Thank you for the detailed explanation; that makes perfect sense.
Since I don’t currently have an admin account (and therefore can’t create an App Registration or grant Directory.Read.All consent), I understand that the client secret flow won’t work in my case.
I’ll try switching to the delegated flow with an interactive browser login using my normal user account, so the app can act under my own permissions.
Just to confirm: with that approach, I’ll only be able to read the groups and users that my account has access to, right?
Once we get an admin account later, I can switch back to the app-only (client credentials) approach with full directory scope.
Thanks again for pointing out /groups?$expand=transitiveMembers; that’s very helpful.
Also, just to know, is there any other workaround to read the groups from Azure Directory/Entra using C#?
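An added example of the delegated (interactive browser) approach in C#, not code from this thread: it signs in the current user with Azure.Identity's InteractiveBrowserCredential, hands that credential to the Microsoft Graph SDK, and pages through the groups and transitive members the signed-in user is allowed to read. The tenant ID and client ID placeholders, an existing public-client app registration with http://localhost as a redirect URI, the Microsoft.Graph (v5) and Azure.Identity NuGet packages, and consent already being in place for the GroupMember.Read.All delegated scope are all assumptions of the example.

```csharp
// Added example (not from the thread): delegated login to Microsoft Graph from C#,
// reading groups and their transitive members under the signed-in user's permissions.
// Assumptions: Microsoft.Graph v5 + Azure.Identity packages; a public-client app
// registration whose ClientId goes below, with http://localhost as redirect URI;
// consent for the requested delegated scopes already granted for this user.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;

public static class DelegatedGroupReader
{
    public static async Task<Dictionary<string, List<string>>> ReadGroupsAsync(
        string tenantId, string clientId)
    {
        // Delegated scopes: the token carries only what this user (and consent) allows.
        // GroupMember.Read.All is assumed to be consented; without it the /groups
        // call below fails with 403 rather than silently returning fewer groups.
        string[] scopes = { "User.Read", "GroupMember.Read.All" };

        var credential = new InteractiveBrowserCredential(new InteractiveBrowserCredentialOptions
        {
            TenantId = tenantId,
            ClientId = clientId,
            RedirectUri = new Uri("http://localhost"),
        });

        var graph = new GraphServiceClient(credential, scopes);
        var result = new Dictionary<string, List<string>>();

        // Page through /groups. $expand=transitiveMembers (as mentioned in the thread)
        // returns at most 20 nested objects per group, so the per-group transitiveMembers
        // endpoint with its own paging is used here instead.
        var groupsPage = await graph.Groups.GetAsync(rc =>
        {
            rc.QueryParameters.Select = new[] { "id", "displayName" };
            rc.QueryParameters.Top = 999;
        });

        var groups = new List<(string Id, string Name)>();
        var groupIterator = PageIterator<Group, GroupCollectionResponse>.CreatePageIterator(
            graph, groupsPage, g =>
            {
                groups.Add((g.Id!, g.DisplayName ?? g.Id!));
                return true; // keep iterating over all pages
            });
        await groupIterator.IterateAsync();

        foreach (var (id, name) in groups)
        {
            var members = new List<string>();
            var membersPage = await graph.Groups[id].TransitiveMembers.GetAsync(rc =>
            {
                rc.QueryParameters.Top = 999;
            });
            var memberIterator = PageIterator<DirectoryObject, DirectoryObjectCollectionResponse>
                .CreatePageIterator(graph, membersPage, m =>
                {
                    // Transitive members can be users, nested groups, devices or service
                    // principals; the SDK deserializes each into its derived type.
                    string label = m switch
                    {
                        User u => $"user:{u.UserPrincipalName}",
                        Group g => $"group:{g.DisplayName}",
                        _ => $"{m.OdataType}:{m.Id}",
                    };
                    members.Add(label);
                    return true;
                });
            await memberIterator.IterateAsync();
            result[name] = members;
        }
        return result;
    }

    public static async Task Main()
    {
        // Placeholders: replace with the real tenant and (assumed) app registration IDs.
        var groups = await ReadGroupsAsync("<tenant-id>", "<client-id>");
        foreach (var (name, members) in groups)
            Console.WriteLine($"{name}: {members.Count} transitive member(s)");
    }
}
```

The credential opens the system browser for the user sign-in, so the resulting token is scoped to that user; a 403 on the /groups call is the signal that the delegated scope has not been consented, and switching to the app-only (client credentials) flow later only requires replacing the credential object and scopes, since GraphServiceClient takes any Azure.Identity TokenCredential.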