|
1 | 1 | --- |
2 | | -title: Can't look up users using Microsoft Graph /users endpoint |
| 2 | +title: Can't Look Up Users Using Microsoft Graph /Users Endpoint |
3 | 3 | description: Provides a solution to an issue where a user can't look up other users using the Microsoft Graph /users endpoint when a tenant policy configuration restricts access. |
4 | | -ms.date: 04/23/2025 |
| 4 | +ms.date: 04/30/2025 |
5 | 5 | ms.service: entra-id |
6 | 6 | ms.custom: sap:Getting access denied errors (Authorization) |
7 | 7 | ms.reviewer: daga, v-weizhu |
8 | 8 | --- |
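Review bot: The new title on line 2 title-cases the endpoint path as `/Users`, while the H1 and the body of this same file write it as `/users`. Keep the path segment lowercase in the title so the metadata matches the literal endpoint a reader will type. The title also still frames the problem differently from the H1 ("Can't look up users" versus "401 HTTP response"), which is worth aligning while this line is being touched.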
9 | | -# 401 HTTP response when looking up users using Microsoft Graph /users endpoint |
| 9 | +# 401 HTTP response when looking up users using the Microsoft Graph /users endpoint |
10 | 10 |
|
11 | | -You can use the Microsoft Graph endpoint to interact programmatically with your tenant data. A common scenario is a Microsoft Graph `/users` endpoint to look up users in the tenant. In this scenario, if you use delegated permissions in your access token, the `User.Read.All` permission is necessary. There are ways to prevent you from looking up other users, for example, using an [authorizationPolicy](/graph/api/resources/authorizationpolicy) that can control Microsoft Entra authorization settings, unless you are a tenant administrator. |
| 11 | +You can use the Microsoft Graph endpoint to interact programmatically with your tenant data. A common scenario is to use a Microsoft Graph `/users` endpoint to look up users in the tenant. In this case, if you use delegated permissions in your access token, the `User.Read.All` permission is necessary. There are ways to prevent you from looking up other users, such as using an [authorizationPolicy](/graph/api/resources/authorizationpolicy) object that can control Microsoft Entra authorization settings, unless you're a tenant administrator. |
12 | 12 |
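Review bot: In the rewritten intro on line 11, the trailing clause "unless you're a tenant administrator" now reads as if it qualifies "control Microsoft Entra authorization settings" rather than "prevent you from looking up other users". Move the clause next to what it limits, for example by opening the sentence with "Unless you're a tenant administrator, there are ways to prevent you from looking up other users, such as ...".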
|
13 | | -This article provides a solution to an issue where you can't look up other users using the Microsoft Graph `users` endpoint after a tenant policy configuration restricts access to other users. |
| 13 | +This article provides a solution to an issue where you can't look up other users using the Microsoft Graph `/users` endpoint after a tenant policy configuration restricts access to other users. |
14 | 14 |
|
15 | 15 | ## Symptoms |
16 | 16 |
|
17 | | -After you enable an authorizationPolicy in your tenant to prevent the user lookup action, if a new application performs this action, it gets a 401 HTTP response. This issue occurs even though proper permissions are consented to on the app registration and the access token has the proper permission. |
| 17 | +After you enable an `authorizationPolicy` object in your tenant to prevent the user lookup action, a new application receives a 401 HTTP response when it performs this action. This issue occurs even though the proper permissions are consented to during app registration and the access token has the proper permissions. |
18 | 18 |
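Review bot: On line 17, "consented to during app registration" changes the meaning of the removed wording "consented to on the app registration": the old text says where the consent is recorded, the new text says when it was granted. The symptom does not depend on when consent happened, so keep "on the app registration". The switch from "proper permission" to "proper permissions" for the access token is fine, but the intro names a single permission (`User.Read.All`), so consider naming it here as well.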
|
19 | 19 | ## Cause |
20 | 20 |
|
21 | | -The `allowedToReadOtherUser` property on the authorizationPolicy is set to `false`. This setting causes the default user role can't read other users. You can check its value via a `GET` request: |
| 21 | +The `allowedToReadOtherUser` property in the `authorizationPolicy` is set to `false`. This setting prevents the default user role from reading other users. You can check its value via a `GET` request: |
22 | 22 |
|
23 | 23 | `GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy` |
24 | 24 |
|
|