diff --git a/.drone.env b/.drone.env
index a350fb74ab0..751093365f1 100644
--- a/.drone.env
+++ b/.drone.env
@@ -1,5 +1,5 @@
 # The test runner source for API tests
-CORE_COMMITID=7296d4f3544a0de278d8d2eee7388b6c44160724
+CORE_COMMITID=ff3c509f6956ed6d1b51dab63176b122c2027cb0
 CORE_BRANCH=master
 
 # The test runner source for UI tests
diff --git a/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md b/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md
index 52e5357111e..87fe5d7cc83 100644
--- a/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md
+++ b/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md
@@ -44,3 +44,6 @@ The expected failures in this file are from features in the owncloud/ocis repo.
 - [apiSpacesShares/moveSpaces.feature:306](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/moveSpaces.feature#L306)
 - [apiSpacesShares/copySpaces.feature:710](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/copySpaces.feature#L710)
 - [apiSpacesShares/copySpaces.feature:748](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/copySpaces.feature#L748)
+
+### [Creating group with empty name returns status code 200](https://github.com/owncloud/ocis/issues/5050)
+- [apiGraph/createGroup.feature:40](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/createGroup.feature#L40)
diff --git a/tests/acceptance/features/apiGraph/createGroup.feature b/tests/acceptance/features/apiGraph/createGroup.feature
index afc1306a452..78f0e6968fc 100644
--- a/tests/acceptance/features/apiGraph/createGroup.feature
+++ b/tests/acceptance/features/apiGraph/createGroup.feature
@@ -34,4 +34,9 @@ Feature: create group
     Given user "Brian" has been created with default attributes and without skeleton files
     When user "Brian" tries to create a group "mygroup" using the Graph API
     And the HTTP status code should be "401"
-    And group "mygroup" should not exist
\ No newline at end of file
+    And group "mygroup" should not exist
+
+
+  Scenario: admin user tries to create a group that is the empty string
+    When user "Alice" tries to create a group "" using the Graph API
+    Then the HTTP status code should be "400"
\ No newline at end of file
diff --git a/tests/acceptance/features/apiGraph/getGroup.feature b/tests/acceptance/features/apiGraph/getGroup.feature
new file mode 100644
index 00000000000..d4fc69ac727
--- /dev/null
+++ b/tests/acceptance/features/apiGraph/getGroup.feature
@@ -0,0 +1,54 @@
+@api @skipOnOcV10
+Feature: get groups and their members
+  As an admin
+  I want to be able to get groups
+  So that I can see all the groups and their members
+
+  Background:
+    Given user "Alice" has been created with default attributes and without skeleton files
+    And the administrator has given "Alice" the role "Admin" using the settings api
+
+
+  Scenario: admin user lists all the groups
+    Given group "tea-lover" has been created
+    And group "coffee-lover" has been created
+    And group "h2o-lover" has been created
+    When user "Alice" gets all the groups using the Graph API
+    Then the HTTP status code should be "200"
+    And the extra groups returned by the API should be
+      | tea-lover    |
+      | coffee-lover |
+      | h2o-lover    |
+
+
+  Scenario: normal user cannot get the groups list
+    Given user "Brian" has been created with default attributes and without skeleton files
+    And group "tea-lover" has been created
+    And group "coffee-lover" has been created
+    And group "h2o-lover" has been created
+    When user "Brian" gets all the groups using the Graph API
+    Then the HTTP status code should be "401"
+    And the last response should be an unauthorized response
+
+
+  Scenario: admin user gets users of a group
+    Given these users have been created with default attributes and without skeleton files:
+      | username |
+      | Brian    |
+      | Carol    |
+    And group "tea-lover" has been created
