
Default App permissions?

Edward Zheng 61 Reputation points
Dec 19, 2022, 3:13 AM

I created an app in the Azure portal, and it only requires one permission: Presence.ReadWrite.All. But in my PoC, the app displayed two permissions, 'Presence.ReadWrite.All' and 'Sign in and read user profile'.

Was this 'Sign in and read user profile' permission added by Microsoft? And why?

Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.

3 answers

  1. HarmeetSingh7172 4,816 Reputation points
    Dec 19, 2022, 4:28 AM

    Hello @Edward Zheng

    Thanks for reaching out!

    Microsoft Graph exposes granular permissions that allow an app to request only the permissions it requires to function. Granular permissions allow you to apply the principle of least privilege when assigning and granting permissions to an app, by granting the app the minimum permission it needs for the operation.

    'Sign in and read user profile' - The app requires the User.Read permission (the least privileged permission) to access the signed-in user's information.

    Note: As a best practice, request the least privileged permissions that your app needs in order to access data and function correctly. Requesting permissions with more than the necessary privileges is poor security practice, which may cause users to refrain from consenting and affect your app's usage.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.


  2. CarlZhao-MSFT 43,486 Reputation points
    Dec 20, 2022, 8:35 AM

    Hi @Edward Zheng

    User.Read is a built-in delegated permission that is added by default when you create an application, to grant access to the properties and relationships of user objects. Of course, you can also remove it, after which the logged-in user will not have full access to their personal information by calling the Graph API, but only the basic profile.

    [attachment: 272451-image.png]


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
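The permission an app registration asks for is recorded in its manifest under `requiredResourceAccess`, which is where the default User.Read entry that the answer above describes ends up. The following is an added example, not code from this thread or from Microsoft: it loads a constructed manifest fragment, reports which Microsoft Graph permissions are requested, flags anything outside an allowlist (the least-privilege check the first answer recommends), and removes the User.Read entry. The Microsoft Graph resource appId and the User.Read permission id are the real well-known values; the Presence.ReadWrite.All id and the appId are placeholders made up for the example.

```python
"""Inspect and trim the Graph permissions an Azure AD app registration requests.

Operates offline on the manifest's `requiredResourceAccess` array (the same
structure shown in the portal's Manifest blade). Added example, not from the thread.
"""
from copy import deepcopy

# Well-known identifiers (real values).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph resource
USER_READ_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"   # User.Read, delegated ("Scope")

# Placeholder id for Presence.ReadWrite.All, CONSTRUCTED for this example only;
# take the real one from your own manifest or the Graph service principal.
PRESENCE_RW_ALL_ID = "11111111-1111-1111-1111-111111111111"

# Constructed manifest fragment resembling what the portal writes for a new app:
# User.Read sits next to the single permission the app actually needs.
SAMPLE_MANIFEST = {
    "appId": "22222222-2222-2222-2222-222222222222",  # constructed
    "requiredResourceAccess": [
        {
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [
                {"id": PRESENCE_RW_ALL_ID, "type": "Scope"},
                {"id": USER_READ_ID, "type": "Scope"},
            ],
        }
    ],
}

# Names for reporting; in practice build this map from the Graph service
# principal's oauth2PermissionScopes (delegated) and appRoles (application).
KNOWN_NAMES = {USER_READ_ID: "User.Read", PRESENCE_RW_ALL_ID: "Presence.ReadWrite.All"}


def requested_permissions(manifest, resource_app_id=GRAPH_APP_ID):
    """Return [(permission_id, type)] the app requests from one resource API."""
    out = []
    for entry in manifest.get("requiredResourceAccess", []):
        if entry.get("resourceAppId") == resource_app_id:
            out.extend((a["id"], a["type"]) for a in entry.get("resourceAccess", []))
    return out


def excess_permissions(manifest, allowed_ids, resource_app_id=GRAPH_APP_ID):
    """Least-privilege check: requested permission ids not on the allowlist."""
    return [pid for pid, _ in requested_permissions(manifest, resource_app_id)
            if pid not in allowed_ids]


def remove_permission(manifest, permission_id, resource_app_id=GRAPH_APP_ID):
    """Return a copy of the manifest without the given permission. A resource
    entry left with no permissions is dropped entirely, since an empty
    resourceAccess list is not accepted by the manifest schema."""
    new = deepcopy(manifest)
    kept = []
    for entry in new.get("requiredResourceAccess", []):
        if entry.get("resourceAppId") == resource_app_id:
            entry["resourceAccess"] = [a for a in entry.get("resourceAccess", [])
                                       if a["id"] != permission_id]
            if not entry["resourceAccess"]:
                continue
        kept.append(entry)
    new["requiredResourceAccess"] = kept
    return new


if __name__ == "__main__":
    allowed = {PRESENCE_RW_ALL_ID}
    for pid, kind in requested_permissions(SAMPLE_MANIFEST):
        print(f"requested: {KNOWN_NAMES.get(pid, pid)} ({kind})")
    for pid in excess_permissions(SAMPLE_MANIFEST, allowed):
        print(f"not on allowlist: {KNOWN_NAMES.get(pid, pid)}")
    trimmed = remove_permission(SAMPLE_MANIFEST, USER_READ_ID)
    print("after removal:", [KNOWN_NAMES.get(p, p) for p, _ in requested_permissions(trimmed)])
```

The trimmed manifest can be uploaded through the portal's Manifest blade; with the Azure CLI the same removal is `az ad app permission delete --id <appId> --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d` (a CLI invocation added here, not mentioned in the thread). Note that the consent screen reflects the scopes named in the authorization request's `scope` parameter as well as the manifest, so a PoC that still asks for `User.Read` at sign-in will keep showing that entry regardless of what the manifest says.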


  3. Edward Zheng 61 Reputation points
    Dec 28, 2022, 7:47 AM

    Sorry for the late response, let me add more.

    Here is the OAuth page: [attachment: 274505-image.png]

    But in our app settings page, we don't have a place to remove the permission 'Sign in and read user profile': [attachment: 274513-image.png]

