Commit 85e6fa0

1 parent 7febb0b commit 85e6fa0

2 files changed

Lines changed: 6 additions & 4 deletions

support/entra/entra-id/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -289,6 +289,8 @@
289289
href: users-groups-entra-apis/cannot-modify-user-mail-phone-attributes.md
290290
- name: Error "The identity of the calling application could not be established"
291291
href: users-groups-entra-apis/identity-of-calling-application-not-established.md
292+
- name: Can't look up users using the /users endpoint
293+
href: users-groups-entra-apis/add-owner-for-application-microsoft-graph.md
292294
- name: Add an owner to an application
293295
href: users-groups-entra-apis/add-owner-for-application-microsoft-graph.md
294296
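Review bot: The href on added line 293 points at users-groups-entra-apis/add-owner-for-application-microsoft-graph.md, the same target as the existing "Add an owner to an application" entry directly below it, so the new "Can't look up users using the /users endpoint" item would open the wrong article. The other file touched in this commit is users-groups-entra-apis/users-look-up-other-users-using-microsoft-graph-users-endpoint.md, which looks like the intended target; please confirm and update the href. The entry name also differs from that article's H1 ("401 HTTP response when looking up users using Microsoft Graph /users endpoint"), which is worth aligning if the TOC is meant to mirror titles.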

support/entra/entra-id/users-groups-entra-apis/users-look-up-other-users-using-microsoft-graph-users-endpoint.md

Lines changed: 4 additions & 4 deletions
@@ -8,17 +8,17 @@ ms.reviewer: daga, v-weizhu
88
---
99
# 401 HTTP response when looking up users using Microsoft Graph /users endpoint
1010

11-
You can use the Microsoft Graph endpoint to interact programmatically with your tenant data. A common scenario is a Microsoft Graph `/users` endpoint to look up users in the tenant. In this scenario, if you use delegated permissions in your access token, the `User.Read.All` permission is necessary. However, there are ways to prevent you from looking up other users, for example, using an [authorization policy](https://learn.microsoft.com/en-us/graph/api/resources/authorizationpolicy) that can control Microsoft Entra authorization settings.
11+
You can use the Microsoft Graph endpoint to interact programmatically with your tenant data. A common scenario is a Microsoft Graph `/users` endpoint to look up users in the tenant. In this scenario, if you use delegated permissions in your access token, the `User.Read.All` permission is necessary. There are ways to prevent you from looking up other users, for example, using an [authorizationPolicy](https://learn.microsoft.com/en-us/graph/api/resources/authorizationpolicy) that can control Microsoft Entra authorization settings, unless you are a tenant administrator.
1212

13-
This article provides a solution to an issue where you can't look up other users using the Microsoft Graph `users` endpoint when a tenant policy configuration restricts access.
13+
This article provides a solution to an issue where you can't look up other users using the Microsoft Graph `users` endpoint after a tenant policy configuration restricts access to other users.
1414

1515
## Symptoms
1616

17-
After you enable an authorization policy in your tenant to prevent the user lookup action, if a new application performs this action, it gets a 401 HTTP response. This issue occurs even though proper permissions are consented to on the app registration and the access token has the proper permission. It doesn't occur with tenant administrators.
17+
After you enable an authorizationPolicy in your tenant to prevent the user lookup action, if a new application performs this action, it gets a 401 HTTP response. This issue occurs even though proper permissions are consented to on the app registration and the access token has the proper permission.
1818

1919
## Cause
2020

21-
The `allowedToReadOtherUser` property on the [authorization policy](/graph/api/resources/authorizationpolicy) is set to `false`, which restricts access. You can check its value via a `GET` request:
21+
The `allowedToReadOtherUser` property on the authorizationPolicy is set to `false`. This setting causes the default user role can't read other users. You can check its value via a `GET` request:
2222

2323
`GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy`
2424
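Review bot: On added line 21, "This setting causes the default user role can't read other users" is ungrammatical, and the sentence no longer links the authorizationPolicy resource that the removed line linked; suggest "With this setting, users in the default user role can't read other users" and keeping the /graph/api/resources/authorizationpolicy link. On added line 11, the trailing "unless you are a tenant administrator" sits far from the clause it qualifies ("prevent you from looking up other users"), and added line 17 drops "It doesn't occur with tenant administrators", so the administrator exception now appears only in that ambiguous position; consider moving it next to the restriction or restoring the sentence in Symptoms. The link on line 11 also uses an absolute learn.microsoft.com/en-us URL, where the removed Cause link used the site-relative /graph/api/... form.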