+    And user "Brian" has been added to group "tea-lover"
+    And user "Carol" has been added to group "tea-lover"
+    When user "Alice" gets all the members of group "tea-lover" using the Graph API
+    Then the HTTP status code should be "200"
+    And the users returned by the API should be
+      | Brian |
+      | Carol |
+
+
+  Scenario: normal user tries to get users of a group
+    Given user "Brian" has been created with default attributes and without skeleton files
+    And group "tea-lover" has been created
+    When user "Brian" gets all the members of group "tea-lover" using the Graph API
+    Then the HTTP status code should be "401"
+    And the last response should be an unauthorized response
diff --git a/tests/acceptance/features/bootstrap/GraphContext.php b/tests/acceptance/features/bootstrap/GraphContext.php
index 59a48c56667..35d6a0e199b 100644
--- a/tests/acceptance/features/bootstrap/GraphContext.php
+++ b/tests/acceptance/features/bootstrap/GraphContext.php
@@ -318,19 +318,85 @@ public function adminChangesPasswordOfUserToUsingTheGraphApi(
 	}
 
 	/**
-	 * returns list of all groups
 	 *
-	 * @return array
+	 * @param array $groups
+	 *
+	 * @return void
+	 * @throws Exception
+	 */
+	public function theseGroupsShouldBeInTheResponse(array $groups): void {
+		$respondedGroups = $this->getArrayOfGroupsResponded($this->featureContext->getResponse());
+		foreach ($groups as $group) {
+			$found = false;
+			foreach ($respondedGroups as $respondedGroup) {
+				if ($respondedGroup["displayName"] === $group) {
+					$found = true;
+					break;
+				}
+			}
+			Assert::assertTrue($found, "Group '$group' not found in the list");
+		}
+	}
+
+	/**
+	 *
+	 * @param array $users
+	 *
+	 * @return void
 	 * @throws Exception
+	 */
+	public function theseUsersShouldBeInTheResponse(array $users): void {
+		$respondedUsers = $this->getArrayOfUsersResponded($this->featureContext->getResponse());
+		foreach ($users as $user) {
+			$found = false;
+			foreach ($respondedUsers as $respondedUser) {
+				if ($respondedUser["onPremisesSamAccountName"] === $user) {
+					$found = true;
+					break;
+				}
+			}
+			Assert::assertTrue($found, "User '$user' not found in the list");
+		}
+	}
+
+	/**
+	 *
+	 * @param string|null $user
+	 *
+	 * @return array
+	 */
+	public function getAdminOrUserCredentials(?string $user): array {
+		$credentials["username"] = $user ? $this->featureContext->getActualUsername($user) : $this->featureContext->getAdminUsername();
+		$credentials["password"] = $user ? $this->featureContext->getPasswordForUser($user) : $this->featureContext->getAdminPassword();
+		return $credentials;
+	}
+	/**
+	 *
+	 * @param string|null $user
+	 *
+	 * @return ResponseInterface
 	 * @throws GuzzleException
 	 */
-	public function adminHasRetrievedGroupListUsingTheGraphApi(): array {
-		$response =  GraphHelper::getGroups(
+	public function listGroups(?string $user = null): ResponseInterface {
+		$credentials = $this->getAdminOrUserCredentials($user);
+
+		return GraphHelper::getGroups(
 			$this->featureContext->getBaseUrl(),
 			$this->featureContext->getStepLineRef(),
-			$this->featureContext->getAdminUsername(),
-			$this->featureContext->getAdminPassword()
+			$credentials["username"],
+			$credentials["password"]
 		);
+	}
+
+	/**
+	 * returns list of groups
+	 *
+	 * @param ResponseInterface $response
+	 *
+	 * @return array
+	 * @throws Exception
+	 */
+	public function getArrayOfGroupsResponded(ResponseInterface $response): array {
 		if ($response->getStatusCode() === 200) {
 			$jsonResponseBody = $this->featureContext->getJsonDecodedResponse($response);
 			return $jsonResponseBody["value"];
@@ -340,29 +406,64 @@ public function adminHasRetrievedGroupListUsingTheGraphApi(): array {
 	}
 
 	/**
-	 * returns a list of members in group
-	 *
-	 * @param string $group
 	 *
 	 * @return array
 	 * @throws Exception
