Why is Directory/Group/User.Read.All permission needed for User provisioning?

johan persson 0 Reputation points
2024-01-16T12:11:44.0433333+00:00

Hi! When adding specific users and groups to an app related to user provisioning for an external application, and only those specific users are relevant, why is any XYZ.Read.All permission needed? Only the specifically added users and groups are relevant and not users of the full directory/tenant. Is there any way to avoid adding these permissions? BR /Johan

Microsoft Graph
Microsoft Entra ID

1 answer

  1. Andy David - MVP 152.1K Reputation points MVP
    2024-01-16T12:58:32.41+00:00

    You can't scope those permissions to specific objects, so you have to grant Read.All to view the entire directory.
