@Sanjay Nipane, in any case (application/delegated permission), when you give the Directory.Read.All permission, it does require admin consent for it to work. In case you are just trying to list users or list users from groups and want the users to consent while performing this activity, then you would need to provide delegated permissions, and you can refer to the following docs for the permissions:
- For Listing users: https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http#permissions
- For listing Groups: https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http#permissions
- For listing members in a group: https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http#permissions
In all three URLs listed above you would find that the least permission required is User.ReadBasic.All, and for groups it's Group.Read.All. But here also, Group.Read.All needs admin consent and only User.ReadBasic.All would work with user consent.
Hence it all depends on how your app performs the tasks and what type of OAuth flow you have chosen in your code, and based on that you can apply the permissions.
For example: if the application is going to make the Graph calls and fetch the user details, then it has to use the Client Credential Flow and the Application Permissions [most Application Permissions require Admin Consent], and if the user would go ahead and make the Graph API call, then you would need to choose the Authorization Code Grant Flow and use the Delegated permissions.
Hope this helps.
Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
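
An added example, not part of the original answer: a small diagnostic that reads an access token's claims, reports whether it carries delegated or application permissions, and checks them against the permission names mentioned in the answer. It assumes the Microsoft identity platform convention that delegated permissions appear in the `scp` claim and application permissions in the `roles` claim; the function names, operation keys and sample tokens are constructed for illustration.

```python
import base64
import json

# Permission names as given in the answer; confirm against the linked docs.
ACCEPTED = {
    "list_users": {"User.ReadBasic.All", "Directory.Read.All"},
    "list_groups": {"Group.Read.All", "Directory.Read.All"},
    "list_group_members": {"Group.Read.All", "Directory.Read.All"},
}
# Per the answer, the only one of these that works with user consent.
USER_CONSENTABLE = {"User.ReadBasic.All"}


def make_token(claims):
    """Build an unsigned, constructed sample token (test data only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"


def decode_claims(token):
    """Decode the payload segment for diagnostics; this does not validate the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check(token, operation):
    """Report permission type (scp = delegated, roles = application) and fit."""
    claims = decode_claims(token)
    if claims.get("scp"):
        kind, granted = "delegated", set(claims["scp"].split())
    elif claims.get("roles"):
        kind, granted = "application", set(claims["roles"])
    else:
        kind, granted = "none", set()
    matched = granted & ACCEPTED[operation]
    return {
        "permission_type": kind,
        "sufficient": bool(matched),
        "matched": sorted(matched),
        "user_consentable": kind == "delegated" and bool(matched & USER_CONSENTABLE),
    }


# Constructed samples: authorization code flow vs. client credentials flow.
DELEGATED_SAMPLE = make_token({"scp": "User.Read User.ReadBasic.All"})
APP_SAMPLE = make_token({"roles": ["Directory.Read.All"]})

if __name__ == "__main__":
    for tok in (DELEGATED_SAMPLE, APP_SAMPLE):
        for op in ACCEPTED:
            print(op, check(tok, op))
```

Running it against a token from your own app shows at a glance whether the flow you chose produced the permission type you expected before you start debugging 403 responses from Graph.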