I am trying to use GraphAPI in a Blazor .NET 8.0 application, to request a list of all users who have a certain Role assigned.
I configure the roles in Entra Admin Centre > Enterprise applications > (my app) > Users and Groups, and assign users to Roles that I defined in the application registration.
I would like to get a list of users in a certain Role, at runtime. I have tried the following code in a Razor page:
```csharp
@inject GraphServiceClient GSC
@inject MicrosoftIdentityConsentAndConditionalAccessHandler ConsentHandler

// ...

protected async Task AzTest()
{
    try
    {
        User user = await GSC.Me.Request().GetAsync(); // This one works fine
        var users = await GSC.Users.Request().Expand("appRoleAssignments").GetAsync(); // Error
    }
    catch (Exception ex)
    {
        ConsentHandler.HandleException(ex);
    }
}
```

The second call causes a runtime exception, and the error message indicates that permission User.Read.All is required for that operation. However, my organization does not grant User.Read.All; it only grants User.Read and User.ReadBasic.All.
My questions are:
- Is it possible, under the User.ReadBasic.All limitation, to retrieve a list of user names that have a given App Role?
- If so, how do I code that request in such a way as to avoid triggering a requirement for User.Read.All?