How to confirm user’s AAD group membership with Graph Explorer
Problem:
You configured a rule which adds a signature to messages sent by users belonging to a certain Azure Active Directory (AAD) group. After adding a new user to the group, you find out that the user does not get the signature when they send an email. You would like to check the user’s AAD membership status to confirm they have been properly added to the group.
Solution:
The first logical step in such a situation would be to review group members on the Members settings page in the Microsoft Entra admin center. However, this approach might not return reliable results. To make sure the user has been correctly added to the group, you need to dig deeper and check if their membership is properly read by Graph, the APIs platform that connects all Microsoft’s solutions and services. To do so, you can use Graph Explorer, a convenient online tool which allows you to test a Microsoft service or an app that integrates with Microsoft’s solutions.
There are two ways to find out if your newly added user actually belongs to a given AAD group:
- Display the members of the group using a query for the group object.
- Display the groups the user belongs to using a query for the user object.
To learn more about each method, go straight to the appropriate section below or read on.
Displaying members of the group
With this method, you will get the list of users that belong to the AAD group in question. You can check this list to verify membership of the specific user. To display group members in Microsoft Graph Explorer, follow the steps below:
- Open the Microsoft Entra admin center.
- In the navigation menu on the left, go to Azure Active Directory (or Identity) > Groups > All groups (Fig. 1.).
Fig. 1. Accessing Azure Active Directory groups.
- Click the group which the newly added user belongs to and, on the Overview settings page that opens, copy the Object ID value by using the button on the right end of the Object Id text field (Fig. 2.).
Fig. 2. Copying the group’s Object ID value from the Microsoft Entra admin center.
- Next, navigate to Microsoft Graph Explorer in your browser.
- Once there, sign in by clicking the avatar in the top right corner (Fig. 3.) and providing your global admin credentials. Now, you can finally query Graph Explorer for the group membership data.
Fig. 3. Signing in to Graph Explorer.
- First, choose GET from the leftmost drop-down menu at the top of the window (Fig. 4., item 1). Next, in the URL text field, type or paste https://graph.microsoft.com/v1.0/groups/{ID}/members, replacing the {ID} portion with the group’s Object ID value you’ve copied in step 3 (Fig. 4., item 2). Finally, click the Run query button in the top right corner of the window (Fig. 4., item 3).
Fig. 4. Defining the query to retrieve information on group members from Microsoft Graph.
If you get the Request_ResourceNotFound error while running the query, it most probably means that you are either not signed in to your admin account or there was a problem with the AAD group Object ID value. Make sure you are signed in and use the correct URL format with the right object ID.
If you get the following or similar error:
Forbidden - 403. Either the signed-in user does not have sufficient privileges, or you need to consent to one of the permissions on the Modify permissions tab
go to Modify permissions tab (Fig. 5., item 1). Click the Consent button (Fig. 5., item 2) and then Accept in the pop-up window that opens (Fig. 5., item 3). Repeat this procedure for each of the listed permissions. After completing the steps, resend your query by clicking the Run query button again.
Fig. 5. Granting the permissions necessary to run the query.
- You should now get the list of users belonging to the group (in JSON format) on the Response preview tab at the bottom of the window (see Fig. 4., item 4). You can identify the user by the displayName property or any other property you wish (e.g. the user’s ID). If the new user who does not get the signature:
- is NOT on the list, it may mean the problem is related to Microsoft services (e.g. there was an error while adding the user or the change hasn’t been propagated in Azure AD yet). In such a situation, try re-adding the user or wait for the changes to propagate;
- is on the list, it may mean the problem is related to the CodeTwo software. In such a situation, please review your configuration of CodeTwo Email Signatures 365, especially the conditions and exceptions settings. Should the problem persist, you can always contact our support.
Displaying groups the user belongs to
With this method, you will get the list of groups which the user who does not get the signature belongs to. You will be able to check if the group in question is actually listed there. To display the user’s groups in Microsoft Graph Explorer, follow the steps below:
- Open the Microsoft Entra admin center.
- In the navigation menu on the left, go to Azure Active Directory (or Identity) > Users > All users (Fig. 6.).
Fig. 6. Accessing the user’s list in the Microsoft Entra admin center.
- Find the user on the list and click them. If your user base is large, you can locate the user with the search box at the top of the list.
- Once the Overview page is displayed, copy the Object ID value by using the button to the right of it (Fig. 7.).
Fig. 7. Copying the user’s Object ID value from the Microsoft Entra admin center.
- Next, navigate to Microsoft Graph Explorer in your browser.
- Once there, sign in by clicking the avatar in the top right corner (see Fig. 3.) and providing your global admin credentials. Now, you can start building your query to list the groups the user belongs to.
- First, choose GET from the leftmost drop-down menu at the top of the window (Fig. 8., item 1). Next, in the URL text field, type or paste https://graph.microsoft.com/v1.0/users/{ID}/transitiveMemberOf, replacing the {ID} portion with the user’s Object ID value you’ve copied in step 4 (Fig. 8., item 2). Finally, click the Run query button in the top right corner of the window (Fig. 8., item 3).
Fig. 8. Defining the query to retrieve information on the groups the user belongs to from Microsoft Graph.
Info
If you get the Request_ResourceNotFound error while running the query, it most probably means that you are either not signed in to your admin account or there was a problem with the Object ID value in the URL. Make sure you are signed in and use the correct URL format with the right object ID.
If you get
Forbidden - 403. Either the signed-in user does not have sufficient privileges, or you need to consent to one of the permissions on the Modify permissions tab
or a similar error, see the Displaying members of the group section above to learn how to solve it.
- You should now get the list of groups (in JSON format) on the Response preview tab at the bottom of the window (see Fig. 8., item 4). You can identify the group by the displayName property or any other property you wish (e.g. the group’s ID). If the group which you’ve added the new user to:
- is NOT on the list, it may mean the problem is related to Microsoft services (e.g. there was an error while adding the user or the change hasn’t been propagated in Azure AD yet). In such a situation, try re-adding the user or wait for the changes to propagate;
- is on the list, it may mean the problem is related to the CodeTwo software. In such a situation, please review your configuration of CodeTwo Email Signatures 365, especially the conditions and exceptions settings. Should the problem persist, you can always contact our support.
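The two checks above (group members, and the user’s transitive groups) done programmatically against the same endpoints, as an added example that is not code from this article or from CodeTwo. It follows @odata.nextLink paging, since the Response preview in Graph Explorer shows only one page of results, and it matches on object IDs rather than display names. The IDs and responses are constructed placeholders, and offline_fetch stands in for an authenticated request.

```python
from typing import Callable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"

def group_members_url(group_id: str) -> str:
    # Method 1 from the article: list the members of the group object.
    return f"{GRAPH}/groups/{group_id}/members"

def user_groups_url(user_id: str) -> str:
    # Method 2 from the article: list the groups the user belongs to (nested groups included).
    return f"{GRAPH}/users/{user_id}/transitiveMemberOf"

def iter_pages(fetch: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Yield every object of a paged Graph collection by following @odata.nextLink.
    Graph returns one page (100 objects by default) per request, so a user missing
    from the first page is not proof of absence."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def is_member_via_group(fetch: Callable[[str], dict], group_id: str, user_id: str) -> bool:
    # Match on the object id, not displayName, so two users with the same name are not confused.
    return any(o.get("@odata.type") == "#microsoft.graph.user" and o.get("id") == user_id
               for o in iter_pages(fetch, group_members_url(group_id)))

def is_member_via_user(fetch: Callable[[str], dict], user_id: str, group_id: str) -> bool:
    # transitiveMemberOf also lists directory roles, so filter on the group type.
    return any(o.get("@odata.type") == "#microsoft.graph.group" and o.get("id") == group_id
               for o in iter_pages(fetch, user_groups_url(user_id)))

# Constructed sample responses with placeholder IDs (not from a real tenant). The member
# list is split across two pages, so the new user appears only after following @odata.nextLink.
GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"
USER_ID = "11111111-1111-1111-1111-11111111bbbb"
PAGE2 = group_members_url(GROUP_ID) + "?$skiptoken=page2"
SAMPLE_RESPONSES = {
    group_members_url(GROUP_ID): {
        "value": [{"@odata.type": "#microsoft.graph.user", "displayName": "Alice Example",
                   "id": "22222222-2222-2222-2222-22222222cccc"}],
        "@odata.nextLink": PAGE2,
    },
    PAGE2: {"value": [{"@odata.type": "#microsoft.graph.user", "displayName": "New User",
                       "id": USER_ID}]},
    user_groups_url(USER_ID): {"value": [
        {"@odata.type": "#microsoft.graph.group", "displayName": "Signature users", "id": GROUP_ID}]},
}

def offline_fetch(url: str) -> dict:
    # Stand-in for an authenticated GET against Graph (e.g. requests.get with a bearer token).
    return SAMPLE_RESPONSES[url]
```

With a real tenant, replace offline_fetch with a function that sends the GET with a bearer token for the signed-in admin and returns the parsed JSON body.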
Related products: CodeTwo Email Signatures for Office 365 1.x
Categories: How-To, Troubleshooting
Last modified: July 14, 2023
Created: July 15, 2021
ID: 929