Application Policy.Read.All Permission to Retrieve Service Principal Custom Claims Policy

Ruslan Guk (rguk) 20 Reputation points
2025-01-27T20:22:11.92+00:00

Hi,

According to the documentation https://learn.microsoft.com/en-us/graph/api/customclaimspolicy-get?view=graph-rest-beta&tabs=http

Policy.Read.ApplicationConfiguration or Policy.ReadWrite.ApplicationConfiguration is required to retrieve the service principal custom claims policy using the following method:

GET /servicePrincipals/{servicePrincipalId}/claimsPolicy

Our tests show that Policy.Read.All also works. Is this by design, and does this indicate a bug in the documentation?

Could you confirm the following officially?

The higher privileged permissions (Policy.Read.All or Policy.ReadWrite.ApplicationConfiguration) are required to successfully perform the GET operation using the application permission type.

Thanks

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

Accepted answer
    Raja Pothuraju 23,800 Reputation points Microsoft External Staff Moderator
    2025-01-28T01:58:53.4133333+00:00

    Hello @Ruslan Guk (rguk),

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you are testing the GET /servicePrincipals/{servicePrincipalId}/claimsPolicy request and have noticed that the response can be retrieved using the Policy.Read.All permission, rather than the Policy.Read.ApplicationConfiguration or Policy.ReadWrite.ApplicationConfiguration permissions mentioned in the documentation.

    This behavior is expected and by design. The Policy.Read.All scope provides read access to all policies in Entra ID. For instance, with this scope, you can call the following policies:

    • GET /identity/conditionalAccess/policies
    • GET /policies/authenticationMethodsPolicy
    • GET /identityGovernance/accessReviews/policy
    • GET /policies/appManagementPolicies
    • GET /policies/authenticationStrengthPolicies
    • GET /policies/claimsMappingPolicies
    • GET /policies/mobileDeviceManagementPolicies, and more.

    In contrast, the Policy.Read.ApplicationConfiguration scope is limited to application configuration-related requests, such as:

    • GET /policies/appManagementPolicies
    • GET /policies/claimsMappingPolicies/{id}
    • GET /policies/homeRealmDiscoveryPolicies
    • GET /policies/tokenLifetimePolicies

    As for why the documentation does not mention Policy.Read.All, it is because the focus is on the specific request being discussed, and the least privileged and most relevant permissions for application configuration are highlighted.

    The Policy.Read.All scope provides broader access to all policies within Entra ID, while the Policy.Read.ApplicationConfiguration scope is intentionally limited to a specific subset of application configuration-related requests.

    For more details on the supported requests for each permission, please refer to the following resources:

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

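As an added example (not code from the question, the answer, or Microsoft): a small Python check that decodes the `roles` claim of an app-only Graph access token your own application already holds and reports whether the grant covers `GET /servicePrincipals/{id}/claimsPolicy` and whether it is the least-privileged one the documentation names. The sample token is constructed here and unsigned; the permission names are the three discussed above.

```python
import base64
import json

# Permissions that the documentation and the accepted answer say can read
# GET /servicePrincipals/{servicePrincipalId}/claimsPolicy.
CLAIMS_POLICY_READ_PERMISSIONS = {
    "Policy.Read.ApplicationConfiguration",       # least privileged (documented)
    "Policy.ReadWrite.ApplicationConfiguration",  # documented, also grants write
    "Policy.Read.All",                            # broader: reads every Entra ID policy
}
LEAST_PRIVILEGED = "Policy.Read.ApplicationConfiguration"


def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a JWT without verifying the signature.
    Fine for inspecting a token your app obtained; never for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def app_roles(token: str) -> set:
    """Application permissions granted to an app-only token (the 'roles' claim)."""
    return set(decode_jwt_payload(token).get("roles", []))


def evaluate_claims_policy_access(roles: set) -> dict:
    """Can this grant read the claims policy, and is it least-privileged?"""
    granting = roles & CLAIMS_POLICY_READ_PERMISSIONS
    return {
        "allowed": bool(granting),
        "granting": sorted(granting),
        "least_privileged": LEAST_PRIVILEGED in roles,
        # Broader grants that are unnecessary if only this call is needed.
        "excess": sorted(granting - {LEAST_PRIVILEGED}),
    }


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_token(roles: list) -> str:
    """Constructed sample token (alg=none, empty signature) for offline testing."""
    header = _b64url({"alg": "none", "typ": "JWT"})
    payload = _b64url({"aud": "https://graph.microsoft.com", "roles": roles})
    return f"{header}.{payload}."


if __name__ == "__main__":
    for granted in (["Policy.Read.All"], ["Policy.Read.ApplicationConfiguration"]):
        print(granted, evaluate_claims_policy_access(app_roles(make_unsigned_token(granted))))
```

Running it shows a Policy.Read.All grant as allowed but listed under "excess", which is the case the question describes.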
