Microsoft Graph permissions reference
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This topic lists the delegated and application permissions exposed by Microsoft Graph. For guidance about how to use the permissions, see the Overview of Microsoft Graph permissions.
To find the unique identifiers for all permissions, see All permissions and IDs.
Note
As a best practice, request the least privileged permissions that your app needs in order to access data and function correctly. Requesting permissions with more than the necessary privileges is poor security practice, which may cause users to refrain from consenting and affect your app's usage.
Access reviews permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
AccessReview.Read.All | Read all access reviews | Allows the app to read access reviews on behalf of the signed-in user. | Yes | No |
AccessReview.ReadWrite.All | Manage all access reviews | Allows the app to read and write access reviews on behalf of the signed-in user. | Yes | No |
AccessReview.ReadWrite.Membership | Manage access reviews for group and app memberships | Allows the app to read and write access reviews of groups and apps on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
AccessReview.Read.All | Read all access reviews | Allows the app to read access reviews without a signed-in user. | Yes |
AccessReview.ReadWrite.All | Manage all access reviews | Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user. | Yes |
AccessReview.ReadWrite.Membership | Manage access reviews for group and app memberships | Allows the app to manage access reviews of groups and apps without a signed-in user. | Yes |
Remarks
AccessReview.Read.All, AccessReview.ReadWrite.All, AccessReview.ReadWrite.Membership are valid only for work or school accounts.
For an app with delegated permissions to read access reviews of a group or app, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or User Administrator. For an app with delegated permissions to write access reviews of a group or app, the signed-in user must be a member of one of the following administrator roles: Global Administrator or User Administrator.
For an app with delegated permissions to read access reviews of an Azure AD role, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or Privileged Role Administrator. For an app with delegated permissions to write access reviews of an Azure AD role, the signed-in user must be a member of one of the following administrator roles: Global Administrator or Privileged Role Administrator.
For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.
Administrative units permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
AdministrativeUnit.Read.All | Read administrative units | Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user. | Yes | No |
AdministrativeUnit.ReadWrite.All | Read and write administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
AdministrativeUnit.Read.All | Read all administrative units | Allows the app to read administrative units and administrative unit membership without a signed-in user. | Yes |
AdministrativeUnit.ReadWrite.All | Read and write all administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user. | Yes |
Remarks
With the AdministrativeUnit.Read.All permission an application can read administrative unit information including members.
With the AdministrativeUnit.ReadWrite.All permission an application can create, read, update, and delete administrative unit information including members.
AdministrativeUnit.Read.All and AdministrativeUnit.ReadWrite.All are valid only for work or school accounts.
Example usage
Note
The v1.0 endpoint for the administrative units API is `/v1.0/directory/administrativeUnits`.
- AdministrativeUnit.Read.All: Read administrative units (`GET /beta/administrativeUnits`)
- AdministrativeUnit.Read.All: Read members list of an administrative unit (`GET /beta/administrativeUnits/<id>/members`)
- AdministrativeUnit.ReadWrite.All: Create an administrative unit (`POST /beta/administrativeUnits`)
- AdministrativeUnit.ReadWrite.All: Update an administrative unit (`PATCH /beta/administrativeUnits/<id>`)
- AdministrativeUnit.ReadWrite.All: Add members to an administrative unit (`POST /beta/administrativeUnits/<id>/members`)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Analytics resource permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Analytics.Read | Read user activity statistics. | Allows the app to read the signed-in user's activity statistics, such as how much time the user has spent on emails, in meetings, or in chat sessions. | No |
Application permissions
None.
Example usage
Delegated
- Analytics.Read: List related settings for a user (`GET /beta/me/analytics/settings`)
Application
None.
AppCatalog resource permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account Required |
---|---|---|---|---|
AppCatalog.Read.All | Read all app catalogs | Allows the app to read the apps in the app catalogs. | No | No |
AppCatalog.ReadWrite.All | Read and write to all app catalogs | Allows the app to create, read, update, and delete apps in the app catalogs. | Yes | No |
AppCatalog.Submit | Submit an app for admin review | Allows the user to submit an app for admin review for publication in an organization's app catalog and allows user to cancel past submissions that have not been published. NOTE: Non-admin users submit apps for review by including the requiresReview=true query parameter. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
AppCatalog.Read.All | Read all app catalogs | Allows the app to read apps in the app catalogs without a signed-in user. | Yes |
AppCatalog.ReadWrite.All | Read and write to all app catalogs | Allows the app to create, read, update, and delete apps in the app catalogs without a signed-in user. | Yes |
Remarks
Currently the only catalog is the list of applications in Microsoft Teams.
Example usage
Delegated
- AppCatalog.ReadWrite.All: List all applications in catalog (`GET /beta/appCatalogs/teamsApps`)
- AppCatalog.ReadWrite.All: Publish an app (`POST /beta/appCatalogs/teamsApps`)
- AppCatalog.ReadWrite.All: Update a published app (`PATCH /beta/appCatalogs/teamsApps/{id}`)
- AppCatalog.ReadWrite.All: Remove a published app (`DELETE /beta/appCatalogs/teamsApps/{id}`)
Application
None.
Application resource permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Application.Read.All | Read applications | Allows the app to read applications and service principals on behalf of the signed-in user. | Yes |
Application.ReadWrite.All | Read and write all apps | Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. | Yes |
AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | Yes |
DelegatedPermissionGrant.ReadWrite.All | Manage delegated permission grants | Allows the app to manage delegated permission grants for any API (including Microsoft Graph), on behalf of the signed-in user. | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Application.Read.All | Read applications | Allows the app to read applications and service principals without a signed-in user. | Yes |
Application.ReadWrite.All | Read and write all apps | Allows the calling app to create, and manage (read, update, update application secrets and delete) applications and service principals without a signed-in user. Does not allow management of consent grants or application assignments to users or groups. | Yes |
Application.ReadWrite.OwnedBy | Manage apps that this app creates or owns | Allows the calling app to create other applications and service principals, and fully manage those applications and service principals (read, update, update application secrets and delete), without a signed-in user. It cannot update any applications that it is not an owner of. Does not allow management of consent grants or application assignments to users or groups. | Yes |
AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | Yes |
DelegatedPermissionGrant.ReadWrite.All | Manage all delegated permission grants | Allows the app to grant or revoke any delegated permission for any API (including Microsoft Graph), without a signed-in user. | Yes |
Remarks
Caution
Permissions that allow granting authorization, such as AppRoleAssignment.ReadWrite.All, allow an application to grant additional privileges to itself, other applications, or any user. Likewise, permissions that allow managing credentials, such as Application.ReadWrite.All, allow an application to act as other entities, and use the privileges they were granted. Use caution when granting any of these permissions.
The Application.ReadWrite.OwnedBy permission allows the same operations as Application.ReadWrite.All except that the former allows these operations only on applications and service principals that the calling app is an owner of. Ownership is indicated by the `owners` navigation property on the target application or service principal resource.
Note
The Application.ReadWrite.OwnedBy permission allows an app to call `GET /applications` and `GET /servicePrincipals` to list all applications and service principals in the tenant. This scope of access has been allowed for the permission.
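The following audit sketch is an added example, not part of the Microsoft reference. It flags existing grants of the permissions the Caution above singles out. It assumes the inputs have already been fetched and mirror the shape of Graph's servicePrincipal (`appRoles`), appRoleAssignment and oAuth2PermissionGrant resources; all IDs and names in the sample data are constructed.

```python
# Added example; every ID and display name below is a constructed placeholder
# (real Graph object and appRole IDs are GUIDs).

# Permission name -> (rank, reason). Reasons paraphrase the page's Caution and tables.
RISKY = {
    "AppRoleAssignment.ReadWrite.All":
        (0, "can grant application permissions for any API, including to itself"),
    "DelegatedPermissionGrant.ReadWrite.All":
        (0, "can grant any delegated permission for any API"),
    "Application.ReadWrite.All":
        (1, "can update secrets of any application or service principal"),
    "Application.ReadWrite.OwnedBy":
        (2, "can update secrets of the applications it owns"),
}


def audit_grants(resource_sp, app_role_assignments, oauth2_permission_grants):
    """Return findings for one resource API, most dangerous first."""
    # Application permissions are assigned by appRoleId; resolve IDs to names
    # through the resource service principal's appRoles collection.
    role_name = {role["id"]: role["value"] for role in resource_sp["appRoles"]}
    findings = []

    for a in app_role_assignments:
        if a["resourceId"] != resource_sp["id"]:
            continue  # assignment targets a different API
        name = role_name.get(a["appRoleId"])
        if name is None:
            # Unknown role ID: do not silently treat it as harmless.
            findings.append({"principal": a["principalDisplayName"],
                             "permission": a["appRoleId"],
                             "kind": "application", "rank": 3,
                             "reason": "appRoleId not found on resource; review manually"})
        elif name in RISKY:
            rank, reason = RISKY[name]
            findings.append({"principal": a["principalDisplayName"],
                             "permission": name, "kind": "application",
                             "rank": rank, "reason": reason})

    for g in oauth2_permission_grants:
        if g["resourceId"] != resource_sp["id"]:
            continue
        # consentType AllPrincipals = admin consent on behalf of every user.
        if g["consentType"] == "AllPrincipals":
            audience = "all users"
        else:
            audience = "user " + str(g["principalId"])
        # Delegated grants carry permission names as a space-separated string.
        for name in g["scope"].split():
            if name in RISKY:
                rank, reason = RISKY[name]
                findings.append({"principal": g["clientId"], "permission": name,
                                 "kind": "delegated (" + audience + ")",
                                 "rank": rank, "reason": reason})

    findings.sort(key=lambda f: (f["rank"], f["principal"], f["permission"]))
    return findings


# Constructed sample inventory.
GRAPH_SP = {"id": "sp-graph", "appRoles": [
    {"id": "role-0001", "value": "Application.Read.All"},
    {"id": "role-0002", "value": "AppRoleAssignment.ReadWrite.All"},
    {"id": "role-0003", "value": "Application.ReadWrite.OwnedBy"},
]}
ASSIGNMENTS = [
    {"principalDisplayName": "ci-deployer", "appRoleId": "role-0003", "resourceId": "sp-graph"},
    {"principalDisplayName": "inventory-reader", "appRoleId": "role-0001", "resourceId": "sp-graph"},
    {"principalDisplayName": "sync-service", "appRoleId": "role-0002", "resourceId": "sp-graph"},
    {"principalDisplayName": "legacy-tool", "appRoleId": "role-9999", "resourceId": "sp-graph"},
    {"principalDisplayName": "other-api-client", "appRoleId": "role-0002", "resourceId": "sp-other"},
]
GRANTS = [
    {"clientId": "sp-helpdesk-portal", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "Calendars.Read Application.ReadWrite.All"},
    {"clientId": "sp-notes-app", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "sp-graph", "scope": "Calendars.Read"},
]

if __name__ == "__main__":
    for f in audit_grants(GRAPH_SP, ASSIGNMENTS, GRANTS):
        print(f["rank"], f["principal"], f["permission"], f["kind"], "-", f["reason"])
```

Application.ReadWrite.OwnedBy ranks lowest because its credential management is limited to owned objects, but an app that owns a highly privileged application still inherits that application's reach.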
Example usage
Delegated
- Application.Read.All: List all applications (`GET /v1.0/applications`)
- Application.ReadWrite.All: Update a service principal (`PATCH /v1.0/servicePrincipals/{id}`)
Application
- Application.Read.All: List all applications (`GET /v1.0/applications`)
- Application.ReadWrite.All: Delete a service principal (`DELETE /v1.0/servicePrincipals/{id}`)
- Application.ReadWrite.OwnedBy: Create an application (`POST /v1.0/applications`)
- Application.ReadWrite.OwnedBy: List all applications owned by the calling application (`GET /v1.0/servicePrincipals/{id}/ownedObjects`)
- Application.ReadWrite.OwnedBy: Add another owner to an owned application (`POST /v1.0/applications/{id}/owners/$ref`). NOTE: This may require additional permissions.
Audit log permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
AuditLog.Read.All | Read audit log data | Allows the app to read and query your audit log activities, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
AuditLog.Read.All | Read all audit log data | Allows the app to read and query your audit log activities, without a signed-in user. | Yes |
Authentication events flow permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
EventListener.Read.All | Read your organization's authentication event listeners | Allows the app to read your organization's authentication event listeners on behalf of the signed-in user. | Yes | No |
EventListener.ReadWrite.All | Read and write your organization's authentication event listeners | Allows the app to read or write your organization's authentication event listeners on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
EventListener.Read.All | Read all authentication event listeners | Allows the app to read your organization's authentication event listeners without a signed-in user. | Yes |
EventListener.ReadWrite.All | Read and write all authentication event listeners | Allows the app to read or write your organization's authentication event listeners without a signed-in user. | Yes |
BitLocker recovery key permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
BitlockerKey.ReadBasic.All | Read basic BitLocker key information | Allows an app to read the BitLocker key's properties for all devices in the tenant. The recovery key is not returned. | Yes | No |
BitlockerKey.Read.All | Read the BitLocker key | Allows an app to read the BitLocker keys for all devices in the tenant. The recovery key is returned. | Yes | No |
Application permissions
None.
Example usage
Delegated
- BitlockerKey.ReadBasic.All: List the BitLocker recovery keys for all devices in the tenant without returning the 'key' property (`GET /bitlocker/recoveryKeys`).
- BitlockerKey.Read.All: Get a BitLocker recovery key with the recovery key (`GET /bitlocker/recoveryKeys/{bitlockerRecoveryKeyId}?$select=key`)
Bookings permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Bookings.Read.All | Allows an app to read Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. | Intended for read-only applications. Typical target user is the customer of a booking business. | No | No |
BookingsAppointment.ReadWrite.All | Allows an app to read and write Bookings appointments and customers, and additionally allows reading businesses, services, and staff on behalf of the signed-in user. | Intended for scheduling applications which need to manipulate appointments and customers. Cannot change fundamental information about the booking business, nor its services and staff members. Typical target user is the customer of a booking business. | No | No |
Bookings.ReadWrite.All | Allows an app to read and write Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete, or publish of Bookings businesses. | Intended for management applications that manipulate existing businesses, their services and staff members. Cannot create, delete, or change the publishing status of a booking business. Typical target user is the support staff of an organization. | No | No |
Bookings.Manage.All | Allows an app to read, write, and manage Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. | Allows the app to have full access. Intended for a full management experience. Typical target user is the administrator of an organization. | No | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Bookings.Read.All | Allows an app to read Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. | Intended for read-only applications. Typical target user is the customer of a booking business. | Yes | No |
BookingsAppointment.ReadWrite.All | Allows an app to read and write Bookings appointments and customers, and additionally allows reading businesses, services, and staff on behalf of the signed-in user. | Intended for scheduling applications which need to manipulate appointments and customers. Cannot change fundamental information about the booking business, nor its services and staff members. Typical target user is the customer of a booking business. | Yes | No |
Bookings.ReadWrite.All | Allows an app to read and write Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete, or publish of Bookings businesses. | Intended for management applications that manipulate existing businesses, their services and staff members. Cannot create, delete, or change the publishing status of a booking business. Typical target user is the support staff of an organization. | Yes | No |
Bookings.Manage.All | Allows an app to read, write, and manage Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. | Allows the app to have full access. Intended for a full management experience. Typical target user is the administrator of an organization. | Yes | No |
Example usage
Delegated
- Bookings.Read.All: Get the ID and names of the collection of Bookings businesses that has been created for a tenant (`GET /bookingBusinesses`).
- BookingsAppointment.ReadWrite.All: Create an appointment for a service at a Bookings business (`POST /bookingBusinesses/{id}/appointments`).
- Bookings.ReadWrite.All: Create a new service for the specified Bookings business (`POST /bookingBusinesses/{id}/services`).
- Bookings.Manage.All: Make the scheduling page of this business available to external customers (`POST /bookingBusinesses/{id}/publish`).
Browser management permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
BrowserSiteLists.Read.All | Read browser site lists for your organization | Allows an app to read the browser site lists configured for your organization, on behalf of the signed-in user. | No | No |
BrowserSiteLists.ReadWrite.All | Read and write browser site lists for your organization | Allows an app to read and write the browser site lists configured for your organization, on behalf of the signed-in user. | No | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
BrowserSiteLists.Read.All | Read all browser site lists for your organization | Allows an app to read all browser site lists configured for your organization, without a signed-in user. | Yes | No |
BrowserSiteLists.ReadWrite.All | Read and write all browser site lists for your organization | Allows an app to read and write all browser site lists configured for your organization, without a signed-in user. | Yes | No |
Example usage
Delegated
- BrowserSiteLists.Read.All: List all browser site lists, on behalf of a signed-in user (`GET /beta/admin/edge/internetExplorerMode/siteLists`)
- BrowserSiteLists.ReadWrite.All: Update a browser site list, on behalf of a signed-in user (`PATCH /beta/admin/edge/internetExplorerMode/siteLists/{browserSiteListId}`)
Application
- BrowserSiteLists.Read.All: List all browser site lists, without a signed-in user (`GET /beta/admin/edge/internetExplorerMode/siteLists`)
- BrowserSiteLists.ReadWrite.All: Delete a browser site list, without a signed-in user (`DELETE /beta/admin/edge/internetExplorerMode/siteLists/{browserSiteListId}`)
Business scenarios permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
BusinessScenarioConfig.Read.All | Read business scenario configurations | Allows the app to read the configurations for the business scenarios of your organization, on behalf of the signed-in user. | Yes | No |
BusinessScenarioConfig.Read.OwnedBy | Read business scenario configurations this app creates or owns | Allows the app to read the configurations of business scenarios it owns, on behalf of the signed-in user. | Yes | No |
BusinessScenarioConfig.ReadWrite.All | Read and write business scenario configurations | Allows the app to read and write the configurations for the business scenarios of your organization, on behalf of the signed-in user. | Yes | No |
BusinessScenarioConfig.ReadWrite.OwnedBy | Read and write business scenario configurations this app creates or owns | Allows the app to create new business scenarios and fully manage the configurations of scenarios it owns, on behalf of the signed-in user. | Yes | No |
BusinessScenarioData.Read.OwnedBy | Read all data for business scenarios this app creates or owns | Allows the app to read all data associated with the business scenarios it owns. Data access will be attributed to the signed-in user. | Yes | No |
BusinessScenarioData.ReadWrite.OwnedBy | Read and write all data for business scenarios this app creates or owns | Allows the app to fully manage all data associated with the business scenarios it owns. Data access and changes will be attributed to the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
BusinessScenarioConfig.Read.OwnedBy | Read all business scenario configurations this app creates or owns | Allows the app to read the configurations of business scenarios it owns, without a signed-in user. | Yes |
BusinessScenarioConfig.ReadWrite.OwnedBy | Read and write all business scenario configurations this app creates or owns | Allows the app to create new business scenarios and fully manage the configurations of scenarios it owns, without a signed-in user. | Yes |
BusinessScenarioData.Read.OwnedBy | Read data for all business scenarios this app creates or owns | Allows the app to read the data associated with the business scenarios it owns, without a signed-in user. | Yes |
BusinessScenarioData.ReadWrite.OwnedBy | Read and write data for all business scenarios this app creates or owns | Allows the app to fully manage the data associated with the business scenarios it owns, without a signed-in user. | Yes |
Example usage
Delegated
- BusinessScenarioConfig.ReadWrite.OwnedBy: Create a new business scenario (`POST /solutions/businessScenarios`)
- BusinessScenarioConfig.Read.All: Get a list of all business scenarios in an organization (`GET /solutions/businessScenarios`)
Application
- BusinessScenarioConfig.ReadWrite.OwnedBy: Update the Planner plan configuration for a business scenario (`PATCH /solutions/businessScenarios/c5d514e6c6864911ac46c720affb6e4d/planner/planConfiguration`)
- BusinessScenarioData.ReadWrite.OwnedBy: Delete a Planner task in a business scenario (`DELETE /solutions/businessScenarios/c5d514e6c6864911ac46c720affb6e4d/planner/tasks/M60dlXLEkk-ZocLUTDvBSpcAGRaa`)
Calendars permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Calendars.Read | Read user calendars | Allows the app to read events in user calendars. | No | Yes |
Calendars.Read.Shared | Read user and shared calendars | Allows the app to read events in all calendars that the user can access, including delegate and shared calendars. | No | No |
Calendars.ReadWrite | Have full access to user calendars | Allows the app to create, read, update, and delete events in user calendars. | No | Yes |
Calendars.ReadWrite.Shared | Read and write user and shared calendars | Allows the app to create, read, update and delete events in all calendars the user has permissions to access. This includes delegate and shared calendars. | No | No |
Calendars.ReadBasic | Read basic details of user calendars | Allows the app to read events in user calendars, except for properties such as body, attachments, and extensions. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Calendars.Read | Read calendars in all mailboxes | Allows the app to read events of all calendars without a signed-in user. | Yes |
Calendars.ReadWrite | Read and write calendars in all mailboxes | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. | Yes |
Calendars.ReadBasic.All | Read basic details of calendars in all mailboxes | Allows the app to read events of all calendars, except for properties such as body, attachments, and extensions, without a signed-in user. | Yes |
Important: Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the application permissions of Calendars.Read or Calendars.ReadWrite.
Example usage
Delegated
- Calendars.Read: Get events on the user's calendar between April 23, 2017 and April 29, 2017 (`GET /me/calendarView?startDateTime=2017-04-23T00:00:00&endDateTime=2017-04-29T00:00:00`).
- Calendars.Read.Shared: Find meeting times where all attendees are available (`POST /users/{id|userPrincipalName}/findMeetingTimes`).
- Calendars.ReadWrite: Add an event to the user's calendar (`POST /me/events`).
Application
- Calendars.Read: Find events in a conference room's calendar organized by bob@contoso.com (`GET /users/{id | userPrincipalName}/events?$filter=organizer/emailAddress/address eq 'bob@contoso.com'`).
- Calendars.Read: List all events on a user's calendar for the month of May (`GET /users/{id | userPrincipalName}/calendarView?startDateTime=2017-05-01T00:00:00&endDateTime=2017-06-01T00:00:00`)
- Calendars.ReadWrite: Add an event to a user's calendar for approved time off (`POST /users/{id | userPrincipalName}/events`).
For more complex scenarios involving multiple permissions, see Permission scenarios.
Calls permissions
Delegated permissions
None.
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Calls.Initiate.All | Initiate outgoing 1:1 calls from the app | Allows the app to place outbound calls to a single user and transfer calls to users in your organization's directory, without a signed-in user. | Yes |
Calls.InitiateGroupCall.All | Initiate outgoing group calls from the app | Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a signed-in user. | Yes |
Calls.JoinGroupCall.All | Join group calls and meetings as an app | Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined with the privileges of a directory user to meetings in your tenant. | Yes |
Calls.JoinGroupCallasGuest.All | Join group calls and meetings as a guest | Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined as a guest to meetings in your tenant. | Yes |
Calls.AccessMedia.All* | Access media streams in a call as an app | Allows the app to get direct access to media streams in a call, without a signed-in user. | Yes |
*Important: You may NOT use the Cloud Communications APIs to record or otherwise persist media content from calls or meetings that your application accesses, or data derived from that media content. Make sure that you are compliant with the laws and regulations in your area regarding data protection and confidentiality of communications. Please see the Terms of Use and consult with your legal counsel for more information.
Example usage
Application
- Calls.Initiate.All: Make a peer-to-peer call from the application to a user in the organization (`POST /beta/communications/calls`).
- Calls.InitiateGroupCall.All: Make a group call from the application to a group of users in the organization (`POST /beta/communications/calls`).
- Calls.JoinGroupCall.All: Join a group call or online meeting from the application (`POST /beta/communications/calls`).
- Calls.JoinGroupCallasGuest.All: Join a group call or online meeting from the application, but the application only has guest privileges in the meeting (`POST /beta/communications/calls`).
- Calls.AccessMedia.All: Create or join a call and the app gets direct access to participant media streams in the call (`POST /beta/communications/calls`).
Note: For request examples, see Create call.
For more complex scenarios involving multiple permissions, see Permission scenarios.
Call records permissions
Delegated permissions
None.
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
CallRecords.Read.All | Read all call records | Allows the app to read call records for all calls and online meetings without a signed-in user. | Yes |
CallRecord-PstnCalls.Read.All | Read PSTN and direct routing call log data | Allows the app to read all PSTN and direct routing call log data without a signed-in user. | Yes |
Remarks
The CallRecords.Read.All permission grants an application privileged access to callRecords for every call and online meeting within your organization, including calls to and from external phone numbers. This includes potentially sensitive details about who participated in the call, as well as technical information pertaining to these calls and meetings that can be used for network troubleshooting, such as IP addresses, device details, and other network information.
The CallRecord-PstnCalls.Read.All permission grants an application access to PSTN (calling plans) and direct routing call logs. This includes potentially sensitive information about users as well as calls to and from external phone numbers.
Important: Discretion should be used when granting these permissions to applications. Call records can provide insights into the operation of your business, and so can be a target for malicious actors. Only grant these permissions to applications you trust to meet your data protection requirements.
Important: Make sure that you are compliant with the laws and regulations in your area regarding data protection and confidentiality of communications. Please see the Terms of Use and consult with your legal counsel for more information.
Example usage
Application
- CallRecords.Read.All: Retrieve a call record (`GET /v1.0/communications/callRecords/{id}`).
- CallRecords.Read.All: Subscribe to new call records (`POST /v1.0/subscriptions`).
- CallRecords.Read.All: Retrieve direct routing call records within the specified time range (`GET /v1.0/communications/callRecords/microsoft.graph.callRecords.getDirectRoutingCalls(fromDateTime={start date and time},toDateTime={end date and time})`)
- CallRecord-PstnCalls.Read.All: Retrieve PSTN call records within the specified time range (`GET /v1.0/communications/callRecords/microsoft.graph.callRecords.getPstnCalls(fromDateTime={start date and time},toDateTime={end date and time})`)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Channel permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Channel.ReadBasic.All | Read the names and descriptions of channels. | Read channel names and channel descriptions, on behalf of the signed-in user. | No | No |
Channel.Create | Create channels. | Create channels in any team, on behalf of the signed-in user. | Yes | No |
Channel.Delete.All | Delete channels. | Delete channels in any team, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Channel.ReadBasic.All | Read the names and descriptions of all channels. | Read all channel names and channel descriptions, without a signed-in user. | Yes | No |
Channel.Create | Create channels. | Create channels in any team, without a signed-in user. | Yes | No |
Channel.Delete.All | Delete channels. | Delete channels in any team, without a signed-in user. | Yes | No |
Teamwork.Migrate.All | Manage migration to Microsoft Teams | Creating and managing resources for migration to Microsoft Teams | Yes | Yes |
Channel member permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ChannelMember.Read.All | Read the members of channels. | Read the members of channels, on behalf of the signed-in user. | Yes | No |
ChannelMember.ReadWrite.All | Add and remove members from channels. | Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ChannelMember.Read.All | Read the members of all channels. | Read the members of all channels, without a signed-in user. | Yes | No |
ChannelMember.ReadWrite.All | Add and remove members from all channels. | Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner. | Yes | No |
Channel message permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ChannelMessage.Edit (private preview) | Edit user's channel messages | Allows an app to edit channel messages in Microsoft Teams, on behalf of the signed-in user. | Yes | No |
ChannelMessage.Read.All | Read user channel messages | Allows an app to read a channel's messages in Microsoft Teams, on behalf of the signed-in user. | Yes | No |
ChannelMessage.Send | Send channel messages | Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user. | No | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ChannelMessage.Read.All | Read all channel messages | Allows the app to read all channel messages in Microsoft Teams, without a signed-in user. | Yes | No |
ChannelMessage.UpdatePolicyViolation.All | Flag channel messages for violating policy | Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. | Yes | No |
Note: See also Group.Read.All.
Channel settings permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ChannelSettings.Read.All | Read the names, descriptions, and settings of channels. | Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user. | Yes | No |
ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of channels. | Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ChannelSettings.Read.All | Read the names, descriptions, and settings of all channels. | Read all channel names, channel descriptions, and channel settings, without a signed-in user. | Yes | No |
ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of all channels. | Read and write the names, descriptions, and settings of all channels, without a signed-in user. | Yes | No |
Chat permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Chat.Read | Read your chat messages. | Allows an app to read your 1:1 or group chat messages in Microsoft Teams, on your behalf. | No | No |
Chat.ReadBasic | Read names and members of user chat threads. | Allows an app to read the members and descriptions of 1:1 and group chat threads, on behalf of the signed-in user. | No | No |
Chat.ReadWrite | Read your chat messages and send new ones. | Allows an app to read and send your 1:1 or group chat messages in Microsoft Teams, on your behalf. | No | No |
Chat.ManageDeletion.All | Delete and recover deleted chats. | Allows the app to delete and recover deleted chats, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Chat.Read.WhereInstalled | Read all chat messages for chats where the associated Teams application is installed. | Allows the app to read all one-to-one or group chat messages in Microsoft Teams for chats where the associated Teams application is installed, without a signed-in user. | Yes | No |
Chat.Read.All | Read all chat messages. | Allows the app to read all 1:1 or group chat messages in Microsoft Teams, without a signed-in user. | Yes | No |
Chat.ReadBasic.WhereInstalled | Read names and members of all chat threads where the associated Teams application is installed. | Allows the app to read names and members of all one-to-one and group chats in Microsoft Teams where the associated Teams application is installed, without a signed-in user. | Yes | No |
Chat.ReadBasic.All | Read names and members of user chat threads. | Read names and members of all chat threads. | Yes | No |
Chat.UpdatePolicyViolation.All | Flag chat messages for violating policy. | Allows the app to update Microsoft Teams 1:1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. | Yes | No |
Chat.ReadWrite.WhereInstalled | Read and write all chat messages for chats where the associated Teams application is installed. | Allows the app to read and write all chat messages in Microsoft Teams for chats where the associated Teams application is installed, without a signed-in user. | Yes | No |
Chat.ReadWrite.All | Read and write all chat messages. | Allows an app to read and write all one-to-one and group chats in Microsoft Teams, without a signed-in user. Does not allow sending messages. | Yes | No |
Chat.ManageDeletion.All | Delete and recover deleted chats. | Allows the app to delete and recover deleted chats, without a signed-in user. | Yes | No |
Note: For messages in a channel, see ChannelMessage permissions.
Chat membership permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ChatMember.Read | Read the members of chats. | Read the members of chats on behalf of the signed-in user. | Yes | No |
ChatMember.ReadWrite | Add and remove members from chats. | Add and remove members from chats on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ChatMember.Read.WhereInstalled | Read the members of all chats where the associated Teams application is installed. | Allows the app to read the members of all chats where the associated Teams application is installed, without a signed-in user. | Yes | No |
ChatMember.Read.All | Read the members of all chats. | Allows the app to read all 1:1 or group chat messages in Microsoft Teams, without a signed-in user. | Yes | No |
ChatMember.ReadWrite.WhereInstalled | Add and remove members from all chats where the associated Teams application is installed. | Allows the app to add and remove members from all chats where the associated Teams application is installed, without a signed-in user. | Yes | No |
ChatMember.ReadWrite.All | Add and remove members of all chats. | Read names and members of all chat threads. | Yes | No |
Chat resource-specific consent permissions
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ChatSettings.Read.Chat | Read this chat's settings. | Allows the app to read this chat's settings, without a signed-in user. | No | No |
ChatSettings.ReadWrite.Chat | Read and write this chat's settings. | Allows the app to read and write this chat's settings, without a signed-in user. | No | No |
ChatMessage.Read.Chat | Read this chat's messages. | Allows the app to read this chat's messages, without a signed-in user. | No | No |
ChatMember.Read.Chat | Read this chat's members. | Allows the app to read this chat's members, without a signed-in user. | No | No |
Chat.Manage.Chat | Manage this chat. | Allows the app to manage the chat, the chat's members, and grant access to the chat's data, without a signed-in user. | No | No |
TeamsTab.Read.Chat | Read this chat's tabs. | Allows the app to read this chat's tabs, without a signed-in user. | No | No |
TeamsTab.Create.Chat | Create tabs in this chat. | Allows the app to create tabs in this chat, without a signed-in user. | No | No |
TeamsTab.Delete.Chat | Delete this chat's tabs. | Allows the app to delete this chat's tabs, without a signed-in user. | No | No |
TeamsTab.ReadWrite.Chat | Manage this chat's tabs. | Allows the app to manage this chat's tabs, without a signed-in user. | No | No |
TeamsAppInstallation.Read.Chat | Read which apps are installed in this chat. | Allows the app to read the Teams apps that are installed in this chat along with the permissions granted to each app, without a signed-in user. | No | No |
OnlineMeeting.ReadBasic.Chat | Read basic properties of a meeting associated with this chat. | Allows the app to read basic properties—such as name, schedule, organizer, and join link—of a meeting associated with this chat, without a signed-in user. | No | No |
Calls.AccessMedia.Chat | Access media streams in calls associated with this chat or meeting. | Allows the app to access media streams in calls associated with this chat or meeting, without a signed-in user. | No | No |
Calls.JoinGroupCalls.Chat | Join calls associated with this chat or meeting. | Allows the app to join calls associated with this chat or meeting, without a signed-in user. | No | No |
TeamsActivity.Send.Chat | Send activity feed notifications to users in this chat. | Allows the app to create new notifications in the teamwork activity feeds of the users in this chat, without a signed-in user. | No | No |
Note
Currently, these permissions are supported only in the beta version of Microsoft Graph.
ChatMessage permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ChatMessage.Send | Send user chat messages | Allows an app to send 1:1 and group chat messages in Microsoft Teams, on behalf of the signed-in user. | No | No |
Cloud PC permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
CloudPC.Read.All | Read Cloud PCs | Allows the app to read Cloud PC objects such as provisioning policies, on behalf of the signed-in user. | No | No |
CloudPC.ReadWrite.All | Read and write Cloud PCs | Allows the app to create, read, update, and delete Cloud PC objects such as Azure network connections, provisioning policies, and device images, on behalf of the user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
CloudPC.Read.All | Read Cloud PCs | Allows the app to read Cloud PC objects such as provisioning policies, without a signed-in user. | Yes | No |
CloudPC.ReadWrite.All | Read and write Cloud PCs | Allows the app to create, read, update, and delete Cloud PC objects such as Azure network connections, provisioning policies, and device images, without a signed-in user. | Yes | No |
Example usage
Delegated
- CloudPC.Read.All: View the properties of all Cloud PCs (GET /deviceManagement/virtualEndpoint/cloudPCs).
- CloudPC.ReadWrite.All: Edit the Cloud PC provisioning policy (PATCH /deviceManagement/virtualEndpoint/provisioningPolicies/{id}).
Application
- CloudPC.Read.All: View the properties of all Cloud PCs (GET /deviceManagement/virtualEndpoint/cloudPCs).
- CloudPC.ReadWrite.All: Edit the Cloud PC provisioning policy (PATCH /deviceManagement/virtualEndpoint/provisioningPolicies/{id}).
Consent requests permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ConsentRequest.Read.All | Read consent requests | Allows the app to read consent requests and approvals on behalf of the signed-in user. | Yes | No |
ConsentRequest.ReadWrite.All | Read and write consent requests | Allows the app to read app consent requests and approvals, and deny or approve those requests on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
ConsentRequest.Read.All | Read consent requests | Allows the app to read app consent requests and approvals without a signed-in user. | Yes |
ConsentRequest.ReadWrite.All | Read and write consent requests | Allows the app to read app consent requests and approvals, and deny or approve those requests without a signed-in user. | Yes |
Cross-tenant user profile sharing permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
CrossTenantUserProfileSharing.Read | Read shared cross-tenant user profile and export data | Allows the application to list and query user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export external user data (e.g. customer content or system-generated logs), associated with the current tenant on behalf of the signed-in user. | Yes | Yes |
CrossTenantUserProfileSharing.Read.All | Read all shared cross-tenant user profiles and export their data | Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user. | Yes | Yes |
CrossTenantUserProfileSharing.ReadWrite | Read shared cross-tenant user profile and export or delete data | Allows the application to list and query user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), associated with the current tenant on behalf of the signed-in user. | Yes | No |
CrossTenantUserProfileSharing.ReadWrite.All | | Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
CrossTenantUserProfileSharing.Read.All | | Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user. It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant without a signed-in user. | Yes |
CrossTenantUserProfileSharing.ReadWrite.All | | Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant without a signed-in user. | Yes |
Contacts permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Contacts.Read | Read user contacts | Allows the app to read user contacts. | No | Yes |
Contacts.Read.Shared | Read user and shared contacts | Allows the app to read contacts that the user has permissions to access, including the user's own and shared contacts. | No | No |
Contacts.ReadWrite | Have full access to user contacts | Allows the app to create, read, update, and delete user contacts. | No | Yes |
Contacts.ReadWrite.Shared | Read and write user and shared contacts | Allows the app to create, read, update and delete contacts that the user has permissions to, including the user's own and shared contacts. | No | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Contacts.Read | Read contacts in all mailboxes | Allows the app to read all contacts in all mailboxes without a signed-in user. | Yes |
Contacts.ReadWrite | Read and write contacts in all mailboxes | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. | Yes |
Important: Administrators can configure an application access policy to limit app access to specific mailboxes rather than all the mailboxes in the organization, even if the app has been granted the application permissions Contacts.Read or Contacts.ReadWrite.
Example usage
Delegated
- Contacts.Read: Read a contact from one of the top-level contact folders of the signed-in user (GET /me/contactfolders/{Id}/contacts/{id}).
- Contacts.ReadWrite: Update the contact photo of one of the signed-in user's contacts (PUT /me/contactfolders/{contactFolderId}/contacts/{id}/photo/$value).
- Contacts.ReadWrite: Add contacts to the root folder of the signed-in user (POST /me/contacts).
Application
- Contacts.Read: Read contacts from one of the top-level contact folders of any user in the organization (GET /users/{id | userPrincipalName}/contactfolders/{Id}/contacts/{id}).
- Contacts.ReadWrite: Update the photo for any contact of any user in an organization (PUT /users/{id | userPrincipalName}/contactfolders/{contactFolderId}/contacts/{id}/photo/$value).
- Contacts.ReadWrite: Add contacts to the root folder of any user in the organization (POST /users/{id | userPrincipalName}/contacts).
For more complex scenarios involving multiple permissions, see Permission scenarios.
Custom authentication extensions permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
CustomAuthenticationExtension.Read.All | Read your organization's custom authentication extensions | Allows the app to read your organization's custom authentication extensions on behalf of the signed-in user. | Yes | No |
CustomAuthenticationExtension.ReadWrite.All | Read and write your organization's custom authentication extensions | Allows the app to read or write your organization's custom authentication extensions on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
CustomAuthenticationExtension.Read.All | Read all custom authentication extensions | Allows the app to read your organization's custom authentication extensions without a signed-in user. | Yes |
CustomAuthenticationExtension.ReadWrite.All | Read and write all custom authentication extensions | Allows the app to read or write your organization's custom authentication extensions without a signed-in user. | Yes |
Custom security attributes permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
CustomSecAttributeAssignment.Read.All | Read custom security attribute assignments | Allows the app to read custom security attribute assignments for all principals in the tenant on behalf of a signed in user. | Yes | No |
CustomSecAttributeAssignment.ReadWrite.All | Read and write custom security attribute assignments | Allows the app to read and write custom security attribute assignments for all principals in the tenant on behalf of a signed in user. | Yes | No |
CustomSecAttributeDefinition.Read.All | Read custom security attribute definitions | Allows the app to read custom security attribute definitions for the tenant on behalf of a signed in user. | Yes | No |
CustomSecAttributeDefinition.ReadWrite.All | Read and write custom security attribute definitions | Allows the app to read and write custom security attribute definitions for the tenant on behalf of a signed in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
CustomSecAttributeAssignment.Read.All | Read custom security attribute assignments | Allows the app to read custom security attribute assignments for all principals in the tenant without a signed in user. | Yes |
CustomSecAttributeAssignment.ReadWrite.All | Read and write custom security attribute assignments | Allows the app to read and write custom security attribute assignments for all principals in the tenant without a signed in user. | Yes |
CustomSecAttributeDefinition.Read.All | Read custom security attribute definitions | Allows the app to read custom security attribute definitions for the tenant without a signed in user. | Yes |
CustomSecAttributeDefinition.ReadWrite.All | Read and write custom security attribute definitions | Allows the app to read and write custom security attribute definitions for the tenant without a signed in user. | Yes |
Device local credential permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
DeviceLocalCredential.ReadBasic.All | Read basic device local credential information | Allows the app to read device local credential properties excluding passwords, on behalf of the signed-in user. | Yes | No |
DeviceLocalCredential.Read.All | Read device local credential information | Allows the app to read device local credential properties including passwords, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
DeviceLocalCredential.ReadBasic.All | Read basic device local credential information | Allows the app to read device local credential properties excluding passwords. | Yes | No |
DeviceLocalCredential.Read.All | Read device local credential information | Allows the app to read device local credential properties including passwords. | Yes | No |
Example usage
Delegated
- DeviceLocalCredential.ReadBasic.All: List the device local credentials for all devices in the tenant without returning the 'credentials' property (GET /deviceLocalCredentials).
- DeviceLocalCredential.Read.All: Get a device local credential, including the local administrator account password as a Base64-encoded value (GET /deviceLocalCredentials/{deviceId}?$select=credentials).
Application
- DeviceLocalCredential.ReadBasic.All: List the device local credentials for all devices in the tenant without returning the 'credentials' property (GET /deviceLocalCredentials).
- DeviceLocalCredential.Read.All: Get a device local credential, including the local administrator account password as a Base64-encoded value (GET /deviceLocalCredentials/{deviceId}?$select=credentials).
Granular delegated admin privileges (GDAP) permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
DelegatedAdminRelationship.Read.All | Read Delegated Admin relationships with customers | Allows the app to read details of delegated admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups on behalf of the signed-in user. | Yes | No |
DelegatedAdminRelationship.ReadWrite.All | Manage Delegated Admin relationships with customers | Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships on your behalf. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
DelegatedAdminRelationship.Read.All | Read Delegated Admin relationships with customers | Allows the app to read details of delegated admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups without a signed-in user. | Yes | No |
DelegatedAdminRelationship.ReadWrite.All | Manage Delegated Admin relationships with customers | Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships without a signed-in user. | Yes | No |
Device permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Device.Read | Read user devices | Allows the app to read a user's list of devices on behalf of the signed-in user. | No | Yes |
Device.Read.All | Read all devices | Allows the app to read your organization's devices' configuration information on behalf of the signed-in user. | Yes | Yes |
Device.Command | Communicate with user devices | Allows the app to launch another app or communicate with another app on a user's device on behalf of the signed-in user. | No | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Device.Read.All | Read all devices | Allows the app to read your organization's devices' configuration information without a signed-in user. | Yes |
Device.ReadWrite.All | Read and write devices | Allows the app to read and write all device properties without a signed in user. Does not allow device creation or update of device alternative security identifiers. | Yes |
Note
Before December 3rd, 2020, when the application permission Device.ReadWrite.All was granted, the Device Managers directory role was also assigned to the app's service principal. This directory role assignment is not removed automatically when the associated application permission is revoked. To ensure that an application's access to read or write to devices is removed, customers must also remove any related directory roles that were granted to the application.
A service update disabling this behavior began rolling out on December 3rd, 2020. Deployment to all customers completed on January 11th, 2021. Directory roles are no longer automatically assigned when application permissions are granted.
Example usage
Application
- Device.ReadWrite.All: Read all registered devices in the organization (GET /devices).
For more complex scenarios involving multiple permissions, see Permission scenarios.
Directory permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Directory.Read.All | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization's tenant. | Yes | No |
Directory.ReadWrite.All | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords. | Yes | No |
Directory.AccessAsUser.All | Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Directory.Read.All | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Yes |
Directory.ReadWrite.All | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. | Yes |
Remarks
Directory permissions provide the highest level of privilege for accessing directory resources such as user, group, and device in an organization.
They also exclusively control access to other directory resources like: organizational contacts, schema extension APIs, Privileged Identity Management (PIM) APIs, as well as many of the resources and APIs listed under the Azure Active Directory node in the v1.0 and beta API reference documentation. These include administrative units, directory roles, directory settings, policy, and many more.
Note
Before December 3rd, 2020, when the application permission Directory.Read.All was granted, the Directory Readers directory role was also assigned to the app's service principal. When Directory.ReadWrite.All was granted, the Directory Writers directory role was also assigned. These directory roles are not removed automatically when the associated application permissions are revoked. To remove an application's access to read or write to the directory, customers must also remove any directory roles that were granted to the application.
A service update disabling this behavior began rolling out on December 3rd, 2020. Deployment to all customers completed on January 11th, 2021. Directory roles are no longer automatically assigned when application permissions are granted.
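The audit that this note and the matching Device.ReadWrite.All note call for, as an added example (not code from Microsoft or from this page): it flags service principals that still hold Directory Readers, Directory Writers or Device Managers without the paired application permission. All IDs and sample objects are constructed, and the input is assumed to be already fetched from Graph's appRoleAssignment and directoryRole resources with each role's members merged in.

```python
"""Flag service principals that kept an auto-assigned directory role after the
paired application permission was revoked. Runs offline on constructed data."""

# Pairings taken from the notes on this page (behaviour before December 3rd, 2020).
ROLE_FOR_PERMISSION = {
    "Directory.Read.All": "Directory Readers",
    "Directory.ReadWrite.All": "Directory Writers",
    "Device.ReadWrite.All": "Device Managers",
}
PERMISSION_FOR_ROLE = {role: perm for perm, role in ROLE_FOR_PERMISSION.items()}

# Constructed stand-in for the appRoles of the Microsoft Graph service principal.
# The ids are placeholders, not the real permission identifiers.
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "Directory.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "Directory.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-0000000000a3", "value": "Device.ReadWrite.All"},
]

# Constructed appRoleAssignment objects: what each app holds *today*.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-hr-export", "appRoleId": "00000000-0000-0000-0000-0000000000a1"},
    {"principalId": "sp-inventory", "appRoleId": "00000000-0000-0000-0000-0000000000a3"},
]

# Constructed directoryRole objects with their members merged in.
DIRECTORY_ROLES = [
    {"id": "role-readers", "displayName": "Directory Readers", "members": [
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-legacy-sync"},
        {"@odata.type": "#microsoft.graph.user", "id": "user-alice"},
    ]},
    {"id": "role-writers", "displayName": "Directory Writers", "members": [
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-hr-export"},
    ]},
    {"id": "role-devmgr", "displayName": "Device Managers", "members": [
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-inventory"},
    ]},
    {"id": "role-other", "displayName": "Global Reader", "members": [
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-legacy-sync"},
    ]},
]


def granted_permissions(assignments, app_roles):
    """Map each principal id to the set of permission names it currently holds."""
    names = {role["id"]: role["value"] for role in app_roles}
    granted = {}
    for assignment in assignments:
        name = names.get(assignment["appRoleId"])
        if name is not None:  # ignore app roles of other resource APIs
            granted.setdefault(assignment["principalId"], set()).add(name)
    return granted


def find_lingering_roles(directory_roles, assignments, app_roles):
    """Return one finding per service principal that is a member of a paired
    directory role but no longer holds the paired application permission.
    A finding means "review": the role may also have been assigned on purpose."""
    granted = granted_permissions(assignments, app_roles)
    findings = []
    for role in directory_roles:
        permission = PERMISSION_FOR_ROLE.get(role["displayName"])
        if permission is None:
            continue  # role was never auto-assigned by a permission grant
        for member in role.get("members", []):
            if member.get("@odata.type") != "#microsoft.graph.servicePrincipal":
                continue  # users and groups are out of scope for this check
            if permission in granted.get(member["id"], set()):
                continue  # permission still granted, role is still explained
            findings.append({
                "principalId": member["id"],
                "role": role["displayName"],
                "missingPermission": permission,
                # Request that removes the membership once the review confirms it.
                "removeRequest": "DELETE /directoryRoles/%s/members/%s/$ref"
                                 % (role["id"], member["id"]),
            })
    return sorted(findings, key=lambda f: (f["principalId"], f["role"]))


if __name__ == "__main__":
    for f in find_lingering_roles(DIRECTORY_ROLES, APP_ROLE_ASSIGNMENTS, GRAPH_APP_ROLES):
        print("%(principalId)s: holds %(role)s without %(missingPermission)s -> %(removeRequest)s" % f)
```

In the sample, sp-hr-export is reported because its remaining Directory.Read.All grant does not explain membership in Directory Writers.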
The Directory.ReadWrite.All permission grants the following privileges:
- Full read of all directory resources (both declared properties and navigation properties)
- Create and update users
- Disable and enable users (but not Company Administrator)
- Set user alternative security ID (but not administrators)
- Create and update groups
- Manage group memberships
- Update group owner
- Manage license assignments
- Define schema extensions on applications
- Manage directory settings
- Manage admin consent workflow configuration (but not whether admin consent is required or who is authorized to grant admin consent)
Note:
- No rights to reset user passwords.
- Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.
- No rights to delete resources (including users or groups).
- Specifically excludes create or update for resources not listed above. This includes: application, oAuth2PermissionGrant, appRoleAssignment, device, servicePrincipal, organization, domains, and so on.
Example usage
Delegated
- Directory.Read.All: List all administrative units in an organization (`GET /beta/administrativeUnits`)
- Directory.ReadWrite.All: Add members to a directory role (`POST /directoryRoles/{id}/members/$ref`)
Application
- Directory.Read.All: List all memberships of a user, including directory roles and administrative units (`GET /beta/users/{id}/memberOf`)
- Directory.Read.All: List all group members, including service principals (`GET /beta/groups/{id}/members`)
- Directory.ReadWrite.All: Add an owner to a group (`POST /groups/{id}/owners/$ref`)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Directory recommendations permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
DirectoryRecommendations.Read.All | Read all recommendations | Allows the app to read recommendations on behalf of the signed-in user. | Yes | No |
DirectoryRecommendations.ReadWrite.All | Manage all recommendations | Allows the app to read and write recommendations on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
DirectoryRecommendations.Read.All | Read all recommendations | Allows the app to read recommendations without a signed-in user. | Yes |
DirectoryRecommendations.ReadWrite.All | Manage all recommendations | Allows the app to read and write recommendations without a signed-in user. | Yes |
Domain permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Domain.Read.All | Read domains | Allows the app to read all domain properties on behalf of the signed-in user. | Yes | No |
Domain.ReadWrite.All | Read and write domains | Allows the app to read and write all domain properties on behalf of the signed-in user. Also allows the app to add, verify, and remove domains. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Domain.Read.All | Read domains | Allows the app to read all domain properties without a signed-in user. | Yes |
Domain.ReadWrite.All | Read and write domains | Allows the app to read and write domains without a signed-in user. | Yes |
eDiscovery permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
eDiscovery.Read.All | Read user eDiscovery case data | Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user. | Yes | No |
eDiscovery.ReadWrite.All | Read and write eDiscovery case data | Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user. | Yes | No |
Application permissions
None
Example usage
Delegated
- eDiscovery.Read.All: Get the list of cases available to the user (`GET /compliance/ediscovery/cases`)
- eDiscovery.ReadWrite.All: Create a reviewset query in a review set (`POST /compliance/ediscovery/cases/{caseId}/reviewSets/{reviewSetId}/queries`)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Education permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
EduAdministration.Read | Read education app settings | Allows the app to read education app settings on behalf of the user. | Yes | No |
EduAdministration.ReadWrite | Manage education app settings | Allows the app to manage education app settings on behalf of the user. | Yes | No |
EduAssignments.ReadBasic | Read users' class assignments without grades | Allows the app to read assignments without grades on behalf of the user | Yes | No |
EduAssignments.ReadWriteBasic | Read and write users' class assignments without grades | Allows the app to read and write assignments without grades on behalf of the user | Yes | No |
EduAssignments.Read | Read users' view of class assignments and their grades | Allows the app to read assignments and their grades on behalf of the user | Yes | No |
EduAssignments.ReadWrite | Read and write users' view of class assignments and their grades | Allows the app to read and write assignments and their grades on behalf of the user | Yes | No |
EduRoster.ReadBasic | Read a limited subset of users' view of the roster | Allows the app to read a limited subset of the properties from the structure of schools and classes in an organization's roster and a limited subset of properties about users to be read on behalf of the user. Includes name, status, education role, and email address. | Yes | No |
EduRoster.Read | Read users' view of the roster | Allows the app to read the structure of schools and classes in an organization's roster and education-specific information about users to be read on behalf of the user. | Yes | |
EduRoster.ReadWrite | Read and write users' view of the roster | Allows the app to read and write the structure of schools and classes in an organization's roster and education-specific information about users to be read and written on behalf of the user. | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
EduAdministration.Read.All | Read Education app settings | Read the state and settings of all Microsoft education apps on behalf of the user. | Yes |
EduAdministration.ReadWrite.All | Manage education app settings | Manage the state and settings of all Microsoft education apps on behalf of the user. | Yes |
EduAssignments.ReadBasic.All | Read all class assignments without grades | Allows the app to read all class assignments without grades for all users without a signed-in user. | Yes |
EduAssignments.ReadWriteBasic.All | Create, read, update, and delete all class assignments without grades | Allows the app to create, read, update and delete all class assignments without grades for all users without a signed-in user. | Yes |
EduAssignments.Read.All | Read all class assignments with grades | Allows the app to read all class assignments with grades for all users without a signed-in user. | Yes |
EduAssignments.ReadWrite.All | Create, read, update, and delete all class assignments with grades | Allows the app to create, read, update and delete all class assignments with grades for all users without a signed-in user. | Yes |
EduRoster.ReadBasic.All | Read a limited subset of the organization's roster. | Allows the app to read a limited subset of both the structure of schools and classes in an organization's roster and education-specific information about all users. | Yes |
EduRoster.Read.All | Read the organization's roster. | Allows the app to read the structure of schools and classes in the organization's roster and education-specific information about all users to be read. | Yes |
EduRoster.ReadWrite.All | Read and write the organization's roster. | Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific information about all users to be read and written. | Yes |
Example usage
Delegated
- EduAssignments.Read: Get the signed-in student's assignment information (`GET /education/classes/{id}/assignments/{id}`)
- EduAssignments.ReadWriteBasic: Submit signed-in student assignment (`GET /education/classes/{id}/assignments/{id}submit`)
- EduRoster.ReadBasic: Classes a signed-in user attends or teaches (`GET /education/classes/{id}/members`)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Employee learning permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
LearningContent.Read.All | Read learning content | Allows the app to read learning content in the organization's directory, on behalf of the signed-in user. | Yes | No |
LearningContent.ReadWrite.All | Manage learning content | Allows the app to manage all learning content in the organization's directory, on behalf of the signed-in user. | Yes | No |
LearningProvider.Read | Read learning provider | Allows the app to read data for the learning provider in the organization's directory, on behalf of the signed-in user. | Yes | No |
LearningProvider.ReadWrite | Manage learning provider | Allows the app to create, update, read, and delete data for the learning provider in the organization's directory, on behalf of the signed-in user. | Yes | No |
LearningAssignedCourse.Read | Read assignment | Allows the app to read data for assignment record in organization's directory on behalf of the signed-in user. | Yes | No |
LearningSelfInitiatedCourse.Read | Read self-initiated course | Allows the app to read data for self-initiated course record in organization's directory on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
LearningContent.Read.All | Read all learning content | Allows the app to read all learning content in the organization's directory, without a signed-in user. | Yes | No |
LearningContent.ReadWrite.All | Manage all learning content | Allows the app to manage all learning content in the organization's directory, without a signed-in user. | Yes | No |
LearningAssignedCourse.Read.All | Read learning assignment | Allows the app to read data for learning assignment record in organization's directory, without a signed-in user. | Yes | No |
LearningSelfInitiatedCourse.Read.All | Read learning self-initiated course | Allows the app to read data for learning self-initiated course record in organization's directory, without a signed-in user. | Yes | No |
LearningAssignedCourse.ReadWrite.All | Manage all learning assignment for learner | Allows the app to create/read/update/delete data for learning assignment record in organization's directory, without a signed-in user. | Yes | No |
LearningSelfInitiatedCourse.ReadWrite.All | Manage all self-initiated course for learner | Allows the app to create/read/update/delete data for self-initiated course record in organization's directory, without a signed-in user. | Yes | No |
Entitlement management permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
EntitlementManagement.ReadWrite.All | Read and write entitlement management resources | Allows the app to request access to read and manage access packages and related entitlement management resources on behalf of the signed-in user. | Yes |
EntitlementManagement.Read.All | Read entitlement management resources | Allows the app to request access to read access packages and related entitlement management resources on behalf of the signed-in user. | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
EntitlementManagement.ReadWrite.All | Read and write entitlement management resources | Allows the app to read and manage access packages and related entitlement management resources. | Yes |
EntitlementManagement.Read.All | Read entitlement management resources | Allows the app to read access packages and related entitlement management resources. | Yes |
Files permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Files.Read | Read user files | Allows the app to read the signed-in user's files. | No | Yes |
Files.Read.All | Read all files that user can access | Allows the app to read all files the signed-in user can access. | No | Yes |
Files.ReadWrite | Have full access to user files | Allows the app to read, create, update, and delete the signed-in user's files. | No | Yes |
Files.ReadWrite.All | Have full access to all files user can access | Allows the app to read, create, update, and delete all files the signed-in user can access. | No | Yes |
Files.ReadWrite.AppFolder | Have full access to the application's folder (preview) | (Preview) Allows the app to read, create, update, and delete files in the application's folder. | No | Yes |
Files.Read.Selected | Read files that the user selects | Limited support in Microsoft Graph; see Remarks. (Preview) Allows the app to read files that the user selects. The app has access for several hours after the user selects a file. | No | No |
Files.ReadWrite.Selected | Read and write files that the user selects | Limited support in Microsoft Graph; see Remarks. (Preview) Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file. | No | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Files.Read.All | Read files in all site collections | Allows the app to read all files in all site collections without a signed-in user. | Yes |
Files.ReadWrite.All | Read and write files in all site collections | Allows the app to read, create, update, and delete all files in all site collections without a signed-in user. | Yes |
Remarks
Note: For personal accounts, Files.Read and Files.ReadWrite also grant access to files shared with the signed-in user.
The Files.Read.Selected and Files.ReadWrite.Selected delegated permissions are only valid on work or school accounts and are only exposed for working with Office 365 file handlers (v1.0). They should not be used for directly calling Microsoft Graph APIs.
The Files.ReadWrite.AppFolder delegated permission is only valid for personal accounts and is used for accessing the App Root special folder with the OneDrive Get special folder Microsoft Graph API.
Example usage
Delegated
- Files.Read: Read files stored in the signed-in user's OneDrive (`GET /me/drive/root/children`)
- Files.Read.All: Read files shared with the signed-in user (`GET /me/drive/root/sharedWithMe`)
- Files.ReadWrite: Write a file in the signed-in user's OneDrive (`PUT /me/drive/root/children/filename.txt/content`)
- Files.ReadWrite.All: Write a file shared with the user (`PUT /users/rgregg@contoso.com/drive/root/children/file.txt/content`)
- Files.ReadWrite.AppFolder: Write files into the app's folder in OneDrive (`PUT /me/drive/special/approot/children/file.txt/content`)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Financials permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Financials.ReadWrite.All | Read and write financials data | Allows the app to read and write financials data on behalf of the signed-in user | No |
Group permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Group.Read.All | Read all groups | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. | Yes | No |
Group.ReadWrite.All | Read and write all groups | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Also allows the app to read and write calendar, conversations, files, and other group content for all groups the signed-in user can access. Additionally allows group owners to manage their groups and allows group members to update group content. | Yes | No |
GroupMember.Read.All | Read group memberships | Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to. | Yes | No |
GroupMember.ReadWrite.All | Read and write group memberships | Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted. | Yes | No |
UnifiedGroupMember.Read.AsGuest | Read unified (Microsoft 365) group memberships as a guest user | Allows the app to read basic unified group properties, memberships, and owners of the group the signed-in guest is a member of. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Group.Read.All | Read all groups | Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. | Yes |
Group.ReadWrite.All | Read and write all groups | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. | Yes |
GroupMember.Read.All | Read group memberships | Allows the app to read memberships and basic group properties for all groups without a signed-in user. | Yes |
GroupMember.ReadWrite.All | Read and write group memberships | Allows the app to list groups, read basic properties, read and update the membership of the groups without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. | Yes |
Group.Create | Create groups | Allows the calling app to create groups without a signed-in user. Does not allow read, update, or deletion of any groups. | Yes |
Remarks
Group functionality is not supported on personal Microsoft accounts.
For Microsoft 365 groups, Group permissions grant the app access to the contents of the group; for example, conversations, files, notes, and so on.
For application permissions, there are some limitations for the APIs that are supported. For more information, see known issues.
In some cases, an app may need Directory permissions to read some group properties like member and memberOf. For example, if a group has one or more servicePrincipals as members, the app will need effective permissions to read service principals through being granted one of the Directory.* permissions, otherwise Microsoft Graph will return an error. (In the case of delegated permissions, the signed-in user will also need sufficient privileges in the organization to read service principals.) The same guidance applies for the memberOf property, which can return administrativeUnits.
To set a Microsoft 365 group's preferredDataLocation attribute, an app needs Directory.ReadWrite.All permission. When users in a multi-geo environment create a Microsoft 365 group, the preferredDataLocation value for the group is automatically set to that of the user. For more information about groups' preferred data location, see Create a Microsoft 365 group with a specific PDL.
Group permissions are used to control access to Microsoft Teams resources and APIs. Personal Microsoft accounts are not supported.
Group permissions are also used to control access to Microsoft Planner resources and APIs. Only delegated permissions are supported for Microsoft Planner APIs; application permissions are not supported. Personal Microsoft accounts are not supported.
Example usage
Delegated
- Group.Read.All: Read all Microsoft 365 groups that the signed-in user is a member of (`GET /me/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(a:a%20eq%20'unified')`).
- Group.Read.All: Read all Microsoft 365 group content like conversations (`GET /groups/{id}/conversations`).
- Group.ReadWrite.All: Update group properties, like photo (`PUT /groups/{id}/photo/$value`).
- GroupMember.ReadWrite.All: Update group members (`POST /groups/{id}/members/$ref`).
  Note: This also requires User.ReadBasic.All to read the user to add as a member.
Application
- Group.Read.All: Find all groups with name that starts with 'Sales' (`GET /groups?$filter=startswith(displayName,'Sales')`).
- Group.ReadWrite.All: Daemon service creates new events on a Microsoft 365 group's calendar (`POST /groups/{id}/events`).
- Group.Create: Creates a new group (`POST /groups`).
For more complex scenarios involving multiple permissions, see Permission scenarios.
Identity provider permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
IdentityProvider.Read.All | Read identity provider information | Allows the app to read identity providers configured in your Azure AD or Azure AD B2C tenant on behalf of the signed-in user. | Yes | No |
IdentityProvider.ReadWrite.All | Read and write identity provider information | Allows the app to read or write identity providers configured in your Azure AD or Azure AD B2C tenant on behalf of the signed-in user. | Yes | No |
Remarks
IdentityProvider.Read.All and IdentityProvider.ReadWrite.All are valid only for work or school accounts. For an app to read or write identity providers with delegated permissions, the signed-in user must be assigned the Global Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.
Example usage
Delegated
The following usages are valid for both delegated permissions:
- IdentityProvider.Read.All: Read all identity providers configured in the tenant (`GET /beta/identityProviders`)
- IdentityProvider.Read.All: Read an existing identity provider (`GET /beta/identityProviders/{id}`)
- IdentityProvider.ReadWrite.All: Create an identity provider (`POST /beta/identityProviders`)
- IdentityProvider.ReadWrite.All: Update an existing identity provider (`PATCH /beta/identityProviders/{id}`)
- IdentityProvider.ReadWrite.All: Delete an existing identity provider (`DELETE /beta/identityProviders/{id}`)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Identity protection risk permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
IdentityRiskEvent.Read.All | Read identity risk event information | Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. | Yes | No |
IdentityRiskyUser.Read.All | Read identity user risk information | Allows the app to read identity user risk information for all users in your organization on behalf of the signed-in user. | Yes | No |
IdentityRiskyUser.ReadWrite.All | Read and update identity user risk information | Allows the app to read and update identity user risk information for all users in your organization on behalf of the signed-in user. | Yes | No |
IdentityRiskyServicePrincipal.Read.All | Read all risky service principal information | Allows the app to read all risky service principal information for your organization, on behalf of the signed-in user. | Yes | No |
IdentityRiskyServicePrincipal.ReadWrite.All | Read and write all risky service principal information | Allows the app to read and update risky service principal information for all service principals in your organization, on behalf of the signed-in user. Update operations include dismissing risky service principals. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
IdentityRiskEvent.Read.All | Read identity risk event information | Allows the app to read identity risk event information for all users in your organization without a signed-in user. | Yes |
IdentityRiskyUser.Read.All | Read identity user risk information | Allows the app to read identity user risk information for all users in your organization without a signed-in user. | Yes |
IdentityRiskyUser.ReadWrite.All | Read and update identity user risk information | Allows the app to read and update identity user risk information for all users in your organization without a signed-in user. | Yes |
IdentityRiskyServicePrincipal.Read.All | Read all risky service principal information | Allows the app to read all risky service principal information for your organization, without a signed-in user. | Yes |
IdentityRiskyServicePrincipal.ReadWrite.All | Read and write all risky service principal information | Allows the app to read and update risky service principal for your organization, without a signed-in user. | Yes |
All identity risk permissions are valid only for work or school accounts. For an app with delegated permissions to read identity risk information, the signed-in user must be a member of one of the following Azure AD administrator roles: Global Administrator, Security Administrator, or Security Reader.
Example usage
The following usages are valid for both delegated and application permissions:
Read risk events
- Read all risk events generated for all users in the tenant (`GET /identityProtection/riskDetections`)
- Read most recent 50 risk events (`GET /identityProtection/riskDetections?$orderBy=detectedDateTime desc&top=50`)
Read risky users
- Read all risky users and properties in the tenant (`GET /identityProtection/riskyUsers`)
- Read all risky users whose aggregate risk level is Medium (`GET /identityProtection/riskyUsers?$filter=riskLevel eq 'medium'`)
- Read the risk information for a specific user (`GET /identityProtection/riskyUsers?$filter=id eq 'userId'`)
Read risky service principals
- Read all risky service principals and properties in the tenant (`GET /identityProtection/riskyServicePrincipals`)
- Read all risky service principals whose aggregate risk level is Medium (`GET /identityProtection/riskyServicePrincipals?$filter=riskLevel eq 'medium'`)
- Read the risk information for a specific service principal (`GET /identityProtection/riskyServicePrincipals?$filter=id eq '{riskyServicePrincipalsId}'`)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Identity user flow permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
IdentityUserFlow.Read.All | Read all identity user flows in a tenant | Allows the app to read your organization's user flows. | Yes | No |
IdentityUserFlow.ReadWrite.All | Read and write all identity user flows in a tenant. | Allows the app to read or write your organization's user flows. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
IdentityUserFlow.Read.All | Read all identity user flows in a tenant | Allows the app to read your organization's user flows. | Yes | No |
IdentityUserFlow.ReadWrite.All | Read and write all identity user flows in a tenant. | Allows the app to read or write your organization's user flows. | Yes | No |
Remarks
IdentityUserFlow.Read.All and IdentityUserFlow.ReadWrite.All are valid only for work or school accounts.
For an app with delegated permissions to read user flows, the signed-in user must be a member of one of the following administrator roles: Global Administrator, External Identities User Flow Administrator, or Global Reader. For an app with delegated permissions to write user flows, the signed-in user must be a member of one of the following administrator roles: Global Administrator or External Identities User Flow Administrator.
For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.
Example usage
Delegated and Application
The following usages are valid for both delegated and application permissions:
- IdentityUserFlow.Read.All: Read all user flows in an Azure AD B2C tenant (`GET beta/identity/b2cUserFlows`)
- IdentityUserFlow.Read.All: Read all user flows in an Azure Active Directory (Azure AD) tenant (`GET beta/identity/b2xUserFlows`)
- IdentityUserFlow.Read.All: Read all user attribute assignments in an Azure AD B2C user flow (`GET beta/identity/b2cUserFlows/{id}/userAttributeAssignments`)
- IdentityUserFlow.ReadWrite.All: Create a new user flow in an Azure AD B2C tenant (`POST beta/identity/b2cUserFlows`)
- IdentityUserFlow.ReadWrite.All: Create a new user flow in an Azure Active Directory (Azure AD) tenant (`POST beta/identity/b2xUserflows`)
- IdentityUserFlow.ReadWrite.All: Add an identity provider to an Azure AD B2C user flow (`PATCH beta/identity/b2cUserFlows/{id}/identityProviders/$ref`)
- IdentityUserFlow.ReadWrite.All: Remove an identity provider from an Azure AD B2C user flow (`DELETE beta/identity/b2cUserFlows/{id}/identityProviders/{id}`)
- IdentityUserFlow.ReadWrite.All: Create a user attribute assignment in an Azure AD B2C user flow (`POST beta/identity/b2cUserFlows/{id}/userAttributeAssignments`)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Incidents permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
SecurityIncident.Read.All | Read incidents | Allows the app to read incidents, on behalf of the signed-in user. | Yes | No |
SecurityIncident.ReadWrite.All | Read and write to incidents | Allows the app to read and write incidents, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
SecurityIncident.Read.All | Read all incidents | Allows the app to read all incidents, without a signed-in user. | Yes |
SecurityIncident.ReadWrite.All | Read and write to all incidents | Allows the app to read and write to all incidents, without a signed-in user. | Yes |
Remarks
Incidents permissions are valid only on work or school accounts.
Example usage
Delegated
- SecurityIncident.Read.All: Read all incidents in an organization that the user is allowed to read (`GET /security/incidents`)
- SecurityIncident.ReadWrite.All: Read and write to all incidents in an organization that the user is allowed to read and write (`GET /security/incidents`)
Application
- SecurityIncident.Read.All: Read all incidents in an organization (`GET /security/incidents`)
- SecurityIncident.ReadWrite.All: Read and write to all incidents in an organization (`GET /security/incidents`)
Industry data permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
IndustryData.ReadBasic.All | Read basic industry data service and resource definitions | Allows the app to read basic industry data service and resource information on behalf of the signed-in user. | No | No |
IndustryData-DataConnector.Read.All | View data connector definitions | Allows the app to read data connectors on behalf of the signed-in user. | Yes | No |
IndustryData-DataConnector.ReadWrite.All | Manage data connector definitions | Allows the app to read and write data connectors on behalf of the signed-in user. | Yes | No |
IndustryData-DataConnector.Upload | Upload files to a data connector | Allows the app to upload data files to a data connector on behalf of the signed-in user. | Yes | No |
IndustryData-InboundFlow.Read.All | View inbound flow definitions | Allows the app to read inbound data flows on behalf of the signed-in user. | Yes | No |
IndustryData-InboundFlow.ReadWrite.All | Manage inbound flow definitions | Allows the app to read and write inbound data flows on behalf of the signed-in user. | Yes | No |
IndustryData-ReferenceDefinition.Read.All | View reference definitions | Allows the app to read reference definitions on behalf of the signed-in user. | Yes | No |
IndustryData-Run.Read.All | View current and previous runs | Allows the app to read current and previous industry data runs on behalf of the signed-in user. | Yes | No |
IndustryData-SourceSystem.Read.All | View source system definitions | Allows the app to read source system definitions on behalf of the signed-in user. | Yes | No |
IndustryData-SourceSystem.ReadWrite.All | Manage source system definitions | Allows the app to read and write source system definitions on behalf of the signed-in user. | Yes | No |
IndustryData-TimePeriod.Read.All | Read time period definitions | Allows the app to read time period definitions on behalf of the signed-in user. | Yes | No |
IndustryData-TimePeriod.ReadWrite.All | Manage time period definitions | Allows the app to read and write time period definitions on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
IndustryData.ReadBasic.All | View basic service and resource information | Allows the app to read basic service and resource information without a signed-in user. | No |
IndustryData-DataConnector.Read.All | View data connector definitions | Allows the app to read data connectors without a signed-in user. | Yes |
IndustryData-DataConnector.ReadWrite.All | Manage data connector definitions | Allows the app to read and write data connectors without a signed-in user. | Yes |
IndustryData-DataConnector.Upload | Upload files to a data connector | Allows the app to upload data files to a data connector without a signed-in user. | Yes |
IndustryData-InboundFlow.Read.All | View inbound flow definitions | Allows the app to read inbound data flows without a signed-in user. | Yes |
IndustryData-InboundFlow.ReadWrite.All | Manage inbound flow definitions | Allows the app to read and write inbound data flows without a signed-in user. | Yes |
IndustryData-ReferenceDefinition.Read.All | View reference definitions | Allows the app to read reference definitions without a signed-in user. | Yes |
IndustryData-Run.Read.All | View current and previous runs | Allows the app to read current and previous industry data runs without a signed-in user. | Yes |
IndustryData-SourceSystem.Read.All | View source system definitions | Allows the app to read source system definitions without a signed-in user. | Yes |
IndustryData-SourceSystem.ReadWrite.All | Manage source system definitions | Allows the app to read and write source system definitions without a signed-in user. | Yes |
IndustryData-TimePeriod.Read.All | Read time period definitions | Allows the app to read time period definitions without a signed-in user. | Yes |
IndustryData-TimePeriod.ReadWrite.All | Manage time period definitions | Allows the app to read and write time period definitions without a signed-in user. | Yes |
Information protection policy permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
InformationProtectionPolicy.Read | Read user sensitivity labels and label policies | Allows an app to read information protection sensitivity labels and label policy settings, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
InformationProtectionPolicy.Read.All | Read all published labels and label policies for an organization | Allows an app to read published sensitivity labels and label policy settings for the entire organization or a specific user, without a signed-in user. | Yes |
Intune device management permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
DeviceManagementApps.Read.All | Read Microsoft Intune apps | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | Yes | No |
DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | Yes | No |
DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Yes | No |
DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune device configuration and policies | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Yes | No |
DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. | Yes | No |
DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune. | Yes | No |
DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices | Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device's owner. | Yes | No |
DeviceManagementRBAC.Read.All | Read Microsoft Intune RBAC settings | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | Yes | No |
DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | Yes | No |
DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration | Allows the app to read Intune service properties including device enrollment and third party service connection configuration. | Yes | No |
DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration | Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
DeviceManagementApps.Read.All | Read Microsoft Intune apps | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | Yes | No |
DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | Yes | No |
DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Yes | No |
DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune device configuration and policies | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Yes | No |
DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. | Yes | No |
DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune. | Yes | No |
DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices | Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device's owner. | Yes | No |
DeviceManagementRBAC.Read.All | Read Microsoft Intune RBAC settings | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | Yes | No |
DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | Yes | No |
DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration | Allows the app to read Intune service properties including device enrollment and third party service connection configuration. | Yes | No |
DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration | Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration. | Yes | No |
Remarks
Note: Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.
These permissions are only valid for work or school accounts.
Example usage
Delegated
- DeviceManagementServiceConfig.Read.All: Check the current state of the Intune subscription (GET /deviceManagement/subscriptionState).
- DeviceManagementServiceConfig.ReadWrite.All: Create new Terms and Conditions (POST /deviceManagement/termsAndConditions).
- DeviceManagementConfiguration.Read.All: Find the status of a device configuration (GET /deviceManagement/deviceConfigurations/{id}/deviceStatuses).
- DeviceManagementConfiguration.ReadWrite.All: Assign a device compliance policy to a group (POST deviceCompliancePolicies/{id}/assign).
- DeviceManagementApps.Read.All: Find all the Windows Store apps published to Intune (GET /deviceAppManagement/mobileApps?$filter=isOf('microsoft.graph.windowsStoreApp')).
- DeviceManagementApps.ReadWrite.All: Publish a new application (POST /deviceAppManagement/mobileApps).
- DeviceManagementRBAC.Read.All: Find a role assignment by name (GET /deviceManagement/roleAssignments?$filter=displayName eq 'My Role Assignment').
- DeviceManagementRBAC.ReadWrite.All: Create a new custom role (POST /deviceManagement/roleDefinitions).
- DeviceManagementManagedDevices.Read.All: Find a managed device by name (GET /managedDevices/?$filter=deviceName eq 'My Device').
- DeviceManagementManagedDevices.ReadWrite.All: Remove a managed device (DELETE /managedDevices/{id}).
- DeviceManagementManagedDevices.PrivilegedOperations.All: Reset the passcode on a user's managed device (POST /managedDevices/{id}/resetPasscode).
Application
- DeviceManagementServiceConfig.Read.All: Check the current state of the Intune subscription (GET /deviceManagement/subscriptionState).
- DeviceManagementServiceConfig.ReadWrite.All: Create new Terms and Conditions (POST /deviceManagement/termsAndConditions).
- DeviceManagementConfiguration.Read.All: Find the status of a device configuration (GET /deviceManagement/deviceConfigurations/{id}/deviceStatuses).
- DeviceManagementConfiguration.ReadWrite.All: Assign a device compliance policy to a group (POST deviceCompliancePolicies/{id}/assign).
- DeviceManagementApps.Read.All: Find all the Windows Store apps published to Intune (GET /deviceAppManagement/mobileApps?$filter=isOf('microsoft.graph.windowsStoreApp')).
- DeviceManagementApps.ReadWrite.All: Publish a new application (POST /deviceAppManagement/mobileApps).
- DeviceManagementRBAC.Read.All: Find a role assignment by name (GET /deviceManagement/roleAssignments?$filter=displayName eq 'My Role Assignment').
- DeviceManagementRBAC.ReadWrite.All: Create a new custom role (POST /deviceManagement/roleDefinitions).
- DeviceManagementManagedDevices.Read.All: Find a managed device by name (GET /managedDevices/?$filter=deviceName eq 'My Device').
- DeviceManagementManagedDevices.ReadWrite.All: Remove a managed device (DELETE /managedDevices/{id}).
- DeviceManagementManagedDevices.PrivilegedOperations.All: Reset the passcode on a user's managed device (POST /managedDevices/{id}/resetPasscode).
For more complex scenarios involving multiple permissions, see Permission scenarios.
Lifecycle workflows permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
LifecycleWorkflows.Read.All | Read all lifecycle workflows resources | Allows the app to list and read all workflows, tasks and related lifecycle workflows resources on behalf of the signed-in user. | Yes | No |
LifecycleWorkflows.ReadWrite.All | Read and write all lifecycle workflows resources | Allows the app to create, update, list, read and delete all workflows, tasks and related lifecycle workflows resources on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
LifecycleWorkflows.Read.All | Read all lifecycle workflows resources | Allows the app to list and read all workflows, tasks and related lifecycle workflows resources without a signed-in user. | Yes |
LifecycleWorkflows.ReadWrite.All | Read and write all lifecycle workflows resources | Allows the app to create, update, list, read and delete all workflows, tasks and related lifecycle workflows resources without a signed-in user. | Yes |
Mail permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Mail.Read | Read user mail | Allows the app to read email in user mailboxes. | No | Yes |
Mail.ReadBasic | Read user basic mail | Allows the app to read email in the signed-in user's mailbox, except for body, bodyPreview, uniqueBody, attachments, extensions, and any extended properties. Does not include permissions to search messages. | No | No |
Mail.ReadWrite | Read and write access to user mail | Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. | No | Yes |
Mail.Read.Shared | Read user and shared mail | Allows the app to read mail that the user can access, including the user's own and shared mail. | No | No |
Mail.ReadWrite.Shared | Read and write user and shared mail | Allows the app to create, read, update, and delete mail that the user has permission to access, including the user's own and shared mail. Does not include permission to send mail. | No | No |
Mail.Send | Send mail as a user | Allows the app to send mail as users in the organization. | No | Yes |
Mail.Send.Shared | Send mail on behalf of others | Allows the app to send mail as the signed-in user, including sending on-behalf of others. | No | No |
MailboxSettings.Read | Read user mailbox settings | Allows the app to read the user's mailbox settings. Does not include permission to send mail. | No | Yes |
MailboxSettings.ReadWrite | Read and write user mailbox settings | Allows the app to create, read, update, and delete user's mailbox settings. Does not include permission to directly send mail, but allows the app to create rules that can forward or redirect messages. | No | Yes |
IMAP.AccessAsUser.All | Read and write access to user mail via IMAP | Allows the app to read, update, create and delete email in user mailboxes. Does not include permission to send mail. | No | Yes |
POP.AccessAsUser.All | Read and write access to user mail via POP | Allows the app to read, update, create and delete email in user mailboxes. Does not include permission to send mail. | No | Yes |
SMTP.Send | Send mail as a user using SMTP AUTH | Allows the app to send mail as users in the organization. | No | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Mail.Read | Read mail in all mailboxes | Allows the app to read mail in all mailboxes without a signed-in user. | Yes |
Mail.ReadBasic.All | Read all users basic mail | Allows the app to read all users mailboxes except Body, BodyPreview, UniqueBody, Attachments, ExtendedProperties, and Extensions. Does not include permissions to search messages. | Yes |
Mail.ReadWrite | Read and write mail in all mailboxes | Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. | Yes |
Mail.Send | Send mail as any user | Allows the app to send mail as any user without a signed-in user. | Yes |
MailboxSettings.Read | Read all user mailbox settings | Allows the app to read user's mailbox settings without a signed-in user. Does not include permission to send mail. | Yes |
MailboxSettings.ReadWrite | Read and write all user mailbox settings | Allows the app to create, read, update, and delete user's mailbox settings without a signed-in user. Does not include permission to send mail. | Yes |
Important: Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the application permissions of Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, or MailboxSettings.ReadWrite.
Remarks
Mail.Read.Shared, Mail.ReadWrite.Shared, and Mail.Send.Shared are only valid for work or school accounts. All other permissions are valid for both Microsoft accounts and work or school accounts.
With the Mail.Send or Mail.Send.Shared permission, an app can send mail and save a copy to the user's Sent Items folder, even if the app does not use a corresponding Mail.ReadWrite or Mail.ReadWrite.Shared permission.
Example usage
Delegated
- Mail.Read: List messages in the user's inbox, sorted by receivedDateTime (GET /me/mailfolders/inbox/messages?$orderby=receivedDateTime DESC).
- Mail.Read.Shared: Find all messages with attachments in the inbox of a user who has shared their inbox with the signed-in user (GET /users/{id | userPrincipalName}/mailfolders/inbox/messages?$filter=hasAttachments eq true).
- Mail.ReadWrite: Mark a message read (PATCH /me/messages/{id}).
- Mail.Send: Send a message (POST /me/sendmail).
- MailboxSettings.ReadWrite: Update the user's automatic reply (PATCH /me/mailboxSettings).
Application
- Mail.Read: Find messages from bob@contoso.com (GET /users/{id | userPrincipalName}/messages?$filter=from/emailAddress/address eq 'bob@contoso.com').
- Mail.ReadWrite: Create a new folder in the Inbox named Expense Reports (POST /users/{id | userPrincipalName}/mailfolders).
- Mail.Send: Send a message (POST /users/{id | userPrincipalName}/sendmail).
- MailboxSettings.Read: Get the default timezone for the user's mailbox (GET /users/{id | userPrincipalName}/mailboxSettings/timeZone).
For more complex scenarios involving multiple permissions, see Permission scenarios.
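For a consent-policy review, the tables on this page can be processed directly. The following added example (not part of the original reference) parses the pipe-delimited table layout used here, tolerating a row that has wrapped onto a second line, and lists the permissions that a user can consent to without an administrator and that allow more than read access. The function names and the name-segment heuristic are assumptions of this example; the sample rows are copied from the delegated tables on this page, with the Mail.Send row wrapped deliberately.

```python
import re

# Rows copied from the delegated tables on this page. The Mail.Send row is
# wrapped onto a second line on purpose (constructed) to exercise the parser.
SAMPLE_TABLE = """\
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Mail.Read | Read user mail | Allows the app to read email in user mailboxes. | No | Yes |
Mail.ReadWrite | Read and write access to user mail | Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. | No | Yes |
Mail.Send | Send mail as a user | Allows the app to send mail as users in the organization. |
No | Yes |
MailboxSettings.ReadWrite | Read and write user mailbox settings | Allows the app to create, read, update, and delete user's mailbox settings. Does not include permission to directly send mail, but allows the app to create rules that can forward or redirect messages. | No | Yes |
IMAP.AccessAsUser.All | Read and write access to user mail via IMAP | Allows the app to read, update, create and delete email in user mailboxes. Does not include permission to send mail. | No | Yes |
LifecycleWorkflows.ReadWrite.All | Read and write all lifecycle workflows resources | Allows the app to create, update, list, read and delete all workflows, tasks and related lifecycle workflows resources on behalf of the signed-in user. | Yes | No |
"""

# Assumption of this example: these name segments mark a permission that can
# change data, send mail, or act with the user's full protocol access.
MODIFYING_SEGMENTS = {"ReadWrite", "Send", "AccessAsUser"}

_SEPARATOR = re.compile(r"[\s|:-]+")


def _cells(line):
    """Split one table line into trimmed cells, ignoring the trailing pipe."""
    cells = [cell.strip() for cell in line.strip().split("|")]
    if cells and cells[-1] == "":
        cells.pop()
    return cells


def parse_permission_table(text):
    """Return one dict per permission row, keyed by the header names."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty table")
    header = _cells(lines[0])
    rows, pending = [], []
    for line in lines[1:]:
        if _SEPARATOR.fullmatch(line):
            continue  # the ---|---| rule under the header
        pending += _cells(line)
        if len(pending) < len(header):
            continue  # row wrapped onto the next line; keep collecting cells
        if len(pending) > len(header):
            raise ValueError(f"too many cells in row starting {pending[0]!r}")
        rows.append(dict(zip(header, pending)))
        pending = []
    if pending:
        raise ValueError(f"incomplete row starting {pending[0]!r}")
    return rows


def can_modify(permission):
    """True when a dot-separated segment of the name is a modifying one."""
    return any(seg in MODIFYING_SEGMENTS for seg in permission.split("."))


def user_consentable_write(rows):
    """Permissions a user can grant alone that allow more than reading."""
    return [
        row["Permission"]
        for row in rows
        if row["Admin Consent Required"].lower() == "no"
        and can_modify(row["Permission"])
    ]


if __name__ == "__main__":
    for name in user_consentable_write(parse_permission_table(SAMPLE_TABLE)):
        print(name)
```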
Managed tenant permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ManagedTenants.Read.All | Read all managed tenant specific information | Allows the app to read all managed tenant information on behalf of the signed-in user. | Yes | No |
ManagedTenants.ReadWrite.All | Read and write all managed tenant specific information | Allows the app to read and write all managed tenant information on behalf of the signed-in user. | Yes | No |
Application permissions
None.
Member permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Member.Read.Hidden | Read hidden memberships | Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Member.Read.Hidden | Read all hidden memberships | Allows the app to read the memberships of hidden groups and administrative units without a signed-in user. | Yes |
Remarks
Member.Read.Hidden is valid only on work or school accounts.
Membership in some Microsoft 365 groups can be hidden. This means that only the members of the group can view its members. This feature can be used to help comply with regulations that require an organization to hide group membership from outsiders (for example, a Microsoft 365 group that represents students enrolled in a class).
Example usage
Delegated
- Member.Read.Hidden: Read the members of an administrative unit with hidden membership on behalf of the signed-in user (GET /administrativeUnits/{id}/members).
- Member.Read.Hidden: Read the members of a group with hidden membership on behalf of the signed-in user (GET /groups/{id}/members).
Application
- Member.Read.Hidden: Read the members of an administrative unit with hidden membership (GET /administrativeUnits/{id}/members).
- Member.Read.Hidden: Read the members of a group with hidden membership (GET /groups/{id}/members).
For more complex scenarios involving multiple permissions, see Permission scenarios.
Notes permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Notes.Read | Read user OneNote notebooks | Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user. | No | Yes |
Notes.Create | Create user OneNote notebooks | Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user. | No | Yes |
Notes.ReadWrite | Read and write user OneNote notebooks | Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user. | No | Yes |
Notes.Read.All | Read all OneNote notebooks that user can access | Allows the app to read OneNote notebooks that the signed-in user has access to in the organization. | No | No |
Notes.ReadWrite.All | Read and write all OneNote notebooks that user can access | Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization. | No | No |
Notes.ReadWrite.CreatedByApp | Limited notebook access (deprecated) | Deprecated. Do not use. No privileges are granted by this permission. | No | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Notes.Read.All | Read all OneNote notebooks | Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. | Yes |
Notes.ReadWrite.All | Read and write all OneNote notebooks | Allows the app to read, share, and modify all the OneNote notebooks in your organization, without a signed-in user. | Yes |
Remarks
Notes.Read.All and Notes.ReadWrite.All are only valid for work or school accounts. All other permissions are valid for both Microsoft accounts and work or school accounts.
With the Notes.Create permission, an app can view the OneNote notebook hierarchy of the signed-in user and create OneNote content (notebooks, section groups, sections, pages, and so on).
Notes.ReadWrite and Notes.ReadWrite.All also allow the app to modify the permissions on the OneNote content that can be accessed by the signed-in user.
For work or school accounts, Notes.Read.All and Notes.ReadWrite.All allow the app to access other users' OneNote content that the signed-in user has permission to within the organization.
Example usage
Delegated
- Notes.Create: Create a new notebook for the signed-in user (POST /me/onenote/notebooks).
- Notes.Read: Read the notebooks for the signed-in user (GET /me/onenote/notebooks).
- Notes.Read.All: Get all notebooks that the signed-in user has access to within the organization (GET /me/onenote/notebooks?includesharednotebooks=true).
- Notes.ReadWrite: Update the page of the signed-in user (PATCH /me/onenote/pages/{id}/$value).
- Notes.ReadWrite.All: Create a page in another user's notebook that the signed-in user has access to within the organization (POST /users/{id}/onenote/pages).
Application
- Notes.Read.All: Read all users' notebooks in a group (GET /groups/{id}/onenote/notebooks).
- Notes.ReadWrite.All: Update the page in a notebook for any user in the organization (PATCH /users/{id}/onenote/pages/{id}/$value).
For more complex scenarios involving multiple permissions, see Permission scenarios.
Notifications permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Notifications.ReadWrite.CreatedByApp | Deliver and manage notifications for this app. | Allow the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user's notification items for this app. | No |
Remarks
Notifications.ReadWrite.CreatedByApp is valid for both Microsoft accounts and work or school accounts. The CreatedByApp constraint associated with this permission indicates that the service will apply implicit filtering to results based on the identity of the calling app, either the Microsoft account app ID or a set of app IDs configured for a cross-platform application identity.
Example usage
Delegated
- Notifications.ReadWrite.CreatedByApp: Publish a user-centric notification, which might then be delivered to the user's multiple application clients running on different endpoints. (POST /me/notifications/).
Online meetings permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
OnlineMeetings.Read | Read Online Meeting. | Allows an app to read online meeting details on behalf of the signed-in user. | No | No |
OnlineMeetings.ReadWrite | Read and Create Online Meetings. | Allows an app to create and read online meetings on behalf of the signed-in user. | No | No |
OnlineMeetingArtifact.Read.All | Read Online Meeting artifacts. | Allows the app to read online meeting artifacts on behalf of the signed-in user. | No | No |
OnlineMeetingTranscript.Read.All | Read all transcripts of online meetings. | Allows the app to read all transcripts of online meetings on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
OnlineMeetings.Read.All | Read Online Meeting details from the app | Allows the app to read Online Meeting details in your organization without a signed-in user. | Yes |
OnlineMeetings.ReadWrite.All | Read Online Meeting details from the app | Allows an app to create and read Online Meetings without a signed-in user. | Yes |
OnlineMeetingArtifact.Read.All | Read Online Meeting artifacts from the app | Allows the app to read Online Meeting artifacts in your organization, without a signed-in user. | Yes |
OnlineMeetingTranscript.Read.All | Read all transcripts of online meetings. | Allows the app to read all transcripts of all online meetings, without a signed-in user. | Yes |
Important: Administrators can configure application access policy to allow apps to access online meetings on behalf of a user.
Example usage
Delegated
- OnlineMeetings.Read: Retrieve the properties and relationships of an online meeting (GET /beta/communications/onlinemeetings/{default id}).
- OnlineMeetings.ReadWrite: Create an online meeting (POST /beta/communications/onlinemeetings).
Application
- OnlineMeetings.Read.All
  - Retrieve the properties and relationships of an online meeting (GET /beta/communications/onlinemeetings/?$filter=VideoTeleconferenceId%20eq%20'{id}').
  - Retrieve an online meeting on behalf of a user (GET /beta/users/{userId}/onlineMeetings/{id}).
- OnlineMeetings.ReadWrite.All
  - Create an online meeting on behalf of a user (POST /beta/users/{userId}/onlineMeetings/).
  - Update an online meeting on behalf of a user (PATCH /beta/users/{userId}/onlineMeetings/{id}).
  - Delete an online meeting on behalf of a user (DELETE /beta/users/{userId}/onlineMeetings/{id}).
Note: Creating an online meeting creates a meeting on behalf of a user, but does not show it on the user's Calendar.
For more complex scenarios involving multiple permissions, see Permission scenarios.
On-premises directory synchronization permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
OnPremDirectorySynchronization.Read.All | Read all on-premises directory synchronization information | Allows the app to read all on-premises directory synchronization information for the organization, on behalf of the signed-in user | Yes | No |
OnPremDirectorySynchronization.ReadWrite.All | Read and write all on-premises directory synchronization information | Allows the app to read and write all on-premises directory synchronization information for the organization, on behalf of the signed-in user | Yes | No |
Application permissions
None.
On-premises publishing profiles permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
OnPremisesPublishingProfiles.ReadWrite.All | Access On-Premises Publishing Profiles | Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on behalf of the signed-in user. | No | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
OnPremisesPublishingProfiles.ReadWrite.All | Access On-Premises Publishing Profiles | Allows the app to create, view, update and delete on-premises published resources, on-premises agents and agent groups, as part of a hybrid identity configuration, without a signed-in user. | Yes | No |
OpenID Connect (OIDC) scopes
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
email | View users' email address | Allows the app to read your users' primary email address. | No | Yes |
offline_access | Access user's data anytime | Allows the app to read and update user data, even when they are not currently using the app. | No | Yes |
openid | Sign users in | By using this permission, an app can receive a unique identifier for the user in the form of the sub claim. The permission also gives the app access to the UserInfo endpoint. The openid scope can be used at the Microsoft identity platform token endpoint to acquire ID tokens. The app can use these tokens for authentication. | No | Yes |
profile | View users' basic profile | Allows the app to see your users' basic profile (name, picture, user name). | No | Yes |
Remarks
You can use these scopes to specify artifacts that you want returned in Azure AD authorization and token requests. They are supported differently by the Azure AD v1.0 and v2.0 endpoints.
With the Azure AD v1.0 endpoint, only the openid scope is used. You specify it in the scope parameter in an authorization request to return an ID token when you use the OpenID Connect protocol to sign in a user to your app. For more information, see Authorize access to web applications using OpenID Connect and Azure Active Directory. To successfully return an ID token, you must also make sure that the User.Read permission is configured when you register your app.
With the Azure AD v2.0 endpoint, you specify the offline_access scope in the scope parameter to explicitly request a refresh token when using the OAuth 2.0 or OpenID Connect protocols. With OpenID Connect, you specify the openid scope to request an ID token. You can also specify the email scope, profile scope, or both to return additional claims in the ID token. You do not need to specify the User.Read permission to return an ID token with the v2.0 endpoint. For more information, see OpenID Connect scopes.
Important
The Microsoft Authentication Library (MSAL) currently specifies offline_access, openid, profile, and email by default in authorization and token requests. This means that, for the default case, if you specify these scopes explicitly, Azure AD may return an error.
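The v2.0 scope rules in the remarks above, as an added example (not code from this page or from Microsoft): it composes the scope parameter for a raw v2.0 authorization-code request and strips the default scopes before a list is handed to MSAL. The tenant, client ID and redirect URI passed in are placeholders the caller supplies, and the helper names are hypothetical.

```python
import secrets
from urllib.parse import urlencode

# The four OpenID Connect scopes from the table above.
OIDC_SCOPES = ("openid", "offline_access", "profile", "email")


def build_v2_authorize_url(tenant, client_id, redirect_uri, resource_scopes=(),
                           id_token=True, refresh_token=False, claims=()):
    """Return (url, state, nonce) for a v2.0 authorization-code request."""
    scopes = []
    if id_token:
        scopes.append("openid")            # requests an ID token
        for claim_scope in claims:         # email / profile add claims to it
            if claim_scope not in ("email", "profile"):
                raise ValueError(f"not an ID token claim scope: {claim_scope}")
            scopes.append(claim_scope)
    elif claims:
        # This example's policy: email/profile are requested for the ID token,
        # so asking for them without openid is treated as a caller mistake.
        raise ValueError("email/profile were requested without openid")
    if refresh_token:
        scopes.append("offline_access")    # explicit on v2.0, never implied
    scopes.extend(s for s in resource_scopes if s not in scopes)

    # Fresh per-request values: state ties the response to this request,
    # nonce is echoed in the ID token so the app can reject replays.
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    })
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{query}"
    return url, state, nonce


def scopes_for_msal(requested):
    """Drop the scopes MSAL already sends by default, keeping the order."""
    return [s for s in requested if s.lower() not in OIDC_SCOPES]
```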
Organization permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Organization.Read.All | Read organization information | Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes | No |
Organization.ReadWrite.All | Read and write organization information | Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Organization.Read.All | Read organization information | Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes |
Organization.ReadWrite.All | Read and write organization information | Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes |
Example usage
Delegated
- Organization.Read.All: Get organization information (GET /organization).
- Organization.Read.All: Get the SKUs that the organization has subscribed to (GET /subscribedSkus).
Application
- Organization.ReadWrite.All: Update organization information (such as technicalNotificationMails) (PATCH /organization/{id}).
Organizational contact permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
OrgContact.Read.All | Read organizational contacts | Allows the app to read all organizational contacts on behalf of the signed-in user. These contacts are managed by the organization and are different from a user's personal contacts. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
OrgContact.Read.All | Read organizational contacts | Allows the app to read all organizational contacts without a signed-in user. These contacts are managed by the organization and are different from a user's personal contacts. | Yes |
Example usage
Delegated
- OrgContact.Read.All: Get all organizational contacts (GET /contacts).
People permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
People.Read | Read users' relevant people lists | Allows the app to read a scored list of people relevant to the signed-in user. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). | No | Yes |
People.Read.All | Read all users' relevant people lists | Allows the app to read a scored list of people relevant to the signed-in user or other users in the signed-in user's organization. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). Also allows the app to search the entire directory of the signed-in user's organization. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
People.Read.All | Read all users' relevant people lists | Allows the app to read a scored list of people relevant to the signed-in user or other users in the signed-in user's organization. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). Also allows the app to search the entire directory of the signed-in user's organization. | Yes |
Remarks
The People.Read.All permission is only valid for work and school accounts.
Example usage
Delegated
- People.Read: Read a list of relevant people (GET /me/people)
- People.Read.All: Read a list of relevant people to another user in the same organization (GET /users('{id}')/people)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Privileged access permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
PrivilegedAccess.ReadWrite.AzureAD | Read and write Privileged Identity Management data for Directory | Allows the app to have read and write access to Privileged Identity Management APIs for Azure AD. | Yes | No |
PrivilegedAccess.ReadWrite.AzureADGroup | Read and write Privileged Identity Management data for privileged access groups | Allows the app to have read and write access to Privileged Identity Management APIs for groups. | Yes | No |
PrivilegedAccess.ReadWrite.AzureResources | Read and write Privileged Identity Management data for Azure Resources | Allows the app to have read and write access to Privileged Identity Management APIs for Azure resources. | Yes | No |
PrivilegedAssignmentSchedule.Read.AzureADGroup | Read assignment schedules for access to Azure AD groups | Allows the app to read time-based assignment schedules for access to Azure AD groups, on behalf of the signed-in user. | Yes | No |
PrivilegedEligibilitySchedule.Read.AzureADGroup | Read eligibility schedules for access to Azure AD groups | Allows the app to read time-based eligibility schedules for access to Azure AD groups, on behalf of the signed-in user. | Yes | No |
PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup | Read, create, and delete assignment schedules for access to Azure AD groups | Allows the app to read, create, and delete time-based assignment schedules for access to Azure AD groups, on behalf of the signed-in user. | Yes | No |
PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup | Read, create, and delete eligibility schedules for access to Azure AD groups | Allows the app to read, create, and delete time-based eligibility schedules for access to Azure AD groups, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
PrivilegedAccess.Read.AzureAD | Read Privileged Identity Management data for Directory | Allows the app to have read access to Privileged Identity Management APIs for Azure AD. | Yes |
PrivilegedAccess.Read.AzureADGroup | Read Privileged Identity Management data for privileged access groups | Allows the app to have read access to Privileged Identity Management APIs for groups. | Yes |
PrivilegedAccess.Read.AzureResources | Read Privileged Identity Management data for Azure resources | Allows the app to have read access to Privileged Identity Management APIs for Azure AD resources. | Yes |
PrivilegedAssignmentSchedule.Read.AzureADGroup | Read assignment schedules for access to Azure AD groups | Allows the app to read time-based assignment schedules for access to Azure AD groups, without a signed-in user. | Yes |
PrivilegedEligibilitySchedule.Read.AzureADGroup | Read eligibility schedules for access to Azure AD groups | Allows the app to read time-based eligibility schedules for access to Azure AD groups, without a signed-in user. | Yes |
PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup | Read, create, and delete assignment schedules for access to Azure AD groups | Allows the app to read, create, and delete time-based assignment schedules for access to Azure AD groups, without a signed-in user. | Yes |
PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup | Read, create, and delete eligibility schedules for access to Azure AD groups | Allows the app to read, create, and delete time-based eligibility schedules for access to Azure AD groups, without a signed-in user. | Yes |
Places permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Place.Read.All | Read all company places | Allows the app to read company places (conference rooms and room lists) set up in Exchange Online for the tenant. | Yes | No |
Place.ReadWrite.All | Read and write all company places | Allows the app to read and write company places (conference rooms and room lists) set up in Exchange Online for the tenant. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Place.Read.All | Read all company places | Allows the app to read company places (conference rooms and room lists) for calendar events and other applications. | Yes |
Policy permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Policy.Read.All | Read your organization's policies | Allows the app to read your organization's policies on behalf of the signed-in user. | Yes | No |
Policy.Read.PermissionGrant | Read consent and permission grant policies | Allows the app to read policies related to consent and permission grants for applications, on behalf of the signed-in user. | Yes | No |
Policy.ReadWrite.AccessReview | Read and write your organization's access review policy | Allows the app to read and write your organization's access review policy on behalf of the signed-in user. | Yes | No |
Policy.ReadWrite.ApplicationConfiguration | Read and write your organization's application configuration policies | Allows the app to read and write your organization's application configuration policies on behalf of the signed-in user. | Yes | No |
Policy.ReadWrite.AuthenticationFlows | Read and write your organization's authentication flow policies | Allows the app to read and write the authentication flow policies, on behalf of the signed-in user. | Yes | No |
Policy.ReadWrite.AuthenticationMethod | Read and write authentication method policies | Allows the app to read and write the authentication method policies, on behalf of the signed-in user. The signed-in user must also be assigned the Global Administrator role. | Yes | No |
Policy.ReadWrite.Authorization | Read and write your organization's authorization policy | Allows the app to read and write your organization's authorization policy on behalf of the signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. | Yes | No |
Policy.ReadWrite.ConditionalAccess | Read and write your organization's conditional access policies | Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user. | Yes | No |
Policy.ReadWrite.ConsentRequest | Read and write your organization's consent requests policy | Allows the app to read and write your organization's consent requests policy on behalf of the signed-in user. | Yes | No |
Policy.ReadWrite.CrossTenantAccess | Read and write your organization's cross-tenant access policy | Allows the app to read and write your organization's cross-tenant access policy on behalf of the signed-in user. | Yes | No |
Policy.ReadWrite.FeatureRollout | Read and write your organization's feature rollout policies | Allows the app to read and write your organization's feature rollout policies on behalf of the signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature. | Yes | No |
Policy.ReadWrite.PermissionGrant | Manage consent and permission grant policies | Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user. | Yes | No |
Policy.ReadWrite.TrustFramework | Read and write your organization's trust framework policies | Allows the app to read and write your organization's trust framework policies on behalf of the signed-in user. | Yes | No |
Policy.ReadWrite.AuthenticationMethod | Read and write your organization's authentication method policies | Allows the app to read and write the authentication method policies, on behalf of the signed-in user. | Yes | No |
Policy.ReadWrite.MobilityManagement | Read and write your organization's mobility management policies. | Allows the app to read and write the mobility management policies on behalf of the signed-in user. These control the settings for mobile device management (MDM) and mobile application management (MAM) applications. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Policy.Read.All | Read your organization's policies | Allows the app to read all your organization's policies without a signed-in user. | Yes |
Policy.Read.PermissionGrant | Read consent and permission grant policies | Allows the app to read policies related to consent and permission grants for applications, without a signed-in user. | Yes |
Policy.Read.ApplicationConfiguration | Read your organization's application configuration policies | Allows the app to read all your organization's application configuration policies without a signed-in user. | Yes |
Policy.ReadWrite.AccessReview | Read and write your organization's access review policy | Allows the app to read and write your organization's access review policy, without a signed-in user. | Yes |
Policy.ReadWrite.ApplicationConfiguration | Read and write your organization's application configuration policies | Allows the app to read and write your organization's application configuration policies, without a signed-in user. | Yes |
Policy.ReadWrite.AuthenticationFlows | Read and write your organization's authentication flow policies | Allows the app to read and write the authentication flow policies for the tenant, without a signed-in user. | Yes |
Policy.ReadWrite.Authorization | Read and write your organization's authorization policy | Allows the app to read and write your organization's authorization policy on behalf of the signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. | Yes |
Policy.ReadWrite.ConsentRequest | Read and write your organization's consent requests policy | Allows the app to read and write your organization's consent requests policy without a signed-in user. | Yes |
Policy.ReadWrite.CrossTenantAccess | Read and write your organization's cross-tenant access policy | Allows the app to read and write your organization's cross-tenant access policy without a signed-in user. | Yes |
Policy.ReadWrite.AuthenticationMethod | Read and write all authentication method policies | Allows the app to read and write all authentication method policies for the tenant, without a signed-in user. | Yes |
Policy.ReadWrite.FeatureRollout | Read and write feature rollout policies | Allows the app to read and write feature rollout policies without a signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature. | Yes |
Policy.ReadWrite.PermissionGrant | Manage consent and permission grant policies | Allows the app to manage policies related to consent and permission grants for applications, without a signed-in user. | Yes |
Policy.ReadWrite.TrustFramework | Read and write your organization's trust framework policies | Allows the app to read and write your organization's trust framework policies without a signed-in user. | Yes |
Example usage
The following usages are valid for both delegated and application permissions:
- Policy.Read.All: Read your organization's policies (GET /policies)
- Policy.Read.All: Read your organization's trust framework policies (GET /beta/trustFramework/policies)
- Policy.Read.All: Read your organization's feature rollout policies (GET /beta/directory/featureRolloutPolicies)
- Policy.ReadWrite.AccessReview: Read and write your organization's access review policies (PATCH /beta/policies/accessReviewPolicy)
- Policy.ReadWrite.ApplicationConfiguration: Read and write your organization's application configuration policies (POST /beta/policies/tokenLifetimePolicies)
- Policy.ReadWrite.AuthenticationFlows: Read and write your organization's authentication flows policy (PATCH /beta/policies/authenticationFlowsPolicy)
- Policy.ReadWrite.AuthenticationMethod: Use this permission to manage the settings of the authentication methods policy, including enabling and disabling authentication methods, allowing users and groups to use those methods, and configuring other settings related to the authentication methods that users may register and use in a tenant.
- Policy.ReadWrite.ConditionalAccess: Read and write your organization's conditional access policies (POST /beta/identity/conditionalAccess/policies)
- Policy.ReadWrite.CrossTenantAccess: Read and write your organization's cross tenant access policy (PATCH /beta/policies/crossTenantAccessPolicy)
- Policy.ReadWrite.FeatureRollout: Read and write your organization's feature rollout policies (POST /beta/directory/featureRolloutPolicies)
- Policy.ReadWrite.TrustFramework: Read and write your organization's trust framework policies (POST /beta/trustFramework/policies)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Presence permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Presence.Read | Read user's presence information | Allows the app to read presence information on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. | No |
Presence.Read.All | Read presence information of all users in your organization | Allows the app to read presence information of all users in the directory on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. | No |
Presence.ReadWrite | Read and write a user's presence information | Allows the app to read the presence information and write activity and availability on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Presence.ReadWrite.All | Read and write presence information for all users | Allows the app to read all presence information and write activity and availability of all users in the directory without a signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. | Yes |
Example usage
- Presence.Read: If you're signed in, retrieve your own presence information (GET /me/presence)
- Presence.Read.All: Retrieve the presence information of another user (GET /users/{id}/presence)
- Presence.Read.All: Retrieve the presence information of multiple users (POST /communications/getPresencesByUserId)
- Presence.ReadWrite:
  - If you're signed in, set the state of your presence session (POST /me/presence/setPresence)
  - If you're signed in, set your own preferred presence (POST /me/presence/setUserPreferredPresence)
- Presence.ReadWrite.All:
  - Set the state of a user's presence session as an application (POST /users/{id}/presence/setPresence)
  - Set the preferred presence of a user as an application (POST /users/{id}/presence/setUserPreferredPresence)
Programs and program controls permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ProgramControl.Read.All | Read all programs | Allows the app to read programs on behalf of the signed-in user. | Yes | No |
ProgramControl.ReadWrite.All | Manage all programs | Allows the app to read and write programs on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
ProgramControl.Read.All | Read all programs | Allows the app to read programs without a signed-in user. | Yes |
ProgramControl.ReadWrite.All | Manage all programs | Allows the app to read and write programs without a signed-in user. | Yes |
Remarks
ProgramControl.Read.All and ProgramControl.ReadWrite.All are valid only for work or school accounts.
For an app with delegated permissions to read programs and program controls, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or User Administrator. For an app with delegated permissions to write programs and program controls, the signed-in user must be a member of one of the following administrator roles: Global Administrator or User Administrator. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.
Records management permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
RecordsManagement.Read.All | Read Records Management configuration, labels, and policies | Allows the application to read any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user. | Yes |
RecordsManagement.ReadWrite.All | Read and write Records Management configuration, labels, and policies | Allows the application to create, update and delete any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user. | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
RecordsManagement.Read.All | Read Records Management configuration, labels and policies | Allows the application to read any data from Records Management, such as configuration, labels, and policies without a signed-in user. | Yes |
RecordsManagement.ReadWrite.All | Read and write Records Management configuration, labels and policies | Allows the application to create, update and delete any data from Records Management, such as configuration, labels, and policies without a signed-in user. | Yes |
Example usage
Delegated
- RecordsManagement.Read.All: Get the list of labels available to the user from Microsoft Purview Records management (GET /security/labels/retentionLabels)
- RecordsManagement.ReadWrite.All: Create a label in Microsoft Purview Records management (POST /security/labels/retentionLabels/)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Reports permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Reports.Read.All | Read all usage reports | Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Reports.Read.All | Read all usage reports | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory. | Yes |
Remarks
- Reports permissions are only valid for work or school accounts.
- For delegated permissions to allow apps to read service usage reports on behalf of a user, the tenant administrator must have assigned the user an Azure AD limited administrator role. For more details, see Authorization for APIs to read Microsoft 365 usage reports.
Example usage
Application
- Reports.Read.All: Read usage detail report of email apps with period of 7 days (GET /reports/EmailAppUsage(view='Detail',period='D7')/content).
- Reports.Read.All: Read activity detail report of email with date of '2017-01-01' (GET /reports/EmailActivity(view='Detail',data='2017-01-01')/content).
- Reports.Read.All: Read Microsoft 365 activations detail report (GET /reports/Office365Activations(view='Detail')/content).
For more complex scenarios involving multiple permissions, see Permission scenarios.
Role management permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
RoleAssignmentSchedule.Read.Directory | Read all active role assignments for your company's directory. | Allows the app to read the active role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles. | Yes | No |
RoleEligibilitySchedule.Read.Directory | Read all eligible role assignments for your company's directory. | Allows the app to read the eligible role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles. | Yes | No |
RoleManagement.Read.All | Read role management data for all RBAC providers. | Allows the app to read the role-based access control (RBAC) settings for all supported RBAC providers, on behalf of the signed-in user. This includes reading role definitions and role assignments. | Yes | No |
RoleManagement.Read.Directory | Read role management data for Azure AD. | Allows the app to read the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, directory roles and memberships. | Yes | No |
RoleManagementPolicy.Read.Directory | Read all policies for privileged role assignments for your company's directory. | Allows the app to read policies for privileged role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. | Yes | No |
RoleManagement.Read.Exchange | Read Exchange Online RBAC configuration | Allows the app to read the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies. | Yes | No |
RoleAssignmentSchedule.ReadWrite.Directory | Read, update, and delete all active role assignments for your company's directory. | Allows the app to read and manage the active role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships. | Yes | No |
RoleEligibilitySchedule.ReadWrite.Directory | Read, update, and delete all eligible role assignments for your company's directory. | Allows the app to read and manage the eligible role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships. | Yes | No |
RoleManagement.ReadWrite.Directory | Read and write role management data for Azure AD. | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Yes | No |
RoleManagementPolicy.ReadWrite.Directory | Read, update, and delete all policies for privileged role assignments for your company's directory. | Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments for your company's directory, on behalf of the signed-in user. | Yes | No |
RoleManagement.ReadWrite.Exchange | Read and write Exchange Online RBAC configuration | Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, on behalf of the signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
RoleManagement.Read.All | Read role management data for all RBAC providers. | Allows the app to read the role-based access control (RBAC) settings for all supported RBAC providers, without a signed-in user. This includes reading role definitions and role assignments. | Yes |
RoleManagement.Read.Directory | Read role management data for Azure AD. | Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships. | Yes |
RoleManagement.ReadWrite.Directory | Read and write role management data for Azure AD. | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Yes |
Remarks
Caution
Permissions that allow granting authorization, such as RoleManagement.ReadWrite.Directory, allow an application to grant itself, other applications, or any user, additional privileges. Use caution when granting any of these permissions.
With the RoleManagement.Read.Directory permission an application can read directoryRoles and directoryRoleTemplates. This includes reading membership information for directory roles.
With the RoleManagement.ReadWrite.Directory permission an application can read and write directoryRoles (directoryRoleTemplates are read-only resources). This includes adding and removing members to and from directory roles.
Role management permissions are only valid for work or school accounts.
Example usage
- RoleManagement.Read.Directory: Read the list of available role templates (GET /directoryRoleTemplates)
- RoleManagement.Read.Directory: Read the list of activated roles in your directory (GET /directoryRoles)
- RoleManagement.Read.Directory: Read the list of members for a role (GET /directoryRoles/<id>/members)
- RoleManagement.Read.Directory: Read the list of administrative unit-scoped members for a role (GET /directoryRoles/<id>/scopedMembers)
- RoleManagement.ReadWrite.Directory: Activate a directory role from a role template (POST /directoryRoles)
- RoleManagement.ReadWrite.Directory: Add a member to a directory role (POST /directoryRoles/<id>/members)
- RoleManagement.ReadWrite.Directory: Add an administrative unit-scoped member to a directory role (POST /directoryRoles/<id>/scopedMembers)
For more complex scenarios involving multiple permissions, see Permission scenarios.
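A least-privilege check built from the role management example usage and the Caution above, as an added example (not code from this page or from Microsoft): it maps the Graph calls an app actually makes to the permission each call needs and reports granted permissions that exceed that, flagging any that can grant authorization. The request log lines are constructed sample data, and the function names and the "METHOD path" log format are assumptions.

```python
import re

READ = "RoleManagement.Read.Directory"
WRITE = "RoleManagement.ReadWrite.Directory"

# (method, path template, permission), copied from the example usage list above.
ROLE_ENDPOINTS = [
    ("GET", "/directoryRoleTemplates", READ),
    ("GET", "/directoryRoles", READ),
    ("GET", "/directoryRoles/<id>/members", READ),
    ("GET", "/directoryRoles/<id>/scopedMembers", READ),
    ("POST", "/directoryRoles", WRITE),
    ("POST", "/directoryRoles/<id>/members", WRITE),
    ("POST", "/directoryRoles/<id>/scopedMembers", WRITE),
]

# Per the remarks above: ReadWrite can also read directoryRoles.
IMPLIES = {WRITE: {READ}}

# Permissions the Caution names as able to grant authorization. Only the one
# named on this page is listed; extend it after your own review.
GRANTS_AUTHORIZATION = {WRITE}


def _compile(template):
    # Literal parts are escaped; "<id>" matches exactly one path segment.
    parts = [re.escape(p) for p in template.split("<id>")]
    return re.compile("^" + "[^/]+".join(parts) + "/?$")


_ROUTES = [(method, _compile(tpl), perm) for method, tpl, perm in ROLE_ENDPOINTS]


def required_permission(method, url_path):
    """Return the permission the page lists for this call, or None if unlisted."""
    path = url_path.split("?", 1)[0]                    # ignore query options
    path = re.sub(r"^/(v1\.0|beta)(?=/)", "", path)     # ignore API version
    for route_method, pattern, perm in _ROUTES:
        if route_method == method.upper() and pattern.match(path):
            return perm
    return None


def audit(granted, request_lines):
    """Compare granted role management permissions with observed usage."""
    granted = set(granted)
    needed, unmapped = set(), []
    for line in request_lines:
        method, _, path = line.strip().partition(" ")
        perm = required_permission(method, path)
        if perm is None:
            unmapped.append(line.strip())   # outside this table: review by hand
        else:
            needed.add(perm)
    # Smallest grant that covers the usage: drop a needed permission when
    # another needed permission already implies it.
    minimal = {p for p in needed
               if not any(p in IMPLIES.get(q, ()) for q in needed)}
    known = {perm for _, _, perm in ROLE_ENDPOINTS}
    excess = (granted & known) - minimal
    effective = set(granted)
    for perm in granted:
        effective |= IMPLIES.get(perm, set())
    return {
        "minimal": sorted(minimal),
        "excess": sorted(excess),
        "excess_can_grant_authorization": sorted(excess & GRANTS_AUTHORIZATION),
        "missing": sorted(needed - effective),
        "unmapped": unmapped,
    }


# Constructed sample: an app that only ever reads roles and their members.
SAMPLE_REQUESTS = [
    "GET /v1.0/directoryRoleTemplates",
    "GET /v1.0/directoryRoles",
    "GET /v1.0/directoryRoles/00000000-0000-0000-0000-000000000001/members?$top=5",
    "GET /v1.0/users",
]

if __name__ == "__main__":
    for key, value in audit([WRITE], SAMPLE_REQUESTS).items():
        print(f"{key}: {value}")
```

Calls that fall outside the table land in `unmapped` rather than being guessed at, so a clean report only covers the role management endpoints listed on this page.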
Schedule management permissions
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Schedule.ReadWrite.All (private preview) | Read and Write Shifts service (Teams) data | Allows an app to read and write schedule, schedule groups, shifts, and associated entities in shifts applications without a signed-in user. | Yes | No |
Schedule.Read.All (private preview) | Read Shifts service (Teams) data | Allows the app to read schedule, schedule groups, shifts, and associated entities in shifts applications without a signed-in user. | Yes | No |
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Schedule.ReadWrite.All | Read and Write Shifts service (Teams) data | Allows an app to read and write schedule, schedule groups, shifts, and associated entities in shifts applications on behalf of the signed-in user. | No | No |
Schedule.Read.All | Read Shifts service (Teams) data | Allows the app to read schedule, schedule groups, shifts, and associated entities in shifts applications on behalf of the signed-in user. | No | No |
WorkforceIntegration.ReadWrite.All (private preview) | Read and write workforce integrations | Allows the app to manage workforce integrations, to synchronize data from Microsoft Teams Shifts with an integrated system, on behalf of the signed-in user. | Yes | No |
WorkforceIntegration.Read.All (private preview) | Read and write workforce integrations | Allows the app to manage workforce integrations, to synchronize data from Microsoft Teams Shifts with an integrated system, on behalf of the signed-in user. | Yes | No |
Search permissions
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ExternalConnection.Read.All | Read all external connections | Allows the app to read all external connections without a signed-in user. | Yes | No |
ExternalConnection.ReadWrite.All | Read and write all external connections | Allows the app to read and write all external connections without a signed-in user. | Yes | No |
ExternalConnection.ReadWrite.OwnedBy | Read and write external connections and connection settings | Allows the app to read and write external connections and their settings without a signed-in user. The app can only read and write external connections that it is authorized to, or it can create new external connections. | Yes | No |
ExternalItem.Read.All | Read all external items | Allows the app to read all external items without a signed-in user. | Yes | No |
ExternalItem.ReadWrite.All | Read and write all external items | Allows the app to read and write all external items without a signed-in user. | Yes | No |
ExternalItem.ReadWrite.OwnedBy | Read and write external items | Allows the app to read and write external items without a signed-in user. The app can only read external items of the connection that it is authorized to. | Yes | No |
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Acronym.Read.All | Read all acronyms | Allows the app to read all acronyms on behalf of a signed-in user. | No | No |
Bookmark.Read.All | Read all bookmarks | Allows the app to read all bookmarks on behalf of a signed-in user. | No | No |
QnA.Read.All | Read all qnas | Allows the app to read all question and answer sets on behalf of a signed-in user. | No | No |
ExternalConnection.Read.All | Read all external connections | Allows the app to read all external connections on behalf of a signed-in user. | Yes | No |
ExternalConnection.ReadWrite.All | Read and write all external connections | Allows the app to read and write all external connections on behalf of a signed-in user. | Yes | No |
ExternalConnection.ReadWrite.OwnedBy | Read and write external connections | Allows the app to read and write external connections on behalf of a signed-in user. The app can only read and write external connections that it is authorized to, or it can create new external connections. | Yes | No |
ExternalItem.Read.All | Read external data | Allow the app to read external datasets and content on behalf of the signed-in user. | Yes | No |
ExternalItem.ReadWrite.All | Read and write all external items | Allows the app to read and write all external items on behalf of a signed-in user. | Yes | No |
ExternalItem.ReadWrite.OwnedBy | Read and write external items | Allows the app to read and write external items on behalf of a signed-in user. The app can only read external items of the connection that it is authorized to. | Yes | No |
Remarks
Search permissions are only valid for work or school accounts.
This search permission is only applicable to ingested data from the indexing API.
Access to data via search requires the read permission to the item. For example, Files.Read.All is required to access files via search.
Example usage
Delegated
- ExternalItem.Read.All: Access external data from the search API (`POST /search/query`).
Search configuration permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
SearchConfiguration.Read.All | Read your organization's search configuration. | Allows the app to read search configuration, on behalf of the signed-in user. | Yes | No |
SearchConfiguration.ReadWrite.All | Read and write your organization's search configuration. | Allows the app to read and write search configurations, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
SearchConfiguration.Read.All | Read your organization's search configuration. | Allows the app to read search configurations without a signed-in user. | Yes |
SearchConfiguration.ReadWrite.All | Read and write your organization's search configuration. | Allows the app to read and write search configurations without a signed-in user. | Yes |
Remarks
Search configuration permissions are only valid for work or school accounts.
Example usage
Delegated and Application
- SearchConfiguration.Read.All: Read the list of all bookmarks created for your tenant (`GET /beta/search/bookmarks`)
- SearchConfiguration.ReadWrite.All: Update or read all bookmarks created for your tenant (`PATCH /beta/search/bookmarks/{id}`)
Security permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
AttackSimulation.Read.All | Read attack simulation data of an organization | Allows the app to read attack simulation and training data for an organization for the signed-in user. | Yes | No |
AttackSimulation.ReadWrite.All | Read, create, and update attack simulation data of an organization | Allows the app to read, create, and update attack simulation and training data for an organization for the signed-in user. | Yes | No |
SecurityActions.Read.All | Read your organization's security actions | Allows the app to read your organization's security actions on behalf of the signed-in user. | Yes | No |
SecurityActions.ReadWrite.All | Read and update your organization's security actions | Allows the app to read or update your organization's security actions on behalf of the signed-in user. | Yes | No |
SecurityAlert.Read.All | Read alerts | Allows the app to read alerts, on behalf of the signed-in user. | Yes | No |
SecurityAlert.ReadWrite.All | Read and write to alerts | Allows the app to read and write alerts, on behalf of the signed-in user. | Yes | No |
SecurityEvents.Read.All | Read your organization's security events | Allows the app to read your organization's security events on behalf of the signed-in user. | Yes | No |
SecurityEvents.ReadWrite.All | Read and update your organization's security events | Allows the app to read your organization's security events on behalf of the signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in user. | Yes | No |
SecurityIncident.Read.All | Read incidents | Allows the app to read incidents, on behalf of the signed-in user. | Yes | No |
SecurityIncident.ReadWrite.All | Read and write to incidents | Allows the app to read and write incidents, on behalf of the signed-in user. | Yes | No |
ThreatIndicators.ReadWrite.OwnedBy | Manage threat indicators this app creates or owns | Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete) on behalf of the signed-in user. | Yes | No |
ThreatIndicators.Read.All | Read your organization's threat indicators | Allows the app to read all the threat indicators for your organization, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
AttackSimulation.Read.All | Read attack simulation data of an organization | Allows the app to read attack simulation and training data for an organization without a signed-in user. | Yes |
AttackSimulation.ReadWrite.All | Read, create, and update all attack simulation data of an organization | Allows the app to read, create, and update attack simulation and training data for an organization without a signed-in user. | Yes |
SecurityActions.Read.All | Read and write your organization's security events | Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. | Yes |
SecurityActions.ReadWrite.All | Create and read your organization's security actions | Allows the app to read or create security actions, without a signed-in user. | Yes |
SecurityAlert.Read.All | Read all alerts | Allows the app to read all alerts, without a signed-in user. | Yes |
SecurityAlert.ReadWrite.All | Read and write to all alerts | Allows the app to read and write to all alerts, without a signed-in user. | Yes |
SecurityEvents.Read.All | Read your organization's security events | Allows the app to read your organization's security events. | Yes |
SecurityEvents.ReadWrite.All | Read and update your organization's security events | Allows the app to read your organization's security events. Also allows the app to update editable properties in security events. | Yes |
SecurityIncident.Read.All | Read all incidents | Allows the app to read all incidents, without a signed-in user. | Yes |
SecurityIncident.ReadWrite.All | Read and write to all incidents | Allows the app to read and write to all incidents, without a signed-in user. | Yes |
ThreatIndicators.ReadWrite.OwnedBy | Manage threat indicators this app creates or owns | Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), without a signed-in user. It cannot update any threat indicators it does not own. | Yes |
ThreatIndicators.Read.All | Manage threat indicators this app creates or owns | Allows the app to read all the threat indicators for your organization, without a signed-in user. | Yes |
Remarks
Security permissions are valid only on work or school accounts.
Example usage
Delegated
- SecurityAlert.Read.All: Read all alerts in an organization that the user is allowed to read (`GET /security/alerts_v2`).
- SecurityAlert.ReadWrite.All: Read and write to all alerts in an organization that the user is allowed to read and write (`GET /security/alerts_v2`).
- SecurityEvents.Read.All: Read the list of all security alerts from all licensed security providers available in an organization (`GET /beta/security/alerts`).
- SecurityEvents.ReadWrite.All: Update or read security alerts from all licensed security providers available in an organization (`PATCH /beta/security/alerts/{id}`).
Application
- SecurityAlert.Read.All: Read all alerts in an organization (`GET /security/alerts_v2`).
- SecurityAlert.ReadWrite.All: Read and write to all alerts in an organization (`GET /security/alerts`).
- SecurityEvents.Read.All: Read the list of all security alerts from all licensed security providers available in an organization (`GET /beta/security/alerts`).
- SecurityEvents.ReadWrite.All: Update or read security alerts from all licensed security providers available in an organization (`PATCH /beta/security/alerts/{id}`).
Service communications permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ServiceHealth.Read.All | Read service health | Allows the app to read your tenant's service health information on behalf of the signed-in user. Health information may include service issues or service health overviews. | Yes | Yes |
ServiceMessage.Read.All | Read service messages | Allows the app to read your tenant's service announcement messages on behalf of the signed-in user. Messages may include information about new or changed features. | Yes | Yes |
ServiceMessageViewpoint.Write | Update your user status on service announcement messages | Allows the app to update service announcement messages' user status on behalf of the signed-in user. The message status can be marked as read, archive, or favorite. | Yes | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
ServiceHealth.Read.All | Read service health | Allows the app to read your tenant's service health information, without a signed-in user. Health information may include service issues or service health overviews. | Yes |
ServiceMessage.Read.All | Read service messages | Allows the app to read your tenant's service announcement messages, without a signed-in user. Messages may include information about new or changed features. | Yes |
Short Notes permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ShortNotes.Read | Read short notes of the signed-in user | Allows the app to read all the short notes a signed-in user has access to. | No | Yes |
ShortNotes.ReadWrite | Read, create, edit, and delete short notes of the signed-in user | Allows the app to read, create, edit, and delete short notes of a signed-in user. | No | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
ShortNotes.Read.All | Read all users' short notes | Allows the app to read all the short notes without a signed-in user. | Yes |
ShortNotes.ReadWrite.All | Read, create, edit, and delete all users' short notes | Allows the app to read, create, edit, and delete all the short notes without a signed-in user. | Yes |
Sites permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Sites.Read.All | Read items in all site collections | Allows the app to read documents and list items in all site collections on behalf of the signed-in user. | No | No |
Sites.ReadWrite.All | Read and write items in all site collections | Allows the app to edit or delete documents and list items in all site collections on behalf of the signed-in user. | No | No |
Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Allows the app to manage and create lists, documents, and list items in all site collections on behalf of the signed-in user. | No | No |
Sites.FullControl.All | Have full control of all site collections | Allows the app to have full control to SharePoint sites in all site collections on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Sites.Read.All | Read items in all site collections | Allows the app to read documents and list items in all site collections without a signed in user. | Yes |
Sites.ReadWrite.All | Read and write items in all site collections | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user. | Yes |
Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Allows the app to manage and create lists, documents, and list items in all site collections without a signed-in user. | Yes |
Sites.FullControl.All | Have full control of all site collections | Allows the app to have full control to SharePoint sites in all site collections without a signed-in user. | Yes |
Sites.Selected | Access selected site collections | Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online. | Yes |
Remarks
Sites permissions are valid only on work or school accounts. The Sites.Selected application permission is available only in the Microsoft Graph API.
Example usage
Delegated
- Sites.Read.All: Read the lists on the SharePoint root site (`GET /v1.0/sites/root/lists`)
- Sites.ReadWrite.All: Create new list items in a SharePoint list (`POST /v1.0/sites/root/lists/123/items`)
- Sites.Manage.All: Add a new list to a SharePoint site (`POST /v1.0/sites/root/lists`)
- Sites.FullControl.All: Complete access to SharePoint sites and lists.
Synchronization permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Synchronization.Read.All | Read all Azure AD synchronization data | Allows the app to read synchronization data on behalf of the signed-in user. | Yes | No |
Synchronization.ReadWrite.All | Read and write all Azure AD synchronization data | Allows the app to read and write synchronization data on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Synchronization.Read.All | Read all Azure AD synchronization data | Allows the app to read synchronization data on behalf of the signed-in user. | Yes |
Synchronization.ReadWrite.All | Read and write all Azure AD synchronization data | Allows the app to read and write synchronization data on behalf of the signed-in user. | Yes |
Example usage
Delegated
- Synchronization.Read.All: Get the list of subject rights request available to the user (`GET /servicePrincipals/{id}/synchronization/jobs/{jobId}/schema`).
- Synchronization.ReadWrite.All: Create a subject rights request (`PUT /servicePrincipals/{id}/synchronization/jobs/{jobId}/schema`).
Application
- Synchronization.Read.All: Get the list of subject rights request available to the user (`GET /servicePrincipals/{id}/synchronization/jobs/{jobId}/`).
- Synchronization.ReadWrite.All: Create a subject rights request (`POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/start`).
Subject rights request permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
SubjectRightsRequest.Read.All | Read subject rights requests | Allows the app to read subject rights requests on behalf of the signed-in user. | Yes | No |
SubjectRightsRequest.ReadWrite.All | Read and write subject rights requests | Allows the app to read and write subject rights requests on behalf of the signed-in user. | Yes | No |
Application permissions
None.
Example usage
Delegated
- SubjectRightsRequest.Read.All: Get the list of subject rights request available to the user (`GET /privacy/subjectrightsrequests`).
- SubjectRightsRequest.ReadWrite.All: Create a subject rights request (`POST /privacy/subjectrightsrequests`).
For more complex scenarios involving multiple permissions, see Permission scenarios.
Tasks permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Tasks.Read | Read user's tasks and task lists | Allows the app to read the signed-in user's tasks and task lists, including any shared with the user. Doesn't include permission to create, delete, or update anything. | No | Yes |
Tasks.Read.Shared | Read user and shared tasks (preview) | Allows the app to read tasks a user has permissions to access, including their own and shared tasks. | No | No |
Tasks.ReadWrite | Create, read, update, and delete user's tasks and task lists | Allows the app to create, read, update, and delete the signed-in user's tasks and task lists, including any shared with the user. | No | Yes |
Tasks.ReadWrite.Shared | Read and write user and shared tasks (preview) | Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks. | No | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Tasks.Read.All | Read all users' tasks and tasklist | Allows the app to read all users' tasks and task lists in your organization, without a signed-in user. | Yes |
Tasks.ReadWrite.All | Read and write all users' tasks and tasklists | Allows the app to create, read, update and delete all users' tasks and task lists in your organization, without a signed-in user | Yes |
Remarks
Tasks permissions are used to control access for To Do tasks, Planner tasks, and Outlook tasks (deprecated).
Shared permissions are currently only supported for work or school accounts. Even with Shared permissions, reads and writes may fail if the user who owns the shared content has not granted the accessing user permissions to modify content within the folder.
Example usage
Delegated
- Tasks.Read: Get all Planner tasks assigned to the current user (`GET /me/planner/tasks`).
- Tasks.Read.Shared: Access tasks in a folder shared to you by another user in your organization (`GET /users/{id|userPrincipalName}/outlook/taskfolders/{id}/tasks`).
- Tasks.ReadWrite: Create a Planner task (`POST /planner/tasks`).
- Tasks.ReadWrite.Shared: Complete a task on behalf of another user (`POST /users/{id | userPrincipalName}/outlook/tasks/{id}/complete`).
For more complex scenarios involving multiple permissions, see Permission scenarios.
Application
- Tasks.Read.All: Get all Planner plans in a group (`GET /groups/{id}/planner/plans`)
- Tasks.ReadWrite.All: Delete a Planner task (`DELETE /planner/tasks/{id}`)
Taxonomy permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TermStore.Read.All | Read term store data | Allows the app to read various terms, sets, and groups in the term store | Yes | No |
TermStore.ReadWrite.All | Read and write all term store data | Allows the app to edit or delete terms, sets, and groups in the term store | Yes | No |
Remarks
Taxonomy permissions are valid only on work or school accounts.
Example usage
Delegated
- TermStore.Read.All: Read the termstore for the tenant (`GET /termStore`)
- TermStore.ReadWrite.All: Create new terms in the termStore (`POST /termStore/sets/123/children`)
Teams permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Team.ReadBasic.All | Read the names and descriptions of teams | Read the names and descriptions of teams, on behalf of the signed-in user. | No | No |
Team.Create | Create teams | Create teams, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Team.ReadBasic.All | Get a list of all teams | Get a list of all teams, without a signed-in user. | Yes | No |
Team.Create | Create teams | Create teams, without a signed-in user. | Yes | No |
Teamwork.Migrate.All | Manage migration to Microsoft Teams | Creating and managing resources for migration to Microsoft Teams | Yes | Yes |
Team templates permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamTemplates.Read | TeamTemplates.Read is "Sign-in and read Teams templates available for this user" | Allows read of the available Teams Templates for the user | No | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamTemplates.Read.All | Read all available Teams Templates | Allows read of the available Teams Templates, without a signed-in user | No | No |
Team settings permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamSettings.Read.All | Read teams' settings | Read this team's settings, on behalf of the signed-in user. | Yes | No |
TeamSettings.ReadWrite.All | Read and change teams' settings | Read and change all teams' settings, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamSettings.Read.All | Read all teams' settings | Read this team's settings, without a signed-in user. | Yes | No |
TeamSettings.ReadWrite.All | Read and change all teams' settings. | Read and change all teams' settings, without a signed-in user. | Yes | No |
Teams activity permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamsActivity.Read | Read user's teamwork activity feed | Allows the app to read the signed-in user's teamwork activity feed. | No | No |
TeamsActivity.Send | Send a teamwork activity as the user | Allows the app to create new notifications in users' teamwork activity feeds on behalf of the signed in user. These notifications may not be discoverable or be held or governed by compliance policies. | No | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamsActivity.Read.All | Read all users' teamwork activity feed | Allows the app to read all users' teamwork activity feed, without a signed-in user. | Yes | No |
TeamsActivity.Send | Send a teamwork activity to any user | Allows the app to create new notifications in users' teamwork activity feeds without a signed in user. These notifications may not be discoverable or be held or governed by compliance policies. | Yes | No |
Teams app permissions (deprecated)
Note
These permissions are deprecated. Use the equivalent TeamsAppInstallation.*.All permissions instead.
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamsApp.Read.All (Deprecated) | Read all installed Teams apps | Allows the app to read the Teams apps that are installed for the signed-in user, and in all teams the user is a member of. Does not give the ability to read application-specific settings. | Yes | No |
TeamsApp.ReadWrite.All (Deprecated) | Manage all Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user and also for teams the user is a member of. Does not give the ability to read or write application-specific settings. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamsApp.Read.All (Deprecated) | Read all users' installed Teams apps | Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. | Yes | No |
TeamsApp.ReadWrite.All (Deprecated) | Manage all users' Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read or write application-specific settings. | Yes | No |
Teams app installation permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamsAppInstallation.ReadForUser | Read user's installed Teams apps | Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings. | No | No |
TeamsAppInstallation.ReadWriteForUser | Manage user's installed Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps installed for the signed in user. Does not give the ability to read application-specific settings. | Yes | No |
TeamsAppInstallation.ReadWriteSelfForUser | Allow the app to manage itself in teams | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | No | No |
TeamsAppInstallation.ReadForTeam | Read installed Teams apps in teams | Allows the app to read the Teams apps that are installed in teams the signed-in user can access. Does not give the ability to read application-specific settings. | Yes | No |
TeamsAppInstallation.ReadWriteForTeam | Manage installed Teams apps in teams | Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Does not give the ability to read application-specific settings. | Yes | No |
TeamsAppInstallation.ReadWriteSelfForTeam | Allow the app to manage itself in teams | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | Yes | No |
TeamsAppInstallation.ReadWriteAndConsentForChat | Manage installed Teams apps in chats | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | Yes | No |
TeamsAppInstallation.ReadWriteAndConsentForTeam | Manage installed Teams apps in teams | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | Yes | No |
TeamsAppInstallation.ReadWriteAndConsentSelfForChat | Allow the Teams app to manage itself and its permission grants in chats | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | Yes | No |
TeamsAppInstallation.ReadWriteAndConsentSelfForTeam | Allow the Teams app to manage itself and its permission grants in teams | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
TeamsAppInstallation.ReadForUser.All | Read installed Teams apps for all users | Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. | Yes |
TeamsAppInstallation.ReadWriteForUser.All | Manage Teams apps for all users | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. | Yes |
TeamsAppInstallation.ReadWriteSelfForUser.All | Allow the app to manage itself for all users | Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user. | Yes |
TeamsAppInstallation.ReadForTeam.All | Read installed Teams apps for all teams | Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings. | Yes |
TeamsAppInstallation.ReadWriteForTeam.All | Manage Teams apps for all teams | Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. | Yes |
TeamsAppInstallation.ReadWriteSelfForTeam.All | Allow the Teams app to manage itself for all teams | Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user. | Yes |
TeamsAppInstallation.ReadWriteAndConsentForChat.All | Manage installation and permission grants of Teams apps for all chats | Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Gives the ability to manage permission grants for accessing those specific chats' data. | Yes |
TeamsAppInstallation.ReadWriteAndConsentForTeam.All | Manage installation and permission grants of Teams apps for all teams | Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Gives the ability to manage permission grants for accessing those specific teams' data. | Yes |
TeamsAppInstallation.ReadWriteAndConsentSelfForChat.All | Allow the Teams app to manage itself and its permission grants for all chats | Allows a Teams app to read, install, upgrade, and uninstall itself for any chat, without a signed-in user, and manage its permission grants for accessing those specific chats' data. | Yes |
TeamsAppInstallation.ReadWriteAndConsentSelfForTeam.All | Allow the Teams app to manage itself and its permission grants for all teams | Allows a Teams app to read, install, upgrade, and uninstall itself for any team, without a signed-in user, and manage its permission grants for accessing those specific teams' data. | Yes |
Teams app settings permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamworkAppSettings.Read.All | Read Teams app settings | Allows the app to read the Teams app settings on behalf of the signed-in user. | No | No |
TeamworkAppSettings.ReadWrite.All | Read and write Teams app settings | Allows the app to read and write the Teams app settings on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
TeamworkAppSettings.Read.All | Read Teams app settings | Allows the app to read the Teams app settings without a signed-in user. | Yes |
TeamworkAppSettings.ReadWrite.All | Read and write Teams app settings | Allows the app to read and write the Teams app settings without a signed-in user. | Yes |
Teams device management permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamworkDevice.Read.All | Read Teams devices. | Allows the app to read the management data for Teams devices on behalf of the signed-in user. | Yes | No |
TeamworkDevice.ReadWrite.All | Read and write Teams devices. | Allows the app to read and write the management data for Teams devices on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamworkDevice.Read.All | Read Teams devices. | Allows the app to read the management data for Teams devices, without a signed-in user. | Yes | No |
TeamworkDevice.ReadWrite.All | Read and write Teams devices. | Allows the app to read and write the management data for Teams devices, without a signed-in user. | Yes | No |
Team member permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamMember.Read.All | Read the members of teams. | Read the members of teams, on behalf of the signed-in user. | Yes | No |
TeamMember.ReadWrite.All | Add and remove members from teams. | Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamMember.Read.All | Read the members of all teams. | Read the members of all teams, without a signed-in user. | Yes | No |
TeamMember.ReadWrite.All | Add and remove members from all teams. | Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner. | Yes | No |
Team resource-specific consent permissions
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamSettings.Read.Group | Read this team's settings. | Read this team's settings, without a signed-in user. | No | No |
TeamSettings.ReadWrite.Group | Update the settings for this team. | Read and write this team's settings, without a signed-in user. | No | No |
ChannelSettings.Read.Group | Read the names, descriptions, and settings of this team's channels. | Read this team's channel names, channel descriptions, and channel settings, without a signed-in user. | No | No |
ChannelSettings.ReadWrite.Group | Update the names, descriptions, and settings of this team's channels. | Update this team's channel names, channel descriptions, and channel settings, without a signed-in user. | No | No |
Channel.Create.Group | Create channels in this team. | Create channels in this team, without a signed-in user. | No | No |
Channel.Delete.Group | Delete this team's channels. | Delete this team's channels, without a signed-in user. | No | No |
ChannelMessage.Read.Group | Read the team's channel messages. | Allows an app to read this team's channel's messages, without a signed-in user. | No | No |
TeamsAppInstallation.Read.Group | See which apps are installed in this team. | See which apps are installed in this team, without a signed-in user. | No | No |
TeamsTab.Read.Group | Read this team's tabs. | Read this team's tabs, without a signed-in user. | No | No |
TeamsTab.Create.Group | Create tabs in this team. | Create tabs in this team, without a signed-in user. | No | No |
TeamsTab.ReadWrite.Group | Update this team's tabs. | Update this team's tabs, without a signed-in user. | No | No |
TeamsTab.Delete.Group | Delete this team's tabs. | Delete this team's tabs, without a signed-in user. | No | No |
TeamMember.Read.Group | Read this team's members. | Read this team's members, without a signed-in user. | No | No |
Member.Read.Group | Read this group's members. | Read this group's members, without a signed-in user. | No | No |
Owner.Read.Group | Read this group's owners. | Read this group's owners, without a signed-in user. | No | No |
File.Read.Group | Read this team's files and folders. | Limited support (Preview) Read this team's files and folders, without a signed-in user. | No | No |
TeamsActivity.Send.Group | Send activity feed notifications to users in this team. | Allows the app to create new notifications in the teamwork activity feeds of the users in this team, without a signed-in user. | No | No |
Teams settings permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Team.ReadBasic.All | Read the names and descriptions of teams | Read the names and descriptions of teams, on behalf of the signed-in user. | No | No |
TeamSettings.Read.All | Read teams' settings | Read all teams' settings, on behalf of the signed-in user. | Yes | No |
TeamSettings.ReadWrite.All | Read and change teams' settings. | Read and change all teams' settings, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Team.ReadBasic.All | Get a list of all teams. | Get a list of all teams, without a signed-in user. | Yes | No |
TeamSettings.Read.All | Read all teams' settings | Read this team's settings, without a signed-in user. | Yes | No |
TeamSettings.ReadWrite.All | Read and change all teams' settings | Read and change all teams' settings, without a signed-in user. | Yes | No |
Teams tab permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamsTab.Read.All | Read tabs in Microsoft Teams. | Allows the app to read the Teams apps that are installed for the signed-in user, and in all teams the user is a member of. Does not give the ability to read application-specific settings. | Yes | No |
TeamsTab.ReadWrite.All | Read and write tabs in Microsoft Teams. | Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user and also for teams the user is a member of. Does not give the ability to read or write application-specific settings. | Yes | No |
TeamsTab.Create | Create tabs in Microsoft Teams. | Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. | Yes | No |
TeamsTab.ReadWriteSelfForChat | Allow the Teams app to manage only its own tabs in chats. | Allows a Teams app to read, install, upgrade, and uninstall its own tabs in chats the signed-in user can access. | Yes | No |
TeamsTab.ReadWriteSelfForTeam | Allow the Teams app to manage only its own tabs in teams. | Allows a Teams app to read, install, upgrade, and uninstall its own tabs to teams the signed-in user can access. | Yes | No |
TeamsTab.ReadWriteSelfForUser | Allow the Teams app to manage only its own tabs for a user. | Allows a Teams app to read, install, upgrade, and uninstall its own tabs for the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamsTab.Read.All | Read tabs in Microsoft Teams. | Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. | Yes | No |
TeamsTab.ReadWrite.All | Read and write tabs in Microsoft Teams. | Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. | Yes | No |
TeamsTab.Create | Create tabs in Microsoft Teams. | Allows the app to create tabs in any team in Microsoft Teams, without a signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. | Yes | No |
TeamsTab.ReadWriteSelfForChat.All | Allow the Teams app to manage only its own tabs for all chats. | Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any chat, without a signed-in user. | Yes | No |
TeamsTab.ReadWriteSelfForTeam.All | Allow the Teams app to manage only its own tabs for all teams. | Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any team, without a signed-in user. | Yes | No |
TeamsTab.ReadWriteSelfForUser.All | Allow the Teams app to manage only its own tabs for all users. | Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any user, without a signed-in user. | Yes | No |
Teams tag permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamworkTag.ReadWrite | Read and write tags in Microsoft Teams. | Allows the app to read and write tags in Teams, on behalf of the signed-in user. | Yes | No |
TeamworkTag.Read | Read tags in Microsoft Teams. | Allows the app to read tags in Teams, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
TeamworkTag.ReadWrite.All | Read and write tags in Microsoft Teams. | Allows the app to read and write tags in Teams without a signed-in user. | Yes | No |
TeamworkTag.Read.All | Read tags in Microsoft Teams. | Allows the app to read tags in Teams without a signed-in user. | Yes | No |
Tenant information permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
CrossTenantInformation.ReadBasic.All | Read basic information about an external tenant. | Allows the app to read limited information about an external tenant, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
CrossTenantInformation.ReadBasic.All | Read basic information about an external tenant. | Allows the app to read limited information about an external tenant, without a signed-in user. | Yes |
Terms of use permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Agreement.Read.All | Read all terms of use agreements | Allows the app to read terms of use agreements on behalf of the signed-in user. | Yes | No |
Agreement.ReadWrite.All | Read and write all terms of use agreements | Allows the app to read and write terms of use agreements on behalf of the signed-in user. | Yes | No |
AgreementAcceptance.Read | Read user terms of use acceptance statuses | Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. | Yes | No |
AgreementAcceptance.Read.All | Read terms of use acceptance statuses that user can access | Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. | Yes | No |
Remarks
All the permissions above are valid only for work or school accounts.
For an app to read or write all agreements or agreement acceptances with delegated permissions, the signed-in user must be assigned the Global Administrator, Conditional Access Administrator or Security Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.
Example usage
Delegated
The following usages are valid for both delegated permissions:
- Agreement.Read.All: Read all terms of use agreements (GET /beta/agreements)
- Agreement.ReadWrite.All: Read and write all terms of use agreements (POST /beta/agreements)
- AgreementAcceptance.Read: Read user terms of use acceptance statuses (GET /beta/me/agreementAcceptances)
For more complex scenarios involving multiple permissions, see Permission scenarios.
Threat assessment permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ThreatAssessment.ReadWrite.All | Read and write threat assessment requests | Allows an app to read your organization's threat assessment requests on behalf of the signed-in user. Also allows the app to create new requests to assess threats received by your organization on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
ThreatAssessment.Read.All | Read threat assessment requests | Allows an app to read your organization's threat assessment requests, without a signed-in user. | Yes |
Remarks
Threat assessment permissions are valid only on work or school accounts.
Example usage
Delegated
- ThreatAssessment.ReadWrite.All: Read and write threat assessment requests (POST /informationProtection/threatAssessmentRequests)
Application
- ThreatAssessment.Read.All: Read threat assessment requests (GET /informationProtection/threatAssessmentRequests)
Threat hunting permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ThreatHunting.Read.All | Run hunting queries | Allows the app to run hunting queries, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
ThreatHunting.Read.All | Run hunting queries | Allows the app to run hunting queries, without a signed-in user. | Yes |
Remarks
Threat hunting permissions are valid only on work or school accounts.
Example usage
Delegated
- ThreatHunting.Read.All: Run hunting query on behalf of the signed-in user (POST /security/runHuntingQuery)
Application
- ThreatHunting.Read.All: Run hunting query (POST /security/runHuntingQuery)
Threat intelligence permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
ThreatIntelligence.Read.All | Read all threat intelligence information | Allows the app to read threat intelligence information, such as indicators, observations, and articles, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
ThreatIntelligence.Read.All | Read all threat intelligence information | Allows the app to read threat intelligence information, such as indicators, observations, and articles, without a signed-in user. | Yes |
Remarks
Threat intelligence permissions are valid only on work or school accounts.
Example usage
Delegated
- ThreatIntelligence.Read.All: List threat intelligence articles on behalf of the signed-in user (GET /security/threatIntelligence/articles)
Application
- ThreatIntelligence.Read.All: Get host reputation information, without a signed-in user (GET /security/threatIntelligence/hosts/contoso.com/reputation)
Universal Print permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
Printer.Create | Register printers | Allows the application to create (register) printers on behalf of the signed-in user. | Yes | No |
Printer.FullControl.All | Register, read, update, and unregister printers | Allows the application to create (register), read, update, and delete (unregister) printers on behalf of the signed-in user. | Yes | No |
Printer.Read.All | Read printers | Allows the application to read printers on behalf of the signed-in user. | Yes | No |
Printer.ReadWrite.All | Read and update printers | Allows the application to read and update printers on behalf of the signed-in user. Does not allow creating (registering) or deleting (unregistering) printers. | Yes | No |
PrinterShare.ReadBasic.All | Read basic information about printer shares | Allows the application to read basic information about printer shares on behalf of the signed-in user. Does not allow reading access control information. | No | No |
PrinterShare.Read.All | Read printer shares | Allows the application to read printer shares on behalf of the signed-in user. | No | No |
PrinterShare.ReadWrite.All | Read and write printer shares | Allows the application to read and update printer shares on behalf of the signed-in user. | Yes | No |
PrintJob.Create | Create print jobs | Allows the application to create print jobs on behalf of the signed-in user and upload document content to print jobs that the signed-in user created. | No | No |
PrintJob.Read | Read user's print jobs | Allows the application to read the metadata and document content of print jobs that the signed-in user created. | No | No |
PrintJob.Read.All | Read print jobs | Allows the application to read the metadata and document content of print jobs on behalf of the signed-in user. | Yes | No |
PrintJob.ReadBasic | Read basic information of user's print jobs | Allows the application to read the metadata of print jobs that the signed-in user created. Does not allow access to print job document content. | No | No |
PrintJob.ReadBasic.All | Read basic information of print jobs | Allows the application to read the metadata of print jobs on behalf of the signed-in user. Does not allow access to print job document content. | Yes | No |
PrintJob.ReadWrite | Read and write user's print jobs | Allows the application to read and update the metadata and document content of print jobs that the signed-in user created. | No | No |
PrintJob.ReadWrite.All | Read and write print jobs | Allows the application to read and update the metadata and document content of print jobs on behalf of the signed-in user. | Yes | No |
PrintJob.ReadWriteBasic | Read and write basic information of user's print jobs | Allows the application to read and update the metadata of print jobs that the signed-in user created. Does not allow access to print job document content. | No | No |
PrintJob.ReadWriteBasic.All | Read and write basic information of print jobs | Allows the application to read and update the metadata of print jobs on behalf of the signed-in user. Does not allow access to print job document content. | Yes | No |
PrintConnector.Read.All | Read connectors | Allows the application to read connectors on behalf of the signed-in user. | Yes | No |
PrintConnector.ReadWrite.All | Read and write print connectors | Allows the application to read and write print connectors on behalf of the signed-in user. | Yes | No |
PrintSettings.Read.All | Read tenant-wide print settings | Allows the application to read print settings on behalf of the signed-in user. | Yes | No |
PrintSettings.ReadWrite.All | Read and write tenant-wide print settings | Allows the application to read and update print settings on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
Printer.Read.All | Read printers | Allows the application to read printers without a signed-in user. | Yes |
Printer.ReadWrite.All | Read and update printers | Allows the application to read and update printers without a signed-in user. Does not allow creating (registering) or deleting (unregistering) printers. | Yes |
PrintJob.Manage.All | Perform advanced operations on print jobs | Allows the application to perform advanced operations like redirecting a print job to another printer without a signed-in user. Also allows the application to read and update the metadata of print jobs. | Yes |
PrintJob.Read.All | Read print jobs | Allows the application to read the metadata and document content of print jobs without a signed-in user. | Yes |
PrintJob.ReadBasic.All | Read basic information for print jobs | Allows the application to read the metadata of print jobs without a signed-in user. Does not allow access to print job document content. | Yes |
PrintJob.ReadWrite.All | Read and write print jobs | Allows the application to read and update the metadata and document content of print jobs without a signed-in user. | Yes |
PrintJob.ReadWriteBasic.All | Read and write basic information for print jobs | Allows the application to read and update the metadata of print jobs without a signed-in user. Does not allow access to print job document content. | Yes |
PrintTaskDefinition.ReadWrite.All | Read, write and update print task definitions | Allows the application to read and update print task definitions without a signed-in user. | Yes |
Remarks
To use the Universal Print service, the user or app's tenant must have an active Universal Print subscription in addition to the permissions listed earlier.
Some permissions distinguish between print job metadata and payload. Metadata describes the configuration of a print job (its name and document configuration, such as whether it should be stapled or printed in color). Payload is the document data itself (the PDF or XPS file to be printed).
All PrintJob.* permissions also require at least Printer.Read.All (or a more privileged permission) because print jobs are stored within printers.
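The following check applies the two Universal Print remarks above to a decoded access token or a requested permission list. It is an added example, not part of the original reference; the function names, the sample claims, and the choice of which printer permissions count as "more privileged" than Printer.Read.All are assumptions.

```python
# Permissions that include reading printers. The page names Printer.Read.All
# "or a more privileged permission"; treating the other two as more privileged
# is an assumption based on their descriptions in the tables above.
PRINTER_READ_OR_HIGHER = {"Printer.Read.All", "Printer.ReadWrite.All",
                          "Printer.FullControl.All"}

# Permissions whose description grants document content (payload), mapped to
# the metadata-only permission listed beside them on this page.
PAYLOAD_TO_METADATA_ONLY = {
    "PrintJob.Read": "PrintJob.ReadBasic",
    "PrintJob.Read.All": "PrintJob.ReadBasic.All",
    "PrintJob.ReadWrite": "PrintJob.ReadWriteBasic",
    "PrintJob.ReadWrite.All": "PrintJob.ReadWriteBasic.All",
}


def permissions_from_claims(claims):
    """Collect permission names from decoded access-token claims.

    Delegated permissions arrive in `scp` as one space-separated string,
    application permissions in `roles` as a list.
    """
    granted = set(claims.get("scp", "").split())
    granted.update(claims.get("roles", []))
    return granted


def review_print_permissions(granted, needs_document_content):
    """Return (kind, permission, detail) findings for a set of permissions."""
    granted = set(granted)
    findings = []

    # Remark: every PrintJob.* permission needs printer read access as well.
    job_perms = sorted(p for p in granted if p.startswith("PrintJob."))
    if job_perms and not (granted & PRINTER_READ_OR_HIGHER):
        findings.append(("missing-prerequisite", "Printer.Read.All",
                         "required by " + ", ".join(job_perms)))

    # Remark: metadata and payload are separate; an app that never touches
    # document content should hold the metadata-only permission.
    if not needs_document_content:
        for perm in sorted(granted & set(PAYLOAD_TO_METADATA_ONLY)):
            findings.append(("over-privileged", perm,
                             "use " + PAYLOAD_TO_METADATA_ONLY[perm]))
    return findings


if __name__ == "__main__":
    # Constructed sample claims for a job-status dashboard (metadata only).
    sample_claims = {"scp": "PrintJob.ReadWrite.All User.Read"}
    for finding in review_print_permissions(
            permissions_from_claims(sample_claims),
            needs_document_content=False):
        print(finding)
```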
Example usage
Delegated
- Printer.Read.All: Get a list of all printers in the tenant (GET /print/printers)
- PrintJob.Read.All: Get a list of all print jobs queued to a Printer (GET /print/printers/{id}/jobs)
- Printer.FullControl.All: Delete (unregister) a printer (DELETE /print/printers/{id})
- PrintJob.ReadWriteBasic.All: Update metadata (such as current status) of print jobs (PATCH /print/printers/{id}/jobs/{id})
- PrintJob.ReadWrite.All: Create print jobs and upload document data to them (POST /print/printers/{id}/jobs)
Application
- Printer.Read.All: Get a list of all printers in the tenant (GET /print/printers)
User permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
User.Read | Sign-in and read user profile | Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No | Yes |
User.ReadWrite | Read and write access to user profile | Allows the app to read the signed-in user's full profile. It also allows the app to update the signed-in user's profile information on their behalf. | No | Yes |
User.ReadBasic.All | Read all users' basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user. | No | No |
User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Yes | No |
User.ReadWrite.All | Read and write all users' full profiles | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. | Yes | No |
User.Invite.All | Invite guest users to the organization | Allows the app to invite guest users to your organization, on behalf of the signed-in user. | Yes | No |
User.EnableDisableAccount.All | Enable and disable user accounts | Allows the app to enable and disable users' accounts, on behalf of the signed-in user. | Yes | No |
User.Export.All | Export users' data | Allows the app to export an organizational user's data, when performed by a Company Administrator. | Yes | No |
User.ManageIdentities.All | Manage user identities | Allows an application to read, update and delete identities that are associated with a user's account, that the signed-in user has access to. This controls which identities your users can sign-in with. | Yes | No |
User-LifeCycleInfo.Read.All | Read all users' lifecycle information | Allows the app to read the lifecycle information like employeeLeaveDateTime of users in your organization, on behalf of the signed-in user. | Yes | No |
User-LifeCycleInfo.ReadWrite.All | Read and write all users' lifecycle information | Allows the app to read and write the lifecycle information like employeeLeaveDateTime of users in your organization, on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. | Yes |
User.ReadWrite.All | Read and write all users' full profiles | Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords. | Yes |
User.Invite.All | Invite guest users to the organization | Allows the app to invite guest users to your organization, without a signed-in user. | Yes |
User.EnableDisableAccount.All | Enable and disable user accounts | Allows the app to enable and disable users' accounts, without a signed-in user. | Yes |
User.Export.All | Export users' data | Allows the app to export organizational users' data, without a signed-in user. | Yes |
User.ManageIdentities.All | Manage all user identities | Allows an application to read, update and delete identities that are associated with a user's account, without a signed-in user. This controls which identities users can sign-in with. | Yes |
User-LifeCycleInfo.Read.All | Read all users' lifecycle information | Allows the app to read the lifecycle information like employeeLeaveDateTime of users in your organization, without a signed-in user. | Yes |
User-LifeCycleInfo.ReadWrite.All | Read and write all users' lifecycle information | Allows the app to read and write the lifecycle information like employeeLeaveDateTime of users in your organization, without a signed-in user. | Yes |
Remarks
With the User.Read permission, an app can also read the basic company information of the signed-in user for a work or school account through the organization resource. The following properties are available: id, displayName, and verifiedDomains.
For work or school accounts, the full profile includes all of the declared properties of the User resource. On reads, only a limited number of properties are returned by default. To read properties that are not in the default set, use $select. The default properties are:
- displayName
- givenName
- jobTitle
- mobilePhone
- officeLocation
- preferredLanguage
- surname
- userPrincipalName
User.ReadWrite and User.ReadWrite.All delegated permissions allow the app to update the following profile properties for work or school accounts:
- aboutMe
- birthday
- hireDate
- interests
- mobilePhone
- mySite
- pastProjects
- photo
- preferredName
- responsibilities
- schools
- skills
With the User.ReadWrite.All application permission, the app can update all of the declared properties of work or school accounts except for password.
With the User.ReadWrite.All delegated or application permission, updating another user's businessPhones, mobilePhone or otherMails is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles.
To read or write direct reports (directReports) or the manager (manager) of a work or school account, the app must have either User.Read.All (read only) or User.ReadWrite.All.
The User.ReadBasic.All permission constrains app access to a limited set of properties known as the basic profile. This is because the full profile might contain sensitive directory information. The basic profile includes only the following properties:
- displayName
- givenName
- id
- photo
- securityIdentifier
- surname
- userPrincipalName
To read the group memberships of a user (memberOf), the app must have either Group.Read.All or Group.ReadWrite.All. However, if the user also has membership in a directoryRole or an administrativeUnit, the app will need effective permissions to read those resources too, or Microsoft Graph will return an error. This means the app will also need Directory permissions, and, for delegated permissions, the signed-in user will also need sufficient privileges in the organization to access directory roles and administrative units.
With the User.ManageIdentities.All delegated or application permission, it is possible to update the identities (identities) of a user. This includes federated (or social identities) or local identities with email or name-based sign-in names.
Example usage
Delegated
- User.Read: Read the full profile for the signed-in user (GET /me).
- User.ReadWrite: Update the photo of the signed-in user (PUT /me/photo/$value).
- User.ReadBasic.All: Find all users whose name starts with "David" (GET /users?$filter=startswith(displayName,'David')).
- User.Read.All: Read a user's manager (GET /users/{id | userPrincipalName}/manager).
Application
- User.Read.All: Read all users and relationships through delta query (GET /beta/users/delta?$select=displayName,givenName,surname).
- User.ReadWrite.All: Update the photo for any user in the organization (PUT /users/{id | userPrincipalName}/photo/$value).
For more complex scenarios involving multiple permissions, see Permission scenarios.
User activity permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
UserActivity.ReadWrite.CreatedByApp | Read and write app activity to users' activity feed | Allows the app to read and report the signed-in user's activity in the app. | No | Yes |
Application permissions
None.
Remarks
UserActivity.ReadWrite.CreatedByApp is valid for both Microsoft accounts and work or school accounts.
The CreatedByApp constraint associated with this permission indicates the service will apply implicit filtering to results based on the identity of the calling app, either the MSA app id or a set of app ids configured for a cross-platform application identity.
Example usage
Delegated
- UserActivity.ReadWrite.CreatedByApp: Get a list of recent unique user activities based on associated history items published in the last day. (GET /me/activities/recent).
- UserActivity.ReadWrite.CreatedByApp: Publish or update a user activity which may be resumed by the user of the application. (PUT /me/activities/%2Farticle%3F12345).
- UserActivity.ReadWrite.CreatedByApp: Publish or update a history item for a specified user activity in order to represent the period of user engagement. (PUT /me/activities/{id}/historyItems/{id}).
- UserActivity.ReadWrite.CreatedByApp: Delete a user activity in response to user initiated request or to remove invalid data. (DELETE /me/activities/{id}).
- UserActivity.ReadWrite.CreatedByApp: Delete a history item in response to user initiated request or to remove invalid data. (DELETE /me/activities/{id}/historyItems/{id}).
User authentication method permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
---|---|---|---|---|
UserAuthenticationMethod.Read | Read own authentication methods | Allows the app to read the signed-in user's authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user's passwords, or to sign-in or otherwise use the signed-in user's authentication methods. | Yes | No |
UserAuthenticationMethod.Read.All | Read users' authentication methods | Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | Yes | No |
UserAuthenticationMethod.ReadWrite | Manage own authentication methods | Allows the app to read and write the signed-in user's authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user's passwords, or to sign-in or otherwise use the signed-in user's authentication methods. | Yes | No |
UserAuthenticationMethod.ReadWrite.All | Manage users' authentication methods | Allows the app to read and write authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
UserAuthenticationMethod.Read.All | Read users' authentication methods | Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | Yes |
UserAuthenticationMethod.ReadWrite.All | Manage users' authentication methods | Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | Yes |
Remarks
User authentication method permissions are used to manage authentication methods on users. With these permissions, a delegated user or application can register new authentication methods on a user, read the authentication methods the user already has registered, update those authentication methods, and remove them from the user.
With these permissions, all authentication methods can be read and managed on a user. This includes methods used for:
- Primary authentication (password, FIDO2, Microsoft Authenticator, and so on)
- Second factor of multi-factor authentication/MFA (phone numbers, Microsoft Authenticator, and so on)
- Self-Service Password Reset/SSPR (email address, and so on)
Virtual event permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
VirtualEvent.Read | Read your virtual events. | Allows the app to read virtual events created by you. | Yes |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
VirtualEvent.Read.All | Read all users' virtual events. | Allows the app to read all virtual events without a signed-in user. | Yes |
Example usage
- VirtualEvent.Read: Retrieve a virtual event created by the signed-in user (GET /solutions/virtualEvents/webinars/{id}).
- VirtualEvent.Read.All: Retrieve a virtual event created by any user in the tenant (GET /solutions/virtualEvents/webinars/{id}).
Windows updates permissions
Delegated permissions
Permission | Display String | Description | Admin Consent Required | Microsoft Account Supported |
---|---|---|---|---|
WindowsUpdates.ReadWrite.All | Read and write all Windows update deployment settings | Allows the app to read and write all Windows update deployment settings for the organization on behalf of the signed-in user. | Yes | No |
Application permissions
Permission | Display String | Description | Admin Consent Required |
---|---|---|---|
WindowsUpdates.ReadWrite.All | Read and write all Windows update deployment settings | Allows the app to read and write all Windows update deployment settings for the organization without a signed-in user. | Yes |
Remarks
All the permissions above are valid only for work or school accounts.
For an app to read or write all Windows update deployment settings with delegated permissions, the signed-in user must be assigned the Global Administrator, Intune Administrator, or Windows Update Deployment Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.
Example usage
Delegated
- WindowsUpdates.ReadWrite.All: Create a deployment (POST /beta/admin/windows/updates/deployments).
Application
- WindowsUpdates.ReadWrite.All: Create a deployment (POST /beta/admin/windows/updates/deployments).
Permission scenarios
This section shows some common scenarios that target user and group resources in an organization. The tables show the permissions that an app needs to be able to perform specific operations required by the scenario. Note that in some cases the ability of the app to perform specific operations will depend on whether a permission is an application or delegated permission. In the case of delegated permissions, the app's effective permissions will also depend on the privileges of the signed-in user within the organization. For more information, see Delegated permissions, Application permissions, and effective permissions.
Access scenarios on the User resource
App tasks involving User | Required permissions | Permission strings |
---|---|---|
App wants to read other users' basic information (only display name and picture), for example to show in a people picking experience | User.ReadBasic.All | Read all user's basic profiles |
App wants to read complete user profile for signed in user (see direct reports, and manager, and so on) | User.Read | Enable sign-in and read user profile |
App wants to read complete user profile for all users | User.Read.All | Read all user's full profiles |
App wants to read files, mail and calendar information for the signed in user | User.Read, Files.Read, Mail.Read, Calendars.Read | Enable sign-in and read user profile, Read users' files, Read user mail, Read user calendars |
App wants to read the signed-in user's (my) files and files that other users have shared with the signed-in user (me). | User.Read, Files.Read, Sites.Read.All | Enable sign-in and read user profile, Read users' files, Read items in all site collections |
App wants to read and write complete user profile for signed in user | User.ReadWrite | Read and write access to user profile |
App wants to read and write complete user profile for all users | User.ReadWrite.All | Read and write all user's full profiles |
App wants to read and write files, mail and calendar information for the signed in user | User.ReadWrite, Files.ReadWrite, Mail.ReadWrite, Calendars.ReadWrite | Read and write access to user profile, Read and write access to user profile, Read and write access to user mail, Have full access to user calendars |
App wants to submit a data policy operation request to export a user's personal data | User.Export.All | Export a user's personal data. |
Access scenarios on the Group resource
App tasks involving Group | Required permissions | Permission strings |
---|---|---|
App wants to read basic group info (only display name and picture), for example to show in a group picking experience | Group.Read.All | Read all groups |
App wants to read all content in all Microsoft 365 groups, including files, conversations. It also needs to show group memberships, be able to update group memberships, (if owner). | Group.Read.All | Read items in all site collections, Read all groups |
App wants to read and write all content in all Microsoft 365 groups, including files, conversations. It also needs to show group memberships, be able to update group memberships, (if owner). | Group.ReadWrite.All, Sites.ReadWrite.All | Read and write all groups, Edit or delete items in all site collections |
App wants to discover (find) a Microsoft 365 group. It allows the user to search for a particular group and choose one from the enumerated list to allow the user to join the group. | Group.ReadWrite.All | Read and write all groups |
App wants to create a group through AAD Graph | Group.ReadWrite.All | Read and write all groups |
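One way to check an app registration against a scenario row such as "read basic group info" (Group.Read.All), added here as an example and not part of the Microsoft documentation: resolve the permission IDs an app manifest requests to names using rows from the All permissions and IDs table on this page, then report anything beyond what the scenario needs. The manifest is constructed sample data; the `requiredResourceAccess` layout, the `Role`/`Scope` type values and the Microsoft Graph resource ID `00000003-0000-0000-c000-000000000000` come from the app manifest format and are assumptions not stated on this page.

```python
import json

# Microsoft Graph resource app ID (assumption: from the manifest format, not this page).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Rows copied from the "All permissions and IDs" table: id -> (name, type).
PERMISSION_IDS = {
    "5b567255-7703-4780-807c-7be8301ae99b": ("Group.Read.All", "Application"),
    "19dbc75e-c2e2-444c-a770-ec69d8559fc7": ("Directory.ReadWrite.All", "Application"),
    "7ab1d382-f21e-4acd-a863-ba3e13f7da61": ("Directory.Read.All", "Application"),
    "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42": ("Calendars.Read", "Delegated"),
    "10465720-29dd-4523-a11a-6a75c743c9d9": ("Files.Read", "Delegated"),
    "75359482-378d-4052-8f01-80520e7db3cd": ("Files.ReadWrite.All", "Application"),
}

# Manifest "type" values: Role = application permission, Scope = delegated permission.
MANIFEST_TYPE = {"Role": "Application", "Scope": "Delegated"}

# Scenario row from the Group table: read basic group info.
SCENARIO_REQUIRED = {"Group.Read.All"}

# Constructed sample manifest fragment (not from a real tenant).
SAMPLE_MANIFEST = json.dumps({
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [
            {"id": "5b567255-7703-4780-807c-7be8301ae99b", "type": "Role"},
            {"id": "19DBC75E-C2E2-444C-A770-EC69D8559FC7", "type": "Role"},
            {"id": "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42", "type": "Scope"},
            {"id": "00000000-0000-0000-0000-00000000abcd", "type": "Role"},
            {"id": "10465720-29dd-4523-a11a-6a75c743c9d9", "type": "Role"},
        ],
    }]
})


def audit_manifest(manifest_json, required):
    """Return (finding, value) tuples for the Graph permissions in a manifest.

    Findings:
      unresolved-id   ID not in the local copy of the table
      type-mismatch   manifest type disagrees with the table's Type column
      excess          permission requested but not needed by the scenario
      app-only-write  excess application permission that can write; it acts
                      without a signed-in user, so no user's privileges bound it
      missing         scenario permission the manifest does not request
    """
    manifest = json.loads(manifest_json)
    findings = []
    requested = set()
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue  # only Microsoft Graph entries are covered by the table
        for entry in resource.get("resourceAccess", []):
            perm_id = str(entry.get("id", "")).lower()
            known = PERMISSION_IDS.get(perm_id)
            if known is None:
                findings.append(("unresolved-id", perm_id))
                continue
            name, table_type = known
            # The same permission name has different IDs per type, so an ID
            # declared with the wrong type points at a hand-edited manifest.
            if MANIFEST_TYPE.get(entry.get("type")) != table_type:
                findings.append(("type-mismatch", name))
                continue
            requested.add(name)
            if name not in required:
                findings.append(("excess", name))
                if table_type == "Application" and "ReadWrite" in name:
                    findings.append(("app-only-write", name))
    for name in sorted(required - requested):
        findings.append(("missing", name))
    return findings


if __name__ == "__main__":
    for finding, value in audit_manifest(SAMPLE_MANIFEST, SCENARIO_REQUIRED):
        print(f"{finding:15} {value}")
```

Extend `PERMISSION_IDS` with further rows from the table before running it against a real manifest; any ID it cannot resolve is reported rather than silently skipped.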
All permissions and IDs
Permission name | Type | ID |
---|---|---|
AccessReview.Read.All | Application | d07a8cc0-3d51-4b77-b3b0-32704d1f69fa |
AccessReview.Read.All | Delegated | ebfcd32b-babb-40f4-a14b-42706e83bd28 |
AccessReview.ReadWrite.All | Application | ef5f7d5c-338f-44b0-86c3-351f46c8bb5f |
AccessReview.ReadWrite.All | Delegated | e4aa47b9-9a69-4109-82ed-36ec70d85ff1 |
AccessReview.ReadWrite.Membership | Application | 18228521-a591-40f1-b215-5fad4488c117 |
AccessReview.ReadWrite.Membership | Delegated | 5af8c3f5-baca-439a-97b0-ea58a435e269 |
Acronym.Read.All | Application | 8c0aed2c-0c61-433d-b63c-6370ddc73248 |
Acronym.Read.All | Delegated | 9084c10f-a2d6-4713-8732-348def50fe02 |
AdministrativeUnit.Read.All | Application | 134fd756-38ce-4afd-ba33-e9623dbe66c2 |
AdministrativeUnit.Read.All | Delegated | 3361d15d-be43-4de6-b441-3c746d05163d |
AdministrativeUnit.ReadWrite.All | Application | 5eb59dd3-1da2-4329-8733-9dabdc435916 |
AdministrativeUnit.ReadWrite.All | Delegated | 7b8a2d34-6b3f-4542-a343-54651608ad81 |
Agreement.Read.All | Application | 2f3e6f8c-093b-4c57-a58b-ba5ce494a169 |
Agreement.Read.All | Delegated | af2819c9-df71-4dd3-ade7-4d7c9dc653b7 |
Agreement.ReadWrite.All | Application | c9090d00-6101-42f0-a729-c41074260d47 |
Agreement.ReadWrite.All | Delegated | ef4b5d93-3104-4664-9053-a5c49ab44218 |
AgreementAcceptance.Read | Delegated | 0b7643bb-5336-476f-80b5-18fbfbc91806 |
AgreementAcceptance.Read.All | Application | d8e4ec18-f6c0-4620-8122-c8b1f2bf400e |
AgreementAcceptance.Read.All | Delegated | a66a5341-e66e-4897-9d52-c2df58c2bfb9 |
Analytics.Read | Delegated | e03cf23f-8056-446a-8994-7d93dfc8b50e |
APIConnectors.Read.All | Application | b86848a7-d5b1-41eb-a9b4-54a4e6306e97 |
APIConnectors.Read.All | Delegated | 1b6ff35f-31df-4332-8571-d31ea5a4893f |
APIConnectors.ReadWrite.All | Application | 1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171 |
APIConnectors.ReadWrite.All | Delegated | c67b52c5-7c69-48b6-9d48-7b3af3ded914 |
AppCatalog.Read.All | Application | e12dae10-5a57-4817-b79d-dfbec5348930 |
AppCatalog.Read.All | Delegated | 88e58d74-d3df-44f3-ad47-e89edf4472e4 |
AppCatalog.ReadWrite.All | Application | dc149144-f292-421e-b185-5953f2e98d7f |
AppCatalog.ReadWrite.All | Delegated | 1ca167d5-1655-44a1-8adf-1414072e1ef9 |
AppCatalog.Submit | Delegated | 3db89e36-7fa6-4012-b281-85f3d9d9fd2e |
Application.Read.All | Application | 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 |
Application.Read.All | Delegated | c79f8feb-a9db-4090-85f9-90d820caa0eb |
Application.ReadWrite.All | Application | 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 |
Application.ReadWrite.All | Delegated | bdfbf15f-ee85-4955-8675-146e8e5296b5 |
Application.ReadWrite.OwnedBy | Application | 18a4783c-866b-4cc7-a460-3d5e5662c884 |
Application-RemoteDesktopConfig.ReadWrite.All | Application | 3be0012a-cc4e-426b-895b-f9c836bf6381 |
Application-RemoteDesktopConfig.ReadWrite.All | Delegated | ffa91d43-2ad8-45cc-b592-09caddeb24bb |
AppRoleAssignment.ReadWrite.All | Application | 06b708a9-e830-4db3-a914-8e69da51d44f |
AppRoleAssignment.ReadWrite.All | Delegated | 84bccea3-f856-4a8a-967b-dbe0a3d53a64 |
AttackSimulation.Read.All | Application | 93283d0a-6322-4fa8-966b-8c121624760d |
AttackSimulation.Read.All | Delegated | 104a7a4b-ca76-4677-b7e7-2f4bc482f381 |
AttackSimulation.ReadWrite.All | Application | e125258e-8c8a-42a8-8f55-ab502afa52f3 |
AttackSimulation.ReadWrite.All | Delegated | 27608d7c-2c66-4cad-a657-951d575f5a60 |
AuditLog.Read.All | Application | b0afded3-3588-46d8-8b3d-9842eff778da |
AuditLog.Read.All | Delegated | e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20 |
AuthenticationContext.Read.All | Application | 381f742f-e1f8-4309-b4ab-e3d91ae4c5c1 |
AuthenticationContext.Read.All | Delegated | 57b030f1-8c35-469c-b0d9-e4a077debe70 |
AuthenticationContext.ReadWrite.All | Application | a88eef72-fed0-4bf7-a2a9-f19df33f8b83 |
AuthenticationContext.ReadWrite.All | Delegated | ba6d575a-1344-4516-b777-1404f5593057 |
BillingConfiguration.ReadWrite.All | Application | 9e8be751-7eee-4c09-bcfd-d64f6b087fd8 |
BillingConfiguration.ReadWrite.All | Delegated | 2bf6d319-dfca-4c22-9879-f88dcfaee6be |
BitlockerKey.Read.All | Delegated | b27a61ec-b99c-4d6a-b126-c4375d08ae30 |
BitlockerKey.ReadBasic.All | Delegated | 5a107bfc-4f00-4e1a-b67e-66451267bc68 |
Bookings.Manage.All | Delegated | 7f36b48e-542f-4d3b-9bcb-8406f0ab9fdb |
Bookings.Read.All | Application | 6e98f277-b046-4193-a4f2-6bf6a78cd491 |
Bookings.Read.All | Delegated | 33b1df99-4b29-4548-9339-7a7b83eaeebc |
Bookings.ReadWrite.All | Delegated | 948eb538-f19d-4ec5-9ccc-f059e1ea4c72 |
BookingsAppointment.ReadWrite.All | Application | 9769393e-5a9f-4302-9e3d-7e018ecb64a7 |
BookingsAppointment.ReadWrite.All | Delegated | 02a5a114-36a6-46ff-a102-954d89d9ab02 |
Bookmark.Read.All | Application | be95e614-8ef3-49eb-8464-1c9503433b86 |
Bookmark.Read.All | Delegated | 98b17b35-f3b1-4849-a85f-9f13733002f0 |
BrowserSiteLists.Read.All | Application | c5ee1f21-fc7f-4937-9af0-c91648ff9597 |
BrowserSiteLists.Read.All | Delegated | fb9be2b7-a7fc-4182-aec1-eda4597c43d5 |
BrowserSiteLists.ReadWrite.All | Application | 8349ca94-3061-44d5-9bfb-33774ea5e4f9 |
BrowserSiteLists.ReadWrite.All | Delegated | 83b34c85-95bf-497b-a04e-b58eca9d49d0 |
BusinessScenarioConfig.Read.All | Delegated | d16480b2-e469-4118-846b-d3d177327bee |
BusinessScenarioConfig.Read.OwnedBy | Application | acc0fc4d-2cd6-4194-8700-1768d8423d86 |
BusinessScenarioConfig.Read.OwnedBy | Delegated | c47e7b6e-d6f1-4be9-9ffd-1e00f3e32892 |
BusinessScenarioConfig.ReadWrite.All | Delegated | 755e785b-b658-446f-bb22-5a46abd029ea |
BusinessScenarioConfig.ReadWrite.OwnedBy | Application | bbea195a-4c47-4a4f-bff2-cba399e11698 |
BusinessScenarioConfig.ReadWrite.OwnedBy | Delegated | b3b7fcff-b4d4-4230-bf6f-90bd91285395 |
BusinessScenarioData.Read.OwnedBy | Application | 6c0257fd-cffe-415b-8239-2d0d70fdaa9c |
BusinessScenarioData.Read.OwnedBy | Delegated | 25b265c4-5d34-4e44-952d-b567f6d3b96d |
BusinessScenarioData.ReadWrite.OwnedBy | Application | f2d21f22-5d80-499e-91cc-0a8a4ce16f54 |
BusinessScenarioData.ReadWrite.OwnedBy | Delegated | 19932d57-2952-4c60-8634-3655c79fc527 |
Calendars.Read | Application | 798ee544-9d2d-430c-a058-570e29e34338 |
Calendars.Read | Delegated | 465a38f9-76ea-45b9-9f34-9e8b0d4b0b42 |
Calendars.Read.Shared | Delegated | 2b9c4092-424d-4249-948d-b43879977640 |
Calendars.ReadBasic | Delegated | 662d75ba-a364-42ad-adee-f5f880ea4878 |
Calendars.ReadBasic.All | Application | 8ba4a692-bc31-4128-9094-475872af8a53 |
Calendars.ReadWrite | Application | ef54d2bf-783f-4e0f-bca1-3210c0444d99 |
Calendars.ReadWrite | Delegated | 1ec239c2-d7c9-4623-a91a-a9775856bb36 |
Calendars.ReadWrite.Shared | Delegated | 12466101-c9b8-439a-8589-dd09ee67e8e9 |
CallRecord-PstnCalls.Read.All | Application | a2611786-80b3-417e-adaa-707d4261a5f0 |
CallRecords.Read.All | Application | 45bbb07e-7321-4fd7-a8f6-3ff27e6a81c8 |
Calls.AccessMedia.All | Application | a7a681dc-756e-4909-b988-f160edc6655f |
Calls.Initiate.All | Application | 284383ee-7f6e-4e40-a2a8-e85dcb029101 |
Calls.InitiateGroupCall.All | Application | 4c277553-8a09-487b-8023-29ee378d8324 |
Calls.JoinGroupCall.All | Application | f6b49018-60ab-4f81-83bd-22caeabfed2d |
Calls.JoinGroupCallAsGuest.All | Application | fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4 |
Channel.Create | Application | f3a65bd4-b703-46df-8f7e-0174fea562aa |
Channel.Create | Delegated | 101147cf-4178-4455-9d58-02b5c164e759 |
Channel.Delete.All | Application | 6a118a39-1227-45d4-af0c-ea7b40d210bc |
Channel.Delete.All | Delegated | cc83893a-e232-4723-b5af-bd0b01bcfe65 |
Channel.ReadBasic.All | Application | 59a6b24b-4225-4393-8165-ebaec5f55d7a |
Channel.ReadBasic.All | Delegated | 9d8982ae-4365-4f57-95e9-d6032a4c0b87 |
ChannelMember.Read.All | Application | 3b55498e-47ec-484f-8136-9013221c06a9 |
ChannelMember.Read.All | Delegated | 2eadaff8-0bce-4198-a6b9-2cfc35a30075 |
ChannelMember.ReadWrite.All | Application | 35930dcf-aceb-4bd1-b99a-8ffed403c974 |
ChannelMember.ReadWrite.All | Delegated | 0c3e411a-ce45-4cd1-8f30-f99a3efa7b11 |
ChannelMessage.Edit | Delegated | 2b61aa8a-6d36-4b2f-ac7b-f29867937c53 |
ChannelMessage.Read.All | Application | 7b2449af-6ccd-4f4d-9f78-e550c193f0d1 |
ChannelMessage.Read.All | Delegated | 767156cb-16ae-4d10-8f8b-41b657c8c8c8 |
ChannelMessage.ReadWrite | Delegated | 5922d31f-46c8-4404-9eaf-2117e390a8a4 |
ChannelMessage.Send | Delegated | ebf0f66e-9fb1-49e4-a278-222f76911cf4 |
ChannelMessage.UpdatePolicyViolation.All | Application | 4d02b0cc-d90b-441f-8d82-4fb55c34d6bb |
ChannelSettings.Read.All | Application | c97b873f-f59f-49aa-8a0e-52b32d762124 |
ChannelSettings.Read.All | Delegated | 233e0cf1-dd62-48bc-b65b-b38fe87fcf8e |
ChannelSettings.ReadWrite.All | Application | 243cded2-bd16-4fd6-a953-ff8177894c3d |
ChannelSettings.ReadWrite.All | Delegated | d649fb7c-72b4-4eec-b2b4-b15acf79e378 |
Chat.Create | Application | d9c48af6-9ad9-47ad-82c3-63757137b9af |
Chat.Create | Delegated | 38826093-1258-4dea-98f0-00003be2b8d0 |
Chat.ManageDeletion.All | Application | 9c7abde0-eacd-4319-bf9e-35994b1a1717 |
Chat.ManageDeletion.All | Delegated | bb64e6fc-6b6d-4752-aea0-dd922dbba588 |
Chat.Read | Delegated | f501c180-9344-439a-bca0-6cbf209fd270 |
Chat.Read.All | Application | 6b7d71aa-70aa-4810-a8d9-5d9fb2830017 |
Chat.Read.WhereInstalled | Application | 1c1b4c8e-3cc7-4c58-8470-9b92c9d5848b |
Chat.ReadBasic | Delegated | 9547fcb5-d03f-419d-9948-5928bbf71b0f |
Chat.ReadBasic.All | Application | b2e060da-3baf-4687-9611-f4ebc0f0cbde |
Chat.ReadBasic.WhereInstalled | Application | 818ba5bd-5b3e-4fe0-bbe6-aa4686669073 |
Chat.ReadWrite | Delegated | 9ff7295e-131b-4d94-90e1-69fde507ac11 |
Chat.ReadWrite.All | Application | 294ce7c9-31ba-490a-ad7d-97a7d075e4ed |
Chat.ReadWrite.WhereInstalled | Application | ad73ce80-f3cd-40ce-b325-df12c33df713 |
Chat.UpdatePolicyViolation.All | Application | 7e847308-e030-4183-9899-5235d7270f58 |
ChatMember.Read | Delegated | c5a9e2b1-faf6-41d4-8875-d381aa549b24 |
ChatMember.Read.All | Application | a3410be2-8e48-4f32-8454-c29a7465209d |
ChatMember.Read.WhereInstalled | Application | 93e7c9e4-54c5-4a41-b796-f2a5adaacda7 |
ChatMember.ReadWrite | Delegated | dea13482-7ea6-488f-8b98-eb5bbecf033d |
ChatMember.ReadWrite.All | Application | 57257249-34ce-4810-a8a2-a03adf0c5693 |
ChatMember.ReadWrite.WhereInstalled | Application | e32c2cd9-0124-4e44-88fc-772cd98afbdb |
ChatMessage.Read | Delegated | cdcdac3a-fd45-410d-83ef-554db620e5c7 |
ChatMessage.Read.All | Application | b9bb2381-47a4-46cd-aafb-00cb12f68504 |
ChatMessage.Send | Delegated | 116b7235-7cc6-461e-b163-8e55691d839e |
CloudPC.Read.All | Application | a9e09520-8ed4-4cde-838e-4fdea192c227 |
CloudPC.Read.All | Delegated | 5252ec4e-fd40-4d92-8c68-89dd1d3c6110 |
CloudPC.ReadWrite.All | Application | 3b4349e1-8cf5-45a3-95b7-69d1751d3e6a |
CloudPC.ReadWrite.All | Delegated | 9d77138f-f0e2-47ba-ab33-cd246c8b79d1 |
ConsentRequest.Read.All | Application | 1260ad83-98fb-4785-abbb-d6cc1806fd41 |
ConsentRequest.Read.All | Delegated | f3bfad56-966e-4590-a536-82ecf548ac1e |
ConsentRequest.ReadWrite.All | Application | 9f1b81a7-0223-4428-bfa4-0bcb5535f27d |
ConsentRequest.ReadWrite.All | Delegated | 497d9dfa-3bd1-481a-baab-90895e54568c |
Contacts.Read | Application | 089fe4d0-434a-44c5-8827-41ba8a0b17f5 |
Contacts.Read | Delegated | ff74d97f-43af-4b68-9f2a-b77ee6968c5d |
Contacts.Read.Shared | Delegated | 242b9d9e-ed24-4d09-9a52-f43769beb9d4 |
Contacts.ReadWrite | Application | 6918b873-d17a-4dc1-b314-35f528134491 |
Contacts.ReadWrite | Delegated | d56682ec-c09e-4743-aaf4-1a3aac4caa21 |
Contacts.ReadWrite.Shared | Delegated | afb6c84b-06be-49af-80bb-8f3f77004eab |
CrossTenantInformation.ReadBasic.All | Application | cac88765-0581-4025-9725-5ebc13f729ee |
CrossTenantInformation.ReadBasic.All | Delegated | 81594d25-e88e-49cf-ac8c-fecbff49f994 |
CrossTenantUserProfileSharing.Read | Delegated | cb1ba48f-d22b-4325-a07f-74135a62ee41 |
CrossTenantUserProfileSharing.Read.All | Application | 8b919d44-6192-4f3d-8a3b-f86f8069ae3c |
CrossTenantUserProfileSharing.Read.All | Delegated | 759dcd16-3c90-463c-937e-abf89f991c18 |
CrossTenantUserProfileSharing.ReadWrite | Delegated | eed0129d-dc60-4f30-8641-daf337a39ffd |
CrossTenantUserProfileSharing.ReadWrite.All | Application | 306785c5-c09b-4ba0-a4ee-023f3da165cb |
CrossTenantUserProfileSharing.ReadWrite.All | Delegated | 64dfa325-cbf8-48e3-938d-51224a0cac01 |
CustomAuthenticationExtension.Read.All | Application | 88bb2658-5d9e-454f-aacd-a3933e079526 |
CustomAuthenticationExtension.Read.All | Delegated | b2052569-c98c-4f36-a5fb-43e5c111e6d0 |
CustomAuthenticationExtension.ReadWrite.All | Application | c2667967-7050-4e7e-b059-4cbbb3811d03 |
CustomAuthenticationExtension.ReadWrite.All | Delegated | 8dfcf82f-15d0-43b3-bc78-a958a13a5792 |
CustomAuthenticationExtension.Receive.Payload | Application | 214e810f-fda8-4fd7-a475-29461495eb00 |
CustomSecAttributeAssignment.Read.All | Application | 3b37c5a4-1226-493d-bec3-5d6c6b866f3f |
CustomSecAttributeAssignment.Read.All | Delegated | b46ffa80-fe3d-4822-9a1a-c200932d54d0 |
CustomSecAttributeAssignment.ReadWrite.All | Application | de89b5e4-5b8f-48eb-8925-29c2b33bd8bd |
CustomSecAttributeAssignment.ReadWrite.All | Delegated | ca46335e-8453-47cd-a001-8459884efeae |
CustomSecAttributeDefinition.Read.All | Application | b185aa14-d8d2-42c1-a685-0f5596613624 |
CustomSecAttributeDefinition.Read.All | Delegated | ce026878-a0ff-4745-a728-d4fedd086c07 |
CustomSecAttributeDefinition.ReadWrite.All | Application | 12338004-21f4-4896-bf5e-b75dfaf1016d |
CustomSecAttributeDefinition.ReadWrite.All | Delegated | 8b0160d4-5743-482b-bb27-efc0a485ca4a |
DelegatedAdminRelationship.Read.All | Application | f6e9e124-4586-492f-adc0-c6f96e4823fd |
DelegatedAdminRelationship.Read.All | Delegated | 0c0064ea-477b-4130-82a5-4c2cc4ff68aa |
DelegatedAdminRelationship.ReadWrite.All | Application | cc13eba4-8cd8-44c6-b4d4-f93237adce58 |
DelegatedAdminRelationship.ReadWrite.All | Delegated | 885f682f-a990-4bad-a642-36736a74b0c7 |
DelegatedPermissionGrant.ReadWrite.All | Application | 8e8e4742-1d95-4f68-9d56-6ee75648c72a |
DelegatedPermissionGrant.ReadWrite.All | Delegated | 41ce6ca6-6826-4807-84f1-1c82854f7ee5 |
Device.Command | Delegated | bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804 |
Device.Read | Delegated | 11d4cd79-5ba5-460f-803f-e22c8ab85ccd |
Device.Read.All | Application | 7438b122-aefc-4978-80ed-43db9fcc7715 |
Device.Read.All | Delegated | 951183d1-1a61-466f-a6d1-1fde911bfd95 |
Device.ReadWrite.All | Application | 1138cb37-bd11-4084-a2b7-9f71582aeddb |
DeviceLocalCredential.Read.All | Application | 884b599e-4d48-43a5-ba94-15c414d00588 |
DeviceLocalCredential.Read.All | Delegated | 280b3b69-0437-44b1-bc20-3b2fca1ee3e9 |
DeviceLocalCredential.ReadBasic.All | Application | db51be59-e728-414b-b800-e0f010df1a79 |
DeviceLocalCredential.ReadBasic.All | Delegated | 9917900e-410b-4d15-846e-42a357488545 |
DeviceManagementApps.Read.All | Application | 7a6ee1e7-141e-4cec-ae74-d9db155731ff |
DeviceManagementApps.Read.All | Delegated | 4edf5f54-4666-44af-9de9-0144fb4b6e8c |
DeviceManagementApps.ReadWrite.All | Application | 78145de6-330d-4800-a6ce-494ff2d33d07 |
DeviceManagementApps.ReadWrite.All | Delegated | 7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af |
DeviceManagementConfiguration.Read.All | Application | dc377aa6-52d8-4e23-b271-2a7ae04cedf3 |
DeviceManagementConfiguration.Read.All | Delegated | f1493658-876a-4c87-8fa7-edb559b3476a |
DeviceManagementConfiguration.ReadWrite.All | Application | 9241abd9-d0e6-425a-bd4f-47ba86e767a4 |
DeviceManagementConfiguration.ReadWrite.All | Delegated | 0883f392-0a7a-443d-8c76-16a6d39c7b63 |
DeviceManagementManagedDevices.PrivilegedOperations.All | Application | 5b07b0dd-2377-4e44-a38d-703f09a0dc3c |
DeviceManagementManagedDevices.PrivilegedOperations.All | Delegated | 3404d2bf-2b13-457e-a330-c24615765193 |
DeviceManagementManagedDevices.Read.All | Application | 2f51be20-0bb4-4fed-bf7b-db946066c75e |
DeviceManagementManagedDevices.Read.All | Delegated | 314874da-47d6-4978-88dc-cf0d37f0bb82 |
DeviceManagementManagedDevices.ReadWrite.All | Application | 243333ab-4d21-40cb-a475-36241daa0842 |
DeviceManagementManagedDevices.ReadWrite.All | Delegated | 44642bfe-8385-4adc-8fc6-fe3cb2c375c3 |
DeviceManagementRBAC.Read.All | Application | 58ca0d9a-1575-47e1-a3cb-007ef2e4583b |
DeviceManagementRBAC.Read.All | Delegated | 49f0cc30-024c-4dfd-ab3e-82e137ee5431 |
DeviceManagementRBAC.ReadWrite.All | Application | e330c4f0-4170-414e-a55a-2f022ec2b57b |
DeviceManagementRBAC.ReadWrite.All | Delegated | 0c5e8a55-87a6-4556-93ab-adc52c4d862d |
DeviceManagementServiceConfig.Read.All | Application | 06a5fe6d-c49d-46a7-b082-56b1b14103c7 |
DeviceManagementServiceConfig.Read.All | Delegated | 8696daa5-bce5-4b2e-83f9-51b6defc4e1e |
DeviceManagementServiceConfig.ReadWrite.All | Application | 5ac13192-7ace-4fcf-b828-1a26f28068ee |
DeviceManagementServiceConfig.ReadWrite.All | Delegated | 662ed50a-ac44-4eef-ad86-62eed9be2a29 |
Directory.AccessAsUser.All | Delegated | 0e263e50-5827-48a4-b97c-d940288653c7 |
Directory.Read.All | Application | 7ab1d382-f21e-4acd-a863-ba3e13f7da61 |
Directory.Read.All | Delegated | 06da0dbc-49e2-44d2-8312-53f166ab848a |
Directory.ReadWrite.All | Application | 19dbc75e-c2e2-444c-a770-ec69d8559fc7 |
Directory.ReadWrite.All | Delegated | c5366453-9fb0-48a5-a156-24f0c49a4b84 |
Directory.Write.Restricted | Application | f20584af-9290-4153-9280-ff8bb2c0ea7f |
Directory.Write.Restricted | Delegated | cba5390f-ed6a-4b7f-b657-0efc2210ed20 |
DirectoryRecommendations.Read.All | Application | ae73097b-cb2a-4447-b064-5d80f6093921 |
DirectoryRecommendations.Read.All | Delegated | 34d3bd24-f6a6-468c-b67c-0c365c1d6410 |
DirectoryRecommendations.ReadWrite.All | Application | 0e9eea12-4f01-45f6-9b8d-3ea4c8144158 |
DirectoryRecommendations.ReadWrite.All | Delegated | f37235e8-90a0-4189-93e2-e55b53867ccd |
Domain.Read.All | Application | dbb9058a-0e50-45d7-ae91-66909b5d4664 |
Domain.Read.All | Delegated | 2f9ee017-59c1-4f1d-9472-bd5529a7b311 |
Domain.ReadWrite.All | Application | 7e05723c-0bb0-42da-be95-ae9f08a6e53c |
Domain.ReadWrite.All | Delegated | 0b5d694c-a244-4bde-86e6-eb5cd07730fe |
EAS.AccessAsUser.All | Delegated | ff91d191-45a0-43fd-b837-bd682c4a0b0f |
eDiscovery.Read.All | Application | 50180013-6191-4d1e-a373-e590ff4e66af |
eDiscovery.Read.All | Delegated | 99201db3-7652-4d5a-809a-bdb94f85fe3c |
eDiscovery.ReadWrite.All | Application | b2620db1-3bf7-4c5b-9cb9-576d29eac736 |
eDiscovery.ReadWrite.All | Delegated | acb8f680-0834-4146-b69e-4ab1b39745ad |
EduAdministration.Read | Delegated | 8523895c-6081-45bf-8a5d-f062a2f12c9f |
EduAdministration.Read.All | Application | 7c9db06a-ec2d-4e7b-a592-5a1e30992566 |
EduAdministration.ReadWrite | Delegated | 63589852-04e3-46b4-bae9-15d5b1050748 |
EduAdministration.ReadWrite.All | Application | 9bc431c3-b8bc-4a8d-a219-40f10f92eff6 |
EduAssignments.Read | Delegated | 091460c9-9c4a-49b2-81ef-1f3d852acce2 |
EduAssignments.Read.All | Application | 4c37e1b6-35a1-43bf-926a-6f30f2cdf585 |
EduAssignments.ReadBasic | Delegated | c0b0103b-c053-4b2e-9973-9f3a544ec9b8 |
EduAssignments.ReadBasic.All | Application | 6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e |
EduAssignments.ReadWrite | Delegated | 2f233e90-164b-4501-8bce-31af2559a2d3 |
EduAssignments.ReadWrite.All | Application | 0d22204b-6cad-4dd0-8362-3e3f2ae699d9 |
EduAssignments.ReadWriteBasic | Delegated | 2ef770a1-622a-47c4-93ee-28d6adbed3a0 |
EduAssignments.ReadWriteBasic.All | Application | f431cc63-a2de-48c4-8054-a34bc093af84 |
EduRoster.Read | Delegated | a4389601-22d9-4096-ac18-36a927199112 |
EduRoster.Read.All | Application | e0ac9e1b-cb65-4fc5-87c5-1a8bc181f648 |
EduRoster.ReadBasic | Delegated | 5d186531-d1bf-4f07-8cea-7c42119e1bd9 |
EduRoster.ReadBasic.All | Application | 0d412a8c-a06c-439f-b3ec-8abcf54d2f96 |
EduRoster.ReadWrite | Delegated | 359e19a6-e3fa-4d7f-bcab-d28ec592b51e |
EduRoster.ReadWrite.All | Application | d1808e82-ce13-47af-ae0d-f9b254e6d58a |
Delegated | 64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0 | |
EntitlementManagement.Read.All | Application | c74fd47d-ed3c-45c3-9a9e-b8676de685d2 |
EntitlementManagement.Read.All | Delegated | 5449aa12-1393-4ea2-a7c7-d0e06c1a56b2 |
EntitlementManagement.ReadWrite.All | Application | 9acd699f-1e81-4958-b001-93b1d2506e19 |
EntitlementManagement.ReadWrite.All | Delegated | ae7a573d-81d7-432b-ad44-4ed5c9d89038 |
EntitlementMgmt-SubjectAccess.ReadWrite | Delegated | e9fdcbbb-8807-410f-b9ec-8d5468c7c2ac |
EventListener.Read.All | Application | b7f6385c-6ce6-4639-a480-e23c42ed9784 |
EventListener.Read.All | Delegated | f7dd3bed-5eec-48da-bc73-1c0ef50bc9a1 |
EventListener.ReadWrite.All | Application | 0edf5e9e-4ce8-468a-8432-d08631d18c43 |
EventListener.ReadWrite.All | Delegated | d11625a6-fe21-4fc6-8d3d-063eba5525ad |
EWS.AccessAsUser.All | Delegated | 9769c687-087d-48ac-9cb3-c37dde652038 |
ExternalConnection.Read.All | Application | 1914711b-a1cb-4793-b019-c2ce0ed21b8c |
ExternalConnection.Read.All | Delegated | a38267a5-26b6-4d76-9493-935b7599116b |
ExternalConnection.ReadWrite.All | Application | 34c37bc0-2b40-4d5e-85e1-2365cd256d79 |
ExternalConnection.ReadWrite.All | Delegated | bbbbd9b3-3566-4931-ac37-2b2180d9e334 |
ExternalConnection.ReadWrite.OwnedBy | Application | f431331c-49a6-499f-be1c-62af19c34a9d |
ExternalConnection.ReadWrite.OwnedBy | Delegated | 4082ad95-c812-4f02-be92-780c4c4f1830 |
ExternalItem.Read.All | Application | 7a7cffad-37d2-4f48-afa4-c6ab129adcc2 |
ExternalItem.Read.All | Delegated | 922f9392-b1b7-483c-a4be-0089be7704fb |
ExternalItem.ReadWrite.All | Application | 38c3d6ee-69ee-422f-b954-e17819665354 |
ExternalItem.ReadWrite.All | Delegated | b02c54f8-eb48-4c50-a9f0-a149e5a2012f |
ExternalItem.ReadWrite.OwnedBy | Application | 8116ae0f-55c2-452d-9944-d18420f5b2c8 |
ExternalItem.ReadWrite.OwnedBy | Delegated | 4367b9d7-cee7-4995-853c-a0bdfe95c1f9 |
Family.Read | Delegated | 3a1e4806-a744-4c70-80fc-223bf8582c46 |
Files.Read | Delegated | 10465720-29dd-4523-a11a-6a75c743c9d9 |
Files.Read.All | Application | 01d4889c-1287-42c6-ac1f-5d1e02578ef6 |
Files.Read.All | Delegated | df85f4d6-205c-4ac5-a5ea-6bf408dba283 |
Files.Read.Selected | Delegated | 5447fe39-cb82-4c1a-b977-520e67e724eb |
Files.ReadWrite | Delegated | 5c28f0bf-8a70-41f1-8ab2-9032436ddb65 |
Files.ReadWrite.All | Application | 75359482-378d-4052-8f01-80520e7db3cd |
Files.ReadWrite.All | Delegated | 863451e7-0667-486c-a5d6-d135439485f0 |
Files.ReadWrite.AppFolder | Delegated | 8019c312-3263-48e6-825e-2b833497195b |
Files.ReadWrite.Selected | Delegated | 17dde5bd-8c17-420f-a486-969730c1b827 |
Financials.ReadWrite.All | Delegated | f534bf13-55d4-45a9-8f3c-c92fe64d6131 |
Group.Create | Application | bf7b1a76-6e77-406b-b258-bf5c7720e98f |
Group.Read.All | Application | 5b567255-7703-4780-807c-7be8301ae99b |
Group.Read.All | Delegated | 5f8c59db-677d-491f-a6b8-5f174b11ec1d |
Group.ReadWrite.All | Application | 62a82d76-70ea-41e2-9197-370581804d09 |
Group.ReadWrite.All | Delegated | 4e46008b-f24c-477d-8fff-7bb4ec7aafe0 |
GroupMember.Read.All | Application | 98830695-27a2-44f7-8c18-0c3ebc9698f6 |
GroupMember.Read.All | Delegated | bc024368-1153-4739-b217-4326f2e966d0 |
GroupMember.ReadWrite.All | Application | dbaae8cf-10b5-4b86-a4a1-f871c94c6695 |
GroupMember.ReadWrite.All | Delegated | f81125ac-d3b7-4573-a3b2-7099cc39df9e |
IdentityProvider.Read.All | Application | e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0 |
IdentityProvider.Read.All | Delegated | 43781733-b5a7-4d1b-98f4-e8edff23e1a9 |
IdentityProvider.ReadWrite.All | Application | 90db2b9a-d928-4d33-a4dd-8442ae3d41e4 |
IdentityProvider.ReadWrite.All | Delegated | f13ce604-1677-429f-90bd-8a10b9f01325 |
IdentityRiskEvent.Read.All | Application | 6e472fd1-ad78-48da-a0f0-97ab2c6b769e |
IdentityRiskEvent.Read.All | Delegated | 8f6a01e7-0391-4ee5-aa22-a3af122cef27 |
IdentityRiskEvent.ReadWrite.All | Application | db06fb33-1953-4b7b-a2ac-f1e2c854f7ae |
IdentityRiskEvent.ReadWrite.All | Delegated | 9e4862a5-b68f-479e-848a-4e07e25c9916 |
IdentityRiskyServicePrincipal.Read.All | Application | 607c7344-0eed-41e5-823a-9695ebe1b7b0 |
IdentityRiskyServicePrincipal.Read.All | Delegated | ea5c4ab0-5a73-4f35-8272-5d5337884e5d |
IdentityRiskyServicePrincipal.ReadWrite.All | Application | cb8d6980-6bcb-4507-afec-ed6de3a2d798 |
IdentityRiskyServicePrincipal.ReadWrite.All | Delegated | bb6f654c-d7fd-4ae3-85c3-fc380934f515 |
IdentityRiskyUser.Read.All | Application | dc5007c0-2d7d-4c42-879c-2dab87571379 |
IdentityRiskyUser.Read.All | Delegated | d04bb851-cb7c-4146-97c7-ca3e71baf56c |
IdentityRiskyUser.ReadWrite.All | Application | 656f6061-f9fe-4807-9708-6a2e0934df76 |
IdentityRiskyUser.ReadWrite.All | Delegated | e0a7cdbb-08b0-4697-8264-0069786e9674 |
IdentityUserFlow.Read.All | Application | 1b0c317f-dd31-4305-9932-259a8b6e8099 |
IdentityUserFlow.Read.All | Delegated | 2903d63d-4611-4d43-99ce-a33f3f52e343 |
IdentityUserFlow.ReadWrite.All | Application | 65319a09-a2be-469d-8782-f6b07debf789 |
IdentityUserFlow.ReadWrite.All | Delegated | 281892cc-4dbf-4e3a-b6cc-b21029bb4e82 |
IMAP.AccessAsUser.All | Delegated | 652390e4-393a-48de-9484-05f9b1212954 |
IndustryData.ReadBasic.All | Application | 4f5ac95f-62fd-472c-b60f-125d24ca0bc5 |
IndustryData.ReadBasic.All | Delegated | 60382b96-1f5e-46ea-a544-0407e489e588 |
IndustryData-DataConnector.Read.All | Application | 7ab52c2f-a2ee-4d98-9ebc-725e3934aae2 |
IndustryData-DataConnector.Read.All | Delegated | d19c0de5-7ecb-4aba-b090-da35ebcd5425 |
IndustryData-DataConnector.ReadWrite.All | Application | eda0971c-482e-4345-b28f-69c309cb8a34 |
IndustryData-DataConnector.ReadWrite.All | Delegated | 5ce933ac-3997-4280-aed0-cc072e5c062a |
IndustryData-DataConnector.Upload | Application | 9334c44b-a7c6-4350-8036-6bf8e02b4c1f |
IndustryData-DataConnector.Upload | Delegated | fc47391d-ab2c-410f-9059-5600f7af660d |
IndustryData-InboundFlow.Read.All | Application | 305f6ba2-049a-4b1b-88bb-fe7e08758a00 |
IndustryData-InboundFlow.Read.All | Delegated | cb0774da-a605-42af-959c-32f438fb38f4 |
IndustryData-InboundFlow.ReadWrite.All | Application | e688c61f-d4c6-4d64-a197-3bcf6ba1d6ad |
IndustryData-InboundFlow.ReadWrite.All | Delegated | 97044676-2cec-40ee-bd70-38df444c9e70 |
IndustryData-ReferenceDefinition.Read.All | Application | 6ee891c3-74a4-4148-8463-0c834375dfaf |
IndustryData-ReferenceDefinition.Read.All | Delegated | a3f96ffe-cb84-40a8-ac85-582d7ef97c2a |
IndustryData-Run.Read.All | Application | f6f5d10b-3024-4d1d-b674-aae4df4a1a73 |
IndustryData-Run.Read.All | Delegated | 92685235-50c4-4702-b2c8-36043db6fa79 |
IndustryData-SourceSystem.Read.All | Application | bc167a60-39fe-4865-8b44-78400fc6ed03 |
IndustryData-SourceSystem.Read.All | Delegated | 49b7016c-89ae-41e7-bd6f-b7170c5490bf |
IndustryData-SourceSystem.ReadWrite.All | Application | 7d866958-e06e-4dd6-91c6-a086b3f5cfeb |
IndustryData-SourceSystem.ReadWrite.All | Delegated | 9599f005-05d6-4ea7-b1b1-4929768af5d0 |
IndustryData-TimePeriod.Read.All | Application | 7c55c952-b095-4c23-a522-022bce4cc1e3 |
IndustryData-TimePeriod.Read.All | Delegated | c9d51f28-8ccd-42b2-a836-fd8fe9ebf2ae |
IndustryData-TimePeriod.ReadWrite.All | Application | 7afa7744-a782-4a32-b8c2-e3db637e8de7 |
IndustryData-TimePeriod.ReadWrite.All | Delegated | b6d56528-3032-4f9d-830f-5a24a25e6661 |
InformationProtectionConfig.Read | Delegated | 12f4bffb-b598-413c-984b-db99728f8b54 |
InformationProtectionConfig.Read.All | Application | 14f49b9f-4bf2-4d24-b80e-b27ec58409bd |
InformationProtectionContent.Sign.All | Application | cbe6c7e4-09aa-4b8d-b3c3-2dbb59af4b54 |
InformationProtectionContent.Write.All | Application | 287bd98c-e865-4e8c-bade-1a85523195b9 |
InformationProtectionPolicy.Read | Delegated | 4ad84827-5578-4e18-ad7a-86530b12f884 |
InformationProtectionPolicy.Read.All | Application | 19da66cb-0fb0-4390-b071-ebc76a349482 |
LearningAssignedCourse.Read | Delegated | ac08cdae-e845-41db-adf9-5899a0ec9ef6 |
LearningAssignedCourse.Read.All | Application | 535e6066-2894-49ef-ab33-e2c6d064bb81 |
LearningAssignedCourse.ReadWrite.All | Application | 236c1cbd-1187-427f-b0f5-b1852454973b |
LearningContent.Read.All | Application | 8740813e-d8aa-4204-860e-2a0f8f84dbc8 |
LearningContent.Read.All | Delegated | ea4c1fd9-6a9f-4432-8e5d-86e06cc0da77 |
LearningContent.ReadWrite.All | Application | 444d6fcb-b738-41e5-b103-ac4f2a2628a3 |
LearningContent.ReadWrite.All | Delegated | 53cec1c4-a65f-4981-9dc1-ad75dbf1c077 |
LearningProvider.Read | Delegated | dd8ce36f-9245-45ea-a99e-8ac398c22861 |
LearningProvider.ReadWrite | Delegated | 40c2eb57-abaf-49f5-9331-e90fd01f7130 |
LearningSelfInitiatedCourse.Read | Delegated | f6403ef7-4a96-47be-a190-69ba274c3f11 |
LearningSelfInitiatedCourse.Read.All | Application | 467524fc-ed22-4356-a910-af61191e3503 |
LearningSelfInitiatedCourse.ReadWrite.All | Application | 7654ed61-8965-4025-846a-0856ec02b5b0 |
LicenseAssignment.ReadWrite.All | Application | 5facf0c1-8979-4e95-abcf-ff3d079771c0 |
LicenseAssignment.ReadWrite.All | Delegated | f55016cc-149c-447e-8f21-7cf3ec1d6350 |
LifecycleWorkflows.Read.All | Application | 7c67316a-232a-4b84-be22-cea2c0906404 |
LifecycleWorkflows.Read.All | Delegated | 9bcb9916-765a-42af-bf77-02282e26b01a |
LifecycleWorkflows.ReadWrite.All | Application | 5c505cf4-8424-4b8e-aa14-ee06e3bb23e3 |
LifecycleWorkflows.ReadWrite.All | Delegated | 84b9d731-7db8-4454-8c90-fd9e95350179 |
Mail.Read | Application | 810c84a8-4a9e-49e6-bf7d-12d183f40d01 |
Mail.Read | Delegated | 570282fd-fa5c-430d-a7fd-fc8dc98a9dca |
Mail.Read.Shared | Delegated | 7b9103a5-4610-446b-9670-80643382c1fa |
Mail.ReadBasic | Application | 6be147d2-ea4f-4b5a-a3fa-3eab6f3c140a |
Mail.ReadBasic | Delegated | a4b8392a-d8d1-4954-a029-8e668a39a170 |
Mail.ReadBasic.All | Application | 693c5e45-0940-467d-9b8a-1022fb9d42ef |
Mail.ReadBasic.Shared | Delegated | b11fa0e7-fdb7-4dc9-b1f1-59facd463480 |
Mail.ReadWrite | Application | e2a3a72e-5f79-4c64-b1b1-878b674786c9 |
Mail.ReadWrite | Delegated | 024d486e-b451-40bb-833d-3e66d98c5c73 |
Mail.ReadWrite.Shared | Delegated | 5df07973-7d5d-46ed-9847-1271055cbd51 |
Mail.Send | Application | b633e1c5-b582-4048-a93e-9f11b44c7e96 |
Mail.Send | Delegated | e383f46e-2787-4529-855e-0e479a3ffac0 |
Mail.Send.Shared | Delegated | a367ab51-6b49-43bf-a716-a1fb06d2a174 |
MailboxSettings.Read | Application | 40f97065-369a-49f4-947c-6a255697ae91 |
MailboxSettings.Read | Delegated | 87f447af-9fa4-4c32-9dfa-4a57a73d18ce |
MailboxSettings.ReadWrite | Application | 6931bccd-447a-43d1-b442-00a195474933 |
MailboxSettings.ReadWrite | Delegated | 818c620a-27a9-40bd-a6a5-d96f7d610b4b |
ManagedTenants.Read.All | Delegated | dc34164e-6c4a-41a0-be89-3ae2fbad7cd3 |
ManagedTenants.ReadWrite.All | Delegated | b31fa710-c9b3-4d9e-8f5e-8036eecddab9 |
Member.Read.Hidden | Application | 658aa5d8-239f-45c4-aa12-864f4fc7e490 |
Member.Read.Hidden | Delegated | f6a3db3e-f7e8-4ed2-a414-557c8c9830be |
NetworkAccessBranch.Read.All | Application | 39ae4a24-1ef0-49e8-9d63-2a66f5c39edd |
NetworkAccessBranch.Read.All | Delegated | 4051c7fc-b429-4804-8d80-8f1f8c24a6f7 |
NetworkAccessBranch.ReadWrite.All | Application | 8137102d-ec16-4191-aaf8-7aeda8026183 |
NetworkAccessBranch.ReadWrite.All | Delegated | b8a36cc2-b810-461a-baa4-a7281e50bd5c |
NetworkAccessPolicy.Read.All | Application | 8a3d36bf-cb46-4bcc-bec9-8d92829dab84 |
NetworkAccessPolicy.Read.All | Delegated | ba22922b-752c-446f-89d7-a2d92398fceb |
NetworkAccessPolicy.ReadWrite.All | Application | f0c341be-8348-4989-8e43-660324294538 |
NetworkAccessPolicy.ReadWrite.All | Delegated | b1fbad0f-ef6e-42ed-8676-bca7fa3e7291 |
Notes.Create | Delegated | 9d822255-d64d-4b7a-afdb-833b9a97ed02 |
Notes.Read | Delegated | 371361e4-b9e2-4a3f-8315-2a301a3b0a3d |
Notes.Read.All | Application | 3aeca27b-ee3a-4c2b-8ded-80376e2134a4 |
Notes.Read.All | Delegated | dfabfca6-ee36-4db2-8208-7a28381419b3 |
Notes.ReadWrite | Delegated | 615e26af-c38a-4150-ae3e-c3b0d4cb1d6a |
Notes.ReadWrite.All | Application | 0c458cef-11f3-48c2-a568-c66751c238c0 |
Notes.ReadWrite.All | Delegated | 64ac0503-b4fa-45d9-b544-71a463f05da0 |
Notes.ReadWrite.CreatedByApp | Delegated | ed68249d-017c-4df5-9113-e684c7f8760b |
Notifications.ReadWrite.CreatedByApp | Delegated | 89497502-6e42-46a2-8cb2-427fd3df970a |
offline_access | Delegated | 7427e0e9-2fba-42fe-b0c0-848c9e6a8182 |
OnlineMeetingArtifact.Read.All | Application | df01ed3b-eb61-4eca-9965-6b3d789751b2 |
OnlineMeetingArtifact.Read.All | Delegated | 110e5abb-a10c-4b59-8b55-9b4daa4ef743 |
OnlineMeetingRecording.Read.All | Application | a4a08342-c95d-476b-b943-97e100569c8d |
OnlineMeetingRecording.Read.All | Delegated | 190c2bb6-1fdd-4fec-9aa2-7d571b5e1fe3 |
OnlineMeetings.Read | Delegated | 9be106e1-f4e3-4df5-bdff-e4bc531cbe43 |
OnlineMeetings.Read.All | Application | c1684f21-1984-47fa-9d61-2dc8c296bb70 |
OnlineMeetings.ReadWrite | Delegated | a65f2972-a4f8-4f5e-afd7-69ccb046d5dc |
OnlineMeetings.ReadWrite.All | Application | b8bb2037-6e08-44ac-a4ea-4674e010e2a4 |
OnlineMeetingTranscript.Read.All | Application | a4a80d8d-d283-4bd8-8504-555ec3870630 |
OnlineMeetingTranscript.Read.All | Delegated | 30b87d18-ebb1-45db-97f8-82ccb1f0190c |
OnPremDirectorySynchronization.Read.All | Delegated | f6609722-4100-44eb-b747-e6ca0536989d |
OnPremDirectorySynchronization.ReadWrite.All | Delegated | c2d95988-7604-4ba1-aaed-38a5f82a51c7 |
OnPremisesPublishingProfiles.ReadWrite.All | Application | 0b57845e-aa49-4e6f-8109-ce654fffa618 |
OnPremisesPublishingProfiles.ReadWrite.All | Delegated | 8c4d5184-71c2-4bf8-bb9d-bc3378c9ad42 |
openid | Delegated | 37f7f235-527c-4136-accd-4a02d197296e |
Organization.Read.All | Application | 498476ce-e0fe-48b0-b801-37ba7e2685c6 |
Organization.Read.All | Delegated | 4908d5b9-3fb2-4b1e-9336-1888b7937185 |
Organization.ReadWrite.All | Application | 292d869f-3427-49a8-9dab-8c70152b74e9 |
Organization.ReadWrite.All | Delegated | 46ca0847-7e6b-426e-9775-ea810a948356 |
OrgContact.Read.All | Application | e1a88a34-94c4-4418-be12-c87b00e26bea |
OrgContact.Read.All | Delegated | 08432d1b-5911-483c-86df-7980af5cdee0 |
People.Read | Delegated | ba47897c-39ec-4d83-8086-ee8256fa737d |
People.Read.All | Application | b528084d-ad10-4598-8b93-929746b4d7d6 |
People.Read.All | Delegated | b89f9189-71a5-4e70-b041-9887f0bc7e4a |
PeopleSettings.Read.All | Application | ef02f2e7-e22d-4c77-8614-8f765683b86e |
PeopleSettings.Read.All | Delegated | ec762c5f-388b-4b16-8693-ac1efbc611bc |
PeopleSettings.ReadWrite.All | Application | b6890674-9dd5-4e42-bb15-5af07f541ae1 |
PeopleSettings.ReadWrite.All | Delegated | e67e6727-c080-415e-b521-e3f35d5248e9 |
Place.Read.All | Application | 913b9306-0ce1-42b8-9137-6a7df690a760 |
Place.Read.All | Delegated | cb8f45a0-5c2e-4ea1-b803-84b870a7d7ec |
Place.ReadWrite.All | Delegated | 4c06a06a-098a-4063-868e-5dfee3827264 |
Policy.Read.All | Application | 246dd0d5-5bd0-4def-940b-0421030a5b68 |
Policy.Read.All | Delegated | 572fea84-0151-49b2-9301-11cb16974376 |
Policy.Read.ConditionalAccess | Application | 37730810-e9ba-4e46-b07e-8ca78d182097 |
Policy.Read.ConditionalAccess | Delegated | 633e0fce-8c58-4cfb-9495-12bbd5a24f7c |
Policy.Read.PermissionGrant | Application | 9e640839-a198-48fb-8b9a-013fd6f6cbcd |
Policy.Read.PermissionGrant | Delegated | 414de6ea-2d92-462f-b120-6e2a809a6d01 |
Policy.ReadWrite.AccessReview | Application | 77c863fd-06c0-47ce-a7eb-49773e89d319 |
Policy.ReadWrite.AccessReview | Delegated | 4f5bc9c8-ea54-4772-973a-9ca119cb0409 |
Policy.ReadWrite.ApplicationConfiguration | Application | be74164b-cff1-491c-8741-e671cb536e13 |
Policy.ReadWrite.ApplicationConfiguration | Delegated | b27add92-efb2-4f16-84f5-8108ba77985c |
Policy.ReadWrite.AuthenticationFlows | Application | 25f85f3c-f66c-4205-8cd5-de92dd7f0cec |
Policy.ReadWrite.AuthenticationFlows | Delegated | edb72de9-4252-4d03-a925-451deef99db7 |
Policy.ReadWrite.AuthenticationMethod | Application | 29c18626-4985-4dcd-85c0-193eef327366 |
Policy.ReadWrite.AuthenticationMethod | Delegated | 7e823077-d88e-468f-a337-e18f1f0e6c7c |
Policy.ReadWrite.Authorization | Application | fb221be6-99f2-473f-bd32-01c6a0e9ca3b |
Policy.ReadWrite.Authorization | Delegated | edd3c878-b384-41fd-95ad-e7407dd775be |
Policy.ReadWrite.ConditionalAccess | Application | 01c0a623-fc9b-48e9-b794-0756f8e8f067 |
Policy.ReadWrite.ConditionalAccess | Delegated | ad902697-1014-4ef5-81ef-2b4301988e8c |
Policy.ReadWrite.ConsentRequest | Application | 999f8c63-0a38-4f1b-91fd-ed1947bdd1a9 |
Policy.ReadWrite.ConsentRequest | Delegated | 4d135e65-66b8-41a8-9f8b-081452c91774 |
Policy.ReadWrite.CrossTenantAccess | Application | 338163d7-f101-4c92-94ba-ca46fe52447c |
Policy.ReadWrite.CrossTenantAccess | Delegated | 014b43d0-6ed4-4fc6-84dc-4b6f7bae7d85 |
Policy.ReadWrite.DeviceConfiguration | Delegated | 40b534c3-9552-4550-901b-23879c90bcf9 |
Policy.ReadWrite.ExternalIdentities | Application | 03cc4f92-788e-4ede-b93f-199424d144a5 |
Policy.ReadWrite.ExternalIdentities | Delegated | b5219784-1215-45b5-b3f1-88fe1081f9c0 |
Policy.ReadWrite.FeatureRollout | Application | 2044e4f1-e56c-435b-925c-44cd8f6ba89a |
Policy.ReadWrite.FeatureRollout | Delegated | 92a38652-f13b-4875-bc77-6e1dbb63e1b2 |
Policy.ReadWrite.MobilityManagement | Delegated | a8ead177-1889-4546-9387-f25e658e2a79 |
Policy.ReadWrite.PermissionGrant | Application | a402ca1c-2696-4531-972d-6e5ee4aa11ea |
Policy.ReadWrite.PermissionGrant | Delegated | 2672f8bb-fd5e-42e0-85e1-ec764dd2614e |
Policy.ReadWrite.SecurityDefaults | Application | 1c6e93a6-28e2-4cbb-9f64-1a46a821124d |
Policy.ReadWrite.SecurityDefaults | Delegated | 0b2a744c-2abf-4f1e-ad7e-17a087e2be99 |
Policy.ReadWrite.TrustFramework | Application | 79a677f7-b79d-40d0-a36a-3e6f8688dd7a |
Policy.ReadWrite.TrustFramework | Delegated | cefba324-1a70-4a6e-9c1d-fd670b7ae392 |
POP.AccessAsUser.All | Delegated | d7b7f2d9-0f45-4ea1-9d42-e50810c06991 |
Presence.Read | Delegated | 76bc735e-aecd-4a1d-8b4c-2b915deabb79 |
Presence.Read.All | Delegated | 9c7a330d-35b3-4aa1-963d-cb2b9f927841 |
Presence.ReadWrite | Delegated | 8d3c54a7-cf58-4773-bf81-c0cd6ad522bb |
Presence.ReadWrite.All | Application | 83cded22-8297-4ff6-a7fa-e97e9545a259 |
PrintConnector.Read.All | Delegated | d69c2d6d-4f72-4f99-a6b9-663e32f8cf68 |
PrintConnector.ReadWrite.All | Delegated | 79ef9967-7d59-4213-9c64-4b10687637d8 |
Printer.Create | Delegated | 90c30bed-6fd1-4279-bf39-714069619721 |
Printer.FullControl.All | Delegated | 93dae4bd-43a1-4a23-9a1a-92957e1d9121 |
Printer.Read.All | Application | 9709bb33-4549-49d4-8ed9-a8f65e45bb0f |
Printer.Read.All | Delegated | 3a736c8a-018e-460a-b60c-863b2683e8bf |
Printer.ReadWrite.All | Application | f5b3f73d-6247-44df-a74c-866173fddab0 |
Printer.ReadWrite.All | Delegated | 89f66824-725f-4b8f-928e-e1c5258dc565 |
PrinterShare.Read.All | Delegated | ed11134d-2f3f-440d-a2e1-411efada2502 |
PrinterShare.ReadBasic.All | Delegated | 5fa075e9-b951-4165-947b-c63396ff0a37 |
PrinterShare.ReadWrite.All | Delegated | 06ceea37-85e2-40d7-bec3-91337a46038f |
PrintJob.Create | Delegated | 21f0d9c0-9f13-48b3-94e0-b6b231c7d320 |
PrintJob.Manage.All | Application | 58a52f47-9e36-4b17-9ebe-ce4ef7f3e6c8 |
PrintJob.Read | Delegated | 248f5528-65c0-4c88-8326-876c7236df5e |
PrintJob.Read.All | Application | ac6f956c-edea-44e4-bd06-64b1b4b9aec9 |
PrintJob.Read.All | Delegated | afdd6933-a0d8-40f7-bd1a-b5d778e8624b |
PrintJob.ReadBasic | Delegated | 6a71a747-280f-4670-9ca0-a9cbf882b274 |
PrintJob.ReadBasic.All | Application | fbf67eee-e074-4ef7-b965-ab5ce1c1f689 |
PrintJob.ReadBasic.All | Delegated | 04ce8d60-72ce-4867-85cf-6d82f36922f3 |
PrintJob.ReadWrite | Delegated | b81dd597-8abb-4b3f-a07a-820b0316ed04 |
PrintJob.ReadWrite.All | Application | 5114b07b-2898-4de7-a541-53b0004e2e13 |
PrintJob.ReadWrite.All | Delegated | 036b9544-e8c5-46ef-900a-0646cc42b271 |
PrintJob.ReadWriteBasic | Delegated | 6f2d22f2-1cb6-412c-a17c-3336817eaa82 |
PrintJob.ReadWriteBasic.All | Application | 57878358-37f4-4d3a-8c20-4816e0d457b1 |
PrintJob.ReadWriteBasic.All | Delegated | 3a0db2f6-0d2a-4c19-971b-49109b19ad3d |
PrintSettings.Read.All | Application | b5991872-94cf-4652-9765-29535087c6d8 |
PrintSettings.Read.All | Delegated | 490f32fd-d90f-4dd7-a601-ff6cdc1a3f6c |
PrintSettings.ReadWrite.All | Delegated | 9ccc526a-c51c-4e5c-a1fd-74726ef50b8f |
PrintTaskDefinition.ReadWrite.All | Application | 456b71a7-0ee0-4588-9842-c123fcc8f664 |
PrivilegedAccess.Read.AzureAD | Application | 4cdc2547-9148-4295-8d11-be0db1391d6b |
PrivilegedAccess.Read.AzureAD | Delegated | b3a539c9-59cb-4ad5-825a-041ddbdc2bdb |
PrivilegedAccess.Read.AzureADGroup | Application | 01e37dc9-c035-40bd-b438-b2879c4870a6 |
PrivilegedAccess.Read.AzureADGroup | Delegated | d329c81c-20ad-4772-abf9-3f6fdb7e5988 |
PrivilegedAccess.Read.AzureResources | Application | 5df6fe86-1be0-44eb-b916-7bd443a71236 |
PrivilegedAccess.Read.AzureResources | Delegated | 1d89d70c-dcac-4248-b214-903c457af83a |
PrivilegedAccess.ReadWrite.AzureAD | Application | 854d9ab1-6657-4ec8-be45-823027bcd009 |
PrivilegedAccess.ReadWrite.AzureAD | Delegated | 3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37 |
PrivilegedAccess.ReadWrite.AzureADGroup | Application | 2f6817f8-7b12-4f0f-bc18-eeaf60705a9e |
PrivilegedAccess.ReadWrite.AzureADGroup | Delegated | 32531c59-1f32-461f-b8df-6f8a3b89f73b |
PrivilegedAccess.ReadWrite.AzureResources | Application | 6f9d5abc-2db6-400b-a267-7de22a40fb87 |
PrivilegedAccess.ReadWrite.AzureResources | Delegated | a84a9652-ffd3-496e-a991-22ba5529156a |
PrivilegedAssignmentSchedule.Read.AzureADGroup | Application | cd4161cb-f098-48f8-a884-1eda9a42434c |
PrivilegedAssignmentSchedule.Read.AzureADGroup | Delegated | 02a32cc4-7ab5-4b58-879a-0586e0f7c495 |
PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup | Application | 41202f2c-f7ab-45be-b001-85c9728b9d69 |
PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup | Delegated | 06dbc45d-6708-4ef0-a797-f797ee68bf4b |
PrivilegedEligibilitySchedule.Read.AzureADGroup | Application | edb419d6-7edc-42a3-9345-509bfdf5d87c |
PrivilegedEligibilitySchedule.Read.AzureADGroup | Delegated | 8f44f93d-ecef-46ae-a9bf-338508d44d6b |
PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup | Application | 618b6020-bca8-4de6-99f6-ef445fa4d857 |
PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup | Delegated | ba974594-d163-484e-ba39-c330d5897667 |
profile | Delegated | 14dad69e-099b-42c9-810b-d002981feec1 |
ProgramControl.Read.All | Application | eedb7fdd-7539-4345-a38b-4839e4a84cbd |
ProgramControl.Read.All | Delegated | c492a2e1-2f8f-4caa-b076-99bbf6e40fe4 |
ProgramControl.ReadWrite.All | Application | 60a901ed-09f7-4aa5-a16e-7dd3d6f9de36 |
ProgramControl.ReadWrite.All | Delegated | 50fd364f-9d93-4ae1-b170-300e87cccf84 |
QnA.Read.All | Application | ee49e170-1dd1-4030-b44c-61ad6e98f743 |
QnA.Read.All | Delegated | f73fa04f-b9a5-4df9-8843-993ce928925e |
RecordsManagement.Read.All | Application | ac3a2b8e-03a3-4da9-9ce0-cbe28bf1accd |
RecordsManagement.Read.All | Delegated | 07f995eb-fc67-4522-ad66-2b8ca8ea3efd |
RecordsManagement.ReadWrite.All | Application | eb158f57-df43-4751-8b21-b8932adb3d34 |
RecordsManagement.ReadWrite.All | Delegated | f2833d75-a4e6-40ab-86d4-6dfe73c97605 |
Reports.Read.All | Application | 230c1aed-a721-4c5d-9cb4-a90514e508ef |
Reports.Read.All | Delegated | 02e97553-ed7b-43d0-ab3c-f8bace0d040c |
ReportSettings.Read.All | Application | ee353f83-55ef-4b78-82da-555bfa2b4b95 |
ReportSettings.Read.All | Delegated | 84fac5f4-33a9-4100-aa38-a20c6d29e5e7 |
ReportSettings.ReadWrite.All | Application | 2a60023f-3219-47ad-baa4-40e17cd02a1d |
ReportSettings.ReadWrite.All | Delegated | b955410e-7715-4a88-a940-dfd551018df3 |
RoleAssignmentSchedule.Read.Directory | Application | d5fe8ce8-684c-4c83-a52c-46e882ce4be1 |
RoleAssignmentSchedule.Read.Directory | Delegated | 344a729c-0285-42c6-9014-f12b9b8d6129 |
RoleAssignmentSchedule.ReadWrite.Directory | Application | dd199f4a-f148-40a4-a2ec-f0069cc799ec |
RoleAssignmentSchedule.ReadWrite.Directory | Delegated | 8c026be3-8e26-4774-9372-8d5d6f21daff |
RoleEligibilitySchedule.Read.Directory | Application | ff278e11-4a33-4d0c-83d2-d01dc58929a5 |
RoleEligibilitySchedule.Read.Directory | Delegated | eb0788c2-6d4e-4658-8c9e-c0fb8053f03d |
RoleEligibilitySchedule.ReadWrite.Directory | Application | fee28b28-e1f3-4841-818e-2704dc62245f |
RoleEligibilitySchedule.ReadWrite.Directory | Delegated | 62ade113-f8e0-4bf9-a6ba-5acb31db32fd |
RoleManagement.Read.All | Application | c7fbd983-d9aa-4fa7-84b8-17382c103bc4 |
RoleManagement.Read.All | Delegated | 48fec646-b2ba-4019-8681-8eb31435aded |
RoleManagement.Read.CloudPC | Application | 031a549a-bb80-49b6-8032-2068448c6a3c |
RoleManagement.Read.CloudPC | Delegated | 9619b88a-8a25-48a7-9571-d23be0337a79 |
RoleManagement.Read.Directory | Application | 483bed4a-2ad3-4361-a73b-c83ccdbdc53c |
RoleManagement.Read.Directory | Delegated | 741c54c3-0c1e-44a1-818b-3f97ab4e8c83 |
RoleManagement.Read.Exchange | Application | c769435f-f061-4d0b-8ff1-3d39870e5f85 |
RoleManagement.Read.Exchange | Delegated | 3bc15058-7858-4141-b24f-ae43b4e80b52 |
RoleManagement.ReadWrite.CloudPC | Application | 274d0592-d1b6-44bd-af1d-26d259bcb43a |
RoleManagement.ReadWrite.CloudPC | Delegated | 501d06f8-07b8-4f18-b5c6-c191a4af7a82 |
RoleManagement.ReadWrite.Directory | Application | 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 |
RoleManagement.ReadWrite.Directory | Delegated | d01b97e9-cbc0-49fe-810a-750afd5527a3 |
RoleManagement.ReadWrite.Exchange | Application | 025d3225-3f02-4882-b4c0-cd5b541a4e80 |
RoleManagement.ReadWrite.Exchange | Delegated | c1499fe0-52b1-4b22-bed2-7a244e0e879f |
RoleManagementAlert.Read.Directory | Application | ef31918f-2d50-4755-8943-b8638c0a077e |
RoleManagementAlert.Read.Directory | Delegated | cce71173-f76d-446e-97ff-efb2d82e11b1 |
RoleManagementAlert.ReadWrite.Directory | Application | 11059518-d6a6-4851-98ed-509268489c4a |
RoleManagementAlert.ReadWrite.Directory | Delegated | 435644c6-a5b1-40bf-8f52-fe8e5b53e19c |
RoleManagementPolicy.Read.Directory | Application | fdc4c997-9942-4479-bfcb-75a36d1138df |
RoleManagementPolicy.Read.Directory | Delegated | 3de2cdbe-0ff5-47d5-bdee-7f45b4749ead |
RoleManagementPolicy.ReadWrite.Directory | Application | 31e08e0a-d3f7-4ca2-ac39-7343fb83e8ad |
RoleManagementPolicy.ReadWrite.Directory | Delegated | 1ff1be21-34eb-448c-9ac9-ce1f506b2a68 |
Schedule.Read.All | Application | 7b2ebf90-d836-437f-b90d-7b62722c4456 |
Schedule.Read.All | Delegated | fccf6dd8-5706-49fa-811f-69e2e1b585d0 |
Schedule.ReadWrite.All | Application | b7760610-0545-4e8a-9ec3-cce9e63db01c |
Schedule.ReadWrite.All | Delegated | 63f27281-c9d9-4f29-94dd-6942f7f1feb0 |
SearchConfiguration.Read.All | Application | ada977a5-b8b1-493b-9a91-66c206d76ecf |
SearchConfiguration.Read.All | Delegated | 7d307522-aa38-4cd0-bd60-90c6f0ac50bd |
SearchConfiguration.ReadWrite.All | Application | 0e778b85-fefa-466d-9eec-750569d92122 |
SearchConfiguration.ReadWrite.All | Delegated | b1a7d408-cab0-47d2-a2a5-a74a3733600d |
SecurityActions.Read.All | Application | 5e0edab9-c148-49d0-b423-ac253e121825 |
SecurityActions.Read.All | Delegated | 1638cddf-07a4-4de2-8645-69c96cacad73 |
SecurityActions.ReadWrite.All | Application | f2bf083f-0179-402a-bedb-b2784de8a49b |
SecurityActions.ReadWrite.All | Delegated | dc38509c-b87d-4da0-bd92-6bec988bac4a |
SecurityAlert.Read.All | Application | 472e4a4d-bb4a-4026-98d1-0b0d74cb74a5 |
SecurityAlert.Read.All | Delegated | bc257fb8-46b4-4b15-8713-01e91bfbe4ea |
SecurityAlert.ReadWrite.All | Application | ed4fca05-be46-441f-9803-1873825f8fdb |
SecurityAlert.ReadWrite.All | Delegated | 471f2a7f-2a42-4d45-a2bf-594d0838070d |
SecurityAnalyzedMessage.Read.All | Application | b48f7ac2-044d-4281-b02f-75db744d6f5f |
SecurityAnalyzedMessage.Read.All | Delegated | 53e6783e-b127-4a35-ab3a-6a52d80a9077 |
SecurityAnalyzedMessage.ReadWrite.All | Application | 04c55753-2244-4c25-87fc-704ab82a4f69 |
SecurityAnalyzedMessage.ReadWrite.All | Delegated | 48eb8c83-6e58-46e7-a6d3-8805822f5940 |
SecurityEvents.Read.All | Application | bf394140-e372-4bf9-a898-299cfc7564e5 |
SecurityEvents.Read.All | Delegated | 64733abd-851e-478a-bffb-e47a14b18235 |
SecurityEvents.ReadWrite.All | Application | d903a879-88e0-4c09-b0c9-82f6a1333f84 |
SecurityEvents.ReadWrite.All | Delegated | 6aedf524-7e1c-45a7-bd76-ded8cab8d0fc |
SecurityIncident.Read.All | Application | 45cc0394-e837-488b-a098-1918f48d186c |
SecurityIncident.Read.All | Delegated | b9abcc4f-94fc-4457-9141-d20ce80ec952 |
SecurityIncident.ReadWrite.All | Application | 34bf0e97-1971-4929-b999-9e2442d941d7 |
SecurityIncident.ReadWrite.All | Delegated | 128ca929-1a19-45e6-a3b8-435ec44a36ba |
ServiceHealth.Read.All | Application | 79c261e0-fe76-4144-aad5-bdc68fbe4037 |
ServiceHealth.Read.All | Delegated | 55896846-df78-47a7-aa94-8d3d4442ca7f |
ServiceMessage.Read.All | Application | 1b620472-6534-4fe6-9df2-4680e8aa28ec |
ServiceMessage.Read.All | Delegated | eda39fa6-f8cf-4c3c-a909-432c683e4c9b |
ServiceMessageViewpoint.Write | Delegated | 636e1b0b-1cc2-4b1c-9aa9-4eeed9b9761b |
ServicePrincipalEndpoint.Read.All | Application | 5256681e-b7f6-40c0-8447-2d9db68797a0 |
ServicePrincipalEndpoint.Read.All | Delegated | 9f9ce928-e038-4e3b-8faf-7b59049a8ddc |
ServicePrincipalEndpoint.ReadWrite.All | Application | 89c8469c-83ad-45f7-8ff2-6e3d4285709e |
ServicePrincipalEndpoint.ReadWrite.All | Delegated | 7297d82c-9546-4aed-91df-3d4f0a9b3ff0 |
SharePointTenantSettings.Read.All | Application | 83d4163d-a2d8-4d3b-9695-4ae3ca98f888 |
SharePointTenantSettings.Read.All | Delegated | 2ef70e10-5bfd-4ede-a5f6-67720500b258 |
SharePointTenantSettings.ReadWrite.All | Application | 19b94e34-907c-4f43-bde9-38b1909ed408 |
SharePointTenantSettings.ReadWrite.All | Delegated | aa07f155-3612-49b8-a147-6c590df35536 |
ShortNotes.Read | Delegated | 50f66e47-eb56-45b7-aaa2-75057d9afe08 |
ShortNotes.Read.All | Application | 0c7d31ec-31ca-4f58-b6ec-9950b6b0de69 |
ShortNotes.ReadWrite | Delegated | 328438b7-4c01-4c07-a840-e625a749bb89 |
ShortNotes.ReadWrite.All | Application | 842c284c-763d-4a97-838d-79787d129bab |
Sites.FullControl.All | Application | a82116e5-55eb-4c41-a434-62fe8a61c773 |
Sites.FullControl.All | Delegated | 5a54b8b3-347c-476d-8f8e-42d5c7424d29 |
Sites.Manage.All | Application | 0c0bf378-bf22-4481-8f81-9e89a9b4960a |
Sites.Manage.All | Delegated | 65e50fdc-43b7-4915-933e-e8138f11f40a |
Sites.Read.All | Application | 332a536c-c7ef-4017-ab91-336970924f0d |
Sites.Read.All | Delegated | 205e70e5-aba6-4c52-a976-6d2d46c48043 |
Sites.ReadWrite.All | Application | 9492366f-7969-46a4-8d15-ed1a20078fff |
Sites.ReadWrite.All | Delegated | 89fe6a52-be36-487e-b7d8-d061c450a026 |
Sites.Selected | Application | 883ea226-0bf2-4a8f-9f9d-92c9162a727d |
SMTP.Send | Delegated | 258f6531-6087-4cc4-bb90-092c5fb3ed3f |
SubjectRightsRequest.Read.All | Application | ee1460f0-368b-4153-870a-4e1ca7e72c42 |
SubjectRightsRequest.Read.All | Delegated | 9c3af74c-fd0f-4db4-b17a-71939e2a9d77 |
SubjectRightsRequest.ReadWrite.All | Application | 8387eaa4-1a3c-41f5-b261-f888138e6041 |
SubjectRightsRequest.ReadWrite.All | Delegated | 2b8fcc74-bce1-4ae3-a0e8-60c53739299d |
Subscription.Read.All | Delegated | 5f88184c-80bb-4d52-9ff2-757288b2e9b7 |
Synchronization.Read.All | Application | 5ba43d2f-fa88-4db2-bd1c-a67c5f0fb1ce |
Synchronization.Read.All | Delegated | 7aa02aeb-824f-4fbe-a3f7-611f751f5b55 |
Synchronization.ReadWrite.All | Application | 9b50c33d-700f-43b1-b2eb-87e89b703581 |
Synchronization.ReadWrite.All | Delegated | 7bb27fa3-ea8f-4d67-a916-87715b6188bd |
Tasks.Read | Delegated | f45671fb-e0fe-4b4b-be20-3d3ce43f1bcb |
Tasks.Read.All | Application | f10e1f91-74ed-437f-a6fd-d6ae88e26c1f |
Tasks.Read.Shared | Delegated | 88d21fd4-8e5a-4c32-b5e2-4a1c95f34f72 |
Tasks.ReadWrite | Delegated | 2219042f-cab5-40cc-b0d2-16b1540b4c5f |
Tasks.ReadWrite.All | Application | 44e666d1-d276-445b-a5fc-8815eeb81d55 |
Tasks.ReadWrite.Shared | Delegated | c5ddf11b-c114-4886-8558-8a4e557cd52b |
Team.Create | Application | 23fc2474-f741-46ce-8465-674744c5c361 |
Team.Create | Delegated | 7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0 |
Team.ReadBasic.All | Application | 2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e |
Team.ReadBasic.All | Delegated | 485be79e-c497-4b35-9400-0e3fa7f2a5d4 |
TeamMember.Read.All | Application | 660b7406-55f1-41ca-a0ed-0b035e182f3e |
TeamMember.Read.All | Delegated | 2497278c-d82d-46a2-b1ce-39d4cdde5570 |
TeamMember.ReadWrite.All | Application | 0121dc95-1b9f-4aed-8bac-58c5ac466691 |
TeamMember.ReadWrite.All | Delegated | 4a06efd2-f825-4e34-813e-82a57b03d1ee |
TeamMember.ReadWriteNonOwnerRole.All | Application | 4437522e-9a86-4a41-a7da-e380edd4a97d |
TeamMember.ReadWriteNonOwnerRole.All | Delegated | 2104a4db-3a2f-4ea0-9dba-143d457dc666 |
TeamsActivity.Read | Delegated | 0e755559-83fb-4b44-91d0-4cc721b9323e |
TeamsActivity.Read.All | Application | 70dec828-f620-4914-aa83-a29117306807 |
TeamsActivity.Send | Application | a267235f-af13-44dc-8385-c1dc93023186 |
TeamsActivity.Send | Delegated | 7ab1d787-bae7-4d5d-8db6-37ea32df9186 |
TeamsAppInstallation.ReadForChat | Delegated | bf3fbf03-f35f-4e93-963e-47e4d874c37a |
TeamsAppInstallation.ReadForChat.All | Application | cc7e7635-2586-41d6-adaa-a8d3bcad5ee5 |
TeamsAppInstallation.ReadForTeam | Delegated | 5248dcb1-f83b-4ec3-9f4d-a4428a961a72 |
TeamsAppInstallation.ReadForTeam.All | Application | 1f615aea-6bf9-4b05-84bd-46388e138537 |
TeamsAppInstallation.ReadForUser | Delegated | c395395c-ff9a-4dba-bc1f-8372ba9dca84 |
TeamsAppInstallation.ReadForUser.All | Application | 9ce09611-f4f7-4abd-a629-a05450422a97 |
TeamsAppInstallation.ReadWriteAndConsentForChat | Delegated | e1408a66-8f82-451b-a2f3-3c3e38f7413f |
TeamsAppInstallation.ReadWriteAndConsentForChat.All | Application | 6e74eff9-4a21-45d6-bc03-3a20f61f8281 |
TeamsAppInstallation.ReadWriteAndConsentForTeam | Delegated | 946349d5-2a9d-4535-abc0-7beeacaedd1d |
TeamsAppInstallation.ReadWriteAndConsentForTeam.All | Application | b0c13be0-8e20-4bc5-8c55-963c23a39ce9 |
TeamsAppInstallation.ReadWriteAndConsentSelfForChat | Delegated | a0e0e18b-8fb2-458f-8130-da2d7cab9c75 |
TeamsAppInstallation.ReadWriteAndConsentSelfForChat.All | Application | ba1ba90b-2d8f-487e-9f16-80728d85bb5c |
TeamsAppInstallation.ReadWriteAndConsentSelfForTeam | Delegated | 4a6bbf29-a0e1-4a4d-a7d1-cef17f772975 |
TeamsAppInstallation.ReadWriteAndConsentSelfForTeam.All | Application | 1e4be56c-312e-42b8-a2c9-009600d732c0 |
TeamsAppInstallation.ReadWriteForChat | Delegated | aa85bf13-d771-4d5d-a9e6-bca04ce44edf |
TeamsAppInstallation.ReadWriteForChat.All | Application | 9e19bae1-2623-4c4f-ab6e-2664615ff9a0 |
TeamsAppInstallation.ReadWriteForTeam | Delegated | 2e25a044-2580-450d-8859-42eeb6e996c0 |
TeamsAppInstallation.ReadWriteForTeam.All | Application | 5dad17ba-f6cc-4954-a5a2-a0dcc95154f0 |
TeamsAppInstallation.ReadWriteForUser | Delegated | 093f8818-d05f-49b8-95bc-9d2a73e9a43c |
TeamsAppInstallation.ReadWriteForUser.All | Application | 74ef0291-ca83-4d02-8c7e-d2391e6a444f |
TeamsAppInstallation.ReadWriteSelfForChat | Delegated | 0ce33576-30e8-43b7-99e5-62f8569a4002 |
TeamsAppInstallation.ReadWriteSelfForChat.All | Application | 73a45059-f39c-4baf-9182-4954ac0e55cf |
TeamsAppInstallation.ReadWriteSelfForTeam | Delegated | 0f4595f7-64b1-4e13-81bc-11a249df07a9 |
TeamsAppInstallation.ReadWriteSelfForTeam.All | Application | 9f67436c-5415-4e7f-8ac1-3014a7132630 |
TeamsAppInstallation.ReadWriteSelfForUser | Delegated | 207e0cb1-3ce7-4922-b991-5a760c346ebc |
TeamsAppInstallation.ReadWriteSelfForUser.All | Application | 908de74d-f8b2-4d6b-a9ed-2a17b3b78179 |
TeamSettings.Read.All | Application | 242607bd-1d2c-432c-82eb-bdb27baa23ab |
TeamSettings.Read.All | Delegated | 48638b3c-ad68-4383-8ac4-e6880ee6ca57 |
TeamSettings.ReadWrite.All | Application | bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f |
TeamSettings.ReadWrite.All | Delegated | 39d65650-9d3e-4223-80db-a335590d027e |
TeamsTab.Create | Application | 49981c42-fd7b-4530-be03-e77b21aed25e |
TeamsTab.Create | Delegated | a9ff19c2-f369-4a95-9a25-ba9d460efc8e |
TeamsTab.Read.All | Application | 46890524-499a-4bb2-ad64-1476b4f3e1cf |
TeamsTab.Read.All | Delegated | 59dacb05-e88d-4c13-a684-59f1afc8cc98 |
TeamsTab.ReadWrite.All | Application | a96d855f-016b-47d7-b51c-1218a98d791c |
TeamsTab.ReadWrite.All | Delegated | b98bfd41-87c6-45cc-b104-e2de4f0dafb9 |
TeamsTab.ReadWriteForChat | Delegated | ee928332-e9c2-4747-b4a0-f8c164b68de6 |
TeamsTab.ReadWriteForChat.All | Application | fd9ce730-a250-40dc-bd44-8dc8d20f39ea |
TeamsTab.ReadWriteForTeam | Delegated | c975dd04-a06e-4fbb-9704-62daad77bb49 |
TeamsTab.ReadWriteForTeam.All | Application | 6163d4f4-fbf8-43da-a7b4-060fe85ed148 |
TeamsTab.ReadWriteForUser | Delegated | c37c9b61-7762-4bff-a156-afc0005847a0 |
TeamsTab.ReadWriteForUser.All | Application | 425b4b59-d5af-45c8-832f-bb0b7402348a |
TeamsTab.ReadWriteSelfForChat | Delegated | 0c219d04-3abf-47f7-912d-5cca239e90e6 |
TeamsTab.ReadWriteSelfForChat.All | Application | 9f62e4a2-a2d6-4350-b28b-d244728c4f86 |
TeamsTab.ReadWriteSelfForTeam | Delegated | f266662f-120a-4314-b26a-99b08617c7ef |
TeamsTab.ReadWriteSelfForTeam.All | Application | 91c32b81-0ef0-453f-a5c7-4ce2e562f449 |
TeamsTab.ReadWriteSelfForUser | Delegated | 395dfec1-a0b9-465f-a783-8250a430cb8c |
TeamsTab.ReadWriteSelfForUser.All | Application | 3c42dec6-49e8-4a0a-b469-36cff0d9da93 |
TeamTemplates.Read | Delegated | cd87405c-5792-4f15-92f7-debc0db6d1d6 |
TeamTemplates.Read.All | Application | 6323133e-1f6e-46d4-9372-ac33a0870636 |
Teamwork.Migrate.All | Application | dfb0dd15-61de-45b2-be36-d6a69fba3c79 |
TeamworkAppSettings.Read.All | Application | 475ebe88-f071-4bd7-af2b-642952bd4986 |
TeamworkAppSettings.Read.All | Delegated | 44e060c4-bbdc-4256-a0b9-dcc0396db368 |
TeamworkAppSettings.ReadWrite.All | Application | ab5b445e-8f10-45f4-9c79-dd3f8062cc4e |
TeamworkAppSettings.ReadWrite.All | Delegated | 87c556f0-2bd9-4eed-bd74-5dd8af6eaf7e |
TeamworkDevice.Read.All | Application | 0591bafd-7c1c-4c30-a2a5-2b9aacb1dfe8 |
TeamworkDevice.Read.All | Delegated | b659488b-9d28-4208-b2be-1c6652b3c970 |
TeamworkDevice.ReadWrite.All | Application | 79c02f5b-bd4f-4713-bc2c-a8a4a66e127b |
TeamworkDevice.ReadWrite.All | Delegated | ddd97ecb-5c31-43db-a235-0ee20e635c40 |
TeamworkTag.Read | Delegated | 57587d0b-8399-45be-b207-8050cec54575 |
TeamworkTag.Read.All | Application | b74fd6c4-4bde-488e-9695-eeb100e4907f |
TeamworkTag.ReadWrite | Delegated | 539dabd7-b5b6-4117-b164-d60cd15a8671 |
TeamworkTag.ReadWrite.All | Application | a3371ca5-911d-46d6-901c-42c8c7a937d8 |
TermStore.Read.All | Application | ea047cc2-df29-4f3e-83a3-205de61501ca |
TermStore.Read.All | Delegated | 297f747b-0005-475b-8fef-c890f5152b38 |
TermStore.ReadWrite.All | Application | f12eb8d6-28e3-46e6-b2c0-b7e4dc69fc95 |
TermStore.ReadWrite.All | Delegated | 6c37c71d-f50f-4bff-8fd3-8a41da390140 |
ThreatAssessment.Read.All | Application | f8f035bb-2cce-47fb-8bf5-7baf3ecbee48 |
ThreatAssessment.ReadWrite.All | Delegated | cac97e40-6730-457d-ad8d-4852fddab7ad |
ThreatHunting.Read.All | Application | dd98c7f5-2d42-42d3-a0e4-633161547251 |
ThreatHunting.Read.All | Delegated | b152eca8-ea73-4a48-8c98-1a6742673d99 |
ThreatIndicators.Read.All | Application | 197ee4e9-b993-4066-898f-d6aecc55125b |
ThreatIndicators.Read.All | Delegated | 9cc427b4-2004-41c5-aa22-757b755e9796 |
ThreatIndicators.ReadWrite.OwnedBy | Application | 21792b6c-c986-4ffc-85de-df9da54b52fa |
ThreatIndicators.ReadWrite.OwnedBy | Delegated | 91e7d36d-022a-490f-a748-f8e011357b42 |
ThreatIntelligence.Read.All | Application | e0b77adb-e790-44a3-b0a0-257d06303687 |
ThreatIntelligence.Read.All | Delegated | f266d9c0-ccb9-4fb8-a228-01ac0d8d6627 |
ThreatSubmission.Read | Delegated | fd5353c6-26dd-449f-a565-c4e16b9fce78 |
ThreatSubmission.Read.All | Application | 86632667-cd15-4845-ad89-48a88e8412e1 |
ThreatSubmission.Read.All | Delegated | 7083913a-4966-44b6-9886-c5822a5fd910 |
ThreatSubmission.ReadWrite | Delegated | 68a3156e-46c9-443c-b85c-921397f082b5 |
ThreatSubmission.ReadWrite.All | Application | d72bdbf4-a59b-405c-8b04-5995895819ac |
ThreatSubmission.ReadWrite.All | Delegated | 8458e264-4eb9-4922-abe9-768d58f13c7f |
ThreatSubmissionPolicy.ReadWrite.All | Application | 926a6798-b100-4a20-a22f-a4918f13951d |
ThreatSubmissionPolicy.ReadWrite.All | Delegated | 059e5840-5353-4c68-b1da-666a033fc5e8 |
TrustFrameworkKeySet.Read.All | Application | fff194f1-7dce-4428-8301-1badb5518201 |
TrustFrameworkKeySet.Read.All | Delegated | 7ad34336-f5b1-44ce-8682-31d7dfcd9ab9 |
TrustFrameworkKeySet.ReadWrite.All | Application | 4a771c9a-1cf2-4609-b88e-3d3e02d539cd |
TrustFrameworkKeySet.ReadWrite.All | Delegated | 39244520-1e7d-4b4a-aee0-57c65826e427 |
UnifiedGroupMember.Read.AsGuest | Delegated | 73e75199-7c3e-41bb-9357-167164dbb415 |
User.EnableDisableAccount.All | Application | 3011c876-62b7-4ada-afa2-506cbbecc68c |
User.EnableDisableAccount.All | Delegated | f92e74e7-2563-467f-9dd0-902688cb5863 |
User.Export.All | Application | 405a51b5-8d8d-430b-9842-8be4b0e9f324 |
User.Export.All | Delegated | 405a51b5-8d8d-430b-9842-8be4b0e9f324 |
User.Invite.All | Application | 09850681-111b-4a89-9bed-3f2cae46d706 |
User.Invite.All | Delegated | 63dd7cd9-b489-4adf-a28c-ac38b9a0f962 |
User.ManageIdentities.All | Application | c529cfca-c91b-489c-af2b-d92990b66ce6 |
User.ManageIdentities.All | Delegated | 637d7bec-b31e-4deb-acc9-24275642a2c9 |
User.Read | Delegated | e1fe6dd8-ba31-4d61-89e7-88639da4683d |
User.Read.All | Application | df021288-bdef-4463-88db-98f22de89214 |
User.Read.All | Delegated | a154be20-db9c-4678-8ab7-66f6cc099a59 |
User.ReadBasic.All | Delegated | b340eb25-3456-403f-be2f-af7a0d370277 |
User.ReadWrite | Delegated | b4e74841-8e56-480b-be8b-910348b18b4c |
User.ReadWrite.All | Application | 741f803b-c850-494e-b5df-cde7c675a1ca |
User.ReadWrite.All | Delegated | 204e0828-b5ca-4ad8-b9f3-f32a958e7cc4 |
UserActivity.ReadWrite.CreatedByApp | Delegated | 47607519-5fb1-47d9-99c7-da4b48f369b1 |
UserAuthenticationMethod.Read | Delegated | 1f6b61c5-2f65-4135-9c9f-31c0f8d32b52 |
UserAuthenticationMethod.Read.All | Application | 38d9df27-64da-44fd-b7c5-a6fbac20248f |
UserAuthenticationMethod.Read.All | Delegated | aec28ec7-4d02-4e8c-b864-50163aea77eb |
UserAuthenticationMethod.ReadWrite | Delegated | 48971fc1-70d7-4245-af77-0beb29b53ee2 |
UserAuthenticationMethod.ReadWrite.All | Application | 50483e42-d915-4231-9639-7fdb7fd190e5 |
UserAuthenticationMethod.ReadWrite.All | Delegated | b7887744-6746-4312-813d-72daeaee7e2d |
User-LifeCycleInfo.Read.All | Application | 8556a004-db57-4d7a-8b82-97a13428e96f |
User-LifeCycleInfo.Read.All | Delegated | ed8d2a04-0374-41f1-aefe-da8ac87ccc87 |
User-LifeCycleInfo.ReadWrite.All | Application | 925f1248-0f97-47b9-8ec8-538c54e01325 |
User-LifeCycleInfo.ReadWrite.All | Delegated | 7ee7473e-bd4b-4c9f-987c-bd58481f5fa2 |
UserNotification.ReadWrite.CreatedByApp | Application | 4e774092-a092-48d1-90bd-baad67c7eb47 |
UserNotification.ReadWrite.CreatedByApp | Delegated | 26e2f3e8-b2a1-47fc-9620-89bb5b042024 |
UserShiftPreferences.Read.All | Application | de023814-96df-4f53-9376-1e2891ef5a18 |
UserShiftPreferences.ReadWrite.All | Application | d1eec298-80f3-49b0-9efb-d90e224798ac |
UserTimelineActivity.Write.CreatedByApp | