msgraph-sdk-python icon indicating copy to clipboard operation
msgraph-sdk-python copied to clipboard
verified publisher icon microsoftgraph

Group members request gives an incomplete list

Open howardjones opened this issue 8 months ago • 1 comments

Describe the bug

I am trying to use Ansible to update membership of an Entra group with managed identities in it. It is misbehaving because the list of members it gets back from the GraphServiceClient is incomplete - in my case, only 20 of the 35 members listed in the Azure portal actually show up, even with the msgraph_beta SDK.

Expected behavior

A list of all the users in the Direct Members section of the group in the Azure portal.

How to reproduce

SP is created with:

az identity create -g {{ resource_group }} -n {{ application_name }}-mi -o json

Attached is a minimal(ish) test example to get members from a group and also fetch a single service principal (that should be in the group but isn't) by object_id. The SP does exist, with odata_type='#microsoft.graph.servicePrincipal'


import asyncio
from msgraph_beta.generated.groups.groups_request_builder import GroupsRequestBuilder
from msgraph_beta.generated.models.group import Group
from msgraph_beta.generated.groups.item.transitive_members.transitive_members_request_builder import \
    TransitiveMembersRequestBuilder
from msgraph_beta.generated.groups.item.group_item_request_builder import GroupItemRequestBuilder
from msgraph_beta.generated.models.reference_create import ReferenceCreate
from msgraph_beta.generated.users.item.user_item_request_builder import UserItemRequestBuilder
from msgraph_beta.generated.service_principals.service_principals_request_builder import ServicePrincipalsRequestBuilder

from msgraph_beta import GraphServiceClient
from azure.identity import DefaultAzureCredential




class Blah:
    def __init__(self):
        self.azure_credential_track2 = DefaultAzureCredential()
        self._client = self.get_msgraph_client()
    
    def get_msgraph_client(self):
        return GraphServiceClient(self.azure_credential_track2)
    
    async def get_raw_group_members(self, group_id, filters=None):
        request_configuration = GroupItemRequestBuilder.GroupItemRequestBuilderGetRequestConfiguration(
            query_parameters=GroupItemRequestBuilder.GroupItemRequestBuilderGetQueryParameters(
                # this ensures service principals are returned
                # see https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http
                expand=["members"]
            ),
        )
        if filters:
            request_configuration.query_parameters.filter = filters
        group = await self._client.groups.by_group_id(group_id).get(request_configuration=request_configuration)
        return group.members


    async def get_user(self, user_id):
        req = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetRequestConfiguration(
            query_parameters=ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetRequestConfiguration()
        )
        user = await self._client.service_principals.by_service_principal_id(user_id).get(request_configuration=req)
        return user

    def test(self, group_id):
        ret = asyncio.get_event_loop().run_until_complete(self.get_raw_group_members(group_id))
        current_members = [(object.id, object.display_name, object.odata_type) for object in ret]
                
        return current_members
    
    def test2(self, user_id):
        ret = asyncio.get_event_loop().run_until_complete(self.get_user(user_id=user_id))
        print(ret)
    


def main():
    
    group_id = "XXXXXX-YYYY-4e07-a3ab-6de8cbd4e560"
    user_id = "XXXXXX-YYYY-4b39-9842-0a1e617f6497"
    
    t = Blah()  
    cm = t.test(group_id)    
    print("========================")
    for c in cm:
        print(f"  {c[0]} {c[2]} {c[1]}")
        
    t.test2(user_id)

if __name__ == "__main__":
    main()

SDK Version

No response

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

Click to expand log ``` 
</details>


### Configuration

- Linux (ubuntu 24.04) on x64
- Python 3.12 (same in 3.11)
- msgraph-beta-sdk                        1.33.0
- msgraph-core                            1.3.3
- msgraph-sdk                             1.6.0


### Other information

_No response_

howardjones avatar May 15 '25 18:05 howardjones

Apart from a current bug in the beta SDK, using the List Group Members API in the beta API instead does work and provide all the expected members, but is not supported for production use. It has been this way for FOUR YEARS as far as I can tell - is there any plan to have a supported way to get a list of group members? This seems like basic functionality for an Directory service.

howardjones avatar May 19 '25 12:05 howardjones