sharepoint online – How to get the Members of a Security Group via API

A customer of ours has their Sharepoint Online access permissions configured via (non-azure) security groups.

We query the roles attached to an item in Sharepoint via the Sharepoint REST API with the following request:


And the response looks something like this:

    "odata.metadata": "https://<tenant>$metadata#SP.ApiData.RoleAssignments",
    "value": (
            "odata.type": "SP.RoleAssignment",
            "": "https://<tenant>",
            "odata.editLink": "Web/RoleAssignments/GetByPrincipalId(3)",
            "Member@odata.navigationLinkUrl": "Web/RoleAssignments/GetByPrincipalId(3)/Member",
            "Member": {
                "odata.type": "SP.Group",
                "": "https://<tenant>",
                "odata.editLink": "Web/RoleAssignments/GetByPrincipalId(3)/Member",
                "Users@odata.navigationLinkUrl": "Web/RoleAssignments/GetByPrincipalId(3)/Member/Users",
                "Users": (
                        "odata.type": "SP.User",
                        "": "",
                        "odata.editLink": "Web/GetUserById(8)",
                        "Id": 8,
                        "IsHiddenInUI": true,
                        "LoginName": "c:0o.c|federateddirectoryclaimprovider|<some hexadecimal ID>_o",
                        "Title": "Besitzer von TestSite",
                        "PrincipalType": 4,
                        "Email": "",
                        "Expiration": "",
                        "IsEmailAuthenticationGuestUser": false,
                        "IsShareByEmailGuestUser": false,
                        "IsSiteAdmin": true,
                        "UserId": null,
                        "UserPrincipalName": null
                "Id": 3,
                "IsHiddenInUI": false,
                "LoginName": "TestSite Owners",
                "Title": "TestSite Owners",
                "PrincipalType": 8,
                "AllowMembersEditMembership": false,
                "AllowRequestToJoinLeave": false,
                "AutoAcceptRequestToJoinLeave": false,
                "Description": null,
                "OnlyAllowMembersViewMembership": false,
                "OwnerTitle": "TestSite Owners",
                "RequestToJoinLeaveEmailSetting": ""
            "PrincipalId": 3

Now, according to the microsoft documentation, PrincipalType 4 means that the “user” really is a “SecurityGroup”.
In our test system, the security group has an Azure ID which makes it relatively easy to get information on via the Graph API. But in our customer’s system the ID is some 16 digit hexadecimal string in a format that I can’t find anywhere else.

How can I find the members of this “SecurityGroup” via any API?