{"id":3741,"date":"2019-11-25T15:05:02","date_gmt":"2019-11-25T22:05:02","guid":{"rendered":"https:\/\/developer.microsoft.com\/en-us\/office\/blogs\/?p=3741"},"modified":"2019-11-25T15:05:02","modified_gmt":"2019-11-25T22:05:02","slug":"upcoming-api-changes-to-return-limited-information-for-inaccessible-member-resources","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/upcoming-api-changes-to-return-limited-information-for-inaccessible-member-resources\/","title":{"rendered":"Upcoming API changes to return limited information for inaccessible member resources"},"content":{"rendered":"<p>Hi folks,<\/p>\n<p>Starting soon, when your application does not have access to some of the types in a response\u2019s collection, a limited amount of information will be returned. When an application does not have access to a type of resource, we will no longer return a 403 when instances of that resource are members of groups, roles, etc. Instead, we will now return the data type and ID, and all other properties will have a null value. Applications will not be able to use the ID to get the actual resource unless they have the necessary permission to read that resource\u2019s type.<\/p>\n<p>Before (and until this change goes into effect), if your app didn&#8217;t have access to read a type of resource, any instance of that resource in a returned collection would cause the whole call to fail with a 403 error. For example, if an application had User.Read.All and Group.Read.All permissions for Microsoft Graph and a group had been created which contains a user, a group, and a device, the entire call would fail with a 403\/Forbidden because the application did not have access to the device resource.<\/p>\n<p>Below is an example of the new response pattern when an application has permission to read groups and users, but not devices. 
Notice the returned device item.<\/p>\n<p>Call:<\/p>\n<pre class=\"wp-block-code\"><code>GET https:\/\/graph.microsoft.com\/v1.0\/groups\/{id}\/members?$select=id,displayName,description,createdDateTime,deletedDateTime,homepage,loginUrl<\/code><\/pre>\n<p>Response:<\/p>\n<pre class=\"wp-block-code\"><code>{\n    \"@odata.context\":\"https:\/\/graph.microsoft.com\/v1.0\/$metadata#directoryObjects(id,displayName,description,createdDateTime,deletedDateTime,homepage,loginUrl)\",\n    \"value\":[\n        {\n            \"@odata.type\":\"#microsoft.graph.user\",\n            \"id\":\"69d035a3-29c9-469f-809d-d21a4ae69e65\",\n            \"displayName\":\"Jane Dane\",\n            \"createdDateTime\":\"2019-09-18T09:06:51Z\",\n            \"deletedDateTime\":null\n        },\n        {\n            \"@odata.type\":\"#microsoft.graph.group\",\n            \"id\":\"c43a7cc9-2d95-44b6-bf6a-6392e41949b4\",\n            \"displayName\":\"Group 1\",\n            \"description\":null,\n            \"createdDateTime\":\"2019-10-24T01:34:35Z\",\n            \"deletedDateTime\":null\n        },\n        {\n            \"@odata.type\":\"#microsoft.graph.device\",\n            \"id\": \"d282309e-f91d-43b6-badb-9e68aa4b4fc8\",\n            \"accountEnabled\":null,\n            \"deviceId\":null,\n            \"displayName\":null,\n            \"operatingSystem\":null,\n            \"operatingSystemVersion\":null\n        }\n    ]\n}<\/code><\/pre>\n<p>We&#8217;re making this change to allow your app to request only the least privileged permissions it needs while still getting a predictable response. 
We\u2019d love to <a href=\"https:\/\/microsoftgraph.uservoice.com\/\">hear from you<\/a>, so please let us know what you think.<\/p>\n<p>\u2013 The Microsoft Identity Access Control Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi folks, Starting soon, when your application does not have access to some of the types in a response\u2019s collection, a limited amount of information will be returned. When an application does not have access to a type of resource, we will no longer return a 403 when instances of that resource are members of [&hellip;]<\/p>\n","protected":false},"author":69077,"featured_media":25159,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3741","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-graph"],"acf":[],"blog_post_summary":"<p>Hi folks, Starting soon, when your application does not have access to some of the types in a response\u2019s collection, a limited amount of information will be returned. 
When an application does not have access to a type of resource, we will no longer return a 403 when instances of that resource are members of [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/3741","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/69077"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=3741"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/3741\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/25159"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=3741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=3741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=3741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}