SharePoint Online REST API - Read Group Members

Question

I am developing a system that allows me to keep a track of SharePoint group membership and I am using the SharePoint REST API to do this.

Using this link (https://medium.com/@anoopt/accessing-sharepoint-data-using-postman-sharepoint-rest-api-76b70630bcbf) I created an App Registration / Client / Secret credentials and also did the bit where you assign permissions.

For testing, as per the link above, I am using POSTMAN. I can generate an OAuth token but when I try to request the group member list (https://MyDomain.sharepoint.com/sites/apps/myApp/_api/web/SiteGroups/GetByName('MyGroup')/Users) it gives me a "Not Authorised" error.

If I paste the URL directly into Chrome, it works fine (probably because its using my logon credentials) so I know the URL is good.

Conversely, if I use the same POSTMAN approach to get List Items (https://MyDomain.sharepoint.com/sites/apps/myApp/_api/web/lists/getbytitle('my list')/items?$select=Title) everything works fine and dandy... both in POSTMAN and CHROME.

So, the question is, what and how do I give the app registration the correct permissions to be able to read group memberships .. I suspect it is something to do with the below..

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl"/>
</AppPermissionRequests>

Edit: We are using O365/Azure AD for general user authentication, but we are using custom sharepoint permission groups for site security

Answer 1

Well it seems like the

<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl"/>
</AppPermissionRequests>

was the issue... changed the scope to http://sharepoint/content/sitecollection

Whether this is an appropriate solution or not, i don't know, but it worked.