Microsoft Graph permissions reference

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists the delegated and application permissions exposed by Microsoft Graph. For guidance about how to use the permissions, see the Overview of Microsoft Graph permissions.

To read information about all Microsoft Graph permissions programmatically, sign in to an API client such as Graph Explorer using an account that has at least the Application.Read.All permission and run the following request.

GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='00000003-0000-0000-c000-000000000000')?$select=id,appId,displayName,appRoles,oauth2PermissionScopes,resourceSpecificApplicationPermissions

Note

As a best practice, request the least privileged permissions that your app needs in order to access data and function correctly. Requesting permissions with more than the necessary privileges is poor security practice, which may cause users to refrain from consenting and affect your app's usage.

All permissions

AccessReview.Read.All

Category Application Delegated
Identifier d07a8cc0-3d51-4b77-b3b0-32704d1f69fa ebfcd32b-babb-40f4-a14b-42706e83bd28
DisplayText Read all access reviews Read all access reviews that user can access
Description Allows the app to read access reviews, reviewers, decisions and settings in the organization, without a signed-in user. Allows the app to read access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization.
AdminConsentRequired Yes Yes

AccessReview.ReadWrite.All

Category Application Delegated
Identifier ef5f7d5c-338f-44b0-86c3-351f46c8bb5f e4aa47b9-9a69-4109-82ed-36ec70d85ff1
DisplayText Manage all access reviews Manage all access reviews that user can access
Description Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user. Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization.
AdminConsentRequired Yes Yes

AccessReview.ReadWrite.Membership

Category Application Delegated
Identifier 18228521-a591-40f1-b215-5fad4488c117 5af8c3f5-baca-439a-97b0-ea58a435e269
DisplayText Manage access reviews for group and app memberships Manage access reviews for group and app memberships
Description Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization for group and app memberships, without a signed-in user. Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings for group and app memberships that the signed-in user has access to in the organization.
AdminConsentRequired Yes Yes

Acronym.Read.All

Category Application Delegated
Identifier 8c0aed2c-0c61-433d-b63c-6370ddc73248 9084c10f-a2d6-4713-8732-348def50fe02
DisplayText Read all acronyms Read all acronyms that the user can access
Description Allows an app to read all acronyms without a signed-in user. Allows an app to read all acronyms that the signed-in user can access.
AdminConsentRequired Yes No

AdministrativeUnit.Read.All

Category Application Delegated
Identifier 134fd756-38ce-4afd-ba33-e9623dbe66c2 3361d15d-be43-4de6-b441-3c746d05163d
DisplayText Read all administrative units Read administrative units
Description Allows the app to read administrative units and administrative unit membership without a signed-in user. Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user.
AdminConsentRequired Yes Yes

AdministrativeUnit.ReadWrite.All

Category Application Delegated
Identifier 5eb59dd3-1da2-4329-8733-9dabdc435916 7b8a2d34-6b3f-4542-a343-54651608ad81
DisplayText Read and write all administrative units Read and write administrative units
Description Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user. Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Agreement.Read.All

Category Application Delegated
Identifier 2f3e6f8c-093b-4c57-a58b-ba5ce494a169 af2819c9-df71-4dd3-ade7-4d7c9dc653b7
DisplayText Read all terms of use agreements Read all terms of use agreements
Description Allows the app to read terms of use agreements, without a signed in user. Allows the app to read terms of use agreements on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Agreement.ReadWrite.All

Category Application Delegated
Identifier c9090d00-6101-42f0-a729-c41074260d47 ef4b5d93-3104-4664-9053-a5c49ab44218
DisplayText Read and write all terms of use agreements Read and write all terms of use agreements
Description Allows the app to read and write terms of use agreements, without a signed in user. Allows the app to read and write terms of use agreements on behalf of the signed-in user.
AdminConsentRequired Yes Yes

AgreementAcceptance.Read

Category Application Delegated
Identifier - 0b7643bb-5336-476f-80b5-18fbfbc91806
DisplayText - Read user terms of use acceptance statuses
Description - Allows the app to read terms of use acceptance statuses on behalf of the signed-in user.
AdminConsentRequired - Yes

AgreementAcceptance.Read.All

Category Application Delegated
Identifier d8e4ec18-f6c0-4620-8122-c8b1f2bf400e a66a5341-e66e-4897-9d52-c2df58c2bfb9
DisplayText Read all terms of use acceptance statuses Read terms of use acceptance statuses that user can access
Description Allows the app to read terms of use acceptance statuses, without a signed in user. Allows the app to read terms of use acceptance statuses on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Analytics.Read

Category Application Delegated
Identifier - e03cf23f-8056-446a-8994-7d93dfc8b50e
DisplayText - Read user activity statistics
Description - Allows the app to read the signed-in user's activity statistics, such as how much time the user has spent on emails, in meetings, or in chat sessions.
AdminConsentRequired - No

APIConnectors.Read.All

Category Application Delegated
Identifier b86848a7-d5b1-41eb-a9b4-54a4e6306e97 1b6ff35f-31df-4332-8571-d31ea5a4893f
DisplayText Read API connectors for authentication flows Read API connectors for authentication flows
Description Allows the app to read the API connectors used in user authentication flows, without a signed-in user. Allows the app to read the API connectors used in user authentication flows, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

APIConnectors.ReadWrite.All

Category Application Delegated
Identifier 1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171 c67b52c5-7c69-48b6-9d48-7b3af3ded914
DisplayText Read and write API connectors for authentication flows Read and write API connectors for authentication flows
Description Allows the app to read, create and manage the API connectors used in user authentication flows, without a signed-in user. Allows the app to read, create and manage the API connectors used in user authentication flows, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

AppCatalog.Read.All

Category Application Delegated
Identifier e12dae10-5a57-4817-b79d-dfbec5348930 88e58d74-d3df-44f3-ad47-e89edf4472e4
DisplayText Read all app catalogs Read all app catalogs
Description Allows the app to read apps in the app catalogs without a signed-in user. Allows the app to read the apps in the app catalogs.
AdminConsentRequired Yes No

AppCatalog.ReadWrite.All

Category Application Delegated
Identifier dc149144-f292-421e-b185-5953f2e98d7f 1ca167d5-1655-44a1-8adf-1414072e1ef9
DisplayText Read and write to all app catalogs Read and write to all app catalogs
Description Allows the app to create, read, update, and delete apps in the app catalogs without a signed-in user. Allows the app to create, read, update, and delete apps in the app catalogs.
AdminConsentRequired Yes Yes

AppCatalog.Submit

Category Application Delegated
Identifier - 3db89e36-7fa6-4012-b281-85f3d9d9fd2e
DisplayText - Submit application packages to the catalog and cancel pending submissions
Description - Allows the app to submit application packages to the catalog and cancel submissions that are pending review on behalf of the signed-in user.
AdminConsentRequired - No

AppCertTrustConfiguration.Read.All

Category Application Delegated
Identifier - af281d3a-030d-4122-886e-146fb30a0413
DisplayText - Read the trusted certificate authority configuration for applications
Description - Allows the app to read the trusted certificate authority configuration which can be used to restrict application certificates based on their issuing authority, on behalf of the signed-in user.
AdminConsentRequired - Yes

AppCertTrustConfiguration.ReadWrite.All

Category Application Delegated
Identifier - 4bae2ed4-473e-4841-a493-9829cfd51d48
DisplayText - Read and write the trusted certificate authority configuration for applications
Description - Allows the app to create, read, update and delete the trusted certificate authority configuration which can be used to restrict application certificates based on their issuing authority, on behalf of the signed-in user.
AdminConsentRequired - Yes

Application.Read.All

Category Application Delegated
Identifier 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 c79f8feb-a9db-4090-85f9-90d820caa0eb
DisplayText Read all applications Read applications
Description Allows the app to read all applications and service principals without a signed-in user. Allows the app to read applications and service principals on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Application.ReadWrite.All

Category Application Delegated
Identifier 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 bdfbf15f-ee85-4955-8675-146e8e5296b5
DisplayText Read and write all applications Read and write all applications
Description Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. Does not allow management of consent grants.
AdminConsentRequired Yes Yes

Permissions that allow managing credentials, such as Application.ReadWrite.All, allow an application to act as other entities, and use the privileges they were granted. Use caution when granting any of these permissions.


Application.ReadWrite.OwnedBy

Category Application Delegated
Identifier 18a4783c-866b-4cc7-a460-3d5e5662c884 -
DisplayText Manage apps that this app creates or owns -
Description Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user.  It cannot update any apps that it is not an owner of. -
AdminConsentRequired Yes -

The Application.ReadWrite.OwnedBy permission allows the same operations as Application.ReadWrite.All but only on applications and service principals that the calling app is an owner of.

The Application.ReadWrite.OwnedBy permission allows an app to call GET /applications and GET /servicePrincipals endpoints to list all applications and service principals in the tenant. This scope of access has been allowed for the permission.


Application-RemoteDesktopConfig.ReadWrite.All

Category Application Delegated
Identifier 3be0012a-cc4e-426b-895b-f9c836bf6381 ffa91d43-2ad8-45cc-b592-09caddeb24bb
DisplayText Read and write the remote desktop security configuration for all apps Read and write the remote desktop security configuration for apps
Description Allows the app to read and write the remote desktop security configuration for all apps in your organization, without a signed-in user. Allows the app to read and write other apps' remote desktop security configuration, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

AppRoleAssignment.ReadWrite.All

Category Application Delegated
Identifier 06b708a9-e830-4db3-a914-8e69da51d44f 84bccea3-f856-4a8a-967b-dbe0a3d53a64
DisplayText Manage app permission grants and app role assignments Manage app permission grants and app role assignments
Description Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Permissions that allow granting authorization, such as AppRoleAssignment.ReadWrite.All, allow an application to grant additional privileges to itself, other applications, or any user. Use caution when granting any of these permissions.


AttackSimulation.Read.All

Category Application Delegated
Identifier 93283d0a-6322-4fa8-966b-8c121624760d 104a7a4b-ca76-4677-b7e7-2f4bc482f381
DisplayText Read attack simulation data of an organization Read attack simulation data of an organization
Description Allows the app to read attack simulation and training data for an organization without a signed-in user. Allows the app to read attack simulation and training data for an organization for the signed-in user.
AdminConsentRequired Yes Yes

AttackSimulation.ReadWrite.All

Category Application Delegated
Identifier e125258e-8c8a-42a8-8f55-ab502afa52f3 27608d7c-2c66-4cad-a657-951d575f5a60
DisplayText Read, create, and update all attack simulation data of an organization Read, create, and update attack simulation data of an organization
Description Allows the app to read, create, and update attack simulation and training data for an organization without a signed-in user. Allows the app to read, create, and update attack simulation and training data for an organization for the signed-in user.
AdminConsentRequired Yes No

AuditLog.Read.All

Category Application Delegated
Identifier b0afded3-3588-46d8-8b3d-9842eff778da e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20
DisplayText Read all audit log data Read audit log data
Description Allows the app to read and query your audit log activities, without a signed-in user. Allows the app to read and query your audit log activities, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

AuditLogsQuery.Read.All

Category Application Delegated
Identifier 5e1e9171-754d-478c-812c-f1755a9a4c2d 1d9e7ac3-0eca-442c-82f9-e92625af6e6d
DisplayText Read audit logs data from all services Read audit logs data from all services
Description Allows the app to read and query audit logs from all services. Allows the app to read and query audit logs from all services, on behalf of a signed-in user
AdminConsentRequired Yes Yes

AuditLogsQuery-CRM.Read.All

Category Application Delegated
Identifier 20e6f8e4-ffac-4cf7-82f7-70ddb7564318 ba78b16f-1e01-41b6-89ca-73e0a32b304c
DisplayText Read audit logs data from Dynamics CRM workload Read audit logs data from Dynamics CRM workload
Description Allows the app to read and query audit logs from Dynamics CRM workload, without a signed-in user Allows the app to read and query audit logs from Dynamics CRM workload, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

AuditLogsQuery-Endpoint.Read.All

Category Application Delegated
Identifier 0bc85aed-7b0b-437a-bac8-3b29a1b84c99 ee3409fe-617f-43cf-bd1e-fc8b38049e69
DisplayText Read audit logs data from Endpoint Data Loss Prevention workload Read audit logs data from Endpoint Data Loss Prevention workload
Description Allows the app to read and query audit logs from Endpoint Data Loss Prevention workload, without a signed-in user Allows the app to read and query audit logs from Endpoint Data Loss Precention workload, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

AuditLogsQuery-Entra.Read.All

Category Application Delegated
Identifier 7276d950-48fc-4269-8348-f22f2bb296d0 5ff2f415-e0f1-4d11-bfd0-6d87c0f667fd
DisplayText Read audit logs data from Entra (Azure AD) workload Read audit logs data from Entra (Azure AD) workload
Description Allows the app to read and query audit logs from Entra (Azure AD) workload, without a signed-in user Allows the app to read and query audit logs from Entra (Azure AD) workload, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

AuditLogsQuery-Exchange.Read.All

Category Application Delegated
Identifier 6b0d2622-d34e-4470-935b-b96550e5ca8d 6c8c71d2-c7e1-45b0-ac6d-1d2724fba6ae
DisplayText Read audit logs data from Exchange workload Read audit logs data from Exchange workload
Description Allows the app to read and query audit logs from Exchange workload, without a signed-in user Allows the app to read and query audit logs from Exchange workload, on behalf of a signed-in user.
AdminConsentRequired Yes Yes

AuditLogsQuery-OneDrive.Read.All

Category Application Delegated
Identifier 8a169a81-841c-45fd-ad43-96aede8801a0 4a72c235-a50d-4870-b598-fd88fd1fa074
DisplayText Read audit logs data from OneDrive workload Read audit logs data from OneDrive workload
Description Allows the app to read and query audit logs from OneDrive workload, without a signed-in user Allows the app to read and query audit logs from OneDrive workload, on behalf of a signed-in user.
AdminConsentRequired Yes Yes

AuditLogsQuery-SharePoint.Read.All

Category Application Delegated
Identifier 91c64a47-a524-4fce-9bf3-3d569a344ecf 30630b65-ed12-4a81-9130-e3a964109fae
DisplayText Read audit logs data from SharePoint workload Read audit logs data from SharePoint workload
Description Allows the app to read and query audit logs from SharePoint workload, without a signed-in user Allows the app to read and query audit logs from SharePoint workload, on behalf of a signed-in user.
AdminConsentRequired Yes Yes

AuthenticationContext.Read.All

Category Application Delegated
Identifier 381f742f-e1f8-4309-b4ab-e3d91ae4c5c1 57b030f1-8c35-469c-b0d9-e4a077debe70
DisplayText Read all authentication context information Read all authentication context information
Description Allows the app to read the authentication context information in your organization without a signed-in user. Allows the app to read all authentication context information in your organization on behalf of the signed-in user.
AdminConsentRequired Yes Yes

AuthenticationContext.ReadWrite.All

Category Application Delegated
Identifier a88eef72-fed0-4bf7-a2a9-f19df33f8b83 ba6d575a-1344-4516-b777-1404f5593057
DisplayText Read and write all authentication context information Read and write all authentication context information
Description Allows the app to read and update the authentication context information in your organization without a signed-in user. Allows the app to read and update all authentication context information in your organization on behalf of the signed-in user.
AdminConsentRequired Yes Yes

BillingConfiguration.ReadWrite.All

Category Application Delegated
Identifier 9e8be751-7eee-4c09-bcfd-d64f6b087fd8 2bf6d319-dfca-4c22-9879-f88dcfaee6be
DisplayText Read and write application billing configuration Read and write application billing configuration
Description Allows the app to read and write the billing configuration on all applications without a signed-in user. Allows the app to read and write the billing configuration on all applications on behalf of the signed-in user.
AdminConsentRequired Yes Yes

BitlockerKey.Read.All

Category Application Delegated
Identifier - b27a61ec-b99c-4d6a-b126-c4375d08ae30
DisplayText - Read BitLocker keys
Description - Allows the app to read BitLocker keys on behalf of the signed-in user, for their owned devices. Allows read of the recovery key.
AdminConsentRequired - Yes

BitlockerKey.ReadBasic.All

Category Application Delegated
Identifier - 5a107bfc-4f00-4e1a-b67e-66451267bc68
DisplayText - Read BitLocker keys basic information
Description - Allows the app to read basic BitLocker key properties on behalf of the signed-in user, for their owned devices. Does not allow read of the recovery key itself.
AdminConsentRequired - Yes

Bookings.Manage.All

Category Application Delegated
Identifier - 7f36b48e-542f-4d3b-9bcb-8406f0ab9fdb
DisplayText - Manage bookings information
Description - Allows an app to read, write and manage bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user.
AdminConsentRequired - No

Bookings.Read.All

Category Application Delegated
Identifier 6e98f277-b046-4193-a4f2-6bf6a78cd491 33b1df99-4b29-4548-9339-7a7b83eaeebc
DisplayText Read all Bookings related resources. Read bookings information
Description Allows an app to read Bookings appointments, businesses, customers, services, and staff without a signed-in user. Allows an app to read bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user.
AdminConsentRequired Yes No

Bookings.ReadWrite.All

Category Application Delegated
Identifier - 948eb538-f19d-4ec5-9ccc-f059e1ea4c72
DisplayText - Read and write bookings information
Description - Allows an app to read and write bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete and publish of booking businesses.
AdminConsentRequired - No

BookingsAppointment.ReadWrite.All

Category Application Delegated
Identifier 9769393e-5a9f-4302-9e3d-7e018ecb64a7 02a5a114-36a6-46ff-a102-954d89d9ab02
DisplayText Read and write all Bookings related resources. Read and write booking appointments
Description Allows an app to read and write Bookings appointments and customers, and additionally allows reading businesses, services, and staff without a signed-in user. Allows an app to read and write bookings appointments and customers, and additionally allows read businesses information, services, and staff on behalf of the signed-in user.
AdminConsentRequired Yes No

Bookmark.Read.All

Category Application Delegated
Identifier be95e614-8ef3-49eb-8464-1c9503433b86 98b17b35-f3b1-4849-a85f-9f13733002f0
DisplayText Read all bookmarks Read all bookmarks that the user can access
Description Allows an app to read all bookmarks without a signed-in user. Allows an app to read all bookmarks that the signed-in user can access.
AdminConsentRequired Yes No

BrowserSiteLists.Read.All

Category Application Delegated
Identifier c5ee1f21-fc7f-4937-9af0-c91648ff9597 fb9be2b7-a7fc-4182-aec1-eda4597c43d5
DisplayText Read all browser site lists for your organization Read browser site lists for your organization
Description Allows an app to read all browser site lists configured for your organization, without a signed-in user. Allows an app to read the browser site lists configured for your organization, on behalf of the signed-in user.
AdminConsentRequired Yes No

BrowserSiteLists.ReadWrite.All

Category Application Delegated
Identifier 8349ca94-3061-44d5-9bfb-33774ea5e4f9 83b34c85-95bf-497b-a04e-b58eca9d49d0
DisplayText Read and write all browser site lists for your organization Read and write browser site lists for your organization
Description Allows an app to read and write all browser site lists configured for your organization, without a signed-in user. Allows an app to read and write the browser site lists configured for your organization, on behalf of the signed-in user.
AdminConsentRequired Yes No

BusinessScenarioConfig.Read.All

Category Application Delegated
Identifier - d16480b2-e469-4118-846b-d3d177327bee
DisplayText - Read business scenario configurations
Description - Allows the app to read the configurations of your organization's business scenarios, on behalf of the signed-in user.
AdminConsentRequired - Yes

BusinessScenarioConfig.Read.OwnedBy

Category Application Delegated
Identifier acc0fc4d-2cd6-4194-8700-1768d8423d86 c47e7b6e-d6f1-4be9-9ffd-1e00f3e32892
DisplayText Read all business scenario configurations this app creates or owns Read business scenario configurations this app creates or owns
Description Allows the app to read the configurations of business scenarios it owns, without a signed-in user. Allows the app to read the configurations of business scenarios it owns, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

BusinessScenarioConfig.ReadWrite.All

Category Application Delegated
Identifier - 755e785b-b658-446f-bb22-5a46abd029ea
DisplayText - Read and write business scenario configurations
Description - Allows the app to read and write the configurations of your organization's business scenarios, on behalf of the signed-in user.
AdminConsentRequired - Yes

BusinessScenarioConfig.ReadWrite.OwnedBy

Category Application Delegated
Identifier bbea195a-4c47-4a4f-bff2-cba399e11698 b3b7fcff-b4d4-4230-bf6f-90bd91285395
DisplayText Read and write all business scenario configurations this app creates or owns Read and write business scenario configurations this app creates or owns
Description Allows the app to create new business scenarios and fully manage the configurations of scenarios it owns, without a signed-in user. Allows the app to create new business scenarios and fully manage the configurations of scenarios it owns, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

BusinessScenarioData.Read.OwnedBy

Category Application Delegated
Identifier 6c0257fd-cffe-415b-8239-2d0d70fdaa9c 25b265c4-5d34-4e44-952d-b567f6d3b96d
DisplayText Read data for all business scenarios this app creates or owns Read all data for business scenarios this app creates or owns
Description Allows the app to read the data associated with the business scenarios it owns, without a signed-in user. Allows the app to read all data associated with the business scenarios it owns. Data access will be attributed to the signed-in user.
AdminConsentRequired Yes Yes

BusinessScenarioData.ReadWrite.OwnedBy

Category Application Delegated
Identifier f2d21f22-5d80-499e-91cc-0a8a4ce16f54 19932d57-2952-4c60-8634-3655c79fc527
DisplayText Read and write data for all business scenarios this app creates or owns Read and write all data for business scenarios this app creates or owns
Description Allows the app to fully manage the data associated with the business scenarios it owns, without a signed-in user. Allows the app to fully manage all data associated with the business scenarios it owns. Data access and changes will be attributed to the signed-in user.
AdminConsentRequired Yes Yes

Calendars.Read

Category Application Delegated
Identifier 798ee544-9d2d-430c-a058-570e29e34338 465a38f9-76ea-45b9-9f34-9e8b0d4b0b42
DisplayText Read calendars in all mailboxes Read user calendars
Description Allows the app to read events of all calendars without a signed-in user. Allows the app to read events in user calendars .
AdminConsentRequired Yes No

Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the Calendars.Read application permission.


Calendars.Read.Shared

Category Application Delegated
Identifier - 2b9c4092-424d-4249-948d-b43879977640
DisplayText - Read user and shared calendars
Description - Allows the app to read events in all calendars that the user can access, including delegate and shared calendars.
AdminConsentRequired - No

Calendars.ReadBasic

Category Application Delegated
Identifier - 662d75ba-a364-42ad-adee-f5f880ea4878
DisplayText - Read basic details of user calendars
Description - Allows the app to read events in user calendars, except for properties such as body, attachments, and extensions.
AdminConsentRequired - No

Calendars.ReadBasic.All

Category Application Delegated
Identifier 8ba4a692-bc31-4128-9094-475872af8a53 -
DisplayText Read basic details of calendars in all mailboxes -
Description Allows the app to read events of all calendars, except for properties such as body, attachments, and extensions, without a signed-in user. -
AdminConsentRequired Yes -

Calendars.ReadWrite

Category Application Delegated
Identifier ef54d2bf-783f-4e0f-bca1-3210c0444d99 1ec239c2-d7c9-4623-a91a-a9775856bb36
DisplayText Read and write calendars in all mailboxes Have full access to user calendars
Description Allows the app to create, read, update, and delete events of all calendars without a signed-in user. Allows the app to create, read, update, and delete events in user calendars.
AdminConsentRequired Yes No

Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the Calendars.ReadWrite application permission.


Calendars.ReadWrite.Shared

Category Application Delegated
Identifier - 12466101-c9b8-439a-8589-dd09ee67e8e9
DisplayText - Read and write user and shared calendars
Description - Allows the app to create, read, update and delete events in all calendars in the organization user has permissions to access. This includes delegate and shared calendars.
AdminConsentRequired - No

CallEvents.Read

Category Application Delegated
Identifier - 43431c03-960e-400f-87c6-8f910321dca3
DisplayText - Read call event data
Description - Allows the app to read call event information for an organization for the signed-in user.
AdminConsentRequired - Yes

CallEvents.Read.All

Category Application Delegated
Identifier 1abb026f-7572-49f6-9ddd-ad61cbba181e -
DisplayText Read all call events -
Description Allows the app to read call event information for all users in your organizatio, without a signed-in user. -
AdminConsentRequired Yes -

CallRecord-PstnCalls.Read.All

Category Application Delegated
Identifier a2611786-80b3-417e-adaa-707d4261a5f0 -
DisplayText Read PSTN and direct routing call log data -
Description Allows the app to read all PSTN and direct routing call log data without a signed-in user. -
AdminConsentRequired Yes -

The CallRecord-PstnCalls.Read.All permission grants an application access to PSTN (calling plans) and direct routing call logs. This includes potentially sensitive information about users as well as calls to and from external phone numbers.

Important

  • Discretion should be used when granting these permissions to applications. Call records can provide insights into the operation of your business, and so can be a target for malicious actors. Only grant these permissions to applications you trust to meet your data protection requirements.
  • Make sure that you are compliant with the laws and regulations in your area regarding data protection and confidentiality of communications. Please see the Terms of Use and consult with your legal counsel for more information.

CallRecords.Read.All

Category Application Delegated
Identifier 45bbb07e-7321-4fd7-a8f6-3ff27e6a81c8 -
DisplayText Read all call records -
Description Allows the app to read call records for all calls and online meetings without a signed-in user. -
AdminConsentRequired Yes -

The CallRecords.Read.All permission grants an application privileged access to callRecords for every call and online meeting within your organization, including calls to and from external phone numbers. This includes potentially sensitive details about who participated in the call, as well as technical information pertaining to these calls and meetings that can be used for network troubleshooting, such as IP addresses, device details, and other network information.

Important

  • Discretion should be used when granting these permissions to applications. Call records can provide insights into the operation of your business, and so can be a target for malicious actors. Only grant these permissions to applications you trust to meet your data protection requirements.
  • Make sure that you are compliant with the laws and regulations in your area regarding data protection and confidentiality of communications. Please see the Terms of Use and consult with your legal counsel for more information.

Calls.AccessMedia.All

Category Application Delegated
Identifier a7a681dc-756e-4909-b988-f160edc6655f -
DisplayText Access media streams in a call as an app -
Description Allows the app to get direct access to media streams in a call, without a signed-in user. -
AdminConsentRequired Yes -

Calls.Initiate.All

Category Application Delegated
Identifier 284383ee-7f6e-4e40-a2a8-e85dcb029101 -
DisplayText Initiate outgoing 1 to 1 calls from the app -
Description Allows the app to place outbound calls to a single user and transfer calls to users in your organization's directory, without a signed-in user. -
AdminConsentRequired Yes -

Calls.InitiateGroupCall.All

Category Application Delegated
Identifier 4c277553-8a09-487b-8023-29ee378d8324 -
DisplayText Initiate outgoing group calls from the app -
Description Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a signed-in user. -
AdminConsentRequired Yes -

Calls.JoinGroupCall.All

Category Application Delegated
Identifier f6b49018-60ab-4f81-83bd-22caeabfed2d -
DisplayText Join group calls and meetings as an app -
Description Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user.  The app will be joined with the privileges of a directory user to meetings in your organization. -
AdminConsentRequired Yes -

Calls.JoinGroupCallAsGuest.All

Category Application Delegated
Identifier fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4 -
DisplayText Join group calls and meetings as a guest -
Description Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user.  The app will be joined as a guest to meetings in your organization. -
AdminConsentRequired Yes -

Channel.Create

Category Application Delegated
Identifier f3a65bd4-b703-46df-8f7e-0174fea562aa 101147cf-4178-4455-9d58-02b5c164e759
DisplayText Create channels Create channels
Description Create channels in any team, without a signed-in user. Create channels in any team, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Channel.Delete.All

Category Application Delegated
Identifier 6a118a39-1227-45d4-af0c-ea7b40d210bc cc83893a-e232-4723-b5af-bd0b01bcfe65
DisplayText Delete channels Delete channels
Description Delete channels in any team, without a signed-in user. Delete channels in any team, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Channel.ReadBasic.All

Category Application Delegated
Identifier 59a6b24b-4225-4393-8165-ebaec5f55d7a 9d8982ae-4365-4f57-95e9-d6032a4c0b87
DisplayText Read the names and descriptions of all channels Read the names and descriptions of channels
Description Read all channel names and channel descriptions, without a signed-in user. Read channel names and channel descriptions, on behalf of the signed-in user.
AdminConsentRequired Yes No

ChannelMember.Read.All

Category Application Delegated
Identifier 3b55498e-47ec-484f-8136-9013221c06a9 2eadaff8-0bce-4198-a6b9-2cfc35a30075
DisplayText Read the members of all channels Read the members of channels
Description Read the members of all channels, without a signed-in user. Read the members of channels, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ChannelMember.ReadWrite.All

Category Application Delegated
Identifier 35930dcf-aceb-4bd1-b99a-8ffed403c974 0c3e411a-ce45-4cd1-8f30-f99a3efa7b11
DisplayText Add and remove members from all channels Add and remove members from channels
Description Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner. Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner.
AdminConsentRequired Yes Yes

ChannelMessage.Edit

Category Application Delegated
Identifier - 2b61aa8a-6d36-4b2f-ac7b-f29867937c53
DisplayText - Edit user's channel messages
Description - Allows an app to edit channel messages in Microsoft Teams, on behalf of the signed-in user.
AdminConsentRequired - No

ChannelMessage.Read.All

Category Application Delegated
Identifier 7b2449af-6ccd-4f4d-9f78-e550c193f0d1 767156cb-16ae-4d10-8f8b-41b657c8c8c8
DisplayText Read all channel messages Read user channel messages
Description Allows the app to read all channel messages in Microsoft Teams Allows an app to read a channel's messages in Microsoft Teams, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ChannelMessage.ReadWrite

Category Application Delegated
Identifier - 5922d31f-46c8-4404-9eaf-2117e390a8a4
DisplayText - Read and write user channel messages
Description - Allows the app to read and write channel messages, on behalf of the signed-in user. This doesn't allow the app to edit the policyViolation of a channel message.
AdminConsentRequired - Yes

ChannelMessage.Send

Category Application Delegated
Identifier - ebf0f66e-9fb1-49e4-a278-222f76911cf4
DisplayText - Send channel messages
Description - Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user.
AdminConsentRequired - No

ChannelMessage.UpdatePolicyViolation.All

Category Application Delegated
Identifier 4d02b0cc-d90b-441f-8d82-4fb55c34d6bb -
DisplayText Flag channel messages for violating policy -
Description Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. -
AdminConsentRequired Yes -

ChannelSettings.Read.All

Category Application Delegated
Identifier c97b873f-f59f-49aa-8a0e-52b32d762124 233e0cf1-dd62-48bc-b65b-b38fe87fcf8e
DisplayText Read the names, descriptions, and settings of all channels Read the names, descriptions, and settings of channels
Description Read all channel names, channel descriptions, and channel settings, without a signed-in user. Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ChannelSettings.ReadWrite.All

Category Application Delegated
Identifier 243cded2-bd16-4fd6-a953-ff8177894c3d d649fb7c-72b4-4eec-b2b4-b15acf79e378
DisplayText Read and write the names, descriptions, and settings of all channels Read and write the names, descriptions, and settings of channels
Description Read and write the names, descriptions, and settings of all channels, without a signed-in user. Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Chat.Create

Category Application Delegated
Identifier d9c48af6-9ad9-47ad-82c3-63757137b9af 38826093-1258-4dea-98f0-00003be2b8d0
DisplayText Create chats Create chats
Description Allows the app to create chats without a signed-in user.  Allows the app to create chats on behalf of the signed-in user.
AdminConsentRequired Yes No

Chat.ManageDeletion.All

Category Application Delegated
Identifier 9c7abde0-eacd-4319-bf9e-35994b1a1717 bb64e6fc-6b6d-4752-aea0-dd922dbba588
DisplayText Delete and recover deleted chats Delete and recover deleted chats
Description Allows the app to delete and recover deleted chats, without a signed-in user. Allows the app to delete and recover deleted chats, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Chat.Read

Category Application Delegated
Identifier - f501c180-9344-439a-bca0-6cbf209fd270
DisplayText - Read user chat messages
Description - Allows an app to read 1 on 1 or group chats threads, on behalf of the signed-in user.
AdminConsentRequired - No

Chat.Read.All

Category Application Delegated
Identifier 6b7d71aa-70aa-4810-a8d9-5d9fb2830017 -
DisplayText Read all chat messages -
Description Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams. -
AdminConsentRequired Yes -

Chat.Read.WhereInstalled

Category Application Delegated
Identifier 1c1b4c8e-3cc7-4c58-8470-9b92c9d5848b -
DisplayText Read all chat messages for chats where the associated Teams application is installed. -
Description Allows the app to read all one-to-one or group chat messages in Microsoft Teams for chats where the associated Teams application is installed, without a signed-in user. -
AdminConsentRequired Yes -

Chat.ReadBasic

Category Application Delegated
Identifier - 9547fcb5-d03f-419d-9948-5928bbf71b0f
DisplayText - Read names and members of user chat threads
Description - Allows an app to read the members and descriptions of one-to-one and group chat threads, on behalf of the signed-in user.
AdminConsentRequired - No

Chat.ReadBasic.All

Category Application Delegated
Identifier b2e060da-3baf-4687-9611-f4ebc0f0cbde -
DisplayText Read names and members of all chat threads -
Description Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user. -
AdminConsentRequired Yes -

Chat.ReadBasic.WhereInstalled

Category Application Delegated
Identifier 818ba5bd-5b3e-4fe0-bbe6-aa4686669073 -
DisplayText Read names and members of all chat threads where the associated Teams application is installed. -
Description Allows the app to read names and members of all one-to-one and group chats in Microsoft Teams where the associated Teams application is installed, without a signed-in user. -
AdminConsentRequired Yes -

Chat.ReadWrite

Category Application Delegated
Identifier - 9ff7295e-131b-4d94-90e1-69fde507ac11
DisplayText - Read and write user chat messages
Description - Allows an app to read and write 1 on 1 or group chats threads, on behalf of the signed-in user.
AdminConsentRequired - No

Chat.ReadWrite.All

Category Application Delegated
Identifier 294ce7c9-31ba-490a-ad7d-97a7d075e4ed 7e9a077b-3711-42b9-b7cb-5fa5f3f7fea7
DisplayText Read and write all chat messages Read and write all chat messages
Description Allows an app to read and write all chat messages in Microsoft Teams, without a signed-in user. Allows an app to read and write all one-to-one and group chats in Microsoft Teams, without a signed-in user. Does not allow sending messages.
AdminConsentRequired Yes Yes

Chat.ReadWrite.WhereInstalled

Category Application Delegated
Identifier ad73ce80-f3cd-40ce-b325-df12c33df713 -
DisplayText Read and write all chat messages for chats where the associated Teams application is installed. -
Description Allows the app to read and write all chat messages in Microsoft Teams for chats where the associated Teams application is installed, without a signed-in user. -
AdminConsentRequired Yes -

Chat.UpdatePolicyViolation.All

Category Application Delegated
Identifier 7e847308-e030-4183-9899-5235d7270f58 -
DisplayText Flag chat messages for violating policy -
Description Allows the app to update Microsoft Teams 1-to-1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. -
AdminConsentRequired Yes -

ChatMember.Read

Category Application Delegated
Identifier - c5a9e2b1-faf6-41d4-8875-d381aa549b24
DisplayText - Read the members of chats
Description - Read the members of chats, on behalf of the signed-in user.
AdminConsentRequired - Yes

ChatMember.Read.All

Category Application Delegated
Identifier a3410be2-8e48-4f32-8454-c29a7465209d -
DisplayText Read the members of all chats -
Description Read the members of all chats, without a signed-in user. -
AdminConsentRequired Yes -

ChatMember.Read.WhereInstalled

Category Application Delegated
Identifier 93e7c9e4-54c5-4a41-b796-f2a5adaacda7 -
DisplayText Read the members of all chats where the associated Teams application is installed. -
Description Allows the app to read the members of all chats where the associated Teams application is installed, without a signed-in user. -
AdminConsentRequired Yes -

ChatMember.ReadWrite

Category Application Delegated
Identifier - dea13482-7ea6-488f-8b98-eb5bbecf033d
DisplayText - Add and remove members from chats
Description - Add and remove members from chats, on behalf of the signed-in user.
AdminConsentRequired - Yes

ChatMember.ReadWrite.All

Category Application Delegated
Identifier 57257249-34ce-4810-a8a2-a03adf0c5693 -
DisplayText Add and remove members from all chats -
Description Add and remove members from all chats, without a signed-in user. -
AdminConsentRequired Yes -

ChatMember.ReadWrite.WhereInstalled

Category Application Delegated
Identifier e32c2cd9-0124-4e44-88fc-772cd98afbdb -
DisplayText Add and remove members from all chats where the associated Teams application is installed. -
Description Allows the app to add and remove members from all chats where the associated Teams application is installed, without a signed-in user. -
AdminConsentRequired Yes -

ChatMessage.Read

Category Application Delegated
Identifier - cdcdac3a-fd45-410d-83ef-554db620e5c7
DisplayText - Read user chat messages
Description - Allows an app to read one-to-one and group chat messages, on behalf of the signed-in user.
AdminConsentRequired - No

ChatMessage.Read.All

Category Application Delegated
Identifier b9bb2381-47a4-46cd-aafb-00cb12f68504 -
DisplayText Read all chat messages -
Description Allows the app to read all one-to-one and group chats messages in Microsoft Teams, without a signed-in user. -
AdminConsentRequired Yes -

ChatMessage.Send

Category Application Delegated
Identifier - 116b7235-7cc6-461e-b163-8e55691d839e
DisplayText - Send user chat messages
Description - Allows an app to send one-to-one and group chat messages in Microsoft Teams, on behalf of the signed-in user.
AdminConsentRequired - No

CloudApp-Discovery.Read.All

Category Application Delegated
Identifier 64a59178-dad3-4673-89db-84fdcd622fec ad46d60e-1027-4b75-af88-7c14ccf43a19
DisplayText Read all discovered cloud applications data Read discovered cloud applications data
Description Allows the app to read all details of discovered cloud apps in the organization, without a signed-in user. Allows the app to read details of discovered cloud apps in the organization, on behalf of the signed in user.
AdminConsentRequired Yes No

CloudPC.Read.All

Category Application Delegated
Identifier a9e09520-8ed4-4cde-838e-4fdea192c227 5252ec4e-fd40-4d92-8c68-89dd1d3c6110
DisplayText Read Cloud PCs Read Cloud PCs
Description Allows the app to read the properties of Cloud PCs, without a signed-in user. Allows the app to read the properties of Cloud PCs on behalf of the signed-in user.
AdminConsentRequired Yes No

CloudPC.ReadWrite.All

Category Application Delegated
Identifier 3b4349e1-8cf5-45a3-95b7-69d1751d3e6a 9d77138f-f0e2-47ba-ab33-cd246c8b79d1
DisplayText Read and write Cloud PCs Read and write Cloud PCs
Description Allows the app to read and write the properties of Cloud PCs, without a signed-in user. Allows the app to read and write the properties of Cloud PCs on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Community.Read.All

Category Application Delegated
Identifier 407f0cce-3212-441f-9f55-3bc91342cf86 12ae2e92-14b5-47b2-babb-4e890bbedc0a
DisplayText Read all Viva Engage communities Read all Viva Engage communities
Description Allows the app to list Viva Engage communities, and to read their properties without a signed-in user. Allows the app to list Viva Engage communities, and to read their properties on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Community.ReadWrite.All

Category Application Delegated
Identifier 35d59e32-eab5-4553-9345-abb62b4c703c 9e69467d-e0e2-402b-a926-3d796990197f
DisplayText Read and write all Viva Engage communities Read and write all Viva Engage communities
Description Allows the app to create Viva Engage communities, read all community properties, update community properties, and delete communities without a signed-in user. Allows the app to create Viva Engage communities and read all community properties on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ConsentRequest.Create

Category Application Delegated
Identifier - f2143d35-9b4b-480d-951c-d083e69eeb2c
DisplayText - Create consent requests
Description - Allows the app to read create consent requests on behalf of the signed-in user.
AdminConsentRequired - Yes

ConsentRequest.Read

Category Application Delegated
Identifier - 5942b2f6-5a7b-40af-aa37-4b6ea5447506
DisplayText - Read consent requests created by the user
Description - Allows the app to read consent requests and approvals created by the signed-in user, on behalf of the signed-in user.
AdminConsentRequired - No

ConsentRequest.Read.All

Category Application Delegated
Identifier 1260ad83-98fb-4785-abbb-d6cc1806fd41 f3bfad56-966e-4590-a536-82ecf548ac1e
DisplayText Read all consent requests Read consent requests
Description Allows the app to read consent requests and approvals without a signed-in user. Allows the app to read consent requests and approvals on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ConsentRequest.ReadApprove.All

Category Application Delegated
Identifier - e694a3a1-7878-46d8-8c29-3d195f6589f4
DisplayText - Read and approve consent requests
Description - Allows the app to read and approve consent requests on behalf of the signed in user.
AdminConsentRequired - Yes

ConsentRequest.ReadWrite.All

Category Application Delegated
Identifier 9f1b81a7-0223-4428-bfa4-0bcb5535f27d 497d9dfa-3bd1-481a-baab-90895e54568c
DisplayText Read and write all consent requests Read and write consent requests
Description Allows the app to read app consent requests and approvals, and deny or approve those requests without a signed-in user. Allows the app to read app consent requests and approvals, and deny or approve those requests on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Contacts.Read

Category Application Delegated
Identifier 089fe4d0-434a-44c5-8827-41ba8a0b17f5 ff74d97f-43af-4b68-9f2a-b77ee6968c5d
DisplayText Read contacts in all mailboxes Read user contacts
Description Allows the app to read all contacts in all mailboxes without a signed-in user. Allows the app to read user contacts.
AdminConsentRequired Yes No

Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the Contacts.Read application permission.


Contacts.Read.Shared

Category Application Delegated
Identifier - 242b9d9e-ed24-4d09-9a52-f43769beb9d4
DisplayText - Read user and shared contacts
Description - Allows the app to read contacts a user has permissions to access, including their own and shared contacts.
AdminConsentRequired - No

Contacts.ReadWrite

Category Application Delegated
Identifier 6918b873-d17a-4dc1-b314-35f528134491 d56682ec-c09e-4743-aaf4-1a3aac4caa21
DisplayText Read and write contacts in all mailboxes Have full access to user contacts
Description Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. Allows the app to create, read, update, and delete user contacts.
AdminConsentRequired Yes No

Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the Contacts.ReadWrite application permission.


Contacts.ReadWrite.Shared

Category Application Delegated
Identifier - afb6c84b-06be-49af-80bb-8f3f77004eab
DisplayText - Read and write user and shared contacts
Description - Allows the app to create, read, update, and delete contacts a user has permissions to, including their own and shared contacts.
AdminConsentRequired - No

CrossTenantInformation.ReadBasic.All

Category Application Delegated
Identifier cac88765-0581-4025-9725-5ebc13f729ee 81594d25-e88e-49cf-ac8c-fecbff49f994
DisplayText Read cross-tenant basic information Read cross-tenant basic information
Description Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem without a signed-in user. Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem on behalf of the signed-in user.
AdminConsentRequired Yes Yes

CrossTenantUserProfileSharing.Read

Category Application Delegated
Identifier - cb1ba48f-d22b-4325-a07f-74135a62ee41
DisplayText - Read shared cross-tenant user profile and export data
Description - Allows the application to list and query user profile information associated with the current tenant on behalf of the signed-in user.  It also permits the application to export external user data (e.g. customer content or system-generated logs), associated with the current tenant on behalf of the signed-in user.
AdminConsentRequired - Yes

CrossTenantUserProfileSharing.Read.All

Category Application Delegated
Identifier 8b919d44-6192-4f3d-8a3b-f86f8069ae3c 759dcd16-3c90-463c-937e-abf89f991c18
DisplayText Read all shared cross-tenant user profiles and export their data Read all shared cross-tenant user profiles and export their data
Description Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user.  It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant without a signed-in user. Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user.  It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user.
AdminConsentRequired Yes Yes

CrossTenantUserProfileSharing.ReadWrite

Category Application Delegated
Identifier - eed0129d-dc60-4f30-8641-daf337a39ffd
DisplayText - Read shared cross-tenant user profile and export or delete data
Description - Allows the application to list and query user profile information associated with the current tenant on behalf of the signed-in user.  It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), associated with the current tenant on behalf of the signed-in user.
AdminConsentRequired - Yes

CrossTenantUserProfileSharing.ReadWrite.All

Category Application Delegated
Identifier 306785c5-c09b-4ba0-a4ee-023f3da165cb 64dfa325-cbf8-48e3-938d-51224a0cac01
DisplayText Read all shared cross-tenant user profiles and export or delete their data Read all shared cross-tenant user profiles and export or delete their data
Description Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user.  It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant without a signed-in user. Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user.  It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user.
AdminConsentRequired Yes Yes

CustomAuthenticationExtension.Read.All

Category Application Delegated
Identifier 88bb2658-5d9e-454f-aacd-a3933e079526 b2052569-c98c-4f36-a5fb-43e5c111e6d0
DisplayText Read all custom authentication extensions Read your oganization's custom authentication extensions
Description Allows the app to read your organization's custom authentication extensions without a signed-in user. Allows the app to read your organization's custom authentication extensions on behalf of the signed-in user.
AdminConsentRequired Yes Yes

CustomAuthenticationExtension.ReadWrite.All

Category Application Delegated
Identifier c2667967-7050-4e7e-b059-4cbbb3811d03 8dfcf82f-15d0-43b3-bc78-a958a13a5792
DisplayText Read and write all custom authentication extensions Read and write your organization's custom authentication extensions
Description Allows the app to read or write your organization's custom authentication extensions without a signed-in user. Allows the app to read or write your organization's custom authentication extensions on behalf of the signed-in user.
AdminConsentRequired Yes Yes

CustomAuthenticationExtension.Receive.Payload

Category Application Delegated
Identifier 214e810f-fda8-4fd7-a475-29461495eb00 -
DisplayText Receive custom authentication extension HTTP requests -
Description Allows custom authentication extensions associated with the app to receive HTTP requests triggered by an authentication event. The request can include information about a user, client and resource service principals, and other information about the authentication. -
AdminConsentRequired Yes -

CustomDetection.Read.All

Category Application Delegated
Identifier 673a007a-9e0f-4c97-b066-3c0164486909 b13ff42e-f321-4d7d-a462-141c46a1b832
DisplayText Read all custom detection rules Read custom detection rules
Description Allows the app to read custom detection rules without a signed-in user. Allows the app to read custom detection rules on behalf of the signed-in user.
AdminConsentRequired Yes Yes

CustomDetection.ReadWrite.All

Category Application Delegated
Identifier e0fd9c8d-a12e-4cc9-9827-20c8c3cd6fb8 c34088fb-0649-4714-af0b-bcbfec155897
DisplayText Read and write all custom detection rules Read and write custom detection rules
Description Allows the app to read and write custom detection rules without a signed-in user. Allows the app to read and write custom detection rules on behalf of the signed-in user.
AdminConsentRequired Yes Yes

CustomSecAttributeAssignment.Read.All

Category Application Delegated
Identifier 3b37c5a4-1226-493d-bec3-5d6c6b866f3f b46ffa80-fe3d-4822-9a1a-c200932d54d0
DisplayText Read custom security attribute assignments Read custom security attribute assignments
Description Allows the app to read custom security attribute assignments for all principals in the tenant without a signed in user. Allows the app to read custom security attribute assignments for all principals in the tenant on behalf of a signed in user.
AdminConsentRequired Yes Yes

CustomSecAttributeAssignment.ReadWrite.All

Category Application Delegated
Identifier de89b5e4-5b8f-48eb-8925-29c2b33bd8bd ca46335e-8453-47cd-a001-8459884efeae
DisplayText Read and write custom security attribute assignments Read and write custom security attribute assignments
Description Allows the app to read and write custom security attribute assignments for all principals in the tenant without a signed in user. Allows the app to read and write custom security attribute assignments for all principals in the tenant on behalf of a signed in user.
AdminConsentRequired Yes Yes

CustomSecAttributeAuditLogs.Read.All

Category Application Delegated
Identifier 2a4f026d-e829-4e84-bdbf-d981a2703059 1fcdeaab-b519-44dd-bffc-ed1fd15a24e0
DisplayText Read all custom security attribute audit logs Read custom security attribute audit logs
Description Allows the app to read all audit logs for events that contain information about custom security attributes, without a signed-in user. Allows the app to read audit logs for events that contain information about custom security attributes, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

CustomSecAttributeDefinition.Read.All

Category Application Delegated
Identifier b185aa14-d8d2-42c1-a685-0f5596613624 ce026878-a0ff-4745-a728-d4fedd086c07
DisplayText Read custom security attribute definitions Read custom security attribute definitions
Description Allows the app to read custom security attribute definitions for the tenant without a signed in user. Allows the app to read custom security attribute definitions for the tenant on behalf of a signed in user.
AdminConsentRequired Yes Yes

CustomSecAttributeDefinition.ReadWrite.All

Category Application Delegated
Identifier 12338004-21f4-4896-bf5e-b75dfaf1016d 8b0160d4-5743-482b-bb27-efc0a485ca4a
DisplayText Read and write custom security attribute definitions Read and write custom security attribute definitions
Description Allows the app to read and write custom security attribute definitions for the tenant without a signed in user. Allows the app to read and write custom security attribute definitions for the tenant on behalf of a signed in user.
AdminConsentRequired Yes Yes

CustomTags.Read.All

Category Application Delegated
Identifier ab8a5872-7c88-47a6-8141-7becce939190 de6ea87d-10bd-467c-8682-d525a0c61b89
DisplayText Read all custom tags data Read all custom tags data
Description Read custom tags data, without a signed-in user Read custom tags data on behalf of the signed-in user
AdminConsentRequired Yes Yes

CustomTags.ReadWrite.All

Category Application Delegated
Identifier 2f503208-e509-4e39-974c-8cc16e5785c9 2f1bbe0a-f34b-4efb-9edb-8db8dcb50eca
DisplayText Read and write custom tags data Read and write custom tags data
Description Read and write custom tags data, without a signed-in user Read and write custom tags data on behalf of the signed-in user
AdminConsentRequired Yes Yes

DelegatedAdminRelationship.Read.All

Category Application Delegated
Identifier f6e9e124-4586-492f-adc0-c6f96e4823fd 0c0064ea-477b-4130-82a5-4c2cc4ff68aa
DisplayText Read Delegated Admin relationships with customers Read Delegated Admin relationships with customers
Description Allows the app to read details of delegated admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups without a signed-in user. Allows the app to read details of delegated admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups on behalf of the signed-in user.
AdminConsentRequired Yes Yes

DelegatedAdminRelationship.ReadWrite.All

Category Application Delegated
Identifier cc13eba4-8cd8-44c6-b4d4-f93237adce58 885f682f-a990-4bad-a642-36736a74b0c7
DisplayText Manage Delegated Admin relationships with customers Manage Delegated Admin relationships with customers
Description Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships without a signed-in user. Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers as well as role assignments to security groups for active Delegated Admin relationships on behalf of the signed-in user.
AdminConsentRequired Yes Yes

DelegatedPermissionGrant.Read.All

Category Application Delegated
Identifier 81b4724a-58aa-41c1-8a55-84ef97466587 a197cdc4-a8e8-4d49-9d35-4ca7c83887b4
DisplayText Read all delegated permission grants Read delegated permission grants
Description Allows the app to read all delegated permission grants, without a signed-in user. Allows the app to read delegated permission grants, on behalf of the signed in user.
AdminConsentRequired Yes Yes

DelegatedPermissionGrant.ReadWrite.All

Category Application Delegated
Identifier 8e8e4742-1d95-4f68-9d56-6ee75648c72a 41ce6ca6-6826-4807-84f1-1c82854f7ee5
DisplayText Manage all delegated permission grants Manage all delegated permission grants
Description Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), without a signed-in user. Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on behalf of the signed in user.
AdminConsentRequired Yes Yes

Device.Command

Category Application Delegated
Identifier - bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804
DisplayText - Communicate with user devices
Description - Allows the app to launch another app or communicate with another app on a user's device on behalf of the signed-in user.
AdminConsentRequired - No

Device.Read

Category Application Delegated
Identifier - 11d4cd79-5ba5-460f-803f-e22c8ab85ccd
DisplayText - Read user devices
Description - Allows the app to read a user's list of devices on behalf of the signed-in user.
AdminConsentRequired - No

Device.Read.All

Category Application Delegated
Identifier 7438b122-aefc-4978-80ed-43db9fcc7715 951183d1-1a61-466f-a6d1-1fde911bfd95
DisplayText Read all devices Read all devices
Description Allows the app to read your organization's devices' configuration information without a signed-in user. Allows the app to read your organization's devices' configuration information on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Device.ReadWrite.All

Category Application Delegated
Identifier 1138cb37-bd11-4084-a2b7-9f71582aeddb -
DisplayText Read and write devices -
Description Allows the app to read and write all device properties without a signed in user. Does not allow device creation, device deletion or update of device alternative security identifiers. -
AdminConsentRequired Yes -

Before December 3rd, 2020, when the application permission Device.ReadWrite.All was granted, the Device Managers directory role was also assigned to the app's service principal. This directory role assignment is not removed automatically when the associated application permissions is revoked. To ensure that an application's access to read or write to devices is removed, customers must also remove any related directory roles that were granted to the application.

A service update disabling this behavior began rolling out on December 3rd, 2020. Deployment to all customers completed on January 11th, 2021. Directory roles are no longer automatically assigned when application permissions are granted.


DeviceLocalCredential.Read.All

Category Application Delegated
Identifier 884b599e-4d48-43a5-ba94-15c414d00588 280b3b69-0437-44b1-bc20-3b2fca1ee3e9
DisplayText Read device local credential passwords Read device local credential passwords
Description Allows the app to read device local credential properties including passwords, without a signed-in user. Allows the app to read device local credential properties including passwords, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

DeviceLocalCredential.ReadBasic.All

Category Application Delegated
Identifier db51be59-e728-414b-b800-e0f010df1a79 9917900e-410b-4d15-846e-42a357488545
DisplayText Read device local credential properties Read device local credential properties
Description Allows the app to read device local credential properties excluding passwords, without a signed-in user. Allows the app to read device local credential properties excluding passwords, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

DeviceManagementApps.Read.All

Category Application Delegated
Identifier 7a6ee1e7-141e-4cec-ae74-d9db155731ff 4edf5f54-4666-44af-9de9-0144fb4b6e8c
DisplayText Read Microsoft Intune apps Read Microsoft Intune apps
Description Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


DeviceManagementApps.ReadWrite.All

Category Application Delegated
Identifier 78145de6-330d-4800-a6ce-494ff2d33d07 7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af
DisplayText Read and write Microsoft Intune apps Read and write Microsoft Intune apps
Description Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


DeviceManagementConfiguration.Read.All

Category Application Delegated
Identifier dc377aa6-52d8-4e23-b271-2a7ae04cedf3 f1493658-876a-4c87-8fa7-edb559b3476a
DisplayText Read Microsoft Intune device configuration and policies Read Microsoft Intune Device Configuration and Policies
Description Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


DeviceManagementConfiguration.ReadWrite.All

Category Application Delegated
Identifier 9241abd9-d0e6-425a-bd4f-47ba86e767a4 0883f392-0a7a-443d-8c76-16a6d39c7b63
DisplayText Read and write Microsoft Intune device configuration and policies Read and write Microsoft Intune Device Configuration and Policies
Description Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


DeviceManagementManagedDevices.PrivilegedOperations.All

Category Application Delegated
Identifier 5b07b0dd-2377-4e44-a38d-703f09a0dc3c 3404d2bf-2b13-457e-a330-c24615765193
DisplayText Perform user-impacting remote actions on Microsoft Intune devices Perform user-impacting remote actions on Microsoft Intune devices
Description Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user. Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


DeviceManagementManagedDevices.Read.All

Category Application Delegated
Identifier 2f51be20-0bb4-4fed-bf7b-db946066c75e 314874da-47d6-4978-88dc-cf0d37f0bb82
DisplayText Read Microsoft Intune devices Read Microsoft Intune devices
Description Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user. Allows the app to read the properties of devices managed by Microsoft Intune.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


DeviceManagementManagedDevices.ReadWrite.All

Category Application Delegated
Identifier 243333ab-4d21-40cb-a475-36241daa0842 44642bfe-8385-4adc-8fc6-fe3cb2c375c3
DisplayText Read and write Microsoft Intune devices Read and write Microsoft Intune devices
Description Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device's owner Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device's owner.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


DeviceManagementRBAC.Read.All

Category Application Delegated
Identifier 58ca0d9a-1575-47e1-a3cb-007ef2e4583b 49f0cc30-024c-4dfd-ab3e-82e137ee5431
DisplayText Read Microsoft Intune RBAC settings Read Microsoft Intune RBAC settings
Description Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


DeviceManagementRBAC.ReadWrite.All

Category Application Delegated
Identifier e330c4f0-4170-414e-a55a-2f022ec2b57b 0c5e8a55-87a6-4556-93ab-adc52c4d862d
DisplayText Read and write Microsoft Intune RBAC settings Read and write Microsoft Intune RBAC settings
Description Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


DeviceManagementServiceConfig.Read.All

Category Application Delegated
Identifier 06a5fe6d-c49d-46a7-b082-56b1b14103c7 8696daa5-bce5-4b2e-83f9-51b6defc4e1e
DisplayText Read Microsoft Intune configuration Read Microsoft Intune configuration
Description Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


DeviceManagementServiceConfig.ReadWrite.All

Category Application Delegated
Identifier 5ac13192-7ace-4fcf-b828-1a26f28068ee 662ed50a-ac44-4eef-ad86-62eed9be2a29
DisplayText Read and write Microsoft Intune configuration Read and write Microsoft Intune configuration
Description Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration.
AdminConsentRequired Yes Yes

Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions aren't supported for personal Microsoft accounts.


Directory.AccessAsUser.All

Category Application Delegated
Identifier - 0e263e50-5827-48a4-b97c-d940288653c7
DisplayText - Access directory as the signed in user
Description - Allows the app to have the same access to information in the directory as the signed-in user.
AdminConsentRequired - Yes

Directory permissions provide the highest level of privilege for accessing directory resources such as user, group, and device in an organization.

They also exclusively control access to other directory resources like: organizational contacts and schema extensions, as well as many directory resources including administrative units, directory roles, directory settings, and policies.


Directory.Read.All

Category Application Delegated
Identifier 7ab1d382-f21e-4acd-a863-ba3e13f7da61 06da0dbc-49e2-44d2-8312-53f166ab848a
DisplayText Read directory data Read directory data
Description Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. Allows the app to read data in your organization's directory, such as users, groups and apps.
AdminConsentRequired Yes Yes

Directory permissions provide the highest level of privilege for accessing directory resources such as user, group, and device in an organization.

They also exclusively control access to other directory resources like: organizational contacts and schema extensions, as well as many directory resources including administrative units, directory roles, directory settings, and policies.

