Microsoft Graph Permission user.read.all and user.readbasic.all

dodoc 21 Reputation points
2021-02-23T18:11:42.183+00:00

It's pretty straightforward as to what's included with user.readbasic.all, but if granted user.read.all, what's included in the "full profile" so I can assess the risk of granting this permission? Does it really grant access to everything listed here, including password and password policies?

https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#json-representation

https://learn.microsoft.com/en-us/graph/permissions-reference

User.ReadBasic.All Read all users' basic profiles Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.

User.Read.All Read all users' full profiles Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.

The User.ReadBasic.All permission constrains app access to a limited set of properties known as the basic profile. This is because the full profile might contain sensitive directory information. The basic profile includes only the following properties:

displayName
givenName
mail
photo
surname
userPrincipalName


1 answer

  1. Dan Kershaw 416 Reputation points Microsoft Employee
    2021-03-31T13:32:30.743+00:00

    Yes - full profile means all the properties on the user object, including password profile and password policies. NOTE: for password profile, the API never returns the user's password. That property is write-only.

    Hope this helps,
    Dan

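As an added example (not from the thread and not Microsoft's code), a small Python helper that checks the properties an app plans to `$select` against the basic-profile list quoted in the question, so the least-privileged of the two permissions can be requested and the sensitive properties named in the answer are flagged before consent. The function names (`required_permission`, `assess`, `users_url`) are my own.

```python
"""Least-privilege check for Microsoft Graph user-profile permissions.

The basic-profile property set is the one quoted from the permissions
reference above; everything else on the user object is treated as needing
User.Read.All, following the answer ("full profile means all the properties").
"""
from urllib.parse import urlencode

# Properties readable with User.ReadBasic.All (from the permissions reference).
BASIC_PROFILE = frozenset({
    "displayName", "givenName", "mail", "photo", "surname", "userPrincipalName",
})

# Properties the thread singles out as sensitive directory data. passwordProfile
# is write-only (Graph never returns the password), but selecting it still
# requires User.Read.All, so its presence in a $select is worth surfacing.
SENSITIVE = frozenset({"passwordProfile", "passwordPolicies"})


def required_permission(properties):
    """Return the least delegated permission that covers every requested property."""
    requested = set(properties)
    if requested <= BASIC_PROFILE:
        return "User.ReadBasic.All"
    return "User.Read.All"


def assess(properties):
    """Summarise what granting access to these properties implies."""
    requested = set(properties)
    return {
        "permission": required_permission(requested),
        "beyond_basic": sorted(requested - BASIC_PROFILE),
        "sensitive": sorted(requested & SENSITIVE),
    }


def users_url(properties):
    """Build the /users request so the app asks only for the properties it needs."""
    select = ",".join(sorted(set(properties)))
    query = urlencode({"$select": select}, safe="$,")
    return f"https://graph.microsoft.com/v1.0/users?{query}"


if __name__ == "__main__":
    # Constructed sample property sets: one fits the basic profile, one does not.
    for wanted in (["displayName", "mail"],
                   ["displayName", "department", "passwordPolicies"]):
        print(wanted, "->", assess(wanted))
        print("  ", users_url(wanted))
```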