Grant Entra ID permissions to service principal

Jiang Yitao 50 Reputation points
2024-05-31T13:28:35.0866667+00:00

Hi team, I'm confused with role assignment for service principal.

It seems there are two ways to grant a permission to a service principal (for example, permission to read the directory). One way is to assign an Entra role with directory read permission (such as Directory Readers) to the service principal. Another way is to add an app role such as Directory.Read.All. Are they just two alternative ways? Do they have the same effect?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Andy David - MVP 160.2K Reputation points MVP Volunteer Moderator
    2024-05-31T19:19:24.8233333+00:00

    As far as I know, there is not much difference, and you would only need to grant the SP the Directory Readers role when the app you are using doesn't support the Graph permissions. See:

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#directory-readers


  2. Babafemi Bulugbe 4,025 Reputation points MVP
    2024-05-31T14:57:30.58+00:00

    Hello Mobu,

    Thank you for posting your query in the Microsoft Q&A Community.

    I understand you would like to know the difference between a Directory Reader role and a Directory.Read.All permission.

    Please be informed that the Directory.Read.All permission allows your app to read all the groups, apps, and some policies in your tenant. When this permission is granted, it provides broad access to various resources within the directory.

    However, the Directory Reader role provides fewer permissions compared to the Directory.Read.All. If assigned to a service principal or users, they are only able to access basic directory information.

    Follow this link to get more information about this.

    Let me know if you need more information.

    Babafemi

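As an added example (not from either answer above), the following Microsoft Graph PowerShell snippet lists both kinds of grant for one service principal, so an administrator can see whether directory read comes from an Entra directory role, from a Graph application permission, or from both. It assumes the Microsoft.Graph module and a session with the scopes shown; the display name is a placeholder.

```powershell
# Added example: audit both ways a service principal can obtain directory read.
# Assumes the Microsoft.Graph PowerShell module is installed.
Connect-MgGraph -Scopes "Application.Read.All", "RoleManagement.Read.Directory"

$spDisplayName = "my-automation-app"   # placeholder: the service principal to inspect
$sp = Get-MgServicePrincipal -Filter "displayName eq '$spDisplayName'"

# Way 1: Entra directory role assignments (e.g. Directory Readers) held by the SP
$roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'"
foreach ($ra in $roleAssignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $ra.RoleDefinitionId
    "Directory role: $($def.DisplayName)"
}

# Way 2: Microsoft Graph application permissions (app roles), e.g. Directory.Read.All.
# 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appRoleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id }
foreach ($ara in $appRoleAssignments) {
    # Resolve the assigned role id to its permission name via Graph's published app roles
    $role = $graphSp.AppRoles | Where-Object { $_.Id -eq $ara.AppRoleId }
    "Graph app role: $($role.Value)"
}
```

Both lists should be reviewed together, since an application that holds Directory.Read.All does not need the Directory Readers role as well, and keeping both widens the review surface for no benefit.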