Note

Before December 3rd, 2020, when the application permission Directory.Read.All was granted, the Directory Readers directory role was also assigned to the app's service principal. This directory role isn't removed automatically when the associated application permissions are revoked. To remove an application's access to read or write to the directory, customers must also remove any directory roles that were granted to the application.

A service update disabling this behavior began rolling out on December 3rd, 2020. Deployment to all customers completed on January 11th, 2021. Directory roles are no longer automatically assigned when application permissions are granted.


Directory.ReadWrite.All

Category Application Delegated
Identifier 19dbc75e-c2e2-444c-a770-ec69d8559fc7 c5366453-9fb0-48a5-a156-24f0c49a4b84
DisplayText Read and write directory data Read and write directory data
Description Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords.
AdminConsentRequired Yes Yes

Directory permissions are not recommended for use and might be deprecated in the future.

Directory.ReadWrite.All grants access that is broadly equivalent to a global tenant admin. Apps that are granted Directory.ReadWrite.All can manage the full range of directory resources, and they can manage authorization for other apps and users to access resources across the organization. This includes directory resources like users, groups, applications, and devices, and nondirectory resources in Exchange, SharePoint, Teams, and other services.

Before December 3rd, 2020, when the application permission Directory.ReadWrite.All was granted, the Directory Writers directory role was also assigned. This directory role isn't removed automatically when the associated application permissions are revoked. To remove an application's access to read or write to the directory, customers must also remove any directory roles that were granted to the application.

A service update disabling this behavior began rolling out on December 3rd, 2020. Deployment to all customers completed on January 11, 2021. Directory roles are no longer automatically assigned when application permissions are granted.


Directory.Write.Restricted

Category Application Delegated
Identifier f20584af-9290-4153-9280-ff8bb2c0ea7f cba5390f-ed6a-4b7f-b657-0efc2210ed20
DisplayText Manage restricted resources in the directory Manage restricted resources in the directory
Description Allows the app to manage restricted resources based on the other permissions granted to the app, without a signed-in user. Allows the app to manage restricted resources based on the other permissions granted to the app, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

DirectoryRecommendations.Read.All

Category Application Delegated
Identifier ae73097b-cb2a-4447-b064-5d80f6093921 34d3bd24-f6a6-468c-b67c-0c365c1d6410
DisplayText Read all Azure AD recommendations Read Azure AD recommendations
Description Allows the app to read all Azure AD recommendations, without a signed-in user. Allows the app to read Azure AD recommendations, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

DirectoryRecommendations.ReadWrite.All

Category Application Delegated
Identifier 0e9eea12-4f01-45f6-9b8d-3ea4c8144158 f37235e8-90a0-4189-93e2-e55b53867ccd
DisplayText Read and update all Azure AD recommendations Read and update Azure AD recommendations
Description Allows the app to read and update all Azure AD recommendations, without a signed-in user. Allows the app to read and update Azure AD recommendations, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Domain.Read.All

Category Application Delegated
Identifier dbb9058a-0e50-45d7-ae91-66909b5d4664 2f9ee017-59c1-4f1d-9472-bd5529a7b311
DisplayText Read domains Read domains.
Description Allows the app to read all domain properties without a signed-in user. Allows the app to read all domain properties on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Domain.ReadWrite.All

Category Application Delegated
Identifier 7e05723c-0bb0-42da-be95-ae9f08a6e53c 0b5d694c-a244-4bde-86e6-eb5cd07730fe
DisplayText Read and write domains Read and write domains
Description Allows the app to read and write all domain properties without a signed in user.  Also allows the app to add,  verify and remove domains. Allows the app to read and write all domain properties on behalf of the signed-in user. Also allows the app to add, verify and remove domains.
AdminConsentRequired Yes Yes

EAS.AccessAsUser.All

Category Application Delegated
Identifier - ff91d191-45a0-43fd-b837-bd682c4a0b0f
DisplayText - Access mailboxes via Exchange ActiveSync
Description - Allows the app to have the same access to mailboxes as the signed-in user via Exchange ActiveSync.
AdminConsentRequired - No

eDiscovery.Read.All

Category Application Delegated
Identifier 50180013-6191-4d1e-a373-e590ff4e66af 99201db3-7652-4d5a-809a-bdb94f85fe3c
DisplayText Read all eDiscovery objects Read all eDiscovery objects
Description Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects without a signed-in user. Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user.
AdminConsentRequired Yes Yes

eDiscovery.ReadWrite.All

Category Application Delegated
Identifier b2620db1-3bf7-4c5b-9cb9-576d29eac736 acb8f680-0834-4146-b69e-4ab1b39745ad
DisplayText Read and write all eDiscovery objects Read and write all eDiscovery objects
Description Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects without a signed-in user. Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user.
AdminConsentRequired Yes Yes

EduAdministration.Read

Category Application Delegated
Identifier - 8523895c-6081-45bf-8a5d-f062a2f12c9f
DisplayText - Read education app settings
Description - Read the state and settings of all Microsoft education apps on behalf of the user.
AdminConsentRequired - Yes

EduAdministration.Read.All

Category Application Delegated
Identifier 7c9db06a-ec2d-4e7b-a592-5a1e30992566 -
DisplayText Read Education app settings -
Description Read the state and settings of all Microsoft education apps. -
AdminConsentRequired Yes -

EduAdministration.ReadWrite

Category Application Delegated
Identifier - 63589852-04e3-46b4-bae9-15d5b1050748
DisplayText - Manage education app settings
Description - Manage the state and settings of all Microsoft education apps on behalf of the user.
AdminConsentRequired - Yes

EduAdministration.ReadWrite.All

Category Application Delegated
Identifier 9bc431c3-b8bc-4a8d-a219-40f10f92eff6 -
DisplayText Manage education app settings -
Description Manage the state and settings of all Microsoft education apps. -
AdminConsentRequired Yes -

EduAssignments.Read

Category Application Delegated
Identifier - 091460c9-9c4a-49b2-81ef-1f3d852acce2
DisplayText - Read users' class assignments and their grades
Description - Allows the app to read assignments and their grades on behalf of the user.
AdminConsentRequired - Yes

EduAssignments.Read.All

Category Application Delegated
Identifier 4c37e1b6-35a1-43bf-926a-6f30f2cdf585 -
DisplayText Read all class assignments with grades -
Description Allows the app to read all class assignments with grades for all users without a signed-in user. -
AdminConsentRequired Yes -

EduAssignments.ReadBasic

Category Application Delegated
Identifier - c0b0103b-c053-4b2e-9973-9f3a544ec9b8
DisplayText - Read users' class assignments without grades
Description - Allows the app to read assignments without grades on behalf of the user.
AdminConsentRequired - Yes

EduAssignments.ReadBasic.All

Category Application Delegated
Identifier 6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e -
DisplayText Read all class assignments without grades -
Description Allows the app to read all class assignments without grades for all users without a signed-in user. -
AdminConsentRequired Yes -

EduAssignments.ReadWrite

Category Application Delegated
Identifier - 2f233e90-164b-4501-8bce-31af2559a2d3
DisplayText - Read and write users' class assignments and their grades
Description - Allows the app to read and write assignments and their grades on behalf of the user.
AdminConsentRequired - Yes

EduAssignments.ReadWrite.All

Category Application Delegated
Identifier 0d22204b-6cad-4dd0-8362-3e3f2ae699d9 -
DisplayText Create, read, update and delete all class assignments with grades -
Description Allows the app to create, read, update and delete all class assignments with grades for all users without a signed-in user. -
AdminConsentRequired Yes -

EduAssignments.ReadWriteBasic

Category Application Delegated
Identifier - 2ef770a1-622a-47c4-93ee-28d6adbed3a0
DisplayText - Read and write users' class assignments without grades
Description - Allows the app to read and write assignments without grades on behalf of the user.
AdminConsentRequired - Yes

EduAssignments.ReadWriteBasic.All

Category Application Delegated
Identifier f431cc63-a2de-48c4-8054-a34bc093af84 -
DisplayText Create, read, update and delete all class assignments without grades -
Description Allows the app to create, read, update and delete all class assignments without grades for all users without a signed-in user. -
AdminConsentRequired Yes -

EduCurricula.Read

Category Application Delegated
Identifier - 484859e8-b9e2-4e92-b910-84db35dadd29
DisplayText - Read the user's class modules and resources
Description - Allows the app to read the user's modules and resources on behalf of the signed-in user.
AdminConsentRequired - Yes

EduCurricula.Read.All

Category Application Delegated
Identifier 6cdb464c-3a03-40f8-900b-4cb7ea1da9c0 -
DisplayText Read all class modules and resources -
Description Allows the app to read all modules and resources, without a signed-in user. -
AdminConsentRequired Yes -

EduCurricula.ReadWrite

Category Application Delegated
Identifier - 4793c53b-df34-44fd-8d26-d15c517732f5
DisplayText - Read and write the user's class modules and resources
Description - Allows the app to read and write user's modules and resources on behalf of the signed-in user.
AdminConsentRequired - Yes

EduCurricula.ReadWrite.All

Category Application Delegated
Identifier 6a0c2318-d59d-4c7d-bf2e-5f3902dc2593 -
DisplayText Read and write all class modules and resources -
Description Allows the app to read and write all modules and resources, without a signed-in user. -
AdminConsentRequired Yes -

EduReports-Reading.Read.All

Category Application Delegated
Identifier ad248c30-1919-40c8-b3d2-304481894e88 -
DisplayText Read all tenant reading assignments submissions data -
Description Allows the app to read all tenant users reading assignments submissions data without a signed-in user. -
AdminConsentRequired Yes -

EduReports-Reading.ReadAnonymous.All

Category Application Delegated
Identifier 040330d7-be7e-4130-b349-a6eb3a56e2f8 -
DisplayText Read all tenant reading assignments submissions data -
Description Allows the app to read all tenant users reading assignments submissions data (excludes student-identifying information) without a signed-in user. -
AdminConsentRequired Yes -

EduReports-Reflect.Read.All

Category Application Delegated
Identifier c5debf73-bdc8-473d-bf07-f4074ad05f71 -
DisplayText Read all tenant reflect check-ins submissions data -
Description Allows the app to read all tenant users reflect check-ins submissions data without a signed-in user. -
AdminConsentRequired Yes -

EduReports-Reflect.ReadAnonymous.All

Category Application Delegated
Identifier f5d05dba-7ef0-46fc-b62c-a7282555f428 -
DisplayText Read all tenant reflect check-ins submissions data -
Description Allows the app to read all tenant users reflect check-ins submissions data (excludes responder-identifying information) without a signed-in user. -
AdminConsentRequired Yes -

EduRoster.Read

Category Application Delegated
Identifier - a4389601-22d9-4096-ac18-36a927199112
DisplayText - Read users' view of the roster
Description - Allows the app to read the structure of schools and classes in an organization's roster and education-specific information about users to be read on behalf of the user.
AdminConsentRequired - Yes

EduRoster.Read.All

Category Application Delegated
Identifier e0ac9e1b-cb65-4fc5-87c5-1a8bc181f648 -
DisplayText Read the organization's roster -
Description Allows the app to read the structure of schools and classes in the organization's roster and education-specific information about all users to be read. -
AdminConsentRequired Yes -

EduRoster.ReadBasic

Category Application Delegated
Identifier - 5d186531-d1bf-4f07-8cea-7c42119e1bd9
DisplayText - Read a limited subset of users' view of the roster
Description - Allows the app to read a limited subset of the properties from the structure of schools and classes in an organization's roster and a limited subset of properties about users to be read on behalf of the user. Includes name, status, education role, email address and photo.
AdminConsentRequired - Yes

EduRoster.ReadBasic.All

Category Application Delegated
Identifier 0d412a8c-a06c-439f-b3ec-8abcf54d2f96 -
DisplayText Read a limited subset of the organization's roster -
Description Allows the app to read a limited subset of properties from both the structure of schools and classes in the organization's roster and education-specific information about all users. Includes name, status, role, email address and photo. -
AdminConsentRequired Yes -

EduRoster.ReadWrite

Category Application Delegated
Identifier - 359e19a6-e3fa-4d7f-bcab-d28ec592b51e
DisplayText - Read and write users' view of the roster
Description - Allows the app to read and write the structure of schools and classes in an organization's roster and education-specific information about users to be read and written on behalf of the user.
AdminConsentRequired - Yes

EduRoster.ReadWrite.All

Category Application Delegated
Identifier d1808e82-ce13-47af-ae0d-f9b254e6d58a -
DisplayText Read and write the organization's roster -
Description Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific information about all users to be read and written. -
AdminConsentRequired Yes -

email

Category Application Delegated
Identifier - 64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0
DisplayText - View users' email address
Description - Allows the app to read your users' primary email address
AdminConsentRequired - No

email is an OpenID Connect (OIDC) scope.

You can use the OIDC scopes to specify artifacts that you want returned in Azure AD authorization and token requests. They are supported differently by the Azure AD v1.0 and v2.0 endpoints.

With the Azure AD v1.0 endpoint, only the openid scope is used. You specify it in the scope parameter in an authorization request to return an ID token when you use the OpenID Connect protocol to sign in a user to your app. For more information, see Authorize access to web applications using OpenID Connect and Azure Active Directory. To successfully return an ID token, you must also make sure that the User.Read permission is configured when you register your app.

With the Azure AD v2.0 endpoint, you specify the offline_access scope in the scope parameter to explicitly request a refresh token when using the OAuth 2.0 or OpenID Connect protocols. With OpenID Connect, you specify the openid scope to request an ID token. You can also specify the email scope, profile scope, or both to return additional claims in the ID token. You do not need to specify the User.Read permission to return an ID token with the v2.0 endpoint. For more information, see OpenID Connect scopes.

The Microsoft Authentication Library (MSAL) currently specifies offline_access, openid, profile, and email by default in authorization and token requests. This means that, for the default case, if you specify these scopes explicitly, Azure AD may return an error.


EntitlementManagement.Read.All

Category Application Delegated
Identifier c74fd47d-ed3c-45c3-9a9e-b8676de685d2 5449aa12-1393-4ea2-a7c7-d0e06c1a56b2
DisplayText Read all entitlement management resources Read all entitlement management resources
Description Allows the app to read access packages and related entitlement management resources without a signed-in user. Allows the app to read access packages and related entitlement management resources on behalf of the signed-in user.
AdminConsentRequired Yes Yes

EntitlementManagement.ReadWrite.All

Category Application Delegated
Identifier 9acd699f-1e81-4958-b001-93b1d2506e19 ae7a573d-81d7-432b-ad44-4ed5c9d89038
DisplayText Read and write all entitlement management resources Read and write entitlement management resources
Description Allows the app to read and write access packages and related entitlement management resources without a signed-in user. Allows the app to request access to and management of access packages and related entitlement management resources on behalf of the signed-in user.
AdminConsentRequired Yes Yes

EntitlementMgmt-SubjectAccess.ReadWrite

Category Application Delegated
Identifier - e9fdcbbb-8807-410f-b9ec-8d5468c7c2ac
DisplayText - Read and write entitlement management resources related to self-service operations
Description - Allows the app to manage self-service entitlement management resources on behalf of the signed-in user. This includes operations such as requesting access and approving access of others.
AdminConsentRequired - No

EventListener.Read.All

Category Application Delegated
Identifier b7f6385c-6ce6-4639-a480-e23c42ed9784 f7dd3bed-5eec-48da-bc73-1c0ef50bc9a1
DisplayText Read all authentication event listeners Read your organization's authentication event listeners
Description Allows the app to read your organization's authentication event listeners without a signed-in user. Allows the app to read your organization's authentication event listeners on behalf of the signed-in user.
AdminConsentRequired Yes Yes

EventListener.ReadWrite.All

Category Application Delegated
Identifier 0edf5e9e-4ce8-468a-8432-d08631d18c43 d11625a6-fe21-4fc6-8d3d-063eba5525ad
DisplayText Read and write all authentication event listeners Read and write your organization's authentication event listeners
Description Allows the app to read or write your organization's authentication event listeners without a signed-in user. Allows the app to read or write your organization's authentication event listeners on behalf of the signed-in user.
AdminConsentRequired Yes Yes

EWS.AccessAsUser.All

Category Application Delegated
Identifier - 9769c687-087d-48ac-9cb3-c37dde652038
DisplayText - Access mailboxes as the signed-in user via Exchange Web Services
Description - Allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services.
AdminConsentRequired - No

ExternalConnection.Read.All

Category Application Delegated
Identifier 1914711b-a1cb-4793-b019-c2ce0ed21b8c a38267a5-26b6-4d76-9493-935b7599116b
DisplayText Read all external connections Read all external connections
Description Allows the app to read all external connections without a signed-in user. Allows the app to read all external connections on behalf of a signed-in user. The signed-in user must be an administrator.
AdminConsentRequired Yes Yes

ExternalConnection.ReadWrite.All

Category Application Delegated
Identifier 34c37bc0-2b40-4d5e-85e1-2365cd256d79 bbbbd9b3-3566-4931-ac37-2b2180d9e334
DisplayText Read and write all external connections Read and write all external connections
Description Allows the app to read and write all external connections without a signed-in user. Allows the app to read and write all external connections on behalf of a signed-in user. The signed-in user must be an administrator.
AdminConsentRequired Yes Yes

ExternalConnection.ReadWrite.OwnedBy

Category Application Delegated
Identifier f431331c-49a6-499f-be1c-62af19c34a9d 4082ad95-c812-4f02-be92-780c4c4f1830
DisplayText Read and write external connections Read and write external connections
Description Allows the app to read and write external connections without a signed-in user. The app can only read and write external connections that it is authorized to, or it can create new external connections. Allows the app to read and write settings of external connections on behalf of a signed-in user. The signed-in user must be an administrator. The app can only read and write settings of connections that it is authorized to.
AdminConsentRequired Yes Yes

ExternalItem.Read.All

Category Application Delegated
Identifier 7a7cffad-37d2-4f48-afa4-c6ab129adcc2 922f9392-b1b7-483c-a4be-0089be7704fb
DisplayText Read all external items Read items in external datasets
Description Allows the app to read all external items without a signed-in user. Allow the app to read external datasets and content, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ExternalItem.ReadWrite.All

Category Application Delegated
Identifier 38c3d6ee-69ee-422f-b954-e17819665354 b02c54f8-eb48-4c50-a9f0-a149e5a2012f
DisplayText Read and write items in external datasets Read and write all external items
Description Allow the app to read or write items in all external datasets that the app is authorized to access Allows the app to read and write all external items on behalf of a signed-in user. The signed-in user must be an administrator.
AdminConsentRequired Yes Yes

ExternalItem.ReadWrite.OwnedBy

Category Application Delegated
Identifier 8116ae0f-55c2-452d-9944-d18420f5b2c8 4367b9d7-cee7-4995-853c-a0bdfe95c1f9
DisplayText Read and write external items Read and write external items
Description Allows the app to read and write external items without a signed-in user. The app can only read external items of the connection that it is authorized to. Allows the app to read and write external items on behalf of a signed-in user. The signed-in user must be an administrator. The app can only read external items of the connection that it is authorized to.
AdminConsentRequired Yes Yes

ExternalUserProfile.Read.All

Category Application Delegated
Identifier 1987d7a0-d602-4262-ab90-cfdd43b37545 47167bec-55a7-4caf-9ecc-8d4566e3cfb1
DisplayText Read all external user profiles Read external user profiles
Description Allows the app to read available properties of external user profiles, without a signed-in user. Allows the app to read available properties of external user profiles, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ExternalUserProfile.ReadWrite.All

Category Application Delegated
Identifier 761327c9-d819-4c08-9a5f-874cd2826608 c6068dc7-a791-46a4-a811-b8228e6649ab
DisplayText Read and write all external user profiles Read and write external user profiles
Description Allows the app to read and write available properties of external user profiles, without a signed-in user. Allows the app to read and write available properties of external user profiles, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Family.Read

Category Application Delegated
Identifier - 3a1e4806-a744-4c70-80fc-223bf8582c46
DisplayText - Read your family info
Description - Allows the app to read your family information, members and their basic profile.
AdminConsentRequired - No

Files.Read

Category Application Delegated
Identifier - 10465720-29dd-4523-a11a-6a75c743c9d9
DisplayText - Read user files
Description - Allows the app to read the signed-in user's files.
AdminConsentRequired - No

For personal accounts, Files.Read also grant access to files shared with the signed-in user.


Files.Read.All

Category Application Delegated
Identifier 01d4889c-1287-42c6-ac1f-5d1e02578ef6 df85f4d6-205c-4ac5-a5ea-6bf408dba283
DisplayText Read files in all site collections Read all files that user can access
Description Allows the app to read all files in all site collections without a signed in user. Allows the app to read all files the signed-in user can access.
AdminConsentRequired Yes No

Files.Read.Selected

Category Application Delegated
Identifier - 5447fe39-cb82-4c1a-b977-520e67e724eb
DisplayText - Read files that the user selects (preview)
Description - (Preview) Allows the app to read files that the user selects. The app has access for several hours after the user selects a file.
AdminConsentRequired - No

The Files.Read.Selected delegated permission is only valid on work or school accounts and is only exposed for working with Office 365 file handlers (v1.0). It should not be used for directly calling Microsoft Graph APIs.


Files.ReadWrite

Category Application Delegated
Identifier - 5c28f0bf-8a70-41f1-8ab2-9032436ddb65
DisplayText - Have full access to user files
Description - Allows the app to read, create, update and delete the signed-in user's files.
AdminConsentRequired - No

For personal accounts, Files.ReadWrite also grant access to files shared with the signed-in user.


Files.ReadWrite.All

Category Application Delegated
Identifier 75359482-378d-4052-8f01-80520e7db3cd 863451e7-0667-486c-a5d6-d135439485f0
DisplayText Read and write files in all site collections Have full access to all files user can access
Description Allows the app to read, create, update and delete all files in all site collections without a signed in user. Allows the app to read, create, update and delete all files the signed-in user can access.
AdminConsentRequired Yes No

Files.ReadWrite.AppFolder

Category Application Delegated
Identifier - 8019c312-3263-48e6-825e-2b833497195b
DisplayText - Have full access to the application's folder (preview)
Description - (Preview) Allows the app to read, create, update and delete files in the application's folder.
AdminConsentRequired - No

Files.ReadWrite.Selected

Category Application Delegated
Identifier - 17dde5bd-8c17-420f-a486-969730c1b827
DisplayText - Read and write files that the user selects (preview)
Description - (Preview) Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file.
AdminConsentRequired - No

The Files.ReadWrite.Selected delegated permission is only valid on work or school accounts and is only exposed for working with Office 365 file handlers (v1.0). It should not be used for directly calling Microsoft Graph APIs.


Financials.ReadWrite.All

Category Application Delegated
Identifier - f534bf13-55d4-45a9-8f3c-c92fe64d6131
DisplayText - Read and write financials data
Description - Allows the app to read and write financials data on behalf of the signed-in user.
AdminConsentRequired - No

Goals-Export.Read.All

Category Application Delegated
Identifier - 092211d9-ca1a-427b-813e-b79c7653fe71
DisplayText - Read all goals and export jobs that a user can access
Description - Allows the app to read all goals and export jobs that the signed-in user can access.
AdminConsentRequired - Yes

Goals-Export.ReadWrite.All

Category Application Delegated
Identifier - 2edeb9fd-4228-480c-a26d-2ed52011cf3d
DisplayText - Have full access to all goals and export jobs a user can access
Description - Allows the app to read goals, create and read export jobs that the signed-in user can access.
AdminConsentRequired - Yes

Group.Create

Category Application Delegated
Identifier bf7b1a76-6e77-406b-b258-bf5c7720e98f -
DisplayText Create groups -
Description Allows the app to create groups without a signed-in user. -
AdminConsentRequired Yes -

Group.Read.All

Category Application Delegated
Identifier 5b567255-7703-4780-807c-7be8301ae99b 5f8c59db-677d-491f-a6b8-5f174b11ec1d
DisplayText Read all groups Read all groups
Description Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access.
AdminConsentRequired Yes Yes

For Microsoft 365 groups, Group permissions grant the app access to the contents of the group; for example, conversations, files, notes, and so on.

In some cases, an app may need additional properties to read some group properties like member and memberOf. For example, if a group has a one or more servicePrincipals as members, the app will also need permissions to read service principals, otherwise Microsoft Graph will return an error or limited information. In delegated scenarios, the signed-in user will also need permissions in the organization to read service principals. For more information, see Limited information returned for inaccessible member objects.

Group permissions are used to control access to Microsoft Teams resources and APIs. Personal Microsoft accounts are not supported.

Group permissions are also used to control access to Microsoft Planner resources and APIs. Only delegated permissions are supported for Microsoft Planner APIs; application permissions are not supported. Personal Microsoft accounts are not supported.


Group.ReadWrite.All

Category Application Delegated
Identifier 62a82d76-70ea-41e2-9197-370581804d09 4e46008b-f24c-477d-8fff-7bb4ec7aafe0
DisplayText Read and write all groups Read and write all groups
Description Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.
AdminConsentRequired Yes Yes

For Microsoft 365 groups, Group permissions grant the app access to the contents of the group; for example, conversations, files, notes, and so on.

In some cases, an app may need additional properties to update some group properties and relationships like member and memberOf. For example, to add a servicePrincipal object as a member, the app will also need permissions to write the service principal, otherwise Microsoft Graph will return an error. In delegated scenarios, the signed-in user will also need permissions in the organization to write service principals. For more information, see Limited information returned for inaccessible member objects.

Group permissions are used to control access to Microsoft Teams resources and APIs. Personal Microsoft accounts are not supported.

Group permissions are also used to control access to Microsoft Planner resources and APIs. Only delegated permissions are supported for Microsoft Planner APIs; application permissions are not supported. Personal Microsoft accounts are not supported.


