Skip to main content

Office 365: Developer Blog

Upcoming API changes to return limited information for inaccessible member resources

Hi folks,

Starting soon, when your application does not have access to some of the types in a response’s collection, a limited amount of information will be returned. When an application does not have access to a type of resource, we will no longer return a 403 when instances of that resource are members of groups, roles, etc. Instead, we will now return the data type and ID, and all other properties will have a null value. Applications will not be able to use the ID to get the actual resource unless they have the necessary permission to read that resource’s type.

Before (and until this change goes into effect), if your app didn’t have access to read a type of resource, any instance of that resource in a returned collection would cause the whole call to fail with a 403 error. For example, if an application had User.Read.All and Group.Read.All permissions for Microsoft Graph and a group had been created which contains a user, a group, and a device the entire call would fail with a 403/Forbidden because the application did not have access to the device resource.

Below is an example of the new response pattern when an application has permission to read groups and users, but not devices. Notice the returned device item.

Call:

GET https://graph.microsoft.com/v1.0/groups/{id}/members?$select=id,displayName,description,createdDateTime,deletedDateTime,homepage,loginUrl

Response:

{
"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id,displayName,description,createdDateTime,deletedDateTime,homepage,loginUrl)",
    "value":[
        {
            "@odata.type":"#microsoft.graph.user",
            "id":"69d035a3-29c9-469f-809d-d21a4ae69e65",
            "displayName":"Jane Dane",
            "createdDateTime":"2019-09-18T09:06:51Z",
            "deletedDateTime":null
        },
        {
            "@odata.type":"#microsoft.graph.group",
            "id":"c43a7cc9-2d95-44b6-bf6a-6392e41949b4",
            "displayName":"Group 1",
            "description":null,
            "createdDateTime":"2019-10-24T01:34:35Z",
            "deletedDateTime":null
        },
        {
                    "@odata.type":"#microsoft.graph.device",
                    "id": "d282309e-f91d-43b6-badb-9e68aa4b4fc8",
                    "accountEnabled":null,
                    "deviceId":null,
                    "displayName":null,
                    "operatingSystem":null,
                    "operatingSystemVersion":null
                }
    ]
}

We’re making this change to allow your app to request only the least privileged permissions it needs while still getting a predictable response. We’d love to hear from you, so please let us know what you think.

– The Microsoft Identity Access Control Team

filter-icon