpoint requires a signed-in user and therefore a delegated permission. Application permissions aren't supported when using the /me endpoint.

GET /users/{id | userPrincipalName}/memberOf

Optional query parameters

This method supports the OData query parameters to help customize the response, including $search, $count, and $filter. OData cast is also enabled; for example, you can cast to get just the directoryRoles the user is a member of. You can use $search on the displayName property. Items that are added or updated for this resource are specially indexed for use with the $count and $search query parameters. There can be a slight delay between when an item is added or updated and when it's available in the index.

The use of $filter with this API requires the ConsistencyLevel header set to eventual and $count. However, in such scenarios, you can't use $expand in the same request as it isn't supported with advanced query parameters. For more information, see Advanced query capabilities on directory objects.

Request headers

Header | Value
Authorization | Bearer {token}. Required. Learn more about authentication and authorization.
ConsistencyLevel | eventual. This header and $count are required when using the $search, $filter, $orderby, or OData cast query parameters. It uses an index that might not be up-to-date with recent changes to the object.
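The rules in "Optional query parameters" and "Request headers" can be enforced where the request is built, so a query never goes out without the header it needs. This is an added example, not part of the original documentation; build_member_of_request and its parameters are hypothetical names, and the token is left as the page's {token} placeholder.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
ADVANCED = ("$search", "$filter", "$orderby")
SAFE = "$'(),:"  # keep OData punctuation readable; spaces and quotes get encoded


def build_member_of_request(user, params=None, cast=None, count_only=False):
    """Return (url, headers) for a memberOf call, applying the page's rules.

    user: object id or userPrincipalName; cast: e.g. "group" (OData cast);
    count_only: request the /$count segment instead of the collection.
    """
    params = dict(params or {})
    advanced = count_only or cast is not None or any(p in params for p in ADVANCED)

    # $expand is not supported together with advanced query parameters.
    if advanced and "$expand" in params:
        raise ValueError("$expand cannot be combined with advanced query parameters")

    path = f"{GRAPH}/users/{quote(user, safe='@')}/memberOf"
    if cast:
        path += f"/microsoft.graph.{cast}"
    if count_only:
        path += "/$count"
    elif advanced:
        # Advanced queries need $count alongside the ConsistencyLevel header.
        params.setdefault("$count", "true")

    headers = {"Authorization": "Bearer {token}"}  # placeholder, as on the page
    if advanced:
        headers["ConsistencyLevel"] = "eventual"

    query = "&".join(f"{k}={quote(str(v), safe=SAFE)}" for k, v in params.items())
    return (f"{path}?{query}" if query else path), headers
```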

Request body

Don't supply a request body for this method.

Response

If successful, this method returns a 200 OK response code and a collection of directoryObject objects in the response body.

Examples

Example 1: Get groups, directory roles, and administrative units that the user is a direct member of

Request

The following example shows a request.

GET https://graph.microsoft.com/v1.0/users/6e7b768e-07e2-4810-8459-485f84f8f204/memberOf

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    {
      "@odata.type": "#microsoft.graph.group",
      "displayName": "All Users",
      "mailEnabled": false,
      "securityEnabled": true
    }
  ]
}

Example 2: Get only a count of all groups, directory roles, and administrative units that the user is a direct member of

Request

The following example shows a request.

GET https://graph.microsoft.com/v1.0/users/{id}/memberOf/$count
ConsistencyLevel: eventual

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: text/plain

17

Example 3: Use OData cast to get only a count of group membership

Request

The following example shows a request.

GET https://graph.microsoft.com/v1.0/users/{id}/memberOf/microsoft.graph.group/$count
ConsistencyLevel: eventual

Response

The following example shows the response.

HTTP/1.1 200 OK
Content-type: text/plain

16

Example 4: Use $search and OData cast to get membership in groups with display names that contain the letters 'tier' including a count of returned objects

Request

The following example shows a request.

GET https://graph.microsoft.com/v1.0/users/{id}/memberOf/microsoft.graph.group?$count=true&$orderby=displayName&$search="displayName:tier"&$select=displayName,id
ConsistencyLevel: eventual

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(displayName,id)",
  "@odata.count": 7,
  "value": [
    {
      "displayName": "Contoso-tier Query Notification",
      "id": "11111111-2222-3333-4444-555555555555"
    }
  ]
}

Example 5: Use $filter and OData cast to get groups with a display name that starts with 'a' including a count of returned objects

Request

The following example shows a request.

GET https://graph.microsoft.com/v1.0/users/{id}/memberOf/microsoft.graph.group?$count=true&$orderby=displayName&$filter=startswith(displayName, 'a')
ConsistencyLevel: eventual

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
  "@odata.count": 76,
  "value": [
    {
      "displayName": "AAD Contoso Users",
      "mail": "AADContoso_Users@contoso.com",
      "mailEnabled": true,
      "mailNickname": "AADContoso_Users",
      "securityEnabled": true
    }
  ]
}

Example 6: Use $filter and OData cast to get groups with at least one app role assignment

Request

The following example shows a request.

GET https://graph.microsoft.com/v1.0/users/{id}/memberOf/microsoft.graph.group?$filter=appRoleAssignments/$count gt 0&$select=id,displayName

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
  "value": [
    {
      "id": "c11b732b-0e16-46c1-b0fa-bd32c8a42455",
      "displayName": "All users"
    },
    {
      "id": "3f927b40-06f8-4352-b8e4-37a7ba04b7ff",
      "displayName": "AAD Contoso Users"
    }
  ]
}