GroupMember.Read.All

Category Application Delegated
Identifier 98830695-27a2-44f7-8c18-0c3ebc9698f6 bc024368-1153-4739-b217-4326f2e966d0
DisplayText Read all group memberships Read group memberships
Description Allows the app to read memberships and basic group properties for all groups without a signed-in user. Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to.
AdminConsentRequired Yes Yes

GroupMember.ReadWrite.All

Category Application Delegated
Identifier dbaae8cf-10b5-4b86-a4a1-f871c94c6695 f81125ac-d3b7-4573-a3b2-7099cc39df9e
DisplayText Read and write all group memberships Read and write group memberships
Description Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted.
AdminConsentRequired Yes Yes

IdentityProvider.Read.All

Category Application Delegated
Identifier e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0 43781733-b5a7-4d1b-98f4-e8edff23e1a9
DisplayText Read identity providers Read identity providers
Description Allows the app to read your organization's identity (authentication) providers' properties without a signed in user. Allows the app to read your organization's identity (authentication) providers' properties on behalf of the user.
AdminConsentRequired Yes Yes

IdentityProvider.ReadWrite.All

Category Application Delegated
Identifier 90db2b9a-d928-4d33-a4dd-8442ae3d41e4 f13ce604-1677-429f-90bd-8a10b9f01325
DisplayText Read and write identity providers Read and write identity providers
Description Allows the app to read and write your organization's identity (authentication) providers' properties without a signed in user. Allows the app to read and write your organization's identity (authentication) providers' properties on behalf of the user.
AdminConsentRequired Yes Yes

IdentityRiskEvent.Read.All

Category Application Delegated
Identifier 6e472fd1-ad78-48da-a0f0-97ab2c6b769e 8f6a01e7-0391-4ee5-aa22-a3af122cef27
DisplayText Read all identity risk event information Read identity risk event information
Description Allows the app to read the identity risk event information for your organization without a signed in user. Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IdentityRiskEvent.ReadWrite.All

Category Application Delegated
Identifier db06fb33-1953-4b7b-a2ac-f1e2c854f7ae 9e4862a5-b68f-479e-848a-4e07e25c9916
DisplayText Read and write all risk detection information Read and write risk event information
Description Allows the app to read and update identity risk detection information for your organization without a signed-in user. Update operations include confirming risk event detections.  Allows the app to read and update identity risk event information for all users in your organization on behalf of the signed-in user. Update operations include confirming risk event detections. 
AdminConsentRequired Yes Yes

IdentityRiskyServicePrincipal.Read.All

Category Application Delegated
Identifier 607c7344-0eed-41e5-823a-9695ebe1b7b0 ea5c4ab0-5a73-4f35-8272-5d5337884e5d
DisplayText Read all identity risky service principal information Read all identity risky service principal information
Description Allows the app to read all risky service principal information for your organization, without a signed-in user. Allows the app to read all identity risky service principal information for your organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IdentityRiskyServicePrincipal.ReadWrite.All

Category Application Delegated
Identifier cb8d6980-6bcb-4507-afec-ed6de3a2d798 bb6f654c-d7fd-4ae3-85c3-fc380934f515
DisplayText Read and write all identity risky service principal information Read and write all identity risky service principal information
Description Allows the app to read and update identity risky service principal for your organization, without a signed-in user. Allows the app to read and update identity risky service principal information for all service principals in your organization, on behalf of the signed-in user. Update operations include dismissing risky service principals.
AdminConsentRequired Yes Yes

IdentityRiskyUser.Read.All

Category Application Delegated
Identifier dc5007c0-2d7d-4c42-879c-2dab87571379 d04bb851-cb7c-4146-97c7-ca3e71baf56c
DisplayText Read all identity risky user information Read identity risky user information
Description Allows the app to read the identity risky user information for your organization without a signed in user. Allows the app to read identity risky user information for all users in your organization on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IdentityRiskyUser.ReadWrite.All

Category Application Delegated
Identifier 656f6061-f9fe-4807-9708-6a2e0934df76 e0a7cdbb-08b0-4697-8264-0069786e9674
DisplayText Read and write all risky user information Read and write risky user information
Description Allows the app to read and update identity risky user information for your organization without a signed-in user.  Update operations include dismissing risky users. Allows the app to read and update identity risky user information for all users in your organization on behalf of the signed-in user. Update operations include dismissing risky users.
AdminConsentRequired Yes Yes

IdentityUserFlow.Read.All

Category Application Delegated
Identifier 1b0c317f-dd31-4305-9932-259a8b6e8099 2903d63d-4611-4d43-99ce-a33f3f52e343
DisplayText Read all identity user flows Read all identity user flows
Description Allows the app to read your organization's user flows, without a signed-in user. Allows the app to read your organization's user flows, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IdentityUserFlow.ReadWrite.All

Category Application Delegated
Identifier 65319a09-a2be-469d-8782-f6b07debf789 281892cc-4dbf-4e3a-b6cc-b21029bb4e82
DisplayText Read and write all identity user flows Read and write all identity user flows
Description Allows the app to read or write your organization's user flows, without a signed-in user. Allows the app to read or write your organization's user flows, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IMAP.AccessAsUser.All

Category Application Delegated
Identifier - 652390e4-393a-48de-9484-05f9b1212954
DisplayText - Read and write access to mailboxes via IMAP.
Description - Allows the app to have the same access to mailboxes as the signed-in user via IMAP protocol.
AdminConsentRequired - No

IndustryData.ReadBasic.All

Category Application Delegated
Identifier 4f5ac95f-62fd-472c-b60f-125d24ca0bc5 60382b96-1f5e-46ea-a544-0407e489e588
DisplayText View basic service and resource information Read basic Industry Data service and resource definitions
Description Allows the app to read basic service and resource information without a signed-in user. Allows the app to read basic Industry Data service and resource information on behalf of the signed-in user.
AdminConsentRequired Yes No

IndustryData-DataConnector.Read.All

Category Application Delegated
Identifier 7ab52c2f-a2ee-4d98-9ebc-725e3934aae2 d19c0de5-7ecb-4aba-b090-da35ebcd5425
DisplayText View data connector definitions View data connector definitions
Description Allows the app to read data connectors without a signed-in user. Allows the app to read data connectors on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IndustryData-DataConnector.ReadWrite.All

Category Application Delegated
Identifier eda0971c-482e-4345-b28f-69c309cb8a34 5ce933ac-3997-4280-aed0-cc072e5c062a
DisplayText Manage data connector definitions Manage data connector definitions
Description Allows the app to read and write data connectors without a signed-in user. Allows the app to read and write data connectors on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IndustryData-DataConnector.Upload

Category Application Delegated
Identifier 9334c44b-a7c6-4350-8036-6bf8e02b4c1f fc47391d-ab2c-410f-9059-5600f7af660d
DisplayText Upload files to a data connector Upload files to a data connector
Description Allows the app to upload data files to a data connector without a signed-in user. Allows the app to upload data files to a data connector on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IndustryData-InboundFlow.Read.All

Category Application Delegated
Identifier 305f6ba2-049a-4b1b-88bb-fe7e08758a00 cb0774da-a605-42af-959c-32f438fb38f4
DisplayText View inbound flow definitions View inbound flow definitions
Description Allows the app to read inbound data flows without a signed-in user. Allows the app to read inbound data flows on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IndustryData-InboundFlow.ReadWrite.All

Category Application Delegated
Identifier e688c61f-d4c6-4d64-a197-3bcf6ba1d6ad 97044676-2cec-40ee-bd70-38df444c9e70
DisplayText Manage inbound flow definitions Manage inbound flow definitions
Description Allows the app to read and write inbound data flows without a signed-in user. Allows the app to read and write inbound data flows on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IndustryData-ReferenceDefinition.Read.All

Category Application Delegated
Identifier 6ee891c3-74a4-4148-8463-0c834375dfaf a3f96ffe-cb84-40a8-ac85-582d7ef97c2a
DisplayText View reference definitions View reference definitions
Description Allows the app to read reference definitions without a signed-in user. Allows the app to read reference definitions on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IndustryData-Run.Read.All

Category Application Delegated
Identifier f6f5d10b-3024-4d1d-b674-aae4df4a1a73 92685235-50c4-4702-b2c8-36043db6fa79
DisplayText View current and previous runs View current and previous runs
Description Allows the app to read current and previous IndustryData runs without a signed-in user. Allows the app to read current and previous IndustryData runs on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IndustryData-SourceSystem.Read.All

Category Application Delegated
Identifier bc167a60-39fe-4865-8b44-78400fc6ed03 49b7016c-89ae-41e7-bd6f-b7170c5490bf
DisplayText View source system definitions View source system definitions
Description Allows the app to read source system definitions without a signed-in user. Allows the app to read source system definitions on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IndustryData-SourceSystem.ReadWrite.All

Category Application Delegated
Identifier 7d866958-e06e-4dd6-91c6-a086b3f5cfeb 9599f005-05d6-4ea7-b1b1-4929768af5d0
DisplayText Manage source system definitions Manage source system definitions
Description Allows the app to read and write source system definitions without a signed-in user. Allows the app to read and write source system definitions on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IndustryData-TimePeriod.Read.All

Category Application Delegated
Identifier 7c55c952-b095-4c23-a522-022bce4cc1e3 c9d51f28-8ccd-42b2-a836-fd8fe9ebf2ae
DisplayText Read time period definitions Read time period definitions
Description Allows the app to read time period definitions without a signed-in user. Allows the app to read time period definitions on behalf of the signed-in user.
AdminConsentRequired Yes Yes

IndustryData-TimePeriod.ReadWrite.All

Category Application Delegated
Identifier 7afa7744-a782-4a32-b8c2-e3db637e8de7 b6d56528-3032-4f9d-830f-5a24a25e6661
DisplayText Manage time period definitions Manage time period definitions
Description Allows the app to read and write time period definitions without a signed-in user. Allows the app to read and write time period definitions on behalf of the signed-in user.
AdminConsentRequired Yes Yes

InformationProtectionConfig.Read

Category Application Delegated
Identifier - 12f4bffb-b598-413c-984b-db99728f8b54
DisplayText - Read configurations for protecting organizational data applicable to the user
Description - Allows the app to read the configurations applicable to the signed-in user for protecting organizational data, on behalf of the signed-in user.
AdminConsentRequired - Yes

InformationProtectionConfig.Read.All

Category Application Delegated
Identifier 14f49b9f-4bf2-4d24-b80e-b27ec58409bd -
DisplayText Read all configurations for protecting organizational data applicable to users -
Description Allows the app to read all configurations applicable to users for protecting organizational data, without a signed-in user. -
AdminConsentRequired Yes -

InformationProtectionContent.Sign.All

Category Application Delegated
Identifier cbe6c7e4-09aa-4b8d-b3c3-2dbb59af4b54 -
DisplayText Sign digests for data -
Description Allows an app to sign digests for data without a signed-in user. -
AdminConsentRequired Yes -

InformationProtectionContent.Write.All

Category Application Delegated
Identifier 287bd98c-e865-4e8c-bade-1a85523195b9 -
DisplayText Create protected content -
Description Allows the app to create protected content without a signed-in user. -
AdminConsentRequired Yes -

InformationProtectionPolicy.Read

Category Application Delegated
Identifier - 4ad84827-5578-4e18-ad7a-86530b12f884
DisplayText - Read user sensitivity labels and label policies.
Description - Allows an app to read information protection sensitivity labels and label policy settings, on behalf of the signed-in user.
AdminConsentRequired - No

InformationProtectionPolicy.Read.All

Category Application Delegated
Identifier 19da66cb-0fb0-4390-b071-ebc76a349482 -
DisplayText Read all published labels and label policies for an organization. -
Description Allows an app to read published sensitivity labels and label policy settings for the entire organization or a specific user, without a signed in user. -
AdminConsentRequired Yes -

Insights-UserMetric.Read.All

Category Application Delegated
Identifier 34cbd96c-d824-4755-90d3-1008ef47efc1 7d249730-51a3-4180-8ec1-214f144f1bff
DisplayText Read all user metrics insights Read user metrics insights
Description Allows an app to read all user metrics insights, such as daily and monthly active users, without a signed-in user. Allows an app to read user metrics insights, such as daily and monthly active users, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

LearningAssignedCourse.Read

Category Application Delegated
Identifier - ac08cdae-e845-41db-adf9-5899a0ec9ef6
DisplayText - Read user's assignments
Description - Allows the app to read data for the learner's assignments in the organization's directory, on behalf of the signed-in user.
AdminConsentRequired - No

LearningAssignedCourse.Read.All

Category Application Delegated
Identifier 535e6066-2894-49ef-ab33-e2c6d064bb81 -
DisplayText Read all assignments -
Description Allows the app to read data for all assignments in the organization's directory, without a signed-in user. -
AdminConsentRequired Yes -

LearningAssignedCourse.ReadWrite.All

Category Application Delegated
Identifier 236c1cbd-1187-427f-b0f5-b1852454973b -
DisplayText Read and write all assignments -
Description Allows the app to create, update, read and delete all assignments in the organization's directory, without a signed-in user. -
AdminConsentRequired Yes -

LearningContent.Read.All

Category Application Delegated
Identifier 8740813e-d8aa-4204-860e-2a0f8f84dbc8 ea4c1fd9-6a9f-4432-8e5d-86e06cc0da77
DisplayText Read all learning content Read learning content
Description Allows the app to read all learning content in the organization's directory, without a signed-in user. Allows the app to read learning content in the organization's directory, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

LearningContent.ReadWrite.All

Category Application Delegated
Identifier 444d6fcb-b738-41e5-b103-ac4f2a2628a3 53cec1c4-a65f-4981-9dc1-ad75dbf1c077
DisplayText Manage all learning content Manage learning content
Description Allows the app to manage all learning content in the organization's directory, without a signed-in user. Allows the app to manage learning content in the organization's directory, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

LearningProvider.Read

Category Application Delegated
Identifier - dd8ce36f-9245-45ea-a99e-8ac398c22861
DisplayText - Read learning provider
Description - Allows the app to read data for the learning provider in the organization's directory, on behalf of the signed-in user.
AdminConsentRequired - Yes

LearningProvider.ReadWrite

Category Application Delegated
Identifier - 40c2eb57-abaf-49f5-9331-e90fd01f7130
DisplayText - Manage learning provider
Description - Allows the app to create, update, read, and delete data for the learning provider in the organization's directory, on behalf of the signed-in user.
AdminConsentRequired - Yes

LearningSelfInitiatedCourse.Read

Category Application Delegated
Identifier - f6403ef7-4a96-47be-a190-69ba274c3f11
DisplayText - Read user's self-initiated courses
Description - Allows the app to read data for the learner's self-initiated courses in the organization's directory, on behalf of the signed-in user.
AdminConsentRequired - No

LearningSelfInitiatedCourse.Read.All

Category Application Delegated
Identifier 467524fc-ed22-4356-a910-af61191e3503 -
DisplayText Read all self-initiated courses -
Description Allows the app to read data for all self-initiated courses in the organization's directory, without a signed-in user. -
AdminConsentRequired Yes -

LearningSelfInitiatedCourse.ReadWrite.All

Category Application Delegated
Identifier 7654ed61-8965-4025-846a-0856ec02b5b0 -
DisplayText Read and write all self-initiated courses -
Description Allows the app to create, update, read and delete all self-initiated courses in the organization's directory, without a signed-in user. -
AdminConsentRequired Yes -

LicenseAssignment.ReadWrite.All

Category Application Delegated
Identifier 5facf0c1-8979-4e95-abcf-ff3d079771c0 f55016cc-149c-447e-8f21-7cf3ec1d6350
DisplayText Manage all license assignments Manage all license assignments
Description Allows an app to manage license assignments for users and groups, without a signed-in user. Allows an app to manage license assignments for users and groups, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

LifecycleWorkflows.Read.All

Category Application Delegated
Identifier 7c67316a-232a-4b84-be22-cea2c0906404 9bcb9916-765a-42af-bf77-02282e26b01a
DisplayText Read all lifecycle workflows resources Read all lifecycle workflows resources
Description Allows the app to list and read all workflows, tasks and related lifecycle workflows resources without a signed-in user. Allows the app to list and read all workflows, tasks and related lifecycle workflows resources on behalf of the signed-in user.
AdminConsentRequired Yes Yes

LifecycleWorkflows.ReadWrite.All

Category Application Delegated
Identifier 5c505cf4-8424-4b8e-aa14-ee06e3bb23e3 84b9d731-7db8-4454-8c90-fd9e95350179
DisplayText Read and write all lifecycle workflows resources Read and write all lifecycle workflows resources
Description Allows the app to create, update, list, read and delete all workflows, tasks and related lifecycle workflows resources without a signed-in user. Allows the app to create, update, list, read and delete all workflows, tasks and related lifecycle workflows resources on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Mail.Read

Category Application Delegated
Identifier 810c84a8-4a9e-49e6-bf7d-12d183f40d01 570282fd-fa5c-430d-a7fd-fc8dc98a9dca
DisplayText Read mail in all mailboxes Read user mail
Description Allows the app to read mail in all mailboxes without a signed-in user. Allows the app to read the signed-in user's mailbox.
AdminConsentRequired Yes No

Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the Mail.Read application permission.

Mail.Read is valid valid for both Microsoft accounts and work or school accounts.


Mail.Read.Shared

Category Application Delegated
Identifier - 7b9103a5-4610-446b-9670-80643382c1fa
DisplayText - Read user and shared mail
Description - Allows the app to read mail a user can access, including their own and shared mail.
AdminConsentRequired - No

Mail.Read.Shared is only valid for work or school accounts.


Mail.ReadBasic

Category Application Delegated
Identifier 6be147d2-ea4f-4b5a-a3fa-3eab6f3c140a a4b8392a-d8d1-4954-a029-8e668a39a170
DisplayText Read basic mail in all mailboxes Read user basic mail
Description Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, previewBody, attachments and any extended properties. Allows the app to read email in the signed-in user's mailbox except body, previewBody, attachments and any extended properties.
AdminConsentRequired Yes No

Mail.ReadBasic.All

Category Application Delegated
Identifier 693c5e45-0940-467d-9b8a-1022fb9d42ef -
DisplayText Read basic mail in all mailboxes -
Description Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, previewBody, attachments and any extended properties. -
AdminConsentRequired Yes -

Mail.ReadBasic.Shared

Category Application Delegated
Identifier - b11fa0e7-fdb7-4dc9-b1f1-59facd463480
DisplayText - Read user and shared basic mail
Description - Allows the app to read mail the signed-in user can access, including their own and shared mail, except for body, bodyPreview, uniqueBody, attachments, extensions, and any extended properties.
AdminConsentRequired - No

Mail.ReadWrite

Category Application Delegated
Identifier e2a3a72e-5f79-4c64-b1b1-878b674786c9 024d486e-b451-40bb-833d-3e66d98c5c73
DisplayText Read and write mail in all mailboxes Read and write access to user mail
Description Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail.
AdminConsentRequired Yes No

Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the Mail.ReadWrite application permission.

Mail.ReadWrite is valid valid for both Microsoft accounts and work or school accounts.


Mail.ReadWrite.Shared

Category Application Delegated
Identifier - 5df07973-7d5d-46ed-9847-1271055cbd51
DisplayText - Read and write user and shared mail
Description - Allows the app to create, read, update, and delete mail a user has permission to access, including their own and shared mail. Does not include permission to send mail.
AdminConsentRequired - No

Mail.ReadWrite.Shared is only valid for work or school accounts.


Mail.Send

Category Application Delegated
Identifier b633e1c5-b582-4048-a93e-9f11b44c7e96 e383f46e-2787-4529-855e-0e479a3ffac0
DisplayText Send mail as any user Send mail as a user
Description Allows the app to send mail as any user without a signed-in user. Allows the app to send mail as users in the organization.
AdminConsentRequired Yes No

Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the Mail.Send application permission.

Mail.Send is valid valid for both Microsoft accounts and work or school accounts.

With the Mail.Send permission, an app can send mail and save a copy to the user's Sent Items folder, even if the app isn't granted the Mail.ReadWrite or Mail.ReadWrite.Shared permission.


Mail.Send.Shared

Category Application Delegated
Identifier - a367ab51-6b49-43bf-a716-a1fb06d2a174
DisplayText - Send mail on behalf of others
Description - Allows the app to send mail as the signed-in user, including sending on-behalf of others.
AdminConsentRequired - No

Mail.Send.Shared is only valid for work or school accounts.

With the Mail.Send.Shared permission, an app can send mail and save a copy to the user's Sent Items folder, even if the app isn't granted the Mail.ReadWrite or Mail.ReadWrite.Shared permission.


MailboxSettings.Read

Category Application Delegated
Identifier 40f97065-369a-49f4-947c-6a255697ae91 87f447af-9fa4-4c32-9dfa-4a57a73d18ce
DisplayText Read all user mailbox settings Read user mailbox settings
Description Allows the app to read user's mailbox settings without a signed-in user. Does not include permission to send mail. Allows the app to the read user's mailbox settings. Does not include permission to send mail.
AdminConsentRequired Yes No

Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the MailboxSettings.Read application permission.

MailboxSettings.Read is valid valid for both Microsoft accounts and work or school accounts.


MailboxSettings.ReadWrite

Category Application Delegated
Identifier 6931bccd-447a-43d1-b442-00a195474933 818c620a-27a9-40bd-a6a5-d96f7d610b4b
DisplayText Read and write all user mailbox settings Read and write user mailbox settings
Description Allows the app to create, read, update, and delete user's mailbox settings without a signed-in user. Does not include permission to send mail. Allows the app to create, read, update, and delete user's mailbox settings. Does not include permission to send mail.
AdminConsentRequired Yes No

Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the MailboxSettings.ReadWrite application permission.

MailboxSettings.ReadWrite is valid valid for both Microsoft accounts and work or school accounts.


ManagedTenants.Read.All

Category Application Delegated
Identifier - dc34164e-6c4a-41a0-be89-3ae2fbad7cd3
DisplayText - Read all managed tenant information
Description - Allows the app to read all managed tenant information on behalf of the signed-in user.
AdminConsentRequired - Yes

ManagedTenants.ReadWrite.All

Category Application Delegated
Identifier - b31fa710-c9b3-4d9e-8f5e-8036eecddab9
DisplayText - Read and write all managed tenant information
Description - Allows the app to read and write all managed tenant information on behalf of the signed-in user.
AdminConsentRequired - Yes

Member.Read.Hidden

Category Application Delegated
Identifier 658aa5d8-239f-45c4-aa12-864f4fc7e490 f6a3db3e-f7e8-4ed2-a414-557c8c9830be
DisplayText Read all hidden memberships Read hidden memberships
Description Allows the app to read the memberships of hidden groups and administrative units without a signed-in user. Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to.
AdminConsentRequired Yes Yes

MultiTenantOrganization.Read.All

Category Application Delegated
Identifier 4f994bc0-31bb-44bb-b480-7a7c1be8c02e 526aa72a-5878-49fe-bf4e-357973af9b06
DisplayText Read all multi-tenant organization details and tenants Read multi-tenant organization details and tenants
Description Allows the app to read all multi-tenant organization details and tenants, without a signed-in user. Allows the app to read multi-tenant organization details and tenants on behalf of the signed-in user.
AdminConsentRequired Yes Yes

MultiTenantOrganization.ReadBasic.All

Category Application Delegated
Identifier f9c2b2a7-3895-4b2e-80f6-c924b456e50b 225db56b-15b2-4daa-acb3-0eec2bbe4849
DisplayText Read multi-tenant organization basic details and active tenants Read multi-tenant organization basic details and active tenants
Description Allows the app to read multi-tenant organization basic details and active tenants, without a signed-in user. Allows the app to read multi-tenant organization basic details and active tenants on behalf of the signed-in user.
AdminConsentRequired Yes No

MultiTenantOrganization.ReadWrite.All

Category Application Delegated
Identifier 920def01-ca61-4d2d-b3df-105b46046a70 77af1528-84f3-4023-8d90-d219cd433108
DisplayText Read and write all multi-tenant organization details and tenants Read and write multi-tenant organization details and tenants
Description Allows the app to read and write all multi-tenant organization details and tenants, without a signed-in user. Allows the app to read and write multi-tenant organization details and tenants on behalf of the signed-in user.
AdminConsentRequired Yes Yes

NetworkAccess.Read.All

Category Application Delegated
Identifier e30060de-caa5-4331-99d3-6ac6c966a9a4 2f7013e0-ab4e-447f-a5e1-5d419950692d
DisplayText Read all network access information Read all network access information
Description Allows the app to read all network access information and configuration settings without a signed-in user. Allows the app to read all network access information on behalf of the signed-in user.
AdminConsentRequired Yes Yes

NetworkAccess.ReadWrite.All

Category Application Delegated
Identifier b10642fc-a6cf-4c46-87f9-e1f96c2a18aa ae2df9c5-f18d-4ec4-a51b-bdeb807f177b
DisplayText Read and write all network access information Read and write all network access information
Description Allows the app to read and write all network access information and configuration settings without a signed-in user. Allows the app to read and write all network access information and configuration settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

NetworkAccessBranch.Read.All

Category Application Delegated
Identifier 39ae4a24-1ef0-49e8-9d63-2a66f5c39edd 4051c7fc-b429-4804-8d80-8f1f8c24a6f7
DisplayText Read properties of all branches for network access Read properties of branches for network access
Description Allows the app to read your organization's network access braches, without a signed-in user. Allows the app to read your organization's branches for network access on behalf of the signed-in user.
AdminConsentRequired Yes No

NetworkAccessBranch.ReadWrite.All

Category Application Delegated
Identifier 8137102d-ec16-4191-aaf8-7aeda8026183 b8a36cc2-b810-461a-baa4-a7281e50bd5c
DisplayText Read and write properties of all branches for network access Read and write properties of branches for network access
Description Allows the app to read and write your organization's network access braches, without a signed-in user. Allows the app to read and write your organization's branches for network access on behalf of the signed-in user.
AdminConsentRequired Yes Yes

NetworkAccessPolicy.Read.All

Category Application Delegated
Identifier 8a3d36bf-cb46-4bcc-bec9-8d92829dab84 ba22922b-752c-446f-89d7-a2d92398fceb
DisplayText Read all security and routing policies for network access Read security and routing policies for network access
Description Allows the app to read your organization's network access policies, without a signed-in user. Allows the app to read your organization's security and routing network access policies on behalf of the signed-in user.
AdminConsentRequired Yes No

NetworkAccessPolicy.ReadWrite.All

Category Application Delegated
Identifier f0c341be-8348-4989-8e43-660324294538 b1fbad0f-ef6e-42ed-8676-bca7fa3e7291
DisplayText Read and write all security and routing policies for network access Read and write security and routing policies for network access
Description Allows the app to read and write your organization's network access policies, without a signed-in user. Allows the app to read and write your organization's security and routing network access policies on behalf of the signed-in user.
AdminConsentRequired Yes Yes

NetworkAccess-Reports.Read.All

Category Application Delegated
Identifier 40049381-3cc1-42af-94ec-5ce755db4b0d b0c61509-cfc3-42bd-9bd4-66d81785fee4
DisplayText Read all network access reports Read all network access reports
Description Allows the app to read all network access reports without a signed-in user. Allows the app to read all network access reports on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Notes.Create

Category Application Delegated
Identifier - 9d822255-d64d-4b7a-afdb-833b9a97ed02
DisplayText - Create user OneNote notebooks
Description - Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user.
AdminConsentRequired - No

Notes.Read

Category Application Delegated
Identifier - 371361e4-b9e2-4a3f-8315-2a301a3b0a3d
DisplayText - Read user OneNote notebooks
Description - Allows the app to read OneNote notebooks on behalf of the signed-in user.
AdminConsentRequired - No

Notes.Read.All

Category Application Delegated
Identifier 3aeca27b-ee3a-4c2b-8ded-80376e2134a4 dfabfca6-ee36-4db2-8208-7a28381419b3
DisplayText Read all OneNote notebooks Read all OneNote notebooks that user can access
Description Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. Allows the app to read OneNote notebooks that the signed-in user has access to in the organization.
AdminConsentRequired Yes No

Notes.ReadWrite

Category Application Delegated
Identifier - 615e26af-c38a-4150-ae3e-c3b0d4cb1d6a
DisplayText - Read and write user OneNote notebooks
Description - Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user.
AdminConsentRequired - No

Notes.ReadWrite.All

Category Application Delegated
Identifier 0c458cef-11f3-48c2-a568-c66751c238c0 64ac0503-b4fa-45d9-b544-71a463f05da0
DisplayText Read and write all OneNote notebooks Read and write all OneNote notebooks that user can access
Description Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization.
AdminConsentRequired Yes No

Notes.ReadWrite.CreatedByApp

Category Application Delegated
Identifier - ed68249d-017c-4df5-9113-e684c7f8760b
DisplayText - Limited notebook access (deprecated)
Description - This is deprecated! Do not use! This permission no longer has any effect. You can safely consent to it. No additional privileges will be granted to the app.
AdminConsentRequired - No

Notifications.ReadWrite.CreatedByApp

Category Application Delegated
Identifier - 89497502-6e42-46a2-8cb2-427fd3df970a
DisplayText - Deliver and manage user notifications for this app
Description - Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user's notification items for this app.
AdminConsentRequired - No

offline_access

Category Application Delegated
Identifier - 7427e0e9-2fba-42fe-b0c0-848c9e6a8182
DisplayText - Maintain access to data you have given it access to
Description - Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.
AdminConsentRequired - No

offline_access is an OpenID Connect (OIDC) scope.

You can use the OIDC scopes to specify artifacts that you want returned in Azure AD authorization and token requests. They are supported differently by the Azure AD v1.0 and v2.0 endpoints.

With the Azure AD v1.0 endpoint, only the openid scope is used. You specify it in the scope parameter in an authorization request to return an ID token when you use the OpenID Connect protocol to sign in a user to your app. For more information, see Authorize access to web applications using OpenID Connect and Azure Active Directory. To successfully return an ID token, you must also make sure that the User.Read permission is configured when you register your app.

With the Azure AD v2.0 endpoint, you specify the offline_access scope in the scope parameter to explicitly request a refresh token when using the OAuth 2.0 or OpenID Connect protocols. With OpenID Connect, you specify the openid scope to request an ID token. You can also specify the email scope, profile scope, or both to return additional claims in the ID token. You do not need to specify the User.Read permission to return an ID token with the v2.0 endpoint. For more information, see OpenID Connect scopes.

The Microsoft Authentication Library (MSAL) currently specifies offline_access, openid, profile, and email by default in authorization and token requests. This means that, for the default case, if you specify these scopes explicitly, Azure AD may return an error.


OnlineMeetingArtifact.Read.All

Category Application Delegated
Identifier df01ed3b-eb61-4eca-9965-6b3d789751b2 110e5abb-a10c-4b59-8b55-9b4daa4ef743
DisplayText Read online meeting artifacts Read user's online meeting artifacts
Description Allows the app to read online meeting artifacts in your organization, without a signed-in user. Allows the app to read online meeting artifacts on behalf of the signed-in user.
AdminConsentRequired Yes No

Administrators can configure application access policy to allow apps to access online meetings on behalf of a user.


OnlineMeetingRecording.Read.All

Category Application Delegated
Identifier a4a08342-c95d-476b-b943-97e100569c8d 190c2bb6-1fdd-4fec-9aa2-7d571b5e1fe3
DisplayText Read all recordings of online meetings. Read all recordings of online meetings.
Description Allows the app to read all recordings of all online meetings, without a signed-in user. Allows the app to read all recordings of online meetings, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Administrators can configure application access policy to allow apps to access online meetings on behalf of a user.


OnlineMeetings.Read

Category Application Delegated
Identifier - 9be106e1-f4e3-4df5-bdff-e4bc531cbe43
DisplayText - Read user's online meetings
Description - Allows the app to read online meeting details on behalf of the signed-in user.
AdminConsentRequired - No

Administrators can configure application access policy to allow apps to access online meetings on behalf of a user.


OnlineMeetings.Read.All

Category Application Delegated
Identifier c1684f21-1984-47fa-9d61-2dc8c296bb70 -
DisplayText Read online meeting details -
Description Allows the app to read online meeting details in your organization, without a signed-in user. -
AdminConsentRequired Yes -

OnlineMeetings.ReadWrite

Category Application Delegated
Identifier - a65f2972-a4f8-4f5e-afd7-69ccb046d5dc
DisplayText - Read and create user's online meetings
Description - Allows the app to read and create online meetings on behalf of the signed-in user.
AdminConsentRequired - No

Administrators can configure application access policy to allow apps to access online meetings on behalf of a user.


OnlineMeetings.ReadWrite.All

Category Application Delegated
Identifier b8bb2037-6e08-44ac-a4ea-4674e010e2a4 -
DisplayText Read and create online meetings -
Description Allows the app to read and create online meetings as an application in your organization. -
AdminConsentRequired Yes -

OnlineMeetingTranscript.Read.All

Category Application Delegated
Identifier a4a80d8d-d283-4bd8-8504-555ec3870630 30b87d18-ebb1-45db-97f8-82ccb1f0190c
DisplayText Read all transcripts of online meetings. Read all transcripts of online meetings.
Description Allows the app to read all transcripts of all online meetings, without a signed-in user. Allows the app to read all transcripts of online meetings, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Administrators can configure application access policy to allow apps to access online meetings on behalf of a user.


