You should only add the permissions you want the API access token to have. A user can easily get the token and make their own API calls with it. Graph User.Read is pretty safe, as the user can only get their own profile.
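A defender-side check for the point made above (whatever scopes the token carries, the user who holds it can use them), as an added example that is not from the thread: decode the token's claims and flag anything beyond the least-privilege set you intended. The sample token, the `EXPECTED_SCOPES` allow-list and the helper names are constructed assumptions, and the code inspects claims only; it does not validate the signature.

```python
"""Inspect which permissions an Entra ID (Azure AD) access token actually carries.
Added example, not from the original thread. The token below is CONSTRUCTED
(fake signature) only to exercise the parsing; a real token must be
signature-validated by the API before any claim is trusted. Delegated scopes
live in the 'scp' claim (space-separated), application permissions in 'roles'.
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    # Inverse helper, used only to build the constructed sample token.
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def token_claims(jwt: str) -> dict:
    """Payload claims of a compact JWT. No signature check: inspection only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(jwt: str) -> set:
    """Union of delegated scopes ('scp') and app roles ('roles') the token grants."""
    claims = token_claims(jwt)
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def excess_permissions(jwt: str, allowed: set) -> set:
    """Permissions the token carries beyond the least-privilege set you intended."""
    return granted_permissions(jwt) - allowed


# Constructed sample: a Graph token granted more than User.Read (fake signature).
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "none", "typ": "JWT"}),
    _b64url_encode({"aud": "https://graph.microsoft.com",
                    "scp": "User.Read Mail.ReadWrite Files.ReadWrite.All"}),
    "fake-signature",
])
EXPECTED_SCOPES = {"User.Read"}  # the only permission this app should need

if __name__ == "__main__":
    print("granted:", sorted(granted_permissions(SAMPLE_TOKEN)))
    print("excess :", sorted(excess_permissions(SAMPLE_TOKEN, EXPECTED_SCOPES)))
```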
In a Web API app registration, should I add the Web API "app service" scope in "API permissions"?
Ernesto
The Web API app registration has a configured scope in the "Expose an API" section.
Should I also add the Web API scope in "API permissions"? What Microsoft Graph permissions should I add?