directoryObject: checkMemberGroups

Article
03/02/2023
5 minutes to read

Namespace: microsoft.graph

Check for membership in a specified list of group IDs, and return from that list those groups (identified by IDs) of which the specified user, group, service principal, organizational contact, device, or directory object is a member. This function is transitive.

You can check up to a maximum of 20 groups per request. This function supports all groups provisioned in Azure AD. Because Microsoft 365 groups cannot contain other groups, membership in a Microsoft 365 group is always direct.

Permissions

Group memberships for a directory object

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	User.ReadBasic.All and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All
Delegated (personal Microsoft account)	Not supported.
Application	User.Read.All and GroupMember.Read.All, User.Read.All and Group.Read.All, Directory.Read.All

Group memberships for a user

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	User.ReadBasic.All and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All
Delegated (personal Microsoft account)	Not supported.
Application	User.Read.All and GroupMember.Read.All, User.Read.All and Group.Read.All, Directory.Read.All

Group memberships for a group

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)	Not supported.
Application	GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

Group memberships for a service principal

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)	Not supported.
Application	Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All

Group memberships for an organizational contact

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)	Not supported.
Application	Directory.Read.All, Directory.ReadWrite.All

Group memberships for a device

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	Device.Read.All, Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)	Not supported.
Application	Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

HTTP request

Group memberships for a directory object (user, group, service principal, or organizational contact).

POST /directoryObjects/{id}/checkMemberGroups

Group memberships for the signed-in user or other users.

POST /me/checkMemberGroups
POST /users/{id | userPrincipalName}/checkMemberGroups

Group memberships for a group.

POST /groups/{id}/checkMemberGroups

Group memberships for a service principal.

POST /servicePrincipals/{id}/checkMemberGroups

Group memberships for an organizational contact.

POST /contacts/{id}/checkMemberGroups

Group memberships for a device.

POST /devices/{id}/checkMemberGroups

Request headers

Name	Description
Authorization	Bearer {token}. Required.
Content-Type	application/json

Request body

In the request body, provide a JSON object with the following parameters.

Parameter	Type	Description
groupIds	String collection	A collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified.

Response

If successful, this method returns 200 OK response code and String collection object in the response body.

Examples

Example 1: Check group memberships for a directory object

Request

POST https://graph.microsoft.com/v1.0/directoryObjects/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e/checkMemberGroups
Content-type: application/json

{
    "groupIds": [
        "f448435d-3ca7-4073-8152-a1fd73c0fd09",
        "bd7c6263-4dd5-4ae8-8c96-556e1c0bece6",
        "93670da6-d731-4366-94b5-abed40b6016b",
        "f5484ab1-4d4d-41ec-a9b8-754b3957bfc7",
        "c9103f26-f3cf-4004-a611-2a14e81b8f79"
    ]
}


var graphClient = new GraphServiceClient(requestAdapter);

var requestBody = new Microsoft.Graph.DirectoryObjects.Item.CheckMemberGroups.CheckMemberGroupsPostRequestBody
{
	GroupIds = new List<string>
	{
		"f448435d-3ca7-4073-8152-a1fd73c0fd09",
		"bd7c6263-4dd5-4ae8-8c96-556e1c0bece6",
		"93670da6-d731-4366-94b5-abed40b6016b",
		"f5484ab1-4d4d-41ec-a9b8-754b3957bfc7",
		"c9103f26-f3cf-4004-a611-2a14e81b8f79",
	},
};
var result = await graphClient.DirectoryObjects["{directoryObject-id}"].CheckMemberGroups.PostAsync(requestBody);


const options = {
	authProvider,
};

const client = Client.init(options);

const string = {
    groupIds: [
        'f448435d-3ca7-4073-8152-a1fd73c0fd09',
        'bd7c6263-4dd5-4ae8-8c96-556e1c0bece6',
        '93670da6-d731-4366-94b5-abed40b6016b',
        'f5484ab1-4d4d-41ec-a9b8-754b3957bfc7',
        'c9103f26-f3cf-4004-a611-2a14e81b8f79'
    ]
};

await client.api('/directoryObjects/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e/checkMemberGroups')
	.post(string);


GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

LinkedList<String> groupIdsList = new LinkedList<String>();
groupIdsList.add("f448435d-3ca7-4073-8152-a1fd73c0fd09");
groupIdsList.add("bd7c6263-4dd5-4ae8-8c96-556e1c0bece6");
groupIdsList.add("93670da6-d731-4366-94b5-abed40b6016b");
groupIdsList.add("f5484ab1-4d4d-41ec-a9b8-754b3957bfc7");
groupIdsList.add("c9103f26-f3cf-4004-a611-2a14e81b8f79");

graphClient.directoryObjects("4562bcc8-c436-4f95-b7c0-4f8ce89dca5e")
	.checkMemberGroups(DirectoryObjectCheckMemberGroupsParameterSet
		.newBuilder()
		.withGroupIds(groupIdsList)
		.build())
	.buildRequest()
	.post();


//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/DirectoryObjects/Item/CheckMemberGroups"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewCheckMemberGroupsPostRequestBody()
groupIds := []string {
	"f448435d-3ca7-4073-8152-a1fd73c0fd09",
	"bd7c6263-4dd5-4ae8-8c96-556e1c0bece6",
	"93670da6-d731-4366-94b5-abed40b6016b",
	"f5484ab1-4d4d-41ec-a9b8-754b3957bfc7",
	"c9103f26-f3cf-4004-a611-2a14e81b8f79",