OnPremDirectorySynchronization.Read.All

Category Application Delegated
Identifier bb70e231-92dc-4729-aff5-697b3f04be95 f6609722-4100-44eb-b747-e6ca0536989d
DisplayText Read all on-premises directory synchronization information Read all on-premises directory synchronization information
Description Allows the app to read all on-premises directory synchronization information for the organization, without a signed-in user. Allows the app to read all on-premises directory synchronization information for the organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OnPremDirectorySynchronization.ReadWrite.All

Category Application Delegated
Identifier c22a92cc-79bf-4bb1-8b6c-e0a05d3d80ce c2d95988-7604-4ba1-aaed-38a5f82a51c7
DisplayText Read and write all on-premises directory synchronization information Read and write all on-premises directory synchronization information
Description Allows the app to read and write all on-premises directory synchronization information for the organization, without a signed-in user. Allows the app to read and write all on-premises directory synchronization information for the organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OnPremisesPublishingProfiles.ReadWrite.All

Category Application Delegated
Identifier 0b57845e-aa49-4e6f-8109-ce654fffa618 8c4d5184-71c2-4bf8-bb9d-bc3378c9ad42
DisplayText Manage on-premises published resources Manage on-premises published resources
Description Allows the app to create, view, update and delete on-premises published resources, on-premises agents and agent groups, as part of a hybrid identity configuration, without a signed in user. Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

openid

Category Application Delegated
Identifier - 37f7f235-527c-4136-accd-4a02d197296e
DisplayText - Sign users in
Description - Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information.
AdminConsentRequired - No

openid is an OpenID Connect (OIDC) scope.

You can use the OIDC scopes to specify artifacts that you want returned in Azure AD authorization and token requests. They are supported differently by the Azure AD v1.0 and v2.0 endpoints.

With the Azure AD v1.0 endpoint, only the openid scope is used. You specify it in the scope parameter in an authorization request to return an ID token when you use the OpenID Connect protocol to sign in a user to your app. For more information, see Authorize access to web applications using OpenID Connect and Azure Active Directory. To successfully return an ID token, you must also make sure that the User.Read permission is configured when you register your app.

With the Azure AD v2.0 endpoint, you specify the offline_access scope in the scope parameter to explicitly request a refresh token when using the OAuth 2.0 or OpenID Connect protocols. With OpenID Connect, you specify the openid scope to request an ID token. You can also specify the email scope, profile scope, or both to return additional claims in the ID token. You do not need to specify the User.Read permission to return an ID token with the v2.0 endpoint. For more information, see OpenID Connect scopes.

The Microsoft Authentication Library (MSAL) currently specifies offline_access, openid, profile, and email by default in authorization and token requests. This means that, for the default case, if you specify these scopes explicitly, Azure AD may return an error.


Organization.Read.All

Category Application Delegated
Identifier 498476ce-e0fe-48b0-b801-37ba7e2685c6 4908d5b9-3fb2-4b1e-9336-1888b7937185
DisplayText Read organization information Read organization information
Description Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information. Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information.
AdminConsentRequired Yes Yes

Organization.ReadWrite.All

Category Application Delegated
Identifier 292d869f-3427-49a8-9dab-8c70152b74e9 46ca0847-7e6b-426e-9775-ea810a948356
DisplayText Read and write organization information Read and write organization information
Description Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information. Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information.
AdminConsentRequired Yes Yes

OrganizationalBranding.Read.All

Category Application Delegated
Identifier eb76ac34-0d62-4454-b97c-185e4250dc20 9082f138-6f02-4f3a-9f4d-5f3c2ce5c688
DisplayText Read organizational branding information Read organizational branding information
Description Allows the app to read the organizational branding information, without a signed-in user. Allows the app to read the organizational branding information, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrganizationalBranding.ReadWrite.All

Category Application Delegated
Identifier d2ebfbc1-a5f8-424b-83a6-56ab5927a73c 15ce63de-b141-4c9a-a9a5-241bf27c6aaf
DisplayText Read and write organizational branding information Read and write organizational branding information
Description Allows the app to read and write the organizational branding information, without a signed-in user. Allows the app to read and write the organizational branding information, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrgContact.Read.All

Category Application Delegated
Identifier e1a88a34-94c4-4418-be12-c87b00e26bea 08432d1b-5911-483c-86df-7980af5cdee0
DisplayText Read organizational contacts Read organizational contacts
Description Allows the app to read all organizational contacts without a signed-in user. These contacts are managed by the organization and are different from a user's personal contacts. Allows the app to read all organizational contacts on behalf of the signed-in user.  These contacts are managed by the organization and are different from a user's personal contacts.
AdminConsentRequired Yes Yes

OrgSettings-AppsAndServices.Read.All

Category Application Delegated
Identifier 56c84fa9-ea1f-4a15-90f2-90ef41ece2c9 1e9b7a7e-4d64-44ff-acf5-2e9651c1519f
DisplayText Read organization-wide apps and services settings Read organization-wide apps and services settings
Description Allows the app to read organization-wide apps and services settings, without a signed-in user. Allows the app to read organization-wide apps and services settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrgSettings-AppsAndServices.ReadWrite.All

Category Application Delegated
Identifier 4a8e4191-c1c8-45f8-b801-f9a1a5ee6ad3 c167b0e7-47c0-48e8-9eee-9892f58018fa
DisplayText Read and write organization-wide apps and services settings Read and write organization-wide apps and services settings
Description Allows the app to read and write organization-wide apps and services settings, without a signed-in user. Allows the app to read and write organization-wide apps and services settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrgSettings-DynamicsVoice.Read.All

Category Application Delegated
Identifier c18ae2dc-d9f3-4495-a93f-18980a0e159f 9862d930-5aec-4a98-8d4f-7277a8db9bcb
DisplayText Read organization-wide Dynamics customer voice settings Read organization-wide Dynamics customer voice settings
Description Allows the app to read organization-wide Dynamics customer voice settings, without a signed-in user. Allows the app to read organization-wide Dynamics customer voice settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrgSettings-DynamicsVoice.ReadWrite.All

Category Application Delegated
Identifier c3f1cc32-8bbd-4ab6-bd33-f270e0d9e041 4cea26fb-6967-4234-82c4-c044414743f8
DisplayText Read and write organization-wide Dynamics customer voice settings Read and write organization-wide Dynamics customer voice settings
Description Allows the app to read and write organization-wide Dynamics customer voice settings, without a signed-in user. Allows the app to read and write organization-wide Dynamics customer voice settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrgSettings-Forms.Read.All

Category Application Delegated
Identifier 434d7c66-07c6-4b1f-ab21-417cf2cdaaca 210051a0-1ffc-435c-ae76-02d226d05752
DisplayText Read organization-wide Microsoft Forms settings Read organization-wide Microsoft Forms settings
Description Allows the app to read organization-wide Microsoft Forms settings, without a signed-in user. Allows the app to read organization-wide Microsoft Forms settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrgSettings-Forms.ReadWrite.All

Category Application Delegated
Identifier 2cb92fee-97a3-4034-8702-24a6f5d0d1e9 346c19ff-3fb2-4e81-87a0-bac9e33990c1
DisplayText Read and write organization-wide Microsoft Forms settings Read and write organization-wide Microsoft Forms settings
Description Allows the app to read and write organization-wide Microsoft Forms settings, without a signed-in user. Allows the app to read and write organization-wide Microsoft Forms settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrgSettings-Microsoft365Install.Read.All

Category Application Delegated
Identifier 6cdf1fb1-b46f-424f-9493-07247caa22e2 8cbdb9f6-9c2e-451a-814d-ec606e5d0212
DisplayText Read organization-wide Microsoft 365 apps installation settings Read organization-wide Microsoft 365 apps installation settings
Description Allows the app to read organization-wide Microsoft 365 apps installation settings, without a signed-in user. Allows the app to read organization-wide Microsoft 365 apps installation settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrgSettings-Microsoft365Install.ReadWrite.All

Category Application Delegated
Identifier 83f7232f-763c-47b2-a097-e35d2cbe1da5 1ff35e91-19eb-42d8-aa2d-cc9891127ae5
DisplayText Read and write organization-wide Microsoft 365 apps installation settings Read and write organization-wide Microsoft 365 apps installation settings
Description Allows the app to read and write organization-wide Microsoft 365 apps installation settings, without a signed-in user. Allows the app to read and write organization-wide Microsoft 365 apps installation settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrgSettings-Todo.Read.All

Category Application Delegated
Identifier e4d9cd09-d858-4363-9410-abb96737f0cf 7ff96f41-f022-45ba-acd8-ef3f03063d6b
DisplayText Read organization-wide Microsoft To Do settings Read organization-wide Microsoft To Do settings
Description Allows the app to read organization-wide Microsoft To Do settings, without a signed-in user. Allows the app to read organization-wide Microsoft To Do settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

OrgSettings-Todo.ReadWrite.All

Category Application Delegated
Identifier 5febc9da-e0d0-4576-bd13-ae70b2179a39 087502c2-5263-433e-abe3-8f77231a0627
DisplayText Read and write organization-wide Microsoft To Do settings Read and write organization-wide Microsoft To Do settings
Description Allows the app to read and write organization-wide Microsoft To Do settings, without a signed-in user. Allows the app to read and write organization-wide Microsoft To Do settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PartnerBilling.Read.All

Category Application Delegated
Identifier 7c3e1994-38ff-4412-a99b-9369f6bb7706 8804798e-5934-4e30-8ce3-ef88257cecd4
DisplayText Read all billing data for your company's tenant Read all billing data for your company's tenant
Description Allows the app to read all of billing data from Microsoft for your company's tenant, without a signed-in user. This includes reading billed and unbilled azure usage and invoice reconciliation data. Allows the app to read all of billing data from Microsoft for your company's tenant, on behalf of the signed-in user. This includes reading billed and unbilled Usage and Invoice reconciliation data.
AdminConsentRequired Yes Yes

PendingExternalUserProfile.Read.All

Category Application Delegated
Identifier bdfb26d9-bb36-49be-9b4c-b8cbf4b05808 d88fd3fb-53d3-4c1c-8c39-787fcac2ed7a
DisplayText Read all pending external user profiles Read pending external user profiles
Description Allows the app to read available properties of pending external user profiles, without a signed-in user. Allows the app to read available properties of pending external user profiles, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PendingExternalUserProfile.ReadWrite.All

Category Application Delegated
Identifier 8363c2b8-6ff7-420b-9966-c5884c2d48bc 93a1fb28-c908-4826-904e-0c74ad352b73
DisplayText Read and write all pending external user profiles Read and write pending external user profiles
Description Allows the app to read and write available properties of pending external user profiles, without a signed-in user. Allows the app to read and write available properties of pending external user profiles, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

People.Read

Category Application Delegated
Identifier - ba47897c-39ec-4d83-8086-ee8256fa737d
DisplayText - Read users' relevant people lists
Description - Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype).
AdminConsentRequired - No

People.Read.All

Category Application Delegated
Identifier b528084d-ad10-4598-8b93-929746b4d7d6 b89f9189-71a5-4e70-b041-9887f0bc7e4a
DisplayText Read all users' relevant people lists Read all users' relevant people lists
Description Allows the app to read any user's scored list of relevant people, without a signed-in user. The list can include local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype). Allows the app to read a scored list of relevant people of the signed-in user or other users in the signed-in user's organization. The list can include local contacts, contacts from social networking, your organization's directory, and people from recent communications (such as email and Skype).
AdminConsentRequired Yes Yes

PeopleSettings.Read.All

Category Application Delegated
Identifier ef02f2e7-e22d-4c77-8614-8f765683b86e ec762c5f-388b-4b16-8693-ac1efbc611bc
DisplayText Read all tenant-wide people settings Read tenant-wide people settings
Description Allows the application to read tenant-wide people settings without a signed-in user. Allows the application to read tenant-wide people settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PeopleSettings.ReadWrite.All

Category Application Delegated
Identifier b6890674-9dd5-4e42-bb15-5af07f541ae1 e67e6727-c080-415e-b521-e3f35d5248e9
DisplayText Read and write all tenant-wide people settings Read and write tenant-wide people settings
Description Allows the application to read and write tenant-wide people settings without a signed-in user. Allows the application to read and write tenant-wide people settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Place.Read.All

Category Application Delegated
Identifier 913b9306-0ce1-42b8-9137-6a7df690a760 cb8f45a0-5c2e-4ea1-b803-84b870a7d7ec
DisplayText Read all company places Read all company places
Description Allows the app to read company places (conference rooms and room lists) for calendar events and other applications, without a signed-in user. Allows the app to read your company's places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Place.ReadWrite.All

Category Application Delegated
Identifier - 4c06a06a-098a-4063-868e-5dfee3827264
DisplayText - Read and write organization places
Description - Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user.
AdminConsentRequired - Yes

Policy.Read.All

Category Application Delegated
Identifier 246dd0d5-5bd0-4def-940b-0421030a5b68 572fea84-0151-49b2-9301-11cb16974376
DisplayText Read your organization's policies Read your organization's policies
Description Allows the app to read all your organization's policies without a signed in user. Allows the app to read your organization's policies on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.Read.ConditionalAccess

Category Application Delegated
Identifier 37730810-e9ba-4e46-b07e-8ca78d182097 633e0fce-8c58-4cfb-9495-12bbd5a24f7c
DisplayText Read your organization's conditional access policies Read your organization's conditional access policies
Description Allows the app to read your organization's conditional access policies, without a signed-in user. Allows the app to read your organization's conditional access policies on behalf of the signed-in user.
AdminConsentRequired Yes No

Policy.Read.IdentityProtection

Category Application Delegated
Identifier b21b72f6-4e6a-4533-9112-47eea9f97b28 d146432f-b803-4ed4-8d42-ba74193a6ede
DisplayText Read your organization's identity protection policy Read your organization's identity protection policy
Description Allows the app to read your organization's identity protection policy without a signed-in user. Allows the app to read your organization's identity protection policy on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.Read.PermissionGrant

Category Application Delegated
Identifier 9e640839-a198-48fb-8b9a-013fd6f6cbcd 414de6ea-2d92-462f-b120-6e2a809a6d01
DisplayText Read consent and permission grant policies Read consent and permission grant policies
Description Allows the app to read policies related to consent and permission grants for applications, without a signed-in user. Allows the app to read policies related to consent and permission grants for applications, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.ReadWrite.AccessReview

Category Application Delegated
Identifier 77c863fd-06c0-47ce-a7eb-49773e89d319 4f5bc9c8-ea54-4772-973a-9ca119cb0409
DisplayText Read and write your organization's directory access review default policy Read and write your organization's directory access review default policy
Description Allows the app to read and write your organization's directory access review default policy without a signed-in user. Allows the app to read and write your organization's directory access review default policy on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.ReadWrite.ApplicationConfiguration

Category Application Delegated
Identifier be74164b-cff1-491c-8741-e671cb536e13 b27add92-efb2-4f16-84f5-8108ba77985c
DisplayText Read and write your organization's application configuration policies Read and write your organization's application configuration policies
Description Allows the app to read and write your organization's application configuration policies, without a signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy. Allows the app to read and write your organization's application configuration policies on behalf of the signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy.
AdminConsentRequired Yes Yes

Policy.ReadWrite.AuthenticationFlows

Category Application Delegated
Identifier 25f85f3c-f66c-4205-8cd5-de92dd7f0cec edb72de9-4252-4d03-a925-451deef99db7
DisplayText Read and write authentication flow policies Read and write authentication flow policies
Description Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user. Allows the app to read and write the authentication flow policies, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.ReadWrite.AuthenticationMethod

Category Application Delegated
Identifier 29c18626-4985-4dcd-85c0-193eef327366 7e823077-d88e-468f-a337-e18f1f0e6c7c
DisplayText Read and write all authentication method policies  Read and write authentication method policies
Description Allows the app to read and write all authentication method policies for the tenant, without a signed-in user.  Allows the app to read and write the authentication method policies, on behalf of the signed-in user. 
AdminConsentRequired Yes Yes

Policy.ReadWrite.Authorization

Category Application Delegated
Identifier fb221be6-99f2-473f-bd32-01c6a0e9ca3b edd3c878-b384-41fd-95ad-e7407dd775be
DisplayText Read and write your organization's authorization policy Read and write your organization's authorization policy
Description Allows the app to read and write your organization's authorization policy without a signed in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. Allows the app to read and write your organization's authorization policy on behalf of the signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.
AdminConsentRequired Yes Yes

Policy.ReadWrite.ConditionalAccess

Category Application Delegated
Identifier 01c0a623-fc9b-48e9-b794-0756f8e8f067 ad902697-1014-4ef5-81ef-2b4301988e8c
DisplayText Read and write your organization's conditional access policies Read and write your organization's conditional access policies
Description Allows the app to read and write your organization's conditional access policies, without a signed-in user. Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.ReadWrite.ConsentRequest

Category Application Delegated
Identifier 999f8c63-0a38-4f1b-91fd-ed1947bdd1a9 4d135e65-66b8-41a8-9f8b-081452c91774
DisplayText Read and write your organization's consent request policy Read and write consent request policy
Description Allows the app to read and write your organization's consent requests policy without a signed-in user. Allows the app to read and write your organization's consent requests policy on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.ReadWrite.CrossTenantAccess

Category Application Delegated
Identifier 338163d7-f101-4c92-94ba-ca46fe52447c 014b43d0-6ed4-4fc6-84dc-4b6f7bae7d85
DisplayText Read and write your organization's cross tenant access policies Read and write your organization's cross tenant access policies
Description Allows the app to read and write your organization's cross tenant access policies without a signed-in user. Allows the app to read and write your organization's cross tenant access policies on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.ReadWrite.DeviceConfiguration

Category Application Delegated
Identifier - 40b534c3-9552-4550-901b-23879c90bcf9
DisplayText - Read and write your organization's device configuration policies
Description - Allows the app to read and write your organization's device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.
AdminConsentRequired - Yes

Policy.ReadWrite.ExternalIdentities

Category Application Delegated
Identifier 03cc4f92-788e-4ede-b93f-199424d144a5 b5219784-1215-45b5-b3f1-88fe1081f9c0
DisplayText Read and write your organization's external identities policy Read and write your organization's external identities policy
Description Allows the application to read and update the organization's external identities policy without a signed-in user. For example, external identities policy controls if users invited to access resources in your organization via B2B collaboration or B2B direct connect are allowed to self-service leave. Allows the application to read and update the organization's external identities policy on behalf of the signed-in user. For example, external identities policy controls if users invited to access resources in your organization via B2B collaboration or B2B direct connect are allowed to self-service leave.
AdminConsentRequired Yes Yes

Policy.ReadWrite.FeatureRollout

Category Application Delegated
Identifier 2044e4f1-e56c-435b-925c-44cd8f6ba89a 92a38652-f13b-4875-bc77-6e1dbb63e1b2
DisplayText Read and write feature rollout policies Read and write your organization's feature rollout policies
Description Allows the app to read and write feature rollout policies without a signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature. Allows the app to read and write your organization's feature rollout policies on behalf of the signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature.
AdminConsentRequired Yes Yes

Policy.ReadWrite.FedTokenValidation

Category Application Delegated
Identifier 90bbca0b-227c-4cdc-8083-1c6cfb95bac6 be1be369-4540-4ac9-8928-79de99f70d8f
DisplayText Read and write your organization's federated token validation policy Read and write your organization's federated token validation policy
Description Allows the application to read and update the organization's federated token validation policy without a signed-in user. Allows the application to read and update the organization's federated token validation policy on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.ReadWrite.IdentityProtection

Category Application Delegated
Identifier 2dcf8603-09eb-4078-b1ec-d30a1a76b873 7256e131-3efb-4323-9854-cf41c6021770
DisplayText Read and write your organization's identity protection policy Read and write your organization's identity protection policy
Description Allows the app to read and write your organization's identity protection policy without a signed-in user. Allows the app to read and write your organization's identity protection policy on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.ReadWrite.MobilityManagement

Category Application Delegated
Identifier - a8ead177-1889-4546-9387-f25e658e2a79
DisplayText - Read and write your organization's mobility management policies
Description - Allows the app to read and write your organization's mobility management policies on behalf of the signed-in user. For example, a mobility management policy can set the enrollment scope for a given mobility management application.
AdminConsentRequired - Yes

Policy.ReadWrite.PermissionGrant

Category Application Delegated
Identifier a402ca1c-2696-4531-972d-6e5ee4aa11ea 2672f8bb-fd5e-42e0-85e1-ec764dd2614e
DisplayText Manage consent and permission grant policies Manage consent and permission grant policies
Description Allows the app to manage policies related to consent and permission grants for applications, without a signed-in user. Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.ReadWrite.SecurityDefaults

Category Application Delegated
Identifier 1c6e93a6-28e2-4cbb-9f64-1a46a821124d 0b2a744c-2abf-4f1e-ad7e-17a087e2be99
DisplayText Read and write your organization's security defaults policy Read and write your organization's security defaults policy
Description Allows the app to read and write your organization's security defaults policy, without a signed-in user. Allows the app to read and write your organization's security defaults policy on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Policy.ReadWrite.TrustFramework

Category Application Delegated
Identifier 79a677f7-b79d-40d0-a36a-3e6f8688dd7a cefba324-1a70-4a6e-9c1d-fd670b7ae392
DisplayText Read and write your organization's trust framework policies Read and write your organization's trust framework policies
Description Allows the app to read and write your organization's trust framework policies without a signed in user. Allows the app to read and write your organization's trust framework policies on behalf of the signed-in user.
AdminConsentRequired Yes Yes

POP.AccessAsUser.All

Category Application Delegated
Identifier - d7b7f2d9-0f45-4ea1-9d42-e50810c06991
DisplayText - Read and write access to mailboxes via POP.
Description - Allows the app to have the same access to mailboxes as the signed-in user via POP protocol.
AdminConsentRequired - No

Presence.Read

Category Application Delegated
Identifier - 76bc735e-aecd-4a1d-8b4c-2b915deabb79
DisplayText - Read user's presence information
Description - Allows the app to read presence information on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.
AdminConsentRequired - No

Presence.Read.All

Category Application Delegated
Identifier - 9c7a330d-35b3-4aa1-963d-cb2b9f927841
DisplayText - Read presence information of all users in your organization
Description - Allows the app to read presence information of all users in the directory on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.
AdminConsentRequired - No

Presence.ReadWrite

Category Application Delegated
Identifier - 8d3c54a7-cf58-4773-bf81-c0cd6ad522bb
DisplayText - Read and write a user's presence information
Description - Allows the app to read the presence information and write activity and availability on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.
AdminConsentRequired - No

Presence.ReadWrite.All

Category Application Delegated
Identifier 83cded22-8297-4ff6-a7fa-e97e9545a259 -
DisplayText Read and write presence information for all users -
Description Allows the app to read all presence information and write activity and availability of all users in the directory without a signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, time zone and location. -
AdminConsentRequired Yes -

PrintConnector.Read.All

Category Application Delegated
Identifier - d69c2d6d-4f72-4f99-a6b9-663e32f8cf68
DisplayText - Read print connectors
Description - Allows the application to read print connectors on behalf of the signed-in user.
AdminConsentRequired - Yes

PrintConnector.ReadWrite.All

Category Application Delegated
Identifier - 79ef9967-7d59-4213-9c64-4b10687637d8
DisplayText - Read and write print connectors
Description - Allows the application to read and write print connectors on behalf of the signed-in user.
AdminConsentRequired - Yes

Printer.Create

Category Application Delegated
Identifier - 90c30bed-6fd1-4279-bf39-714069619721
DisplayText - Register printers  
Description - Allows the application to create (register) printers on behalf of the signed-in user. 
AdminConsentRequired - Yes

Printer.FullControl.All

Category Application Delegated
Identifier - 93dae4bd-43a1-4a23-9a1a-92957e1d9121
DisplayText - Register, read, update, and unregister printers
Description - Allows the application to create (register), read, update, and delete (unregister) printers on behalf of the signed-in user. 
AdminConsentRequired - Yes

Printer.Read.All

Category Application Delegated
Identifier 9709bb33-4549-49d4-8ed9-a8f65e45bb0f 3a736c8a-018e-460a-b60c-863b2683e8bf
DisplayText Read printers Read printers
Description Allows the application to read printers without a signed-in user.  Allows the application to read printers on behalf of the signed-in user. 
AdminConsentRequired Yes Yes

Printer.ReadWrite.All

Category Application Delegated
Identifier f5b3f73d-6247-44df-a74c-866173fddab0 89f66824-725f-4b8f-928e-e1c5258dc565
DisplayText Read and update printers Read and update printers
Description Allows the application to read and update printers without a signed-in user. Does not allow creating (registering) or deleting (unregistering) printers. Allows the application to read and update printers on behalf of the signed-in user. Does not allow creating (registering) or deleting (unregistering) printers.
AdminConsentRequired Yes Yes

PrinterShare.Read.All

Category Application Delegated
Identifier - ed11134d-2f3f-440d-a2e1-411efada2502
DisplayText - Read printer shares
Description - Allows the application to read printer shares on behalf of the signed-in user. 
AdminConsentRequired - No

PrinterShare.ReadBasic.All

Category Application Delegated
Identifier - 5fa075e9-b951-4165-947b-c63396ff0a37
DisplayText - Read basic information about printer shares
Description - Allows the application to read basic information about printer shares on behalf of the signed-in user. Does not allow reading access control information.
AdminConsentRequired - No

PrinterShare.ReadWrite.All

Category Application Delegated
Identifier - 06ceea37-85e2-40d7-bec3-91337a46038f
DisplayText - Read and write printer shares
Description - Allows the application to read and update printer shares on behalf of the signed-in user. 
AdminConsentRequired - Yes

PrintJob.Create

Category Application Delegated
Identifier - 21f0d9c0-9f13-48b3-94e0-b6b231c7d320
DisplayText - Create print jobs
Description - Allows the application to create print jobs on behalf of the signed-in user and upload document content to print jobs that the signed-in user created.
AdminConsentRequired - No

In this to PrintJob.Create, the app requires at least the Printer.Read.All (or a more prviliged permission) because print jobs are stored within printers.


PrintJob.Manage.All

Category Application Delegated
Identifier 58a52f47-9e36-4b17-9ebe-ce4ef7f3e6c8 -
DisplayText Perform advanced operations on print jobs -
Description Allows the application to perform advanced operations like redirecting a print job to another printer without a signed-in user. Also allows the application to read and update the metadata of print jobs. -
AdminConsentRequired Yes -

PrintJob.Read

Category Application Delegated
Identifier - 248f5528-65c0-4c88-8326-876c7236df5e
DisplayText - Read user's print jobs
Description - Allows the application to read the metadata and document content of print jobs that the signed-in user created.
AdminConsentRequired - No

In this to PrintJob.Read, the app requires at least the Printer.Read.All (or a more prviliged permission) because print jobs are stored within printers.


PrintJob.Read.All

Category Application Delegated
Identifier ac6f956c-edea-44e4-bd06-64b1b4b9aec9 afdd6933-a0d8-40f7-bd1a-b5d778e8624b
DisplayText Read print jobs Read print jobs
Description Allows the application to read the metadata and document content of print jobs without a signed-in user.  Allows the application to read the metadata and document content of print jobs on behalf of the signed-in user. 
AdminConsentRequired Yes Yes

In this to PrintJob.Read.All, the app requires at least the Printer.Read.All (or a more prviliged permission) because print jobs are stored within printers.


PrintJob.ReadBasic

Category Application Delegated
Identifier - 6a71a747-280f-4670-9ca0-a9cbf882b274
DisplayText - Read basic information of user's print jobs
Description - Allows the application to read the metadata of print jobs that the signed-in user created. Does not allow access to print job document content.
AdminConsentRequired - No

In this to PrintJob.ReadBasic, the app requires at least the Printer.Read.All (or a more prviliged permission) because print jobs are stored within printers.


PrintJob.ReadBasic.All

Category Application Delegated
Identifier fbf67eee-e074-4ef7-b965-ab5ce1c1f689 04ce8d60-72ce-4867-85cf-6d82f36922f3
DisplayText Read basic information for print jobs Read basic information of print jobs
Description Allows the application to read the metadata of print jobs without a signed-in user. Does not allow access to print job document content. Allows the application to read the metadata of print jobs on behalf of the signed-in user. Does not allow access to print job document content.
AdminConsentRequired Yes Yes

In this to PrintJob.ReadBasic.All, the app requires at least the Printer.Read.All (or a more prviliged permission) because print jobs are stored within printers.


PrintJob.ReadWrite

Category Application Delegated
Identifier - b81dd597-8abb-4b3f-a07a-820b0316ed04
DisplayText - Read and write user's print jobs
Description - Allows the application to read and update the metadata and document content of print jobs that the signed-in user created.
AdminConsentRequired - No

In this to PrintJob.ReadWrite, the app requires at least the Printer.Read.All (or a more prviliged permission) because print jobs are stored within printers.


PrintJob.ReadWrite.All

Category Application Delegated
Identifier 5114b07b-2898-4de7-a541-53b0004e2e13 036b9544-e8c5-46ef-900a-0646cc42b271
DisplayText Read and write print jobs Read and write print jobs
Description Allows the application to read and update the metadata and document content of print jobs without a signed-in user. Allows the application to read and update the metadata and document content of print jobs on behalf of the signed-in user. 
AdminConsentRequired Yes Yes

In this to PrintJob.ReadWrite.All, the app requires at least the Printer.Read.All (or a more prviliged permission) because print jobs are stored within printers.


PrintJob.ReadWriteBasic

Category Application Delegated
Identifier - 6f2d22f2-1cb6-412c-a17c-3336817eaa82
DisplayText - Read and write basic information of user's print jobs
Description - Allows the application to read and update the metadata of print jobs that the signed-in user created. Does not allow access to print job document content.
AdminConsentRequired - No

In this to PrintJob.ReadWriteBasic, the app requires at least the Printer.Read.All (or a more prviliged permission) because print jobs are stored within printers.


PrintJob.ReadWriteBasic.All

Category Application Delegated
Identifier 57878358-37f4-4d3a-8c20-4816e0d457b1 3a0db2f6-0d2a-4c19-971b-49109b19ad3d
DisplayText Read and write basic information for print jobs Read and write basic information of print jobs
Description Allows the application to read and update the metadata of print jobs without a signed-in user. Does not allow access to print job document content. Allows the application to read and update the metadata of print jobs on behalf of the signed-in user. Does not allow access to print job document content.
AdminConsentRequired Yes Yes

In this to PrintJob.ReadWriteBasic.All, the app requires at least the Printer.Read.All (or a more prviliged permission) because print jobs are stored within printers.


