Date Published: 1/24/2023
Keyavi Admins
This document explains how to retrieve the AAD group memberships of a given user with standard Microsoft tools and no special permissions.
This process is useful for quickly checking whether an AAD user is a member of any Keyavi AAD security group, and therefore which permissions the user has in the Keyavi platform.
1. Sign in to Microsoft Graph Explorer with an account created in the AAD tenant you want to investigate.
2. In the query field, choose “beta” and enter the following URL:
https://graph.microsoft.com/beta/users/<USER.EMAIL@COMPANY.COM>/transitiveMemberOf?$search="displayname:<security_group_name>"&$select=displayName
where:
- <USER.EMAIL@COMPANY.COM> is the email address of the user you want to check.
- <security_group_name> is the name of the group you want to check whether the user is a member of.
  - This can be a partial name, e.g. KEY_
- Type in Key field “ConsistencyLevel”
- Type in Value field “eventual”
- Click Add button
Each second-level object in the JSON response body is a group that the user is a member of.
displayName is the name of the group:
5. If you want to narrow down the search, you can enter the full name of the group you are looking for, e.g. KEY_FULL_USER_GRP
Adding $count=true to the query adds the number of groups the user is a member of that match the search parameters:
https://graph.microsoft.com/beta/users/USER.EMAIL@COMPANY.COM/transitiveMemberOf?$search="displayname:KEY_FULL_USER_GRP"&$count=true
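The same check can be scripted. The following is an added example, not part of the original document or of Keyavi's tooling: it builds the query and header from the steps above and reads the response, following paging and keeping only group objects. The function names, the sample responses and the `_SAMPLE` group names are constructed for illustration, and `fetch` stands in for an authenticated HTTP GET.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/beta"

def build_request(user, group_name):
    """Return (url, headers) for the transitiveMemberOf search on this page."""
    search = quote(f'"displayname:{group_name}"', safe=":")
    url = (f"{GRAPH}/users/{quote(user, safe='@')}/transitiveMemberOf"
           f"?$search={search}&$select=displayName&$count=true")
    # $search and $count on directory objects need this request header.
    return url, {"ConsistencyLevel": "eventual"}

def collect_groups(url, headers, fetch):
    """Follow @odata.nextLink paging; fetch(url, headers) returns parsed JSON."""
    names, count = [], None
    while url:
        page = fetch(url, headers)
        if count is None:
            count = page.get("@odata.count")
        for obj in page.get("value", []):
            # transitiveMemberOf can also return directory roles and
            # administrative units; keep group objects only.
            if obj.get("@odata.type") == "#microsoft.graph.group":
                names.append(obj["displayName"])
        url = page.get("@odata.nextLink")
    return sorted(names), count

# Constructed sample responses (not real tenant data), keyed by URL.
FIRST_URL, HEADERS = build_request("user.email@company.com", "KEY_")
NEXT_URL = GRAPH + "/users/user.email@company.com/transitiveMemberOf?$skiptoken=SAMPLE"
SAMPLE_PAGES = {
    FIRST_URL: {"@odata.count": 3, "@odata.nextLink": NEXT_URL, "value": [
        {"@odata.type": "#microsoft.graph.group", "displayName": "KEY_FULL_USER_GRP"},
        {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "KEY_ROLE_SAMPLE"}]},
    NEXT_URL: {"value": [
        {"@odata.type": "#microsoft.graph.group", "displayName": "KEY_ADMIN_GRP_SAMPLE"}]},
}

def sample_fetch(url, headers):
    # Stand-in for an authenticated HTTP GET; rejects calls missing the header.
    if headers.get("ConsistencyLevel") != "eventual":
        raise ValueError("ConsistencyLevel: eventual header is required")
    return SAMPLE_PAGES[url]

if __name__ == "__main__":
    print(FIRST_URL)
    print(collect_groups(FIRST_URL, HEADERS, sample_fetch))
```

In the constructed data the reported count is 3 while only two entries are groups, which is why the script filters on `@odata.type` before reporting which groups the user belongs to.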