}
requestBody.SetGroupIds(groupIds)

result, err := graphClient.DirectoryObjectsById("directoryObject-id").CheckMemberGroups().Post(context.Background(), requestBody, nil)


Import-Module Microsoft.Graph.DirectoryObjects

$params = @{
	GroupIds = @(
		"f448435d-3ca7-4073-8152-a1fd73c0fd09"
		"bd7c6263-4dd5-4ae8-8c96-556e1c0bece6"
		"93670da6-d731-4366-94b5-abed40b6016b"
		"f5484ab1-4d4d-41ec-a9b8-754b3957bfc7"
		"c9103f26-f3cf-4004-a611-2a14e81b8f79"
	)
}

Confirm-MgDirectoryObjectMemberGroup -DirectoryObjectId $directoryObjectId -BodyParameter $params


<?php

// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);

$requestBody = new CheckMemberGroupsPostRequestBody();
$requestBody->setGroupIds(['f448435d-3ca7-4073-8152-a1fd73c0fd09', 'bd7c6263-4dd5-4ae8-8c96-556e1c0bece6', '93670da6-d731-4366-94b5-abed40b6016b', 'f5484ab1-4d4d-41ec-a9b8-754b3957bfc7', 'c9103f26-f3cf-4004-a611-2a14e81b8f79', ]);



$requestResult = $graphServiceClient->directoryObjectsById('directoryObject-id')->checkMemberGroups()->post($requestBody);

Response

The following is an example of the response

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
    "value": [
        "f448435d-3ca7-4073-8152-a1fd73c0fd09",
        "93670da6-d731-4366-94b5-abed40b6016b",
        "f5484ab1-4d4d-41ec-a9b8-754b3957bfc7",
        "c9103f26-f3cf-4004-a611-2a14e81b8f79"
    ]
}

Example 2: Check group memberships for the signed-in user

Request

POST https://graph.microsoft.com/v1.0/me/checkMemberGroups
Content-type: application/json

{
  "groupIds": [
        "fee2c45b-915a-4a64b130f4eb9e75525e",
        "4fe90ae065a-478b9400e0a0e1cbd540"
  ]
}


var graphClient = new GraphServiceClient(requestAdapter);

var requestBody = new Microsoft.Graph.Me.CheckMemberGroups.CheckMemberGroupsPostRequestBody
{
	GroupIds = new List<string>
	{
		"fee2c45b-915a-4a64b130f4eb9e75525e",
		"4fe90ae065a-478b9400e0a0e1cbd540",
	},
};
var result = await graphClient.Me.CheckMemberGroups.PostAsync(requestBody);


const options = {
	authProvider,
};

const client = Client.init(options);

const string = {
  groupIds: [
        'fee2c45b-915a-4a64b130f4eb9e75525e',
        '4fe90ae065a-478b9400e0a0e1cbd540'
  ]
};

await client.api('/me/checkMemberGroups')
	.post(string);


GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

LinkedList<String> groupIdsList = new LinkedList<String>();
groupIdsList.add("fee2c45b-915a-4a64b130f4eb9e75525e");
groupIdsList.add("4fe90ae065a-478b9400e0a0e1cbd540");

graphClient.me()
	.checkMemberGroups(DirectoryObjectCheckMemberGroupsParameterSet
		.newBuilder()
		.withGroupIds(groupIdsList)
		.build())
	.buildRequest()
	.post();


//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/Me/CheckMemberGroups"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodels.NewCheckMemberGroupsPostRequestBody()
groupIds := []string {
	"fee2c45b-915a-4a64b130f4eb9e75525e",
	"4fe90ae065a-478b9400e0a0e1cbd540",

}
requestBody.SetGroupIds(groupIds)

result, err := graphClient.Me().CheckMemberGroups().Post(context.Background(), requestBody, nil)


Import-Module Microsoft.Graph.Users.Actions

$params = @{
	GroupIds = @(
		"fee2c45b-915a-4a64b130f4eb9e75525e"
		"4fe90ae065a-478b9400e0a0e1cbd540"
	)
}

# A UPN can also be used as -UserId.
Confirm-MgUserMemberGroup -UserId $userId -BodyParameter $params


<?php

// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);

$requestBody = new CheckMemberGroupsPostRequestBody();
$requestBody->setGroupIds(['fee2c45b-915a-4a64b130f4eb9e75525e', '4fe90ae065a-478b9400e0a0e1cbd540', ]);



$requestResult = $graphServiceClient->me()->checkMemberGroups()->post($requestBody);

Response

The following is an example of the response

HTTP/1.1 200 OK
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
  "value": [
        "fee2c45b-915a-4a64-b130-f4eb9e75525e"
  ]
}

directoryObject: checkMemberGroups

Permissions

Group memberships for a directory object

Group memberships for a user

Group memberships for a group

Group memberships for a service principal

Group memberships for an organizational contact

Group memberships for a device

HTTP request

Request headers

Request body

Response

Examples

Example 1: Check group memberships for a directory object

Request

Response

Example 2: Check group memberships for the signed-in user

Request

Response

Feedback

Additional resources

Additional resources