Seeking Clarification on Microsoft Graph Permissions Overlaps and Hierarchical Relationships

Lars Peter Sørensen 0 Reputation points
2024-03-11T13:39:35.53+00:00

Hello Azure Community,

I'm currently diving into the intricacies of Microsoft Graph Permissions and have encountered some overlaps and hierarchical relationships among them. However, I'm struggling to find a comprehensive description or hierarchy tree that outlines which permissions are covered by others and the overall structure.

Could anyone point me in the right direction or provide insights into where I can find detailed information regarding these permission overlaps? I'm particularly interested in understanding how certain permissions may encompass or affect others within the Microsoft Graph ecosystem.

Any documentation, references, or personal experiences you could share would be greatly appreciated!

Thank you in advance for your assistance.

Microsoft Graph

1 answer

  1. Carolyne-3676 211 Reputation points
    2024-04-08T16:12:56.85+00:00

    Hello Lars Peter!

    Ideally, the MS Graph API permissions determine the scope of access that an application or user has over a user’s data. Indeed, by design, some permissions are more privileged than others, and some permissions are subsets of others. Microsoft Graph API permissions are hierarchical, with some permissions being more privileged than others. For example, the Directory.Read.All permission is more privileged than the Directory.Read permission because it grants access to all directories in the organization.

    Given there are a myriad of endpoints exposed, I would advise that you refer to the documentation page that lists all of the permissions, descriptions and the resources they can access. You can find it here: https://docs.microsoft.com/en-us/graph/permissions-reference

    You can also find detailed documentation on Microsoft Graph permission relationships and dependencies, which explains how some permissions are subsets of others and which permissions require admin consent. You can find it here: https://docs.microsoft.com/en-us/graph/permissions-reference#permissions-dependencies-and-delegations

    I hope this helps.

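Added example, not part of the original thread or of Microsoft's documentation: a least-privilege audit that flags granted Graph permissions already covered by a broader grant, and grants that serve no required permission. The `COVERS` edges and the sample grants are constructed assumptions to verify against the permissions reference, and the function names are hypothetical.

```python
# Constructed coverage map (assumption, not an official Microsoft hierarchy):
# broader permission -> permissions whose access it is assumed to include.
# Verify every edge against the permissions reference before relying on it.
COVERS = {
    "Directory.ReadWrite.All": {"Directory.Read.All"},
    "Directory.Read.All": {"User.Read.All", "Group.Read.All"},
    "User.ReadWrite.All": {"User.Read.All"},
    "User.Read.All": {"User.ReadBasic.All"},
    "Group.ReadWrite.All": {"Group.Read.All"},
}


def implied(permission, covers=COVERS):
    """Return every permission transitively covered by `permission`."""
    seen, stack = set(), [permission]
    while stack:
        for child in covers.get(stack.pop(), ()):
            if child not in seen:  # guards against cycles in a hand-made map
                seen.add(child)
                stack.append(child)
    return seen


def redundant_grants(granted, covers=COVERS):
    """Map each granted permission to the broader grants that already cover it."""
    granted = set(granted)
    result = {}
    for narrow in granted:
        broader = sorted(p for p in granted if narrow in implied(p, covers))
        if broader:
            result[narrow] = broader
    return result


def unneeded_grants(granted, required, covers=COVERS):
    """Return grants that are not required and cover no required permission."""
    required = set(required)
    return sorted(
        p for p in set(granted)
        if p not in required and not (implied(p, covers) & required)
    )


if __name__ == "__main__":
    # Constructed sample: permissions granted to one app registration.
    grants = ["Directory.Read.All", "User.Read.All",
              "User.ReadBasic.All", "Group.ReadWrite.All"]
    print(redundant_grants(grants))
    print(unneeded_grants(grants, required=["User.ReadBasic.All"]))
```

A grant reported by `redundant_grants` is a candidate for removal only if the broader grant is itself justified; often the better fix is to drop the broader one.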