 	 * @throws GuzzleException
 	 */
-	public function theAdminHasRetrievedMembersListOfGroupUsingTheGraphApi(string $group): array {
-		$response = GraphHelper::getMembersList(
+	public function adminHasRetrievedGroupListUsingTheGraphApi(): array {
+		return  $this->getArrayOfGroupsResponded($this->listGroups());
+	}
+
+	/**
+	 *
+	 * @param string $group
+	 * @param string|null $user
+	 *
+	 * @return ResponseInterface
+	 * @throws GuzzleException
+	 */
+	public function listGroupMembers(string $group, ?string $user = null): ResponseInterface {
+		$credentials = $this->getAdminOrUserCredentials($user);
+
+		return GraphHelper::getMembersList(
 			$this->featureContext->getBaseUrl(),
 			$this->featureContext->getStepLineRef(),
-			$this->featureContext->getAdminUsername(),
-			$this->featureContext->getAdminPassword(),
+			$credentials["username"],
+			$credentials["password"],
 			$this->featureContext->getAttributeOfCreatedGroup($group, 'id')
 		);
+	}
+
+	/**
+	 * returns list of users of a group
+	 *
+	 * @param ResponseInterface $response
+	 *
+	 * @return array
+	 * @throws Exception
+	 */
+	public function getArrayOfUsersResponded(ResponseInterface $response): array {
 		if ($response->getStatusCode() === 200) {
 			return $this->featureContext->getJsonDecodedResponse($response);
 		} else {
-			$this->throwHttpException($response, "Could not retrieve members list for group $group.");
+			$this->throwHttpException($response, "Could not retrieve group members list.");
 		}
 	}
 
+	/**
+	 * returns a list of members in group
+	 *
+	 * @param string $group
+	 *
+	 * @return array
+	 * @throws Exception
+	 * @throws GuzzleException
+	 */
+	public function theAdminHasRetrievedMembersListOfGroupUsingTheGraphApi(string $group): array {
+		return $this->getArrayOfUsersResponded($this->listGroupMembers($group));
+	}
+
 	/**
 	 * creates a user with provided data
 	 * actor: the administrator
@@ -476,18 +577,13 @@ public function adminHasAddedUserToGroupUsingTheGraphApi(
 	 * @throws GuzzleException
 	 */
 	public function createGroup(string $group, ?string $user = null): ResponseInterface {
-		if ($user) {
-			$username = $user;
-			$password = $this->featureContext->getPasswordForUser($user);
-		} else {
-			$username = $this->featureContext->getAdminUsername();
-			$password = $this->featureContext->getAdminPassword();
-		}
+		$credentials = $this->getAdminOrUserCredentials($user);
+
 		return GraphHelper::createGroup(
 			$this->featureContext->getBaseUrl(),
 			$this->featureContext->getStepLineRef(),
-			$username,
-			$password,
+			$credentials["username"],
+			$credentials["password"],
 			$group,
 		);
 	}
@@ -615,4 +711,44 @@ public function userChangesOwnPassword(string $user, string $currentPassword, st
 		);
 		$this->featureContext->setResponse($response);
 	}
+
+	/**
+	 * @When user :user gets all the groups using the Graph API
+	 *
+	 * @param string $user
+	 *
+	 * @return void
+	 */
+	public function userGetsAllTheGroupsUsingTheGraphApi(string $user): void {
+		$this->featureContext->setResponse($this->listGroups($user));
+	}
+
+	/**
+	 * @When user :user gets all the members of group :group using the Graph API
+	 *
+	 * @param string $user
+	 * @param string $group
+	 *
+	 * @return void
+	 */
+	public function userGetsAllTheMembersOfGroupUsingTheGraphApi($user, $group): void {
+		$this->featureContext->setResponse($this->listGroupMembers($group, $user));
+	}
+
+	/**
+	 * @Then the last response should be an unauthorized response
+	 *
+	 * @return void
+	 */
+	public function theLastResponseShouldBeUnauthorizedReponse(): void {
+		$response = $this->featureContext->getJsonDecodedResponse($this->featureContext->getResponse());
+		$errorText = $response['error']['message'];
+
+		Assert::assertEquals(
+			'Unauthorized',
+			$errorText,
+			__METHOD__
+			. "\nExpected unauthorized message but got '" . $errorText . "'"
+		);
+	}
 }