PrintSettings.Read.All

Category Application Delegated
Identifier b5991872-94cf-4652-9765-29535087c6d8 490f32fd-d90f-4dd7-a601-ff6cdc1a3f6c
DisplayText Read tenant-wide print settings Read tenant-wide print settings
Description Allows the application to read tenant-wide print settings without a signed-in user. Allows the application to read tenant-wide print settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PrintSettings.ReadWrite.All

Category Application Delegated
Identifier - 9ccc526a-c51c-4e5c-a1fd-74726ef50b8f
DisplayText - Read and write tenant-wide print settings
Description - Allows the application to read and write tenant-wide print settings on behalf of the signed-in user.
AdminConsentRequired - Yes

PrintTaskDefinition.ReadWrite.All

Category Application Delegated
Identifier 456b71a7-0ee0-4588-9842-c123fcc8f664 -
DisplayText Read, write and update print task definitions -
Description Allows the application to read and update print task definitions without a signed-in user.  -
AdminConsentRequired Yes -

PrivilegedAccess.Read.AzureAD

Category Application Delegated
Identifier 4cdc2547-9148-4295-8d11-be0db1391d6b b3a539c9-59cb-4ad5-825a-041ddbdc2bdb
DisplayText Read privileged access to Azure AD roles Read privileged access to Azure AD
Description Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user. Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PrivilegedAccess.Read.AzureADGroup

Category Application Delegated
Identifier 01e37dc9-c035-40bd-b438-b2879c4870a6 d329c81c-20ad-4772-abf9-3f6fdb7e5988
DisplayText Read privileged access to Azure AD groups Read privileged access to Azure AD groups
Description Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user. Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PrivilegedAccess.Read.AzureResources

Category Application Delegated
Identifier 5df6fe86-1be0-44eb-b916-7bd443a71236 1d89d70c-dcac-4248-b214-903c457af83a
DisplayText Read privileged access to Azure resources Read privileged access to Azure resources
Description Allows the app to read time-based assignment and just-in-time elevation of user privileges to audit Azure resources in your organization, without a signed-in user. Allows the app to read time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PrivilegedAccess.ReadWrite.AzureAD

Category Application Delegated
Identifier 854d9ab1-6657-4ec8-be45-823027bcd009 3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37
DisplayText Read and write privileged access to Azure AD roles Read and write privileged access to Azure AD
Description Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user. Allows the app to request and manage just in time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on behalf of signed-in users.
AdminConsentRequired Yes Yes

PrivilegedAccess.ReadWrite.AzureADGroup

Category Application Delegated
Identifier 2f6817f8-7b12-4f0f-bc18-eeaf60705a9e 32531c59-1f32-461f-b8df-6f8a3b89f73b
DisplayText Read and write privileged access to Azure AD groups Read and write privileged access to Azure AD groups
Description Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user. Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PrivilegedAccess.ReadWrite.AzureResources

Category Application Delegated
Identifier 6f9d5abc-2db6-400b-a267-7de22a40fb87 a84a9652-ffd3-496e-a991-22ba5529156a
DisplayText Read and write privileged access to Azure resources Read and write privileged access to Azure resources
Description Allows the app to request and manage time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) in your organization, without a signed-in user. Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage Azure resources (like subscriptions, resource groups, storage, compute) on behalf of the signed-in users.
AdminConsentRequired Yes Yes

PrivilegedAssignmentSchedule.Read.AzureADGroup

Category Application Delegated
Identifier cd4161cb-f098-48f8-a884-1eda9a42434c 02a32cc4-7ab5-4b58-879a-0586e0f7c495
DisplayText Read assignment schedules for access to Azure AD groups Read assignment schedules for access to Azure AD groups
Description Allows the app to read time-based assignment schedules for access to Azure AD groups, without a signed-in user. Allows the app to read time-based assignment schedules for access to Azure AD groups, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup

Category Application Delegated
Identifier 41202f2c-f7ab-45be-b001-85c9728b9d69 06dbc45d-6708-4ef0-a797-f797ee68bf4b
DisplayText Read, create, and delete assignment schedules for access to Azure AD groups Read, create, and delete assignment schedules for access to Azure AD groups
Description Allows the app to read, create, and delete time-based assignment schedules for access to Azure AD groups, without a signed-in user. Allows the app to read, create, and delete time-based assignment schedules for access to Azure AD groups, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PrivilegedEligibilitySchedule.Read.AzureADGroup

Category Application Delegated
Identifier edb419d6-7edc-42a3-9345-509bfdf5d87c 8f44f93d-ecef-46ae-a9bf-338508d44d6b
DisplayText Read eligibility schedules for access to Azure AD groups Read eligibility schedules for access to Azure AD groups
Description Allows the app to read time-based eligibility schedules for access to Azure AD groups, without a signed-in user. Allows the app to read time-based eligibility schedules for access to Azure AD groups, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup

Category Application Delegated
Identifier 618b6020-bca8-4de6-99f6-ef445fa4d857 ba974594-d163-484e-ba39-c330d5897667
DisplayText Read, create, and delete eligibility schedules for access to Azure AD groups Read, create, and delete eligibility schedules for access to Azure AD groups
Description Allows the app to read, create, and delete time-based eligibility schedules for access to Azure AD groups, without a signed-in user. Allows the app to read, create, and delete time-based eligibility schedules for access to Azure AD groups, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

profile

Category Application Delegated
Identifier - 14dad69e-099b-42c9-810b-d002981feec1
DisplayText - View users' basic profile
Description - Allows the app to see your users' basic profile (e.g., name, picture, user name, email address)
AdminConsentRequired - No

profile is an OpenID Connect (OIDC) scope.

You can use the OIDC scopes to specify artifacts that you want returned in Azure AD authorization and token requests. They are supported differently by the Azure AD v1.0 and v2.0 endpoints.

With the Azure AD v1.0 endpoint, only the openid scope is used. You specify it in the scope parameter in an authorization request to return an ID token when you use the OpenID Connect protocol to sign in a user to your app. For more information, see Authorize access to web applications using OpenID Connect and Azure Active Directory. To successfully return an ID token, you must also make sure that the User.Read permission is configured when you register your app.

With the Azure AD v2.0 endpoint, you specify the offline_access scope in the scope parameter to explicitly request a refresh token when using the OAuth 2.0 or OpenID Connect protocols. With OpenID Connect, you specify the openid scope to request an ID token. You can also specify the email scope, profile scope, or both to return additional claims in the ID token. You do not need to specify the User.Read permission to return an ID token with the v2.0 endpoint. For more information, see OpenID Connect scopes.

The Microsoft Authentication Library (MSAL) currently specifies offline_access, openid, profile, and email by default in authorization and token requests. This means that, for the default case, if you specify these scopes explicitly, Azure AD may return an error.


ProgramControl.Read.All

Category Application Delegated
Identifier eedb7fdd-7539-4345-a38b-4839e4a84cbd c492a2e1-2f8f-4caa-b076-99bbf6e40fe4
DisplayText Read all programs Read all programs that user can access
Description Allows the app to read programs and program controls in the organization, without a signed-in user. Allows the app to read programs and program controls that the signed-in user has access to in the organization.
AdminConsentRequired Yes Yes

ProgramControl.ReadWrite.All

Category Application Delegated
Identifier 60a901ed-09f7-4aa5-a16e-7dd3d6f9de36 50fd364f-9d93-4ae1-b170-300e87cccf84
DisplayText Manage all programs Manage all programs that user can access
Description Allows the app to read, update, delete and perform actions on programs and program controls in the organization, without a signed-in user. Allows the app to read, update, delete and perform actions on programs and program controls that the signed-in user has access to in the organization.
AdminConsentRequired Yes Yes

QnA.Read.All

Category Application Delegated
Identifier ee49e170-1dd1-4030-b44c-61ad6e98f743 f73fa04f-b9a5-4df9-8843-993ce928925e
DisplayText Read all Question and Answers Read all Questions and Answers that the user can access.
Description Allows an app to read all question and answers, without a signed-in user. Allows an app to read all question and answer sets that the signed-in user can access.
AdminConsentRequired Yes No

RecordsManagement.Read.All

Category Application Delegated
Identifier ac3a2b8e-03a3-4da9-9ce0-cbe28bf1accd 07f995eb-fc67-4522-ad66-2b8ca8ea3efd
DisplayText Read Records Management configuration, labels and policies Read Records Management configuration, labels, and policies
Description Allows the application to read any data from Records Management, such as configuration, labels, and policies without the signed in user. Allows the application to read any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user.
AdminConsentRequired Yes Yes

RecordsManagement.ReadWrite.All

Category Application Delegated
Identifier eb158f57-df43-4751-8b21-b8932adb3d34 f2833d75-a4e6-40ab-86d4-6dfe73c97605
DisplayText Read and write Records Management configuration, labels and policies Read and write Records Management configuration, labels, and policies
Description Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies without the signed in user. Allow the application to create, update and delete any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Reports.Read.All

Category Application Delegated
Identifier 230c1aed-a721-4c5d-9cb4-a90514e508ef 02e97553-ed7b-43d0-ab3c-f8bace0d040c
DisplayText Read all usage reports Read all usage reports
Description Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.
AdminConsentRequired Yes Yes

ReportSettings.Read.All

Category Application Delegated
Identifier ee353f83-55ef-4b78-82da-555bfa2b4b95 84fac5f4-33a9-4100-aa38-a20c6d29e5e7
DisplayText Read all admin report settings Read admin report settings
Description Allows the app to read all admin report settings, such as whether to display concealed information in reports, without a signed-in user. Allows the app to read admin report settings, such as whether to display concealed information in reports, on behalf of the signed-in user
AdminConsentRequired Yes Yes

ReportSettings.ReadWrite.All

Category Application Delegated
Identifier 2a60023f-3219-47ad-baa4-40e17cd02a1d b955410e-7715-4a88-a940-dfd551018df3
DisplayText Read and write all admin report settings Read and write admin report settings
Description Allows the app to read and update all admin report settings, such as whether to display concealed information in reports, without a signed-in user. Allows the app to read and update admin report settings, such as whether to display concealed information in reports, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ResourceSpecificPermissionGrant.ReadForUser

Category Application Delegated
Identifier - f1d91a8f-88e7-4774-8401-b668d5bca0c5
DisplayText - Read resource specific permissions granted on a user account
Description - Allows the app to read the resource specific permissions granted on a user account, on behalf of the signed-in user.
AdminConsentRequired - Yes

ResourceSpecificPermissionGrant.ReadForUser.All

Category Application Delegated
Identifier acfca4d5-f49f-40ed-9648-84068b474c73 -
DisplayText Read all resource specific permissions granted on user accounts -
Description Allows the app to read all resource specific permissions granted on user accounts, without a signed-in user. -
AdminConsentRequired Yes -

RoleAssignmentSchedule.Read.Directory

Category Application Delegated
Identifier d5fe8ce8-684c-4c83-a52c-46e882ce4be1 344a729c-0285-42c6-9014-f12b9b8d6129
DisplayText Read all active role assignments and role schedules for your company's directory Read all active role assignments for your company's directory
Description Allows the app to read the active role-based access control (RBAC) assignments and schedules for your company's directory, without a signed-in user. This includes reading directory role templates, and directory roles. Allows the app to read the active role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles.
AdminConsentRequired Yes Yes

RoleAssignmentSchedule.ReadWrite.Directory

Category Application Delegated
Identifier dd199f4a-f148-40a4-a2ec-f0069cc799ec 8c026be3-8e26-4774-9372-8d5d6f21daff
DisplayText Read, update, and delete all policies for privileged role assignments of your company's directory Read, update, and delete all active role assignments for your company's directory
Description Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, without a signed-in user. Allows the app to read and manage the active role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships.
AdminConsentRequired Yes Yes

RoleEligibilitySchedule.Read.Directory

Category Application Delegated
Identifier ff278e11-4a33-4d0c-83d2-d01dc58929a5 eb0788c2-6d4e-4658-8c9e-c0fb8053f03d
DisplayText Read all eligible role assignments and role schedules for your company's directory Read all eligible role assignments for your company's directory
Description Allows the app to read the eligible role-based access control (RBAC) assignments and schedules for your company's directory, without a signed-in user. This includes reading directory role templates, and directory roles. Allows the app to read the eligible role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles.
AdminConsentRequired Yes Yes

RoleEligibilitySchedule.ReadWrite.Directory

Category Application Delegated
Identifier fee28b28-e1f3-4841-818e-2704dc62245f 62ade113-f8e0-4bf9-a6ba-5acb31db32fd
DisplayText Read, update, and delete all eligible role assignments and schedules for your company's directory Read, update, and delete all eligible role assignments for your company's directory
Description Allows the app to read and manage the eligible role-based access control (RBAC) assignments and schedules for your company's directory, without a signed-in user. This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships. Allows the app to read and manage the eligible role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships.
AdminConsentRequired Yes Yes

RoleManagement.Read.All

Category Application Delegated
Identifier c7fbd983-d9aa-4fa7-84b8-17382c103bc4 48fec646-b2ba-4019-8681-8eb31435aded
DisplayText Read role management data for all RBAC providers Read role management data for all RBAC providers
Description Allows the app to read role-based access control (RBAC) settings for all RBAC providers without a signed-in user. This includes reading role definitions and role assignments. Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on behalf of the signed-in user. This includes reading role definitions and role assignments.
AdminConsentRequired Yes Yes

RoleManagement.Read.CloudPC

Category Application Delegated
Identifier 031a549a-bb80-49b6-8032-2068448c6a3c 9619b88a-8a25-48a7-9571-d23be0337a79
DisplayText Read Cloud PC RBAC settings Read Cloud PC RBAC settings
Description Allows the app to read the Cloud PC role-based access control (RBAC) settings, without a signed-in user. Allows the app to read the Cloud PC role-based access control (RBAC) settings, on behalf of the signed-in user.  This includes reading Cloud PC role definitions and role assignments.
AdminConsentRequired Yes Yes

RoleManagement.Read.Directory

Category Application Delegated
Identifier 483bed4a-2ad3-4361-a73b-c83ccdbdc53c 741c54c3-0c1e-44a1-818b-3f97ab4e8c83
DisplayText Read all directory RBAC settings Read directory RBAC settings
Description Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships. Allows the app to read the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, directory roles and memberships.
AdminConsentRequired Yes Yes

RoleManagement.Read.Exchange

Category Application Delegated
Identifier c769435f-f061-4d0b-8ff1-3d39870e5f85 3bc15058-7858-4141-b24f-ae43b4e80b52
DisplayText Read Exchange Online RBAC configuration Read Exchange Online RBAC configuration
Description Allows the app to read the role-based access control (RBAC) configuration for your organization's Exchange Online service, without a signed-in user. This includes reading Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies. Allows the app to read the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.
AdminConsentRequired Yes Yes

RoleManagement.ReadWrite.CloudPC

Category Application Delegated
Identifier 274d0592-d1b6-44bd-af1d-26d259bcb43a 501d06f8-07b8-4f18-b5c6-c191a4af7a82
DisplayText Read and write all Cloud PC RBAC settings Read and write Cloud PC RBAC settings
Description Allows the app to read and manage the Cloud PC role-based access control (RBAC) settings, without a signed-in user. This includes reading and managing Cloud PC role definitions and memberships. Allows the app to read and manage the Cloud PC role-based access control (RBAC) settings, on behalf of the signed-in user. This includes reading and managing Cloud PC role definitions and role assignments.
AdminConsentRequired Yes Yes

RoleManagement.ReadWrite.Directory

Category Application Delegated
Identifier 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 d01b97e9-cbc0-49fe-810a-750afd5527a3
DisplayText Read and write all directory RBAC settings Read and write directory RBAC settings
Description Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.
AdminConsentRequired Yes Yes

Permissions that allow granting authorization, such as RoleManagement.ReadWrite.Directory, allow an application to grant additional privileges to itself, other applications, or any user. Use caution when granting any of these permissions.

With the RoleManagement.ReadWrite.Directory permission an application can read and write /directoryRoles and /roleManagement/directory/*. This includes adding and removing members to and from directory roles, and working with PIM for Azure AD roles APIs.


RoleManagement.ReadWrite.Exchange

Category Application Delegated
Identifier 025d3225-3f02-4882-b4c0-cd5b541a4e80 c1499fe0-52b1-4b22-bed2-7a244e0e879f
DisplayText Read and write Exchange Online RBAC configuration Read and write Exchange Online RBAC configuration
Description Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, without a signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies. Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies.
AdminConsentRequired Yes Yes

RoleManagementAlert.Read.Directory

Category Application Delegated
Identifier ef31918f-2d50-4755-8943-b8638c0a077e cce71173-f76d-446e-97ff-efb2d82e11b1
DisplayText Read all alert data for your company's directory Read all alert data for your company's directory
Description Allows the app to read all role-based access control (RBAC) alerts for your company's directory, without a signed-in user. This includes reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert. Allows the app to read the role-based access control (RBAC) alerts for your company's directory, on behalf of the signed-in user. This includes reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert.
AdminConsentRequired Yes Yes

RoleManagementAlert.ReadWrite.Directory

Category Application Delegated
Identifier 11059518-d6a6-4851-98ed-509268489c4a 435644c6-a5b1-40bf-8f52-fe8e5b53e19c
DisplayText Read all alert data, configure alerts, and take actions on all alerts for your company's directory Read all alert data, configure alerts, and take actions on all alerts for your company's directory
Description Allows the app to read and manage all role-based access control (RBAC) alerts for your company's directory, without a signed-in user. This includes managing alert settings, initiating alert scans, dimissing alerts, remediating alert incidents, and reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert. Allows the app to read and manage the role-based access control (RBAC) alerts for your company's directory, on behalf of the signed-in user. This includes managing alert settings, initiating alert scans, dimissing alerts, remediating alert incidents, and reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert.
AdminConsentRequired Yes Yes

RoleManagementPolicy.Read.AzureADGroup

Category Application Delegated
Identifier 69e67828-780e-47fd-b28c-7b27d14864e6 7e26fdff-9cb1-4e56-bede-211fe0e420e8
DisplayText Read all policies in PIM for Groups Read all policies in PIM for Groups
Description Allows the app to read policies in Privileged Identity Management for Groups, without a signed-in user. Allows the app to read policies in Privileged Identity Management for Groups, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

RoleManagementPolicy.Read.Directory

Category Application Delegated
Identifier fdc4c997-9942-4479-bfcb-75a36d1138df 3de2cdbe-0ff5-47d5-bdee-7f45b4749ead
DisplayText Read all policies for privileged role assignments of your company's directory Read all policies for privileged role assignments of your company's directory
Description Allows the app to read policies for privileged role-based access control (RBAC) assignments of your company's directory, without a signed-in user. Allows the app to read policies for privileged role-based access control (RBAC) assignments of your company's directory, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

RoleManagementPolicy.ReadWrite.AzureADGroup

Category Application Delegated
Identifier b38dcc4d-a239-4ed6-aa84-6c65b284f97c 0da165c7-3f15-4236-b733-c0b0f6abe41d
DisplayText Read, update, and delete all policies in PIM for Groups Read, update, and delete all policies in PIM for Groups
Description Allows the app to read, update, and delete policies in Privileged Identity Management for Groups, without a signed-in user. Allows the app to read, update, and delete policies in Privileged Identity Management for Groups, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

RoleManagementPolicy.ReadWrite.Directory

Category Application Delegated
Identifier 31e08e0a-d3f7-4ca2-ac39-7343fb83e8ad 1ff1be21-34eb-448c-9ac9-ce1f506b2a68
DisplayText Read, update, and delete all policies for privileged role assignments of your company's directory Read, update, and delete all policies for privileged role assignments of your company's directory
Description Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, without a signed-in user. Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company's directory, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Schedule.Read.All

Category Application Delegated
Identifier 7b2ebf90-d836-437f-b90d-7b62722c4456 fccf6dd8-5706-49fa-811f-69e2e1b585d0
DisplayText Read all schedule items Read user schedule items
Description Allows the app to read all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without a signed-in user. Allows the app to read schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Schedule.ReadWrite.All

Category Application Delegated
Identifier b7760610-0545-4e8a-9ec3-cce9e63db01c 63f27281-c9d9-4f29-94dd-6942f7f1feb0
DisplayText Read and write all schedule items Read and write user schedule items
Description Allows the app to manage all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without a signed-in user. Allows the app to manage schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SchedulePermissions.ReadWrite.All

Category Application Delegated
Identifier 7239b71d-b402-4150-b13d-78ecfe8df441 07919803-6073-4cd8-bc55-28077db0ee10
DisplayText Read/Write schedule permissions for a role Read/Write schedule permissions for a role.
Description Allows the app to read/write schedule permissions for a specific role in Shifts application without a signed-in user. Allows the app to read/write schedule permissions for a specific role in Shifts application on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SearchConfiguration.Read.All

Category Application Delegated
Identifier ada977a5-b8b1-493b-9a91-66c206d76ecf 7d307522-aa38-4cd0-bd60-90c6f0ac50bd
DisplayText Read your organization's search configuration Read your organization's search configuration
Description Allows the app to read search configurations, without a signed-in user. Allows the app to read search configuration, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SearchConfiguration.ReadWrite.All

Category Application Delegated
Identifier 0e778b85-fefa-466d-9eec-750569d92122 b1a7d408-cab0-47d2-a2a5-a74a3733600d
DisplayText Read and write your organization's search configuration Read and write your organization's search configuration
Description Allows the app to read and write search configurations, without a signed-in user. Allows the app to read and write search configuration, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SecurityActions.Read.All

Category Application Delegated
Identifier 5e0edab9-c148-49d0-b423-ac253e121825 1638cddf-07a4-4de2-8645-69c96cacad73
DisplayText Read your organization's security actions Read your organization's security actions
Description Allows the app to read security actions, without a signed-in user. Allows the app to read security actions, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SecurityActions.ReadWrite.All

Category Application Delegated
Identifier f2bf083f-0179-402a-bedb-b2784de8a49b dc38509c-b87d-4da0-bd92-6bec988bac4a
DisplayText Read and update your organization's security actions Read and update your organization's security actions
Description Allows the app to read or update security actions, without a signed-in user. Allows the app to read or update security actions, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SecurityAlert.Read.All

Category Application Delegated
Identifier 472e4a4d-bb4a-4026-98d1-0b0d74cb74a5 bc257fb8-46b4-4b15-8713-01e91bfbe4ea
DisplayText Read all security alerts Read all security alerts
Description Allows the app to read all security alerts, without a signed-in user. Allows the app to read all security alerts, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SecurityAlert.ReadWrite.All

Category Application Delegated
Identifier ed4fca05-be46-441f-9803-1873825f8fdb 471f2a7f-2a42-4d45-a2bf-594d0838070d
DisplayText Read and write to all security alerts Read and write to all security alerts
Description Allows the app to read and write to all security alerts, without a signed-in user. Allows the app to read and write to all security alerts, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SecurityAnalyzedMessage.Read.All

Category Application Delegated
Identifier b48f7ac2-044d-4281-b02f-75db744d6f5f 53e6783e-b127-4a35-ab3a-6a52d80a9077
DisplayText Read metadata and detection details for all emails in your organization Read metadata and detection details for emails in your organization
Description Read email metadata and security detection details, without a signed-in user. Read email metadata and security detection details on behalf of the signed in user.
AdminConsentRequired Yes Yes

SecurityAnalyzedMessage.ReadWrite.All

Category Application Delegated
Identifier 04c55753-2244-4c25-87fc-704ab82a4f69 48eb8c83-6e58-46e7-a6d3-8805822f5940
DisplayText Read metadata, detection details, and execute remediation actions on all emails in your organization Read metadata, detection details, and execute remediation actions on emails in your organization
Description Read email metadata and security detection details, and execute remediation actions like deleting an email, without a signed-in user. Read email metadata, security detection details, and execute remediation actions like deleting an email, on behalf of the signed in user.
AdminConsentRequired Yes Yes

SecurityEvents.Read.All

Category Application Delegated
Identifier bf394140-e372-4bf9-a898-299cfc7564e5 64733abd-851e-478a-bffb-e47a14b18235
DisplayText Read your organization's security events Read your organization's security events
Description Allows the app to read your organization's security events without a signed-in user. Allows the app to read your organization's security events on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SecurityEvents.ReadWrite.All

Category Application Delegated
Identifier d903a879-88e0-4c09-b0c9-82f6a1333f84 6aedf524-7e1c-45a7-bd76-ded8cab8d0fc
DisplayText Read and update your organization's security events Read and update your organization's security events
Description Allows the app to read your organization's security events without a signed-in user. Also allows the app to update editable properties in security events. Allows the app to read your organization's security events on behalf of the signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SecurityIdentitiesHealth.Read.All

Category Application Delegated
Identifier f8dcd971-5d83-4e1e-aa95-ef44611ad351 a0d0da43-a6df-4416-b63d-99c79991aae8
DisplayText Read all identity security health issues Read identity security health issues
Description Allows the app to read all the identity security health issues without a signed-in user. Allows the app to read all the identity security health issues of signed user
AdminConsentRequired Yes Yes

SecurityIdentitiesHealth.ReadWrite.All

Category Application Delegated
Identifier ab03ddd5-7ae4-4f2e-8af8-86654f7e0a27 53e51eec-2d9b-4990-97f3-c9aa5d5652c3
DisplayText Read and write all identity security health issues Read and write identity security health issues
Description Allows the app to read and write identity security health issues without a signed-in user. Allows the app to read and write identity security health issues on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SecurityIncident.Read.All

Category Application Delegated
Identifier 45cc0394-e837-488b-a098-1918f48d186c b9abcc4f-94fc-4457-9141-d20ce80ec952
DisplayText Read all security incidents Read incidents
Description Allows the app to read all security incidents, without a signed-in user. Allows the app to read security incidents, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SecurityIncident.ReadWrite.All

Category Application Delegated
Identifier 34bf0e97-1971-4929-b999-9e2442d941d7 128ca929-1a19-45e6-a3b8-435ec44a36ba
DisplayText Read and write to all security incidents Read and write to incidents
Description Allows the app to read and write to all security incidents, without a signed-in user. Allows the app to read and write security incidents, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ServiceActivity-Exchange.Read.All

Category Application Delegated
Identifier 2b655018-450a-4845-81e7-d603b1ebffdb 1fe7aa48-9373-4a47-8df3-168335e0f4c9
DisplayText Read all Exchange service activity Read all Exchange service activity
Description Allows the app to read all Exchange service activity, without a signed-in user. Allows the app to read all Exchange service activity, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ServiceActivity-Microsoft365Web.Read.All

Category Application Delegated
Identifier c766cb16-acc4-4663-ba09-6eedef5876c5 d74c75b1-d5a9-479d-902d-92f8f99182c1
DisplayText Read all Microsoft 365 Web service activity Read all Microsoft 365 Web service activity
Description Allows the app to read all Microsoft 365 Web service activity, without a signed-in user. Allows the app to read all Microsoft 365 Web service activity, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ServiceActivity-OneDrive.Read.All

Category Application Delegated
Identifier 57b4f899-b8c5-47c7-bdd3-c410c55602b7 347e3c16-30f3-4ac7-9b52-fc3c053de9c9
DisplayText Read all One Drive service activity Read all One Drive service activity
Description Allows the app to read all One Drive service activity, without a signed-in user. Allows the app to read all One Drive service activity, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ServiceActivity-Teams.Read.All

Category Application Delegated
Identifier 4dfee10b-fa4a-41b5-b34d-ccf54cc0c394 404d76f0-e10e-460a-92be-ef19600c54d1
DisplayText Read all Teams service activity Read all Teams service activity
Description Allows the app to read all Teams service activity, without a signed-in user. Allows the app to read all Teams service activity, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ServiceHealth.Read.All

Category Application Delegated
Identifier 79c261e0-fe76-4144-aad5-bdc68fbe4037 55896846-df78-47a7-aa94-8d3d4442ca7f
DisplayText Read service health Read service health
Description Allows the app to read your tenant's service health information, without a signed-in user. Health information may include service issues or service health overviews. Allows the app to read your tenant's service health information on behalf of the signed-in user. Health information may include service issues or service health overviews.
AdminConsentRequired Yes Yes

ServiceMessage.Read.All

Category Application Delegated
Identifier 1b620472-6534-4fe6-9df2-4680e8aa28ec eda39fa6-f8cf-4c3c-a909-432c683e4c9b
DisplayText Read service messages Read service announcement messages
Description Allows the app to read your tenant's service announcement messages, without a signed-in user. Messages may include information about new or changed features. Allows the app to read your tenant's service announcement messages on behalf of the signed-in user. Messages may include information about new or changed features.
AdminConsentRequired Yes Yes

ServiceMessageViewpoint.Write

Category Application Delegated
Identifier - 636e1b0b-1cc2-4b1c-9aa9-4eeed9b9761b
DisplayText - Update user status on service announcement messages
Description - Allows the app to update service announcement messages' user status on behalf of the signed-in user. The message status can be marked as read, archive, or favorite.
AdminConsentRequired - Yes

ServicePrincipalEndpoint.Read.All

Category Application Delegated
Identifier 5256681e-b7f6-40c0-8447-2d9db68797a0 9f9ce928-e038-4e3b-8faf-7b59049a8ddc
DisplayText Read service principal endpoints Read service principal endpoints
Description Allows the app to read service principal endpoints Allows the app to read service principal endpoints
AdminConsentRequired Yes Yes

ServicePrincipalEndpoint.ReadWrite.All

Category Application Delegated
Identifier 89c8469c-83ad-45f7-8ff2-6e3d4285709e 7297d82c-9546-4aed-91df-3d4f0a9b3ff0
DisplayText Read and update service principal endpoints Read and update service principal endpoints
Description Allows the app to update service principal endpoints Allows the app to update service principal endpoints
AdminConsentRequired Yes Yes

SharePointTenantSettings.Read.All

Category Application Delegated
Identifier 83d4163d-a2d8-4d3b-9695-4ae3ca98f888 2ef70e10-5bfd-4ede-a5f6-67720500b258
DisplayText Read SharePoint and OneDrive tenant settings Read SharePoint and OneDrive tenant settings
Description Allows the application to read the tenant-level settings of SharePoint and OneDrive, without a signed-in user. Allows the application to read the tenant-level settings in SharePoint and OneDrive on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SharePointTenantSettings.ReadWrite.All

Category Application Delegated
Identifier 19b94e34-907c-4f43-bde9-38b1909ed408 aa07f155-3612-49b8-a147-6c590df35536
DisplayText Read and change SharePoint and OneDrive tenant settings Read and change SharePoint and OneDrive tenant settings
Description Allows the application to read and change the tenant-level settings of SharePoint and OneDrive, without a signed-in user. Allows the application to read and change the tenant-level settings of SharePoint and OneDrive on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ShortNotes.Read

Category Application Delegated
Identifier - 50f66e47-eb56-45b7-aaa2-75057d9afe08
DisplayText - Read short notes of the signed-in user
Description - Allows the app to read all the short notes a sign-in user has access to.
AdminConsentRequired - No

ShortNotes.Read.All

Category Application Delegated
Identifier 0c7d31ec-31ca-4f58-b6ec-9950b6b0de69 -
DisplayText Read all users' short notes -
Description Allows the app to read all the short notes without a signed-in user. -
AdminConsentRequired Yes -

ShortNotes.ReadWrite

Category Application Delegated
Identifier - 328438b7-4c01-4c07-a840-e625a749bb89
DisplayText - Read, create, edit, and delete short notes of the signed-in user
Description - Allows the app to read, create, edit, and delete short notes of a signed-in user.
AdminConsentRequired - No

ShortNotes.ReadWrite.All

Category Application Delegated
Identifier 842c284c-763d-4a97-838d-79787d129bab -
DisplayText Read, create, edit, and delete all users' short notes -
Description Allows the app to read, create, edit, and delete all the short notes without a signed-in user. -
AdminConsentRequired Yes -

Sites.FullControl.All

Category Application Delegated
Identifier a82116e5-55eb-4c41-a434-62fe8a61c773 5a54b8b3-347c-476d-8f8e-42d5c7424d29
DisplayText Have full control of all site collections Have full control of all site collections
Description Allows the app to have full control of all site collections without a signed in user. Allows the application to have full control of all site collections on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Sites.Manage.All

Category Application Delegated
Identifier 0c0bf378-bf22-4481-8f81-9e89a9b4960a 65e50fdc-43b7-4915-933e-e8138f11f40a
DisplayText Create, edit, and delete items and lists in all site collections Create, edit, and delete items and lists in all site collections
Description Allows the app to create or delete document libraries and lists in all site collections without a signed in user. Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user.
AdminConsentRequired Yes No

Sites.Read.All

Category Application Delegated
Identifier 332a536c-c7ef-4017-ab91-336970924f0d 205e70e5-aba6-4c52-a976-6d2d46c48043
DisplayText Read items in all site collections Read items in all site collections
Description Allows the app to read documents and list items in all site collections without a signed in user. Allows the application to read documents and list items in all site collections on behalf of the signed-in user
AdminConsentRequired Yes No

Sites.ReadWrite.All

Category Application Delegated
Identifier 9492366f-7969-46a4-8d15-ed1a20078fff 89fe6a52-be36-487e-b7d8-d061c450a026
DisplayText Read and write items in all site collections Edit or delete items in all site collections
Description Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user. Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user.
AdminConsentRequired Yes No

Sites.Selected

Category Application Delegated
Identifier 883ea226-0bf2-4a8f-9f9d-92c9162a727d f89c84ef-20d0-4b54-87e9-02e856d66d53
DisplayText Access selected site collections Access selected Sites, on behalf of the signed-in user
Description Allow the application to access a subset of site collections without a signed in user.  The specific site collections and the permissions granted will be configured in SharePoint Online. Allow the application to access a subset of site collections on behalf of the signed-in user. The specific site collections and the permissions granted will be configured in SharePoint Online.
AdminConsentRequired Yes No

SMTP.Send

Category Application Delegated
Identifier - 258f6531-6087-4cc4-bb90-092c5fb3ed3f
DisplayText - Send emails from mailboxes using SMTP AUTH.
Description - Allows the app to be able to send emails from the user's mailbox using the SMTP AUTH client submission protocol.
AdminConsentRequired - No

SubjectRightsRequest.Read.All

Category Application Delegated
Identifier ee1460f0-368b-4153-870a-4e1ca7e72c42 9c3af74c-fd0f-4db4-b17a-71939e2a9d77
DisplayText Read all subject rights requests Read subject rights requests
Description Allows the app to read subject rights requests without a signed-in user. Allows the app to read subject rights requests on behalf of the signed-in user
AdminConsentRequired Yes Yes

SubjectRightsRequest.ReadWrite.All

Category Application Delegated
Identifier 8387eaa4-1a3c-41f5-b261-f888138e6041 2b8fcc74-bce1-4ae3-a0e8-60c53739299d
DisplayText Read and write all subject rights requests Read and write subject rights requests
Description Allows the app to read and write subject rights requests without a signed in user. Allows the app to read and write subject rights requests on behalf of the signed-in user
AdminConsentRequired Yes Yes

Subscription.Read.All

Category Application Delegated
Identifier - 5f88184c-80bb-4d52-9ff2-757288b2e9b7
DisplayText - Read all webhook subscriptions
Description - Allows the app to read all webhook subscriptions on behalf of the signed-in user.
AdminConsentRequired - Yes

Synchronization.Read.All

Category Application Delegated
Identifier 5ba43d2f-fa88-4db2-bd1c-a67c5f0fb1ce 7aa02aeb-824f-4fbe-a3f7-611f751f5b55
DisplayText Read all Azure AD synchronization data. Read all Azure AD synchronization data
Description Allows the application to read Azure AD synchronization information, without a signed-in user. Allows the app to read Azure AD synchronization information, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Synchronization.ReadWrite.All

Category Application Delegated
Identifier 9b50c33d-700f-43b1-b2eb-87e89b703581 7bb27fa3-ea8f-4d67-a916-87715b6188bd
DisplayText Read and write all Azure AD synchronization data. Read and write all Azure AD synchronization data
Description Allows the application to configure the Azure AD synchronization service, without a signed-in user. Allows the app to configure the Azure AD synchronization service, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

SynchronizationData-User.Upload

Category Application Delegated
Identifier db31e92a-b9ea-4d87-bf6a-75a37a9ca35a 1a2e7420-4e92-4d2b-94cb-fb2952e9ddf7
DisplayText Upload user data to the identity synchronization service Upload user data to the identity synchronization service
Description Allows the application to upload bulk user data to the identity synchronization service, without a signed-in user. Allows the app to upload bulk user data to the identity synchronization service, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Tasks.Read

Category Application Delegated
Identifier - f45671fb-e0fe-4b4b-be20-3d3ce43f1bcb
DisplayText - Read user's tasks and task lists
Description - Allows the app to read the signed-in user's tasks and task lists, including any shared with the user. Doesn't include permission to create, delete, or update anything.
AdminConsentRequired - No

Tasks.Read.All

Category Application Delegated
Identifier f10e1f91-74ed-437f-a6fd-d6ae88e26c1f -
DisplayText Read all users' tasks and tasklist -
Description Allows the app to read all users' tasks and task lists in your organization, without a signed-in user. -
AdminConsentRequired Yes -

Tasks.Read.Shared

Category Application Delegated
Identifier - 88d21fd4-8e5a-4c32-b5e2-4a1c95f34f72
DisplayText - Read user and shared tasks
Description - Allows the app to read tasks a user has permissions to access, including their own and shared tasks.
AdminConsentRequired - No

Tasks.ReadWrite

Category Application Delegated
Identifier - 2219042f-cab5-40cc-b0d2-16b1540b4c5f
DisplayText - Create, read, update, and delete user's tasks and task lists
Description - Allows the app to create, read, update, and delete the signed-in user's tasks and task lists, including any shared with the user.
AdminConsentRequired - No

Tasks.ReadWrite.All

Category Application Delegated
Identifier 44e666d1-d276-445b-a5fc-8815eeb81d55 -
DisplayText Read and write all users' tasks and tasklists -
Description Allows the app to create, read, update and delete all users' tasks and task lists in your organization, without a signed-in user -
AdminConsentRequired Yes -

Tasks.ReadWrite.Shared

Category Application Delegated
Identifier - c5ddf11b-c114-4886-8558-8a4e557cd52b
DisplayText - Read and write user and shared tasks
Description - Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks.
AdminConsentRequired - No

Team.Create

Category Application Delegated
Identifier 23fc2474-f741-46ce-8465-674744c5c361 7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0
DisplayText Create teams Create teams
Description Allows the app to create teams without a signed-in user.  Allows the app to create teams on behalf of the signed-in user.
AdminConsentRequired Yes No

Team.ReadBasic.All

Category Application Delegated
Identifier 2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e 485be79e-c497-4b35-9400-0e3fa7f2a5d4
DisplayText Get a list of all teams Read the names and descriptions of teams
Description Get a list of all teams, without a signed-in user. Read the names and descriptions of teams, on behalf of the signed-in user.
AdminConsentRequired Yes No

TeamMember.Read.All

Category Application Delegated
Identifier 660b7406-55f1-41ca-a0ed-0b035e182f3e 2497278c-d82d-46a2-b1ce-39d4cdde5570
DisplayText Read the members of all teams Read the members of teams
Description Read the members of all teams, without a signed-in user. Read the members of teams, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

TeamMember.ReadWrite.All

Category Application Delegated
Identifier 0121dc95-1b9f-4aed-8bac-58c5ac466691 4a06efd2-f825-4e34-813e-82a57b03d1ee
DisplayText Add and remove members from all teams Add and remove members from teams
Description Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner. Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner.
AdminConsentRequired Yes Yes

TeamMember.ReadWriteNonOwnerRole.All

Category Application Delegated
Identifier 4437522e-9a86-4a41-a7da-e380edd4a97d 2104a4db-3a2f-4ea0-9dba-143d457dc666
DisplayText Add and remove members with non-owner role for all teams Add and remove members with non-owner role for all teams
Description Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role. Add and remove members from all teams, on behalf of the signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role.
AdminConsentRequired Yes Yes

TeamsActivity.Read

Category Application Delegated
Identifier - 0e755559-83fb-4b44-91d0-4cc721b9323e
DisplayText - Read user's teamwork activity feed
Description - Allows the app to read the signed-in user's teamwork activity feed.
AdminConsentRequired - No

TeamsActivity.Read.All

Category Application Delegated
Identifier 70dec828-f620-4914-aa83-a29117306807 -
DisplayText Read all users' teamwork activity feed -
Description Allows the app to read all users' teamwork activity feed, without a signed-in user. -
AdminConsentRequired Yes -

TeamsActivity.Send

Category Application Delegated
Identifier a267235f-af13-44dc-8385-c1dc93023186 7ab1d787-bae7-4d5d-8db6-37ea32df9186
DisplayText Send a teamwork activity to any user Send a teamwork activity as the user
Description Allows the app to create new notifications in users' teamwork activity feeds without a signed in user. These notifications may not be discoverable or be held or governed by compliance policies. Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed in user. These notifications may not be discoverable or be held or governed by compliance policies.
AdminConsentRequired Yes No

TeamsAppInstallation.ReadForChat

Category Application Delegated
Identifier - bf3fbf03-f35f-4e93-963e-47e4d874c37a
DisplayText - Read installed Teams apps in chats
Description - Allows the app to read the Teams apps that are installed in chats the signed-in user can access. Does not give the ability to read application-specific settings.
AdminConsentRequired - No

TeamsAppInstallation.ReadForChat.All

Category Application Delegated
Identifier cc7e7635-2586-41d6-adaa-a8d3bcad5ee5 -
DisplayText Read installed Teams apps for all chats -
Description Allows the app to read the Teams apps that are installed in any chat, without a signed-in user. Does not give the ability to read application-specific settings. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadForTeam

Category Application Delegated
Identifier - 5248dcb1-f83b-4ec3-9f4d-a4428a961a72
DisplayText - Read installed Teams apps in teams
Description - Allows the app to read the Teams apps that are installed in teams the signed-in user can access. Does not give the ability to read application-specific settings.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadForTeam.All

Category Application Delegated
Identifier 1f615aea-6bf9-4b05-84bd-46388e138537 -
DisplayText Read installed Teams apps for all teams -
Description Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadForUser

Category Application Delegated
Identifier - c395395c-ff9a-4dba-bc1f-8372ba9dca84
DisplayText - Read user's installed Teams apps
Description - Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings.
AdminConsentRequired - No

TeamsAppInstallation.ReadForUser.All

Category Application Delegated
Identifier 9ce09611-f4f7-4abd-a629-a05450422a97 -
DisplayText Read installed Teams apps for all users -
Description Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteAndConsentForChat

Category Application Delegated
Identifier - e1408a66-8f82-451b-a2f3-3c3e38f7413f
DisplayText - Manage installed Teams apps in chats
Description - Allows the app to read, install, upgrade, and uninstall Teams apps in chats the signed-in user can access. Gives the ability to manage permission grants for accessing those specific chats' data.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteAndConsentForChat.All

Category Application Delegated
Identifier 6e74eff9-4a21-45d6-bc03-3a20f61f8281 -
DisplayText Manage installation and permission grants of Teams apps for all chats -
Description Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Gives the ability to manage permission grants for accessing those specific chats' data. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteAndConsentForTeam

Category Application Delegated
Identifier - 946349d5-2a9d-4535-abc0-7beeacaedd1d
DisplayText - Manage installed Teams apps in teams
Description - Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Gives the ability to manage permission grants for accessing those specific teams' data.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteAndConsentForTeam.All

Category Application Delegated
Identifier b0c13be0-8e20-4bc5-8c55-963c23a39ce9 -
DisplayText Manage installation and permission grants of Teams apps for all teams -
Description Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Gives the ability to manage permission grants for accessing those specific teams' data. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteAndConsentForUser

Category Application Delegated
Identifier - 2da62c49-dfbd-40df-ba16-fef3529d391c
DisplayText - Manage installation and permission grants of Teams apps in users' personal scope
Description - Allows the app to read, install, upgrade, and uninstall Teams apps in user accounts, on behalf of the signed-in user. Gives the ability to manage permission grants for accessing those specific users' data.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteAndConsentForUser.All

Category Application Delegated
Identifier 32ca478f-f89e-41d0-aaf8-101deb7da510 -
DisplayText Manage installation and permission grants of Teams apps in a user account -
Description Allows the app to read, install, upgrade, and uninstall Teams apps in any user account, without a signed-in user. Gives the ability to manage permission grants for accessing those specific users' data. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteAndConsentSelfForChat

Category Application Delegated
Identifier - a0e0e18b-8fb2-458f-8130-da2d7cab9c75
DisplayText - Allow the Teams app to manage itself and its permission grants in chats
Description - Allows a Teams app to read, install, upgrade, and uninstall itself in chats the signed-in user can access, and manage its permission grants for accessing those specific chats' data.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteAndConsentSelfForChat.All

Category Application Delegated
Identifier ba1ba90b-2d8f-487e-9f16-80728d85bb5c -
DisplayText Allow the Teams app to manage itself and its permission grants for all chats -
Description Allows a Teams app to read, install, upgrade, and uninstall itself for any chat, without a signed-in user, and manage its permission grants for accessing those specific chats' data. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteAndConsentSelfForTeam

Category Application Delegated
Identifier - 4a6bbf29-a0e1-4a4d-a7d1-cef17f772975
DisplayText - Allow the Teams app to manage itself and its permission grants in teams
Description - Allows a Teams app to read, install, upgrade, and uninstall itself in teams the signed-in user can access, and manage its permission grants for accessing those specific teams' data.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteAndConsentSelfForTeam.All

Category Application Delegated
Identifier 1e4be56c-312e-42b8-a2c9-009600d732c0 -
DisplayText Allow the Teams app to manage itself and its permission grants for all teams -
Description Allows a Teams app to read, install, upgrade, and uninstall itself for any team, without a signed-in user, and manage its permission grants for accessing those specific teams' data. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteAndConsentSelfForUser

Category Application Delegated
Identifier - 7a349935-c54d-44ab-ab66-1b460d315be7
DisplayText - Allow the Teams app to manage itself and its permission grants in user accounts
Description - Allows a Teams app to read, install, upgrade, and uninstall itself in user accounts, and manage its permission grants for accessing those specific users' data, on behalf of the signed-in user.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteAndConsentSelfForUser.All

Category Application Delegated
Identifier a87076cf-6abd-4e56-8559-4dbdf41bef96 -
DisplayText Allow the Teams app to manage itself and its permission grants in all user accounts -
Description Allows a Teams app to read, install, upgrade, and uninstall itself for any user account, without a signed-in user, and manage its permission grants for accessing those specific users' data. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteForChat

Category Application Delegated
Identifier - aa85bf13-d771-4d5d-a9e6-bca04ce44edf
DisplayText - Manage installed Teams apps in chats
Description - Allows the app to read, install, upgrade, and uninstall Teams apps in chats the signed-in user can access. Does not give the ability to read application-specific settings.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteForChat.All

Category Application Delegated
Identifier 9e19bae1-2623-4c4f-ab6e-2664615ff9a0 -
DisplayText Manage Teams apps for all chats -
Description Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Does not give the ability to read application-specific settings. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteForTeam

Category Application Delegated
Identifier - 2e25a044-2580-450d-8859-42eeb6e996c0
DisplayText - Manage installed Teams apps in teams
Description - Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Does not give the ability to read application-specific settings.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteForTeam.All

Category Application Delegated
Identifier 5dad17ba-f6cc-4954-a5a2-a0dcc95154f0 -
DisplayText Manage Teams apps for all teams -
Description Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteForUser

Category Application Delegated
Identifier - 093f8818-d05f-49b8-95bc-9d2a73e9a43c
DisplayText - Manage user's installed Teams apps
Description - Allows the app to read, install, upgrade, and uninstall Teams apps installed for the signed-in user. Does not give the ability to read application-specific settings.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteForUser.All

Category Application Delegated
Identifier 74ef0291-ca83-4d02-8c7e-d2391e6a444f -
DisplayText Manage Teams apps for all users -
Description Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteSelfForChat

Category Application Delegated
Identifier - 0ce33576-30e8-43b7-99e5-62f8569a4002
DisplayText - Allow the Teams app to manage itself in chats
Description - Allows a Teams app to read, install, upgrade, and uninstall itself in chats the signed-in user can access.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteSelfForChat.All

Category Application Delegated
Identifier 73a45059-f39c-4baf-9182-4954ac0e55cf -
DisplayText Allow the Teams app to manage itself for all chats -
Description Allows a Teams app to read, install, upgrade, and uninstall itself for any chat, without a signed-in user. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteSelfForTeam

Category Application Delegated
Identifier - 0f4595f7-64b1-4e13-81bc-11a249df07a9
DisplayText - Allow the app to manage itself in teams
Description - Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access.
AdminConsentRequired - Yes

TeamsAppInstallation.ReadWriteSelfForTeam.All

Category Application Delegated
Identifier 9f67436c-5415-4e7f-8ac1-3014a7132630 -
DisplayText Allow the Teams app to manage itself for all teams -
Description Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user. -
AdminConsentRequired Yes -

TeamsAppInstallation.ReadWriteSelfForUser

Category Application Delegated
Identifier - 207e0cb1-3ce7-4922-b991-5a760c346ebc
DisplayText - Allow the Teams app to manage itself for a user
Description - Allows a Teams app to read, install, upgrade, and uninstall itself for the signed-in user.
AdminConsentRequired - No

TeamsAppInstallation.ReadWriteSelfForUser.All

Category Application Delegated
Identifier 908de74d-f8b2-4d6b-a9ed-2a17b3b78179 -
DisplayText Allow the app to manage itself for all users -
Description Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user. -
AdminConsentRequired Yes -

TeamSettings.Read.All

Category Application Delegated
Identifier 242607bd-1d2c-432c-82eb-bdb27baa23ab 48638b3c-ad68-4383-8ac4-e6880ee6ca57
DisplayText Read all teams' settings Read teams' settings
Description Read all team's settings, without a signed-in user. Read all teams' settings, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

TeamSettings.ReadWrite.All

Category Application Delegated
Identifier bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f 39d65650-9d3e-4223-80db-a335590d027e
DisplayText Read and change all teams' settings Read and change teams' settings
Description Read and change all teams' settings, without a signed-in user. Read and change all teams' settings, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

TeamsTab.Create

Category Application Delegated
Identifier 49981c42-fd7b-4530-be03-e77b21aed25e a9ff19c2-f369-4a95-9a25-ba9d460efc8e
DisplayText Create tabs in Microsoft Teams. Create tabs in Microsoft Teams.
Description Allows the app to create tabs in any team in Microsoft Teams, without a signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs.
AdminConsentRequired Yes Yes

TeamsTab.Read.All

Category Application Delegated
Identifier 46890524-499a-4bb2-ad64-1476b4f3e1cf 59dacb05-e88d-4c13-a684-59f1afc8cc98
DisplayText Read tabs in Microsoft Teams. Read tabs in Microsoft Teams.
Description Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. Read the names and settings of tabs inside any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs.
AdminConsentRequired Yes Yes

TeamsTab.ReadWrite.All

Category Application Delegated
Identifier a96d855f-016b-47d7-b51c-1218a98d791c b98bfd41-87c6-45cc-b104-e2de4f0dafb9
DisplayText Read and write tabs in Microsoft Teams. Read and write tabs in Microsoft Teams.
Description Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. Read and write tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs.
AdminConsentRequired Yes Yes

TeamsTab.ReadWriteForChat

Category Application Delegated
Identifier - ee928332-e9c2-4747-b4a0-f8c164b68de6
DisplayText - Allow the Teams app to manage all tabs in chats
Description - Allows a Teams app to read, install, upgrade, and uninstall all tabs in chats the signed-in user can access.
AdminConsentRequired - Yes

TeamsTab.ReadWriteForChat.All

Category Application Delegated
Identifier fd9ce730-a250-40dc-bd44-8dc8d20f39ea -
DisplayText Allow the Teams app to manage all tabs for all chats -
Description Allows a Teams app to read, install, upgrade, and uninstall all tabs for any chat, without a signed-in user. -
AdminConsentRequired Yes -

TeamsTab.ReadWriteForTeam

Category Application Delegated
Identifier - c975dd04-a06e-4fbb-9704-62daad77bb49
DisplayText - Allow the Teams app to manage all tabs in teams
Description - Allows a Teams app to read, install, upgrade, and uninstall all tabs to teams the signed-in user can access.
AdminConsentRequired - Yes

TeamsTab.ReadWriteForTeam.All

Category Application Delegated
Identifier 6163d4f4-fbf8-43da-a7b4-060fe85ed148 -
DisplayText Allow the Teams app to manage all tabs for all teams -
Description Allows a Teams app to read, install, upgrade, and uninstall all tabs in any team, without a signed-in user. -
AdminConsentRequired Yes -

TeamsTab.ReadWriteForUser

Category Application Delegated
Identifier - c37c9b61-7762-4bff-a156-afc0005847a0
DisplayText - Allow the Teams app to manage all tabs for a user
Description - Allows a Teams app to read, install, upgrade, and uninstall all tabs for the signed-in user.
AdminConsentRequired - No

TeamsTab.ReadWriteForUser.All

Category Application Delegated
Identifier 425b4b59-d5af-45c8-832f-bb0b7402348a -
DisplayText Allow the app to manage all tabs for all users -
Description Allows a Teams app to read, install, upgrade, and uninstall all tabs for any user, without a signed-in user. -
AdminConsentRequired Yes -

TeamsTab.ReadWriteSelfForChat

Category Application Delegated
Identifier - 0c219d04-3abf-47f7-912d-5cca239e90e6
DisplayText - Allow the Teams app to manage only its own tabs in chats
Description - Allows a Teams app to read, install, upgrade, and uninstall its own tabs in chats the signed-in user can access.
AdminConsentRequired - Yes

TeamsTab.ReadWriteSelfForChat.All

Category Application Delegated
Identifier 9f62e4a2-a2d6-4350-b28b-d244728c4f86 -
DisplayText Allow the Teams app to manage only its own tabs for all chats -
Description Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any chat, without a signed-in user. -
AdminConsentRequired Yes -

TeamsTab.ReadWriteSelfForTeam

Category Application Delegated
Identifier - f266662f-120a-4314-b26a-99b08617c7ef
DisplayText - Allow the Teams app to manage only its own tabs in teams
Description - Allows a Teams app to read, install, upgrade, and uninstall its own tabs to teams the signed-in user can access.
AdminConsentRequired - Yes

TeamsTab.ReadWriteSelfForTeam.All

Category Application Delegated
Identifier 91c32b81-0ef0-453f-a5c7-4ce2e562f449 -
DisplayText Allow the Teams app to manage only its own tabs for all teams -
Description Allows a Teams app to read, install, upgrade, and uninstall its own tabs in any team, without a signed-in user. -
AdminConsentRequired Yes -

TeamsTab.ReadWriteSelfForUser

Category Application Delegated
Identifier - 395dfec1-a0b9-465f-a783-8250a430cb8c
DisplayText - Allow the Teams app to manage only its own tabs for a user
Description - Allows a Teams app to read, install, upgrade, and uninstall its own tabs for the signed-in user.
AdminConsentRequired - No

TeamsTab.ReadWriteSelfForUser.All

Category Application Delegated
Identifier 3c42dec6-49e8-4a0a-b469-36cff0d9da93 -
DisplayText Allow the Teams app to manage only its own tabs for all users -
Description Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any user, without a signed-in user. -
AdminConsentRequired Yes -

TeamTemplates.Read

Category Application Delegated
Identifier - cd87405c-5792-4f15-92f7-debc0db6d1d6
DisplayText - Read available Teams templates
Description - Allows the app to read the available Teams templates, on behalf of the signed-in user.
AdminConsentRequired - No

TeamTemplates.Read.All

Category Application Delegated
Identifier 6323133e-1f6e-46d4-9372-ac33a0870636 -
DisplayText Read all available Teams Templates -
Description Allows the app to read all available Teams Templates, without a signed-user. -
AdminConsentRequired Yes -

Teamwork.Migrate.All

Category Application Delegated
Identifier dfb0dd15-61de-45b2-be36-d6a69fba3c79 -
DisplayText Create chat and channel messages with anyone's identity and with any timestamp -
Description Allows the app to create chat and channel messages, without a signed in user. The app specifies which user appears as the sender, and can backdate the message to appear as if it was sent long ago. The messages can be sent to any chat or channel in the organization. -
AdminConsentRequired Yes -

Teamwork.Read.All

Category Application Delegated
Identifier 75bcfbce-a647-4fba-ad51-b63d73b210f4 594f4bb6-c083-4cf9-8aa8-213823bdf351
DisplayText Read organizational teamwork settings Read organizational teamwork settings
Description Allows the app to read all teamwork settings of the organization without a signed-in user. Allows the app to read the teamwork settings of the organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

TeamworkAppSettings.Read.All

Category Application Delegated
Identifier 475ebe88-f071-4bd7-af2b-642952bd4986 44e060c4-bbdc-4256-a0b9-dcc0396db368
DisplayText Read Teams app settings Read Teams app settings
Description Allows the app to read the Teams app settings without a signed-in user. Allows the app to read the Teams app settings on behalf of the signed-in user.
AdminConsentRequired Yes No

TeamworkAppSettings.ReadWrite.All

Category Application Delegated
Identifier ab5b445e-8f10-45f4-9c79-dd3f8062cc4e 87c556f0-2bd9-4eed-bd74-5dd8af6eaf7e
DisplayText Read and write Teams app settings Read and write Teams app settings
Description Allows the app to read and write the Teams app settings without a signed-in user. Allows the app to read and write the Teams app settings on behalf of the signed-in user.
AdminConsentRequired Yes Yes

TeamworkDevice.Read.All

Category Application Delegated
Identifier 0591bafd-7c1c-4c30-a2a5-2b9aacb1dfe8 b659488b-9d28-4208-b2be-1c6652b3c970
DisplayText Read Teams devices Read Teams devices
Description Allow the app to read the management data for Teams devices, without a signed-in user. Allow the app to read the management data for Teams devices on behalf of the signed-in user.
AdminConsentRequired Yes Yes

TeamworkDevice.ReadWrite.All

Category Application Delegated
Identifier 79c02f5b-bd4f-4713-bc2c-a8a4a66e127b ddd97ecb-5c31-43db-a235-0ee20e635c40
DisplayText Read and write Teams devices Read and write Teams devices
Description Allow the app to read and write the management data for Teams devices, without a signed-in user. Allow the app to read and write the management data for Teams devices on behalf of the signed-in user.
AdminConsentRequired Yes Yes

TeamworkTag.Read

Category Application Delegated
Identifier - 57587d0b-8399-45be-b207-8050cec54575
DisplayText - Read tags in Teams
Description - Allows the app to read tags in Teams, on behalf of the signed-in user.
AdminConsentRequired - Yes

TeamworkTag.Read.All

Category Application Delegated
Identifier b74fd6c4-4bde-488e-9695-eeb100e4907f -
DisplayText Read tags in Teams -
Description Allows the app to read tags in Teams without a signed-in user. -
AdminConsentRequired Yes -

TeamworkTag.ReadWrite

Category Application Delegated
Identifier - 539dabd7-b5b6-4117-b164-d60cd15a8671
DisplayText - Read and write tags in Teams
Description - Allows the app to read and write tags in Teams, on behalf of the signed-in user.
AdminConsentRequired - Yes

TeamworkTag.ReadWrite.All

Category Application Delegated
Identifier a3371ca5-911d-46d6-901c-42c8c7a937d8 -
DisplayText Read and write tags in Teams -
Description Allows the app to read and write tags in Teams without a signed-in user. -
AdminConsentRequired Yes -

TeamworkUserInteraction.Read.All

Category Application Delegated
Identifier - b4d26916-07e0-4daf-9096-9f6d9174aa96
DisplayText - Read all of the possible Teams interactions between the user and other users
Description - Allows the app to read all of the possible Teams interactions between the signed-in user and other users
AdminConsentRequired - Yes

TermStore.Read.All

Category Application Delegated
Identifier ea047cc2-df29-4f3e-83a3-205de61501ca 297f747b-0005-475b-8fef-c890f5152b38
DisplayText Read all term store data Read term store data
Description Allows the app to read all term store data, without a signed-in user. This includes all sets, groups and terms in the term store. Allows the app to read the term store data that the signed-in user has access to. This includes all sets, groups and terms in the term store.
AdminConsentRequired Yes Yes

TermStore.ReadWrite.All

Category Application Delegated
Identifier f12eb8d6-28e3-46e6-b2c0-b7e4dc69fc95 6c37c71d-f50f-4bff-8fd3-8a41da390140
DisplayText Read and write all term store data Read and write term store data
Description Allows the app to read, edit or write all term store data, without a signed-in user. This includes all sets, groups and terms in the term store. Allows the app to read or modify data that the signed-in user has access to. This includes all sets, groups and terms in the term store.
AdminConsentRequired Yes Yes

ThreatAssessment.Read.All

Category Application Delegated
Identifier f8f035bb-2cce-47fb-8bf5-7baf3ecbee48 -
DisplayText Read threat assessment requests -
Description Allows an app to read your organization's threat assessment requests, without a signed-in user. -
AdminConsentRequired Yes -

ThreatAssessment.ReadWrite.All

Category Application Delegated
Identifier - cac97e40-6730-457d-ad8d-4852fddab7ad
DisplayText - Read and write threat assessment requests
Description - Allows an app to read your organization's threat assessment requests on behalf of the signed-in user. Also allows the app to create new requests to assess threats received by your organization on behalf of the signed-in user.
AdminConsentRequired - Yes

ThreatHunting.Read.All

Category Application Delegated
Identifier dd98c7f5-2d42-42d3-a0e4-633161547251 b152eca8-ea73-4a48-8c98-1a6742673d99
DisplayText Run hunting queries Run hunting queries
Description Allows the app to run hunting queries, without a signed-in user. Allows the app to run hunting queries, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ThreatIndicators.Read.All

Category Application Delegated
Identifier 197ee4e9-b993-4066-898f-d6aecc55125b 9cc427b4-2004-41c5-aa22-757b755e9796
DisplayText Read all threat indicators Read all threat indicators
Description Allows the app to read all the indicators for your organization, without a signed-in user. Allows the app to read all the indicators for your organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ThreatIndicators.ReadWrite.OwnedBy

Category Application Delegated
Identifier 21792b6c-c986-4ffc-85de-df9da54b52fa 91e7d36d-022a-490f-a748-f8e011357b42
DisplayText Manage threat indicators this app creates or owns Manage threat indicators this app creates or owns
Description Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), without a signed-in user.  It cannot update any threat indicators it does not own. Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), on behalf of the signed-in user.  It cannot update any threat indicators it does not own.
AdminConsentRequired Yes Yes

ThreatIntelligence.Read.All

Category Application Delegated
Identifier e0b77adb-e790-44a3-b0a0-257d06303687 f266d9c0-ccb9-4fb8-a228-01ac0d8d6627
DisplayText Read all Threat Intelligence Information Read all threat intelligence information
Description Allows the app to read threat intellgence information, such as indicators, observations, and and articles, without a signed in user. Allows the app to read threat intelligence information, such as indicators, observations, and articles, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ThreatSubmission.Read

Category Application Delegated
Identifier - fd5353c6-26dd-449f-a565-c4e16b9fce78
DisplayText - Read threat submissions
Description - Allows the app to read the threat submissions and threat submission policies owned by the signed-in user.
AdminConsentRequired - No

ThreatSubmission.Read.All

Category Application Delegated
Identifier 86632667-cd15-4845-ad89-48a88e8412e1 7083913a-4966-44b6-9886-c5822a5fd910
DisplayText Read all of the organization's threat submissions Read all threat submissions
Description Allows the app to read your organization's threat submissions and to view threat submission policies without a signed-in user. Allows the app to read your organization's threat submissions and threat submission policies on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ThreatSubmission.ReadWrite

Category Application Delegated
Identifier - 68a3156e-46c9-443c-b85c-921397f082b5
DisplayText - Read and write threat submissions
Description - Allows the app to read the threat submissions and threat submission policies owned by the signed-in user. Also allows the app to create new threat submissions on behalf of the signed-in user.
AdminConsentRequired - No

ThreatSubmission.ReadWrite.All

Category Application Delegated
Identifier d72bdbf4-a59b-405c-8b04-5995895819ac 8458e264-4eb9-4922-abe9-768d58f13c7f
DisplayText Read and write all of the organization's threat submissions Read and write all threat submissions
Description Allows the app to read your organization's threat submissions and threat submission policies without a signed-in user. Also allows the app to create new threat submissions without a signed-in user. Allows the app to read your organization's threat submissions and threat submission policies on behalf of the signed-in user. Also allows the app to create new threat submissions on behalf of the signed-in user.
AdminConsentRequired Yes Yes

ThreatSubmissionPolicy.ReadWrite.All

Category Application Delegated
Identifier 926a6798-b100-4a20-a22f-a4918f13951d 059e5840-5353-4c68-b1da-666a033fc5e8
DisplayText Read and write all of the organization's threat submission policies Read and write all threat submission policies
Description Allows the app to read your organization's threat submission policies without a signed-in user. Also allows the app to create new threat submission polices without a signed-in user. Allows the app to read your organization's threat submission policies on behalf of the signed-in user. Also allows the app to create new threat submission policies on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Topic.Read.All

Category Application Delegated
Identifier - 79c4c76f-409a-4f98-884d-e2c09291ec26
DisplayText - Read topic items
Description - Allows the app to read topics data on behalf of the signed-in user.
AdminConsentRequired - Yes

TrustFrameworkKeySet.Read.All

Category Application Delegated
Identifier fff194f1-7dce-4428-8301-1badb5518201 7ad34336-f5b1-44ce-8682-31d7dfcd9ab9
DisplayText Read trust framework key sets Read trust framework key sets
Description Allows the app to read trust framework key set properties without a signed-in user. Allows the app to read trust framework key set properties on behalf of the signed-in user.
AdminConsentRequired Yes Yes

TrustFrameworkKeySet.ReadWrite.All

Category Application Delegated
Identifier 4a771c9a-1cf2-4609-b88e-3d3e02d539cd 39244520-1e7d-4b4a-aee0-57c65826e427
DisplayText Read and write trust framework key sets Read and write trust framework key sets
Description Allows the app to read and write trust framework key set properties without a signed-in user. Allows the app to read and write trust framework key set properties on behalf of the signed-in user.
AdminConsentRequired Yes Yes

UnifiedGroupMember.Read.AsGuest

Category Application Delegated
Identifier - 73e75199-7c3e-41bb-9357-167164dbb415
DisplayText - Read unified group memberships as guest
Description - Allows the app to read basic unified group properties, memberships and owners of the group the signed-in guest is a member of.
AdminConsentRequired - Yes

User.EnableDisableAccount.All

Category Application Delegated
Identifier 3011c876-62b7-4ada-afa2-506cbbecc68c f92e74e7-2563-467f-9dd0-902688cb5863
DisplayText Enable and disable user accounts Enable and disable user accounts
Description Allows the app to enable and disable users' accounts, without a signed-in user. Allows the app to enable and disable users' accounts, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

User.Export.All

Category Application Delegated
Identifier 405a51b5-8d8d-430b-9842-8be4b0e9f324 405a51b5-8d8d-430b-9842-8be4b0e9f324
DisplayText Export user's data Export user's data
Description Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator). Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator).
AdminConsentRequired Yes Yes

User.Invite.All

Category Application Delegated
Identifier 09850681-111b-4a89-9bed-3f2cae46d706 63dd7cd9-b489-4adf-a28c-ac38b9a0f962
DisplayText Invite guest users to the organization Invite guest users to the organization
Description Allows the app to invite guest users to the organization, without a signed-in user. Allows the app to invite guest users to the organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

User.ManageIdentities.All

Category Application Delegated
Identifier c529cfca-c91b-489c-af2b-d92990b66ce6 637d7bec-b31e-4deb-acc9-24275642a2c9
DisplayText Manage all users' identities Manage user identities
Description Allows the app to read, update and delete identities that are associated with a user's account, without a signed in user. This controls the identities users can sign-in with. Allows the app to read, update and delete identities that are associated with a user's account that the signed-in user has access to. This controls the identities users can sign-in with.
AdminConsentRequired Yes Yes

User.Read

Category Application Delegated
Identifier - e1fe6dd8-ba31-4d61-89e7-88639da4683d
DisplayText - Sign in and read user profile
Description - Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
AdminConsentRequired - No

User.Read.All

Category Application Delegated
Identifier df021288-bdef-4463-88db-98f22de89214 a154be20-db9c-4678-8ab7-66f6cc099a59
DisplayText Read all users' full profiles Read all users' full profiles
Description Allows the app to read user profiles without a signed in user. Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

User.ReadBasic.All

Category Application Delegated
Identifier 97235f07-e226-4f63-ace3-39588e11d3a1 b340eb25-3456-403f-be2f-af7a0d370277
DisplayText Read all users' basic profiles Read all users' basic profiles
Description Allows the app to read a basic set of profile properties of other users in your organization without a signed-in user. Includes display name, first and last name, email address, open extensions, and photo. Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.
AdminConsentRequired Yes No

User.ReadWrite

Category Application Delegated
Identifier - b4e74841-8e56-480b-be8b-910348b18b4c
DisplayText - Read and write access to user profile
Description - Allows the app to read your profile. It also allows the app to update your profile information on your behalf.
AdminConsentRequired - No

User.ReadWrite.All

Category Application Delegated
Identifier 741f803b-c850-494e-b5df-cde7c675a1ca 204e0828-b5ca-4ad8-b9f3-f32a958e7cc4
DisplayText Read and write all users' full profiles Read and write all users' full profiles
Description Allows the app to read and update user profiles without a signed in user. Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

UserActivity.ReadWrite.CreatedByApp

Category Application Delegated
Identifier - 47607519-5fb1-47d9-99c7-da4b48f369b1
DisplayText - Read and write app activity to users' activity feed
Description - Allows the app to read and report the signed-in user's activity in the app.
AdminConsentRequired - No

UserAuthenticationMethod.Read

Category Application Delegated
Identifier - 1f6b61c5-2f65-4135-9c9f-31c0f8d32b52
DisplayText - Read user authentication methods.
Description - Allows the app to read the signed-in user's authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user's passwords, or to sign-in or otherwise use the signed-in user's authentication methods.
AdminConsentRequired - Yes

UserAuthenticationMethod.Read.All

Category Application Delegated
Identifier 38d9df27-64da-44fd-b7c5-a6fbac20248f aec28ec7-4d02-4e8c-b864-50163aea77eb
DisplayText Read all users' authentication methods Read all users' authentication methods
Description Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.
AdminConsentRequired Yes Yes

UserAuthenticationMethod.ReadWrite

Category Application Delegated
Identifier - 48971fc1-70d7-4245-af77-0beb29b53ee2
DisplayText - Read and write user authentication methods
Description - Allows the app to read and write the signed-in user's authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user's passwords, or to sign-in or otherwise use the signed-in user's authentication methods.
AdminConsentRequired - Yes

UserAuthenticationMethod.ReadWrite.All

Category Application Delegated
Identifier 50483e42-d915-4231-9639-7fdb7fd190e5 b7887744-6746-4312-813d-72daeaee7e2d
DisplayText Read and write all users' authentication methods Read and write all users' authentication methods.
Description Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods Allows the app to read and write authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.
AdminConsentRequired Yes Yes

User-ConvertToInternal.ReadWrite.All

Category Application Delegated
Identifier 9d952b72-f741-4b40-9185-8c53076c2339 550e695c-7511-40f4-ac79-e8fb9c82552d
DisplayText Convert an external user to internal member user Convert an external user to internal memeber user
Description Allow the app to convert an external user to an internal member user, without a signed-in user. Allow the app to convert an external user to an internal member user, on behalf of signed-in user.
AdminConsentRequired Yes Yes

User-LifeCycleInfo.Read.All

Category Application Delegated
Identifier 8556a004-db57-4d7a-8b82-97a13428e96f ed8d2a04-0374-41f1-aefe-da8ac87ccc87
DisplayText Read all users' lifecycle information Read all users' lifecycle information
Description Allows the app to read the lifecycle information like employeeLeaveDateTime of users in your organization, without a signed-in user. Allows the app to read the lifecycle information like employeeLeaveDateTime of users in your organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

User-LifeCycleInfo.ReadWrite.All

Category Application Delegated
Identifier 925f1248-0f97-47b9-8ec8-538c54e01325 7ee7473e-bd4b-4c9f-987c-bd58481f5fa2
DisplayText Read and write all users' lifecycle information Read and write all users' lifecycle information
Description Allows the app to read and write the lifecycle information like employeeLeaveDateTime of users in your organization, without a signed-in user. Allows the app to read and write the lifecycle information like employeeLeaveDateTime of users in your organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

UserNotification.ReadWrite.CreatedByApp

Category Application Delegated
Identifier 4e774092-a092-48d1-90bd-baad67c7eb47 26e2f3e8-b2a1-47fc-9620-89bb5b042024
DisplayText Deliver and manage all user's notifications Deliver and manage user's notifications
Description Allows the app to send, read, update and delete user's notifications, without a signed-in user. Allows the app to send, read, update and delete user's notifications.
AdminConsentRequired Yes No

UserShiftPreferences.Read.All

Category Application Delegated
Identifier de023814-96df-4f53-9376-1e2891ef5a18 -
DisplayText Read all user shift preferences -
Description Allows the app to read all users' shift schedule preferences without a signed-in user. -
AdminConsentRequired Yes -

UserShiftPreferences.ReadWrite.All

Category Application Delegated
Identifier d1eec298-80f3-49b0-9efb-d90e224798ac -
DisplayText Read and write all user shift preferences -
Description Allows the app to manage all users' shift schedule preferences without a signed-in user. -
AdminConsentRequired Yes -

UserTeamwork.Read

Category Application Delegated
Identifier - 834bcc1c-762f-41b0-bb91-1cdc323ee4bf
DisplayText - Read user teamwork settings
Description - Allows the app to read the teamwork settings of the signed-in user.
AdminConsentRequired - Yes

UserTeamwork.Read.All

Category Application Delegated
Identifier fbcd7ef1-df0d-4e05-bb28-93424a89c6df -
DisplayText Read all user teamwork settings -
Description Allows the app to read all user teamwork settings without a signed-in user. -
AdminConsentRequired Yes -

UserTimelineActivity.Write.CreatedByApp

Category Application Delegated
Identifier - 367492fc-594d-4972-a9b5-0d58c622c91c
DisplayText - Write app activity to users' timeline
Description - Allows the app to report the signed-in user's app activity information to Microsoft Timeline.
AdminConsentRequired - No

VirtualAppointment.Read

Category Application Delegated
Identifier - 27470298-d3b8-4b9c-aad4-6334312a3eac
DisplayText - Read a user's virtual appointments
Description - Allows an application to read virtual appointments for the signed-in user. Only an organizer or participant user can read their virtual appointments.  
AdminConsentRequired - Yes

VirtualAppointment.Read.All

Category Application Delegated
Identifier d4f67ec2-59b5-4bdc-b4af-d78f6f9c1954 -
DisplayText Read all virtual appointments for users, as authorized by online meetings application access policy -
Description Allows the application to read virtual appointments for all users, without a signed-in user. The app must also be authorized to access an individual user's data by the online meetings application access policy. -
AdminConsentRequired Yes -

VirtualAppointment.ReadWrite

Category Application Delegated
Identifier - 2ccc2926-a528-4b17-b8bb-860eed29d64c
DisplayText - Read and write a user's virtual appointments  
Description - Allows an application to read and write virtual appointments for the signed-in user. Only an organizer or participant user can read and write their virtual appointments. 
AdminConsentRequired - Yes

VirtualAppointment.ReadWrite.All

Category Application Delegated
Identifier bf46a256-f47d-448f-ab78-f226fff08d40 -
DisplayText Read-write all virtual appointments for users, as authorized by online meetings app access policy -
Description Allows the application to read and write virtual appointments for all users, without a signed-in user. The app must also be authorized to access an individual user's data by the online meetings application access policy. -
AdminConsentRequired Yes -

VirtualAppointmentNotification.Send

Category Application Delegated
Identifier 97e45b36-1250-48e4-bd70-2df6dab7e94a 20d02fff-a0ef-49e7-a46e-019d4a6523b7
DisplayText Send notification regarding virtual appointments as any user Send notification regarding virtual appointments for the signed-in user
Description Allows the application to send notification regarding virtual appointments as any user, without a signed-in user. The app must also be authorized to access an individual user's data by the online meetings application access policy. Allows an application to send notifications for virtual appointments for the signed-in user.
AdminConsentRequired Yes Yes

VirtualEvent.Read

Category Application Delegated
Identifier - 6b616635-ae58-433a-a918-8c45e4f304dc
DisplayText - Read your virtual events
Description - Allows the app to read virtual events created by the you
AdminConsentRequired - Yes

VirtualEvent.Read.All

Category Application Delegated
Identifier 1dccb351-c4e4-4e09-a8d1-7a9ecbf027cc -
DisplayText Read all users' virtual events -
Description Allows the app to read all virtual events without a signed-in user. -
AdminConsentRequired Yes -

VirtualEvent.ReadWrite

Category Application Delegated
Identifier - d38d189c-e29b-4344-8b3b-829bfa81380b
DisplayText - Read and write your virtual events
Description - Allows the app to read and write virtual events for you
AdminConsentRequired - Yes

WindowsUpdates.ReadWrite.All

Category Application Delegated
Identifier 7dd1be58-6e76-4401-bf8d-31d1e8180d5b 11776c0c-6138-4db3-a668-ee621bea2555
DisplayText Read and write all Windows update deployment settings Read and write all Windows update deployment settings
Description Allows the app to read and write all Windows update deployment settings for the organization without a signed-in user. Allows the app to read and write all Windows update deployment settings for the organization on behalf of the signed-in user.
AdminConsentRequired Yes Yes

WorkforceIntegration.Read.All

Category Application Delegated
Identifier - f1ccd5a7-6383-466a-8db8-1a656f7d06fa
DisplayText - Read workforce integrations
Description - Allows the app to read workforce integrations, to synchronize data from Microsoft Teams Shifts, on behalf of the signed-in user.
AdminConsentRequired - Yes

WorkforceIntegration.ReadWrite.All

Category Application Delegated
Identifier 202bf709-e8e6-478e-bcfd-5d63c50b68e3 08c4b377-0d23-4a8b-be2a-23c1c1d88545
DisplayText Read and write workforce integrations Read and write workforce integrations
Description Allows the app to manage workforce integrations to synchronize data from Microsoft Teams Shifts, without a signed-in user. Allows the app to manage workforce integrations, to synchronize data from Microsoft Teams Shifts, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Delegated permissions supported for personal Microsoft accounts (MSA)

The following delegated permissions are supported for personal Microsoft accounts (MSA).

  • Application.Read.All
  • Application.ReadWrite.All
  • Calendars.Read
  • Calendars.Read.Shared
  • Calendars.ReadBasic
  • Calendars.ReadWrite
  • Contacts.Read
  • Contacts.ReadWrite
  • CrossTenantUserProfileSharing.Read
  • CrossTenantUserProfileSharing.Read.All
  • Device.Command
  • Device.Read
  • Device.Read.All
  • Files.Read
  • Files.Read.All
  • Files.ReadWrite
  • Files.ReadWrite.All
  • Files.ReadWrite.AppFolder
  • IMAP.AccessAsUser.All
  • Mail.Read
  • Mail.ReadBasic
  • Mail.ReadWrite
  • Mail.Send
  • MailboxSettings.Read
  • MailboxSettings.ReadWrite
  • Notes.Create
  • Notes.Read
  • Notes.ReadWrite
  • Notifications.ReadWrite.CreatedByApp
  • POP.AccessAsUser.All
  • People.Read
  • Policy.Read.All
  • Policy.ReadWrite.AuthenticationMethod
  • SMTP.Send
  • ServiceHealth.Read.All
  • ServiceMessage.Read.All
  • ServiceMessageViewpoint.Write
  • ShortNotes.Read
  • ShortNotes.ReadWrite
  • Sites.FullControl.All
  • Sites.Read.All
  • Sites.ReadWrite.All
  • Tasks.Read
  • Tasks.ReadWrite
  • Teamwork.Migrate.All
  • User.Read
  • User.Read.All
  • User.ReadBasic.All
  • User.ReadWrite
  • User.ReadWrite.All
  • UserActivity.ReadWrite.CreatedByApp

Learn more about RSC authorization framework and RSC permissions.


Name ID Display text Description
Calls.AccessMedia.Chat e716890c-c30a-4ac3-a0e3-551e7d9e8deb Access media streams in calls associated with this chat or meeting Allows the app to access media streams in calls associated with this chat or meeting, without a signed-in user.
Calls.JoinGroupCalls.Chat a01e73f1-94da-4f6d-9b73-02e4ea65560b Join calls associated with this chat or meeting Allows the app to join calls associated with this chat or meeting, without a signed-in user.
Channel.Create.Group 65af85d7-62bb-4339-a206-7160fd427454 Create channels in this team Allows the app to create channels in this team, without a signed-in user.
Channel.Delete.Group 4432e57d-0983-4c17-881c-235c529f96dc Delete this team's channels Allows the app to delete this team's channels, without a signed-in user.
ChannelMeeting.ReadBasic.Group 6c13459c-facc-4b0a-93cb-63f0dff28046 Read basic properties of the channel meetings in this team Allows the app to read basic properties, such as name, schedule, organizer, join link, and start or end notifications, of channel meetings in this team, without a signed-in user.
ChannelMeetingNotification.Send.Group bbb12bdb-71e6-4602-9f5e-b1172c505746 Send notifications in all the channel meetings associated with this team Allows the app to send notifications inside all the channel meetings associated with this team, without a signed-in user.
ChannelMeetingParticipant.Read.Group bd118236-e8f5-4bec-a62d-89a623717e05 Read the participants of this team's channel meetings Allows the app to read participant information, including name, role, id, joined and left times, of channel meetings associated with this team, without a signed-in user.
ChannelMeetingRecording.Read.Group 30a40618-9b50-4764-b62e-b04023a8f5f3 Read the recordings of all channel meetings associated with this team Allows the app to read recordings of all the channel meetings associated with this team, without a signed-in user.
ChannelMeetingTranscript.Read.Group 37e59e88-1a46-482b-b623-0a4aa6abdf67 Read the transcripts of all channel meetings associated with this team Allows the app to read transcripts of all the channel meetings associated with this team, without a signed-in user.
ChannelMessage.Read.Group 19103a54-c397-4bcd-be5a-ef111e0406fa Read this team's channel messages Allows the app to read this team's channel's messages, without a signed-in user.
ChannelSettings.Read.Group 0a7b3084-8d18-46f5-8aef-b5b829292c6f Read the names, descriptions, and settings of this team's channels Allows the app to read this team's channel names, channel descriptions, and channel settings, without a signed-in user.
ChannelSettings.ReadWrite.Group d057ad03-b27b-49f7-8219-e0d4a706da55 Update the names, descriptions, and settings of this team's channels Allows the app to update and read the names, descriptions, and settings of this team's channels, without a signed-in user.
Chat.Manage.Chat 4a14842e-6bb6-4088-b21a-7d0a24f835a6 Manage this chat Allows the app to manage the chat, the chat's members and grant access to the chat's data, without a signed-in user.
ChatMember.Read.Chat e854bbc6-07e3-45cc-af99-b6e78fab5b80 Read this chat's members Allows the app to read the members of this chat, without a signed-in user.
ChatMessage.Read.Chat 9398c3de-3f6b-4958-90f3-5098714ff50c Read this chat's messages Allows the app to read this chat's messages, without a signed-in user.
ChatSettings.Read.Chat 40d35d7c-9cc3-4f2d-912b-464457412a00 Read this chat's settings Allows the app to read this chat's settings, without a signed-in user.
ChatSettings.ReadWrite.Chat ed928a9c-7530-496a-a624-4c0a460ab3ed Read and write this chat's settings Allows the app to read and write this chat's settings, without a signed-in user.
Member.Read.Group 0a8ce3c7-89dd-46cf-b2c3-5ef0064437a8 Read this group's members Allows the app to read the basic profile of this group's members, without a signed-in user.
OnlineMeeting.ReadBasic.Chat eda8d262-4e6e-4ff6-a7ba-a2fb50535165 Read basic properties of meetings associated with this chat Allows the app to read basic properties, such as name, schedule, organizer, join link, and start or end notifications, of meetings associated with this chat, without a signed-in user.
OnlineMeetingNotification.Send.Chat d9837fe0-9c31-4faa-8acb-b10874560161 Send notifications in the meetings associated with this chat Allows the app to send notifications inside meetings associated with this chat, without a signed-in user.
OnlineMeetingParticipant.Read.Chat 6324a770-185c-4b4f-be13-2d9a1668e6eb Read the participants of the meetings associated with this chat Allows the app to read participant information, including name, role, id, joined and left times, of meetings associated with this chat, without a signed-in user.
OnlineMeetingRecording.Read.Chat d20f0153-08ff-48a9-b299-96a8d1131d1d Read the recordings of the meetings associated with this chat  Allows the app to read recordings of the meetings associated with this chat, without a signed-in user.
OnlineMeetingTranscript.Read.Chat 8c477e19-f0f7-45f9-ae72-604f77a599e3 Read the transcripts of the meetings associated with this chat Allows the app to read transcripts of the meetings associated with this chat, without a signed-in user. 
Owner.Read.Group 70d5316c-9b27-4057-a650-3b0fe49002ab Read this group's owners Allows the app to read the basic profile of this group's owners, without a signed-in user.
TeamMember.Read.Group b8731755-de22-4604-be08-93e1e5c2d2d6 Read this team's members Allows the app to read the members of this team, without a signed-in user.
TeamsActivity.Send.Chat 119b5846-be45-44cd-87d7-bfc566330e11 Send activity feed notifications to users in this chat Allows the app to create new notifications in the teamwork activity feeds of the users in this chat, without a signed-in user.
TeamsActivity.Send.Group d4539c25-0937-4095-b844-b97228dd8655 Send activity feed notifications to users in this team Allows the app to create new notifications in the teamwork activity feeds of the users in this team, without a signed-in user.
TeamsActivity.Send.User 483c432d-7210-44e7-a362-954c0c5e4108 Send activity feed notifications to this user Allows the app to create new notifications in the teamwork activity feed of this user, without a signed-in user.
TeamsAppInstallation.Read.Chat b60343cd-f77a-4c4f-8036-41938b1abd8b Read which apps are installed in this chat Allows the app to read the Teams apps that are installed in this chat along with the permissions granted to each app, without a signed-in user.
TeamsAppInstallation.Read.Group ba4beb29-863b-4f02-8969-37a289cd91c0 Read which apps are installed in this team Allows the app to read the Teams apps that are installed in this team, without a signed-in user.
TeamSettings.Read.Group 87909ea6-7b07-42cf-b3a0-b8bd8e7072a8 Read this team's settings Allows the app to read this team's settings, without a signed-in user.
TeamSettings.ReadWrite.Group 13451d84-ced2-4d45-9b0d-98688b90e5bf Read and write this team's settings Allows the app to read and write this team's settings, without a signed-in user.
TeamsTab.Create.Chat 0029d2bb-fc98-4712-9310-69dd5fcc94d5 Create tabs in this chat Allows the app to create tabs in this chat, without a signed-in user.
TeamsTab.Create.Group c4d7203b-1e46-4c4a-95f9-862779aa39e1 Create tabs in this team Allows the app to create tabs in this team, without a signed-in user.
TeamsTab.Delete.Chat fa50d890-02fe-4696-b82b-110dc7f7382a Delete this chat's tabs Allows the app to delete this chat's tabs, without a signed-in user.
TeamsTab.Delete.Group cc2e79a6-9a86-45cc-91c1-41c15745287e Delete this team's tabs Allows the app to delete this team's tabs, without a signed-in user.
TeamsTab.Read.Chat aa07ff41-1317-4f07-8edb-a1558e9bfc84 Read this chat's tabs Allows the app to read this chat's tabs, without a signed-in user.
TeamsTab.Read.Group 60d920d0-44e7-44f4-a811-1a172a2ea5b3 Read this team's tabs Allows the app to read this team's tabs, without a signed-in user.
TeamsTab.ReadWrite.Chat d583f4d7-57da-4b2c-9744-253e9ec3c7be Manage this chat's tabs Allows the app to manage this chat's tabs, without a signed-in user.
TeamsTab.ReadWrite.Group 717ca3a4-bc73-47f8-b613-4d43e657fa9c Manage this team's tabs Allows the app to manage this team's tabs, without a signed-in user.