Find out which permissions an application requires

Question

I have gone through this document and understand that you can grant user consent on behalf of any user in my tenant.

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-consent-single-user?pivots=msgraph-powershell

In our environment, users cannot grant user consent themselves, they will have to request approval from an admin. If I know beforehand that the user wants to use a third-party app, I could go ahead and set up the user consent beforehand.

There is one application just today that was requested by one of my users. I approved via admin consent in the Azure portal and it added the permissions "profile", "offline_access", "email" and "openid". However, few minutes later another approval request showed up which asked for "User.Read".

Is there any way of knowing which permissions an application will request once it is added as an enterprise application in our tenant? As it is not a registered app there is no manifest which I can check. Or is it all in the code and there is no way of knowing unless you contact the vendor?

Answer 1

Hi @David Trevor

To determine which permissions an application will request, it depends on the functionality required by the application. The necessary permissions are determined by development team of the application. The type of content or data the application needs to be access within M365 will also impact the required permissions.
Currently, to know which permission will be needed, it all depends on the respective application team who will be developing that application to know which permission they required to implement that functionality.
To get details about Microsoft Graph permissions reference, you can refer to this documentation.

Hope this helps.

If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.