directoryObject: checkMemberGroups
Article
09/30/2022
5 minutes to read
12 contributors
Feedback
In this article
Namespace: microsoft.graph
Check for membership in a specified list of group IDs, and return from that list those groups (identified by IDs) of which the specified user , group , service principal , organizational contact , device , or directory object is a member. This function is transitive.
You can check up to a maximum of 20 groups per request. This function supports all groups provisioned in Azure AD. Because Microsoft 365 groups cannot contain other groups, membership in a Microsoft 365 group is always direct.
Permissions
Group memberships for a directory object
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
User.ReadBasic.All and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All
Delegated (personal Microsoft account)
Not supported.
Application
User.Read.All and GroupMember.Read.All, User.Read.All and Group.Read.All, Directory.Read.All
Group memberships for a user
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
User.ReadBasic.All and GroupMember.Read.All, User.Read.All and GroupMember.Read.All, User.ReadBasic.All and Group.Read.All, User.Read.All and Group.Read.All, Directory.Read.All
Delegated (personal Microsoft account)
Not supported.
Application
User.Read.All and GroupMember.Read.All, User.Read.All and Group.Read.All, Directory.Read.All
Group memberships for a group
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All
Group memberships for a service principal
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
Directory.Read.All, Directory.ReadWrite.All
Group memberships for a device
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Device.Read.All, Directory.Read.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
HTTP request
Group memberships for a directory object (user, group, service principal, or organizational contact).
POST /directoryObjects/{id}/checkMemberGroups
Group memberships for the signed-in user or other users.
POST /me/checkMemberGroups
POST /users/{id | userPrincipalName}/checkMemberGroups
Group memberships for a group.
POST /groups/{id}/checkMemberGroups
Group memberships for a service principal.
POST /servicePrincipals/{id}/checkMemberGroups
Group memberships for an organizational contact.
POST /contacts/{id}/checkMemberGroups
Group memberships for a device.
POST /devices/{id}/checkMemberGroups
Name
Description
Authorization
Bearer {token}. Required.
Content-Type
application/json
Request body
In the request body, provide a JSON object with the following parameters.
Parameter
Type
Description
groupIds
String collection
A collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified.
Response
If successful, this method returns 200 OK response code and String collection object in the response body.
Examples
Example 1: Check group memberships for a directory object
Request
POST https://graph.microsoft.com/v1.0/directoryObjects/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e/checkMemberGroups
Content-type: application/json
{
"groupIds": [
"f448435d-3ca7-4073-8152-a1fd73c0fd09",
"bd7c6263-4dd5-4ae8-8c96-556e1c0bece6",
"93670da6-d731-4366-94b5-abed40b6016b",
"f5484ab1-4d4d-41ec-a9b8-754b3957bfc7",
"c9103f26-f3cf-4004-a611-2a14e81b8f79"
]
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var groupIds = new List<String>()
{
"f448435d-3ca7-4073-8152-a1fd73c0fd09",
"bd7c6263-4dd5-4ae8-8c96-556e1c0bece6",
"93670da6-d731-4366-94b5-abed40b6016b",
"f5484ab1-4d4d-41ec-a9b8-754b3957bfc7",
"c9103f26-f3cf-4004-a611-2a14e81b8f79"
};
await graphClient.DirectoryObjects["{directoryObject-id}"]
.CheckMemberGroups(groupIds)
.Request()
.PostAsync();
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
const options = {
authProvider,
};
const client = Client.init(options);
const string = {
groupIds: [
'f448435d-3ca7-4073-8152-a1fd73c0fd09',
'bd7c6263-4dd5-4ae8-8c96-556e1c0bece6',
'93670da6-d731-4366-94b5-abed40b6016b',
'f5484ab1-4d4d-41ec-a9b8-754b3957bfc7',
'c9103f26-f3cf-4004-a611-2a14e81b8f79'
]
};
await client.api('/directoryObjects/4562bcc8-c436-4f95-b7c0-4f8ce89dca5e/checkMemberGroups')
.post(string);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
LinkedList<String> groupIdsList = new LinkedList<String>();
groupIdsList.add("f448435d-3ca7-4073-8152-a1fd73c0fd09");
groupIdsList.add("bd7c6263-4dd5-4ae8-8c96-556e1c0bece6");
