I have an Azure app registration [xyz] which has the listed Graph API permissions: group.read.all, user.read and user.read.all. My application uses the above app registration and grant type client credentials with the following details:

  1. clientid [clientid for xyz]
  2. client secret [client secret for xyz]
  3. scope api://graph.microsoft.com/.default

I receive a valid token back, no problems; however, when I make a call to https://graph.microsoft.com/v1.0/groups/ it fails with a 403 error. What am I missing?

Here is the JWT token; I cannot see the scope, i.e. group.read.all, in it:

{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/{GUID}/",
  "iat": 1679391993,
  "nbf": 1679391993,
  "exp": 1679395893,
  "aio": "{AIO}",
  "app_displayname": "{APP_REGISTRATION_NAME}",
  "appid": "{APPID}",
  "appidacr": "1",
  "idp": "https://sts.windows.net/{GUID}/",
  "idtyp": "app",
  "oid": "{OID}",
  "rh": "0.AQMAx8q3U74U1Ea-Q_KtkkTZAQMAAAAAAAAAwAAAAAAAAAADAAA.",
  "sub": "{SUBID}",
  "tenant_region_scope": "NA",
  "tid": "{GUID}",
  "uti": "OU8mJZ7FBEqSBXmpO5l8AA",
  "ver": "1.0",
  "wids": [
    "{WID_ID}"
  ],
  "xms_tcdt": 1348176132
}
Raj

1 Answer

I tried to reproduce the same in my environment and got the same error as below:

[screenshot]

To resolve the error, make sure to grant the Group.Read.All Application permission, like below:

[screenshot]

Now, I generated the access token using the below parameters:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
scope:https://graph.microsoft.com/.default
client_secret:ClientSecret
grant_type:client_credentials

[screenshot]

When I decoded the access token, the Group.Read.All scope was present, like below:

[screenshot]

By using the above generated access token, I am able to fetch the Groups successfully like below:

GET https://graph.microsoft.com/v1.0/groups

[screenshot]

Imran

Cheers Imran, I can see I have Delegated type of permissions however they should be Application. I will update once I have tried this. – Raj Mar 21 '23 at 11:46
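As an added example, not part of the question or of Imran's answer: a Python check that inspects an app-only (client_credentials) token for the Group.Read.All application role before calling /groups, so a missing Application permission is caught locally instead of as a 403 from Graph. The sample tokens and the helper names (_fake_jwt, decode_payload, missing_app_roles, get_app_token) are constructed here for the demonstration.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def _fake_jwt(payload: dict) -> str:
    """Build an unsigned JWT-shaped string; for offline demonstration only."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(payload)}."


# Constructed sample tokens, not real ones: the first mirrors the question's
# payload (app-only, no "roles" claim); the second is what the same request
# returns once Group.Read.All is granted as an Application permission.
TOKEN_NO_ROLES = _fake_jwt({"aud": "https://graph.microsoft.com", "idtyp": "app"})
TOKEN_WITH_ROLES = _fake_jwt({"aud": "https://graph.microsoft.com", "idtyp": "app",
                              "roles": ["Group.Read.All", "User.Read.All"]})


def decode_payload(token: str) -> dict:
    """Decode the JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_app_roles(token: str, required) -> set:
    """Return the required Graph application permissions absent from the token.
    App-only tokens carry application permissions in "roles"; delegated grants
    ("scp") never appear in them, hence the 403 on /groups in the question."""
    claims = decode_payload(token)
    if claims.get("idtyp") != "app":
        raise ValueError("not an app-only token; check the grant type used")
    return set(required) - set(claims.get("roles", []))


def get_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials request using the answer's parameters (needs network)."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "scope": "https://graph.microsoft.com/.default",
                                   "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    for name, tok in [("delegated-only", TOKEN_NO_ROLES), ("app-permission", TOKEN_WITH_ROLES)]:
        missing = missing_app_roles(tok, {"Group.Read.All"})
        print(name, "missing:", sorted(missing) or "none, safe to call /groups")
```

The decode is deliberately signature-free because the goal is diagnosing a token you just received from the token endpoint; Graph itself performs the real validation on every request.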