How to retrieve which Keyavi AAD security groups an AAD user is a member of?

Date Published: 1/24/2023

 

Keyavi Admins

This document explains how to retrieve AAD group membership for a given user with standard Microsoft tools (Microsoft Graph Explorer) and no special permissions beyond those Graph Explorer asks you to consent to when the query first runs.

This process is useful to quickly check whether an AAD user is a member of any Keyavi AAD security group, and therefore which permissions this user holds in the Keyavi platform. The query uses transitiveMemberOf, so membership through nested groups is included.

 

  1. Sign in to Microsoft Graph Explorer (https://developer.microsoft.com/graph/graph-explorer) with an account in the AAD tenant you want to investigate.

  2. In the query field, select the “beta” API version and enter the following URL:

https://graph.microsoft.com/beta/users/<USER.EMAIL@COMPANY.COM>/transitiveMemberOf?$search="displayname:<security_group_name>"&$select=displayName

where:

  • <USER.EMAIL@COMPANY.COM> is the user principal name (normally the email address) of the user you want to check.
  • <security_group_name> is the name of the group you want to check the user is a member of.
    • This can be a partial name, e.g. KEY_, which returns every matching group.
  3. In “Request headers”, add a new Key/Value item ($search is an advanced query and Graph rejects it without this header):
  • Type ConsistencyLevel in the Key field
  • Type eventual in the Value field
  • Click the Add button

  4. Click “Run query”

Each object in the value array of the JSON response body is a group the user is a direct or nested member of.

displayName is the name of the group.

  5. To narrow the search, enter the full name of the group you are looking for, e.g. KEY_FULL_USER_GRP:

https://graph.microsoft.com/beta/users/USER.EMAIL@COMPANY.COM/transitiveMemberOf?$search="displayname:KEY_FULL_USER_GRP"

Adding &$count=true to the query (with the same ConsistencyLevel header) returns, in the @odata.count property of the response, the number of groups the user is a member of that match the search parameters:

https://graph.microsoft.com/beta/users/USER.EMAIL@COMPANY.COM/transitiveMemberOf?$search="displayname:KEY_FULL_USER_GRP"&$count=true
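The same lookup run outside Graph Explorer, as an added example that is not part of the original article or Keyavi's own tooling: it builds the exact URL and header from steps 2 and 3, reads the value array from step 4, picks up @odata.count from the $count=true variant, and follows @odata.nextLink when a user matches more groups than fit in one page. It assumes you already hold a Microsoft Graph bearer token carrying the permissions Graph Explorer consented for you, and it assumes Keyavi groups share the KEY_ prefix used above; the group KEY_EXAMPLE_GRP in the constructed sample response is hypothetical.

```python
"""Scripted equivalent of the Graph Explorer query described in this article.

Added example, not part of the original article or Keyavi tooling. Assumes a
Microsoft Graph bearer token whose delegated permissions can read group
membership (the ones Graph Explorer prompts for) and the KEY_ group prefix.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"


def build_request(user: str, name_fragment: str, count: bool = True):
    """Return (url, headers) for steps 2 and 3 of the procedure.

    $search is an advanced query, so ConsistencyLevel: eventual is mandatory.
    The search value is percent-encoded so the quotes and colon survive
    transport; '$' is left literal, as in the article's URLs.
    """
    search = urllib.parse.quote(f'"displayName:{name_fragment}"', safe="")
    query = f"$search={search}&$select=displayName"
    if count:
        query += "&$count=true"  # asks Graph to include @odata.count
    user_segment = urllib.parse.quote(user, safe="@")
    url = f"{GRAPH}/users/{user_segment}/transitiveMemberOf?{query}"
    return url, {"ConsistencyLevel": "eventual"}


def group_names(page: dict) -> list:
    """Names of the groups in one response page (the 'value' array, step 4).

    transitiveMemberOf is a directoryObject collection, so directory roles and
    administrative units can appear next to groups; keep only groups.
    """
    return [
        obj["displayName"]
        for obj in page.get("value", [])
        if obj.get("@odata.type", "#microsoft.graph.group") == "#microsoft.graph.group"
    ]


def matched_count(page: dict):
    """@odata.count from a page requested with $count=true, else None."""
    return page.get("@odata.count")


def is_member(page: dict, group_name: str) -> bool:
    """Exact, case-insensitive membership check (step 5 with a full name)."""
    wanted = group_name.casefold()
    return any(name.casefold() == wanted for name in group_names(page))


def fetch_all(token: str, user: str, name_fragment: str):
    """Run the query against Graph and follow @odata.nextLink to the end.

    Network call; not exercised offline. The ConsistencyLevel header has to be
    resent with every continuation request.
    """
    url, headers = build_request(user, name_fragment)
    headers["Authorization"] = f"Bearer {token}"
    names, total = [], None
    while url:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        names.extend(group_names(page))
        if total is None:
            total = matched_count(page)
        url = page.get("@odata.nextLink")
    return names, total


# Constructed sample page, shaped like a transitiveMemberOf response without
# $search so that a non-group object is present and the filter is visible.
# KEY_EXAMPLE_GRP is a hypothetical group; "Directory Readers" is a built-in
# AAD directory role.
SAMPLE_PAGE = {
    "@odata.context": GRAPH + "/$metadata#directoryObjects(displayName)",
    "@odata.count": 3,
    "value": [
        {"@odata.type": "#microsoft.graph.group", "displayName": "KEY_FULL_USER_GRP"},
        {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Directory Readers"},
        {"@odata.type": "#microsoft.graph.group", "displayName": "KEY_EXAMPLE_GRP"},
    ],
}

if __name__ == "__main__":
    url, headers = build_request("user.email@company.com", "KEY_")
    print(url, headers)
    print(group_names(SAMPLE_PAGE), matched_count(SAMPLE_PAGE))
    print(is_member(SAMPLE_PAGE, "KEY_FULL_USER_GRP"))
```

To run it for real, obtain a token (for instance from the Access token tab in Graph Explorer) and call fetch_all(token, "user.email@company.com", "KEY_"); the returned count is the same number Graph Explorer shows in @odata.count.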