Knowledge Base

How to confirm user’s AAD group membership with Graph Explorer

Problem:

You configured a rule which adds a signature to messages sent by users belonging to a certain Azure Active Directory (AAD) group. After adding a new user to the group, you find out that the user does not get the signature when they send an email. You would like to check the user’s AAD membership status to confirm they have been properly added to the group.

Solution:

The first logical step in such a situation is to review the group's Members page in the Azure Active Directory admin center. However, the portal is not what the signature software consults: membership is read through Microsoft Graph, the API platform that fronts Microsoft's cloud services, so the authoritative check is what Graph returns for that user. To run that check you can use Graph Explorer, a web-based tool from Microsoft for sending requests to the Graph API and inspecting the responses.

There are two ways to find out if your newly added user actually belongs to a given AAD group:

  1. Displaying members of the group
  2. Displaying groups the user belongs to

To learn more about each method, go straight to the appropriate section below or read on.

Displaying members of the group

With this method, you will get the list of users that belong to the AAD group in question. You can check this list to verify membership of the specific user. To display group members in Microsoft Graph Explorer, follow the steps below:

  1. Open the Azure Active Directory admin center.
  2. In the navigation menu on the left, click All services, and, on the page that opens, select Groups (Fig. 1.).

Accessing Azure Active Directory groups.
Fig. 1. Accessing Azure Active Directory groups.

  3. Click the group which the newly added user belongs to and, on the Overview settings page that opens, copy the object ID value by using the button on the right end of the Object Id text field (Fig. 2.).

Copying the group’s Object ID value from the Azure Active Directory admin center.
Fig. 2. Copying the group’s Object ID value from the Azure Active Directory admin center.

  4. Next, navigate to Microsoft Graph Explorer in your browser.
  5. Once there, log in by clicking the Sign in to Graph Explorer button (Fig. 3.) on the left and providing your global admin credentials. Now, you can finally query Graph Explorer for the group membership data.

Signing in to Graph Explorer.
Fig. 3. Signing in to Graph Explorer.

  6. First, choose GET from the leftmost drop-down menu at the top of the window (Fig. 4., item 1). Next, in the URL text field, type or paste https://graph.microsoft.com/v1.0/groups/{ID}/members, replacing the {ID} portion with the group's Object ID value you've copied in step 3 (Fig. 4., item 2). Finally, click the Run query button in the top right corner of the window (Fig. 4., item 3).

Defining the query to retrieve information on group members from Microsoft Graph.
Fig. 4. Defining the query to retrieve information on group members from Microsoft Graph.

Info

If you get the Request_ResourceNotFound error (HTTP 404) while running the query, the most likely causes are that you are not signed in to your own tenant (a signed-out Graph Explorer runs against Microsoft's sample tenant, where your group does not exist) or that the group's Object ID in the URL is wrong or incomplete. Make sure you are signed in with your admin account and that the URL has exactly the format above with the correct Object ID.

If you get the following or similar error:

Forbidden - 403. You need to consent to the permissions on the Modify permissions (Preview) tab

go to the Modify permissions tab (Fig. 5., item 1). Click the Consent button (Fig. 5., item 2) and then Accept in the pop-up window that opens (Fig. 5., item 3). Repeat this procedure for each of the listed permissions. The permissions Graph Explorer lists for this query are read-only directory permissions; consent only to what it asks for, never to a write permission, and bear in mind that the consent stays granted to the Graph Explorer application for your account until you revoke it (you can review it under Enterprise applications in the admin center). After completing the steps, resend your query by clicking the Run query button again.

Granting the permissions necessary to run the query.
Fig. 5. Granting the permissions necessary to run the query.

  7. You should now get the list of users belonging to the group (in the JSON format) on the Response preview tab at the bottom of the window (see Fig. 4., item 4). Identify the user by the id or userPrincipalName property rather than displayName, which does not have to be unique. Two caveats before drawing a conclusion: this endpoint returns direct members only, so a user who is in the group through a nested group will not be listed (use the second method below, which resolves nested membership); and Graph returns members one page at a time (100 per page by default), so if the response contains an @odata.nextLink property, the list is not complete and you need to follow that link (paste it into the URL field and run the query again) until no further link is returned. If the new user who does not get the signature:
    1. is NOT on the list, it may mean the problem is related to Microsoft services (e.g. there was an error while adding the user or the change has not propagated in Azure AD yet). In such a situation, try re-adding the user or wait for the changes to propagate;
    2. is on the list, it may mean the problem is related to the CodeTwo software. In such a situation, please review your configuration of CodeTwo Email Signatures for Office 365, especially the conditions and exceptions settings. Should the problem persist, you can always contact our support.

Displaying groups the user belongs to

With this method, you will get the list of groups the user who does not get the signature belongs to, including groups they are in only through nested groups, and you can check whether the group in question is among them. To display the user's groups in Microsoft Graph Explorer, follow the steps below:

  1. Open the Azure Active Directory admin center.
  2. In the navigation menu on the left, click All services, and, on the page that opens, select Users (Fig. 6.).

Accessing the user’s list in the Azure Active Directory admin center.
Fig. 6. Accessing the user’s list in the Azure Active Directory admin center.

  3. Find the user on the list and click them. If your user base is large, you can locate the user with the search box at the top of the list.
  4. Once the Profile page is displayed, copy the value from the Object ID text field by using the button on the right end of the field (Fig. 7.).

Copying the user’s Object ID value from the Azure Active Directory admin center.
Fig. 7. Copying the user’s Object ID value from the Azure Active Directory admin center.

  5. Next, navigate to Microsoft Graph Explorer in your browser.
  6. Once there, log in by clicking the Sign in to Graph Explorer button (Fig. 3.) on the left and providing your global admin credentials. Now, you can start building your query to list the groups the user belongs to.
  7. First, choose GET from the leftmost drop-down menu at the top of the window (Fig. 8., item 1). Next, in the URL text field, type or paste https://graph.microsoft.com/v1.0/users/{ID}/transitiveMemberOf, replacing the {ID} portion with the user's Object ID value you've copied in step 4 (Fig. 8., item 2). The transitiveMemberOf endpoint includes groups the user belongs to through nested groups; the related memberOf endpoint lists direct memberships only. Finally, click the Run query button in the top right corner of the window (Fig. 8., item 3).

Defining the query to retrieve information on the groups the user belongs to from Microsoft Graph.
Fig. 8. Defining the query to retrieve information on the groups the user belongs to from Microsoft Graph.

Info

If you get the Request_ResourceNotFound error (HTTP 404) while running the query, it most probably means that you are either not signed in to your own tenant or there was a problem with the user's Object ID value. Make sure you are logged in and use the correct URL format with the right object ID.

If you get

Forbidden - 403. You need to consent to the permissions on the Modify permissions (Preview) tab

or a similar error, consent to the requested (read-only) permissions on the Modify permissions tab as described in the Info box of the previous method (Fig. 5.), then run the query again.

  8. You should now get the list of groups (in the JSON format) on the Response preview tab at the bottom of the window (see Fig. 8., item 4). Identify the group by its id property rather than displayName, which does not have to be unique, and if the response contains an @odata.nextLink property, follow it until the full list has been retrieved. If the group which you've added the new user to:
    1. is NOT on the list, it may mean the problem is related to Microsoft services (e.g. there was an error while adding the user or the change has not propagated in Azure AD yet). In such a situation, try re-adding the user or wait for the changes to propagate;
    2. is on the list, it may mean the problem is related to the CodeTwo software. In such a situation, please review your configuration of CodeTwo Email Signatures for Office 365, especially the conditions and exceptions settings. Should the problem persist, you can always contact our support.
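Both methods above come down to the same check done by hand in Graph Explorer: walk a Graph collection page by page and look for one object ID. The script below is an added example (not code from this article or from CodeTwo) that automates both queries, /groups/{ID}/members and /users/{ID}/transitiveMemberOf, and handles the two pitfalls the steps warn about: it follows @odata.nextLink so a member on a later page is not missed, and it matches on the id property rather than displayName. The group and user object IDs and the Graph responses in SAMPLE_RESPONSES are constructed placeholders so the script runs offline; graph_fetch() is the fetcher you would pass in against a real tenant, with a bearer token obtained the same way Graph Explorer does (the token name GRAPH_TOKEN is an assumption of this example).

```python
"""Verify Azure AD group membership through Microsoft Graph, with paging.

Added example, not part of the original article. Uses only the two v1.0
endpoints the article queries (/groups/{id}/members and
/users/{id}/transitiveMemberOf) and Graph's documented @odata.nextLink
paging. SAMPLE_RESPONSES is CONSTRUCTED sample data with placeholder
object IDs so the script runs offline; pass graph_fetch() for a real tenant.
"""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def graph_fetch(url, token):
    """GET a Graph URL with a bearer token and return the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 403/404
        return json.load(resp)


def iter_collection(fetch, url):
    """Yield every object of a Graph collection, following @odata.nextLink.

    Graph returns directory objects one page at a time (100 by default), so
    a member beyond the first page is invisible unless nextLink is followed.
    """
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def is_direct_member(fetch, group_id, user_id):
    """True if user_id is a DIRECT member of group_id (/groups/{id}/members)."""
    url = f"{GRAPH}/groups/{group_id}/members"
    # Compare object IDs, never displayName: display names need not be unique.
    return any(obj.get("id") == user_id for obj in iter_collection(fetch, url))


def is_transitive_member(fetch, group_id, user_id):
    """True if group_id is among the user's groups, nested groups included."""
    url = f"{GRAPH}/users/{user_id}/transitiveMemberOf"
    return any(obj.get("id") == group_id for obj in iter_collection(fetch, url))


def diagnose(fetch, group_id, user_id):
    """Apply the article's decision: 'direct', 'nested' or 'missing'."""
    if is_direct_member(fetch, group_id, user_id):
        return "direct"
    if is_transitive_member(fetch, group_id, user_id):
        return "nested"
    return "missing"


# --- constructed sample tenant (placeholder IDs, not a real directory) -------
GROUP_ID = "6f3b2a9c-1111-4111-8111-000000000001"   # the signature rule's group
NESTED_ID = "6f3b2a9c-2222-4222-8222-000000000002"  # a group nested in GROUP_ID
ALICE = "0a1b2c3d-aaaa-4aaa-8aaa-00000000000a"      # direct member, on page 2
BOB = "0a1b2c3d-bbbb-4bbb-8bbb-00000000000b"        # member only via NESTED_ID
CAROL = "0a1b2c3d-cccc-4ccc-8ccc-00000000000c"      # not a member at all
OTHER_ALICE = "0a1b2c3d-dddd-4ddd-8ddd-00000000000d"  # different user, same name

_members_page1 = f"{GRAPH}/groups/{GROUP_ID}/members"
_members_page2 = _members_page1 + "?$skiptoken=page2"
SAMPLE_RESPONSES = {
    _members_page1: {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "id": OTHER_ALICE, "displayName": "Alice"},
            {"@odata.type": "#microsoft.graph.group", "id": NESTED_ID, "displayName": "Sales"},
        ],
        "@odata.nextLink": _members_page2,  # the member list continues on page 2
    },
    _members_page2: {
        "value": [{"@odata.type": "#microsoft.graph.user", "id": ALICE, "displayName": "Alice"}],
    },
    f"{GRAPH}/users/{ALICE}/transitiveMemberOf": {
        "value": [{"id": GROUP_ID, "displayName": "Signature users"}]},
    f"{GRAPH}/users/{BOB}/transitiveMemberOf": {
        "value": [{"id": NESTED_ID, "displayName": "Sales"},
                  {"id": GROUP_ID, "displayName": "Signature users"}]},
    f"{GRAPH}/users/{CAROL}/transitiveMemberOf": {"value": []},
}


def sample_fetch(url):
    """Offline stand-in for graph_fetch: serve the constructed responses."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    # For a real tenant: fetch = lambda u: graph_fetch(u, os.environ["GRAPH_TOKEN"])
    for name, uid in (("Alice", ALICE), ("Bob", BOB), ("Carol", CAROL)):
        print(name, "->", diagnose(sample_fetch, GROUP_ID, uid))
```

Alice illustrates both pitfalls at once: a different user with the same display name sits on the first page, and the real Alice only appears on the second, so a displayName match on the first page would give a wrong answer while the id match after paging gives "direct". Bob is "nested": absent from /members but present in transitiveMemberOf, which is why the second method is the one to trust when the first says the user is missing.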