Debug: Graph API throws HTTP 403 with $filter for some users


Recently, I worked with an ISV developer who reported that, for some users, Graph API calls that use $filter throw HTTP 403 – Forbidden. The same call with $filter works fine for most users. We investigated and found that it happens for some users (not for all users, but for Guest users).

We noticed that their application only had delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. When you use only User.ReadBasic.All, your app doesn't have permission to read the userType property, which also means it doesn't have permission to filter on that property. So you'll find that any user in the tenant has the same experience, including a member or a global administrator, not just your guest user. We asked the user to try User.Read.All in their app, and we then noticed that the filter worked as expected for the user in the guest role, which helped us move forward.
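
An added debugging sketch, not code from the original post: it decodes the `scp` claim of a delegated access token and reports which `$filter` properties the granted scopes cannot read, which is the condition behind the 403 described above. The basic-profile property set, the helper names and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json
import re

# Assumption (not from the page): properties treated as the "basic profile"
# that User.ReadBasic.All can read. The page states only that userType is not
# readable, and therefore not filterable, with this scope.
BASIC_PROFILE = {"id", "displayName", "givenName", "surname", "mail",
                 "userPrincipalName", "photo"}
# The scope the page switched to; other broader scopes are not modelled.
FULL_READ_SCOPES = {"User.Read.All"}

def delegated_scopes(access_token):
    """Scopes in the token's 'scp' claim. Debug aid only: no signature check."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split())

def filter_properties(filter_expr):
    """Property names used in a simple OData $filter (comparisons, string functions)."""
    props = set(re.findall(r"\b([A-Za-z_]\w*)\s+(?:eq|ne|gt|ge|lt|le|in)\b", filter_expr))
    props |= set(re.findall(r"\b(?:startswith|endswith|contains)\(\s*([A-Za-z_]\w*)",
                            filter_expr))
    return props

def blocked_filter_properties(access_token, filter_expr):
    """Filter properties the token's scopes cannot read; non-empty predicts a 403."""
    scopes = delegated_scopes(access_token)
    if scopes & FULL_READ_SCOPES:
        return set()
    props = filter_properties(filter_expr)
    return props - BASIC_PROFILE if "User.ReadBasic.All" in scopes else props

def constructed_token(scp):
    """Build an unsigned sample token (constructed, not a real Graph token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"scp": scp}), "constructed"])

BASIC_TOKEN = constructed_token("User.ReadBasic.All")
FULL_TOKEN = constructed_token("User.ReadBasic.All User.Read.All")

if __name__ == "__main__":
    for name, tok in (("basic", BASIC_TOKEN), ("full", FULL_TOKEN)):
        blocked = blocked_filter_properties(tok, "userType eq 'Guest'")
        print(name, sorted(delegated_scopes(tok)), "blocked:", sorted(blocked))
```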

Please note that if the above doesn't help (as your scenario may vary), then I suggest you have a look at the related Stack Overflow thread.

Hope this helps.