groupIdsList.add("93670da6-d731-4366-94b5-abed40b6016b");
groupIdsList.add("f5484ab1-4d4d-41ec-a9b8-754b3957bfc7");
groupIdsList.add("c9103f26-f3cf-4004-a611-2a14e81b8f79");
graphClient.directoryObjects("4562bcc8-c436-4f95-b7c0-4f8ce89dca5e")
.checkMemberGroups(DirectoryObjectCheckMemberGroupsParameterSet
.newBuilder()
.withGroupIds(groupIdsList)
.build())
.buildRequest()
.post();
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := graphmodels.NewCheckMemberGroupsPostRequestBody()
groupIds := []string {
"f448435d-3ca7-4073-8152-a1fd73c0fd09",
"bd7c6263-4dd5-4ae8-8c96-556e1c0bece6",
"93670da6-d731-4366-94b5-abed40b6016b",
"f5484ab1-4d4d-41ec-a9b8-754b3957bfc7",
"c9103f26-f3cf-4004-a611-2a14e81b8f79",
}
requestBody.SetGroupIds(groupIds)
result, err := graphClient.DirectoryObjectsById("directoryObject-id").CheckMemberGroups().Post(context.Background(), requestBody, nil)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
Import-Module Microsoft.Graph.DirectoryObjects
$params = @{
GroupIds = @(
"f448435d-3ca7-4073-8152-a1fd73c0fd09"
"bd7c6263-4dd5-4ae8-8c96-556e1c0bece6"
"93670da6-d731-4366-94b5-abed40b6016b"
"f5484ab1-4d4d-41ec-a9b8-754b3957bfc7"
"c9103f26-f3cf-4004-a611-2a14e81b8f79"
)
}
Confirm-MgDirectoryObjectMemberGroup -DirectoryObjectId $directoryObjectId -BodyParameter $params
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new CheckMemberGroupsPostRequestBody();
$requestBody->setGroupIds(['f448435d-3ca7-4073-8152-a1fd73c0fd09', 'bd7c6263-4dd5-4ae8-8c96-556e1c0bece6', '93670da6-d731-4366-94b5-abed40b6016b', 'f5484ab1-4d4d-41ec-a9b8-754b3957bfc7', 'c9103f26-f3cf-4004-a611-2a14e81b8f79', ]);
$requestResult = $graphServiceClient->directoryObjectsById('directoryObject-id')->checkMemberGroups()->post($requestBody);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
Response
The following is an example of the response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
"value": [
"f448435d-3ca7-4073-8152-a1fd73c0fd09",
"93670da6-d731-4366-94b5-abed40b6016b",
"f5484ab1-4d4d-41ec-a9b8-754b3957bfc7",
"c9103f26-f3cf-4004-a611-2a14e81b8f79"
]
}
Example 2: Check group memberships for the signed-in user
Request
POST https://graph.microsoft.com/v1.0/me/checkMemberGroups
Content-type: application/json
{
"groupIds": [
"fee2c45b-915a-4a64b130f4eb9e75525e",
"4fe90ae065a-478b9400e0a0e1cbd540"
]
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var groupIds = new List<String>()
{
"fee2c45b-915a-4a64b130f4eb9e75525e",
"4fe90ae065a-478b9400e0a0e1cbd540"
};
await graphClient.Me
.CheckMemberGroups(groupIds)
.Request()
.PostAsync();
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
const options = {
authProvider,
};
const client = Client.init(options);
const string = {
groupIds: [
'fee2c45b-915a-4a64b130f4eb9e75525e',
'4fe90ae065a-478b9400e0a0e1cbd540'
]
};
await client.api('/me/checkMemberGroups')
.post(string);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
LinkedList<String> groupIdsList = new LinkedList<String>();
groupIdsList.add("fee2c45b-915a-4a64b130f4eb9e75525e");
groupIdsList.add("4fe90ae065a-478b9400e0a0e1cbd540");
graphClient.me()
.checkMemberGroups(DirectoryObjectCheckMemberGroupsParameterSet
.newBuilder()
.withGroupIds(groupIdsList)
.build())
.buildRequest()
.post();
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := graphmodels.NewCheckMemberGroupsPostRequestBody()
groupIds := []string {
"fee2c45b-915a-4a64b130f4eb9e75525e",
"4fe90ae065a-478b9400e0a0e1cbd540",
}
requestBody.SetGroupIds(groupIds)
result, err := graphClient.Me().CheckMemberGroups().Post(context.Background(), requestBody, nil)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
Import-Module Microsoft.Graph.Users.Actions
$params = @{
GroupIds = @(
"fee2c45b-915a-4a64b130f4eb9e75525e"
"4fe90ae065a-478b9400e0a0e1cbd540"
)
}
# A UPN can also be used as -UserId.
Confirm-MgUserMemberGroup -UserId $userId -BodyParameter $params
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new CheckMemberGroupsPostRequestBody();
$requestBody->setGroupIds(['fee2c45b-915a-4a64b130f4eb9e75525e', '4fe90ae065a-478b9400e0a0e1cbd540', ]);
$requestResult = $graphServiceClient->me()->checkMemberGroups()->post($requestBody);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation .
Response
The following is an example of the response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
"value": [
"fee2c45b-915a-4a64-b130-f4eb9e75525e"
]
}