How is the scope of the permission defined? GroupMember.ReadWrite.All

Ingling, Allen 0 Reputation points


The application permission is defined as:

Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted.

How do I determine/define what groups the App has access to? It's not clear to me.

Thank you!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,135 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Andy David - MVP 143.8K Reputation points MVP

    If you are leveraging application permission, then it will have access to all the groups in the tenant.

    1 person found this answer helpful.
    0 comments No comments

  2. Akshay-MSFT 17,006 Reputation points Microsoft Employee

    @Ingling, Allen

    Thak you for posting your query on Microsoft Q&A. From above description I could understand that you have assigned GroupMember.ReadWrite.All permissions to an application and are now looking for a way to list the groups through the application.

    Please do correct me if this is not the ask by responding in the comments section.

    You need to run the following graph query.


    To call Microsoft Graph, an app must obtain an access token from the Microsoft identity platform. This access token includes information about whether the app is authorized to access Microsoft Graph on behalf of a signed-in user or with its own identity. This article provides guidance on how an app can access Microsoft Graph with its own identity, also called app-only accesss.

    Kindly follow Authentication and authorization steps to achieve this:For an app to get authorization and access to Microsoft Graph using the client credentials flow, you must follow these five steps:

    • Register the app with Microsoft Entra ID.
    • Configure Microsoft Graph application permissions on the app.
    • Request administrator consent.
    • Request an access token.
    • Call Microsoft Graph using the access token.
    • Apps that call Microsoft Graph under their own identity fall into one of two categories:
    1. Background services (daemons) that run on a server without a signed-in user.
    2. Apps that have a signed-in user but also call Microsoft Graph with their own identity. For example, to use functionality that requires more elevated privileges than the user has.


    • I'm looking to confirm if by granting this permission, the application now has access to all groups in the tenant, which appears it does.

    Yes, the app now has access to all the groups, and you could list the groups with application by following the actions in the answer above.

    • Is there a way to limit the groups it has access to?

    No, graph permissions are tenant wide permissions hence there is no way to restrict them to specific group. However, you could submit a feature request idea which will be monitored by Microsoft service engineering and would be acted based upon the business impact justification and demand

    Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well. Do let me know if you need further help.


    Akshay Kaushik