Entitlement required: readUserGroups (Read users and groups) or manageUserGroups (Manage users and groups) or manageAllUserGroups (Synchronize users and groups) or manageUserStandardGroups (Manage users and standard groups).
Note: You only need one entitlement, but you can have more than one.
Limitations for tenants that do not support large groups:
When specifying the allNestedUsers membershipType, if the number of nested users exceeds 10,000 then the LargeGroupResponse (HTTP Status Code 207) is returned. If the total number of nested users cannot be determined, the totalMembers value is set to -1. When specifying a membershipType other than allNestedUsers, if the group has more than 10,000 members, then the LargeGroupResponse (HTTP Status Code 207) is returned. When the LargeGroupResponse is returned, the memberAttributes, memberCount, and memberStartIndex parameters are ignored.
Tenants that support large groups can page through all the members of a group for all membershipType queries. Each call to the endpoint returns at most 2,500 members of the group. If more members of the group exist that were not returned, an additional element called "bookmark" is returned in the response payload. To get the next set of members, the caller makes an additional call to the same endpoint, and passes the bookmark value as a query parameter named "nextPage". For example ?nextPage=XASDGAJDGKAWHGI=. The caller continues to make calls to the endpoint until no bookmark element are returned in the response payload, which indicates that all group members were returned. The memberStartIndex and memberCount are supported within the 2,500 members returned.
To check whether the tenant supports large groups, run the GET /v2.0/SCIM/capabilities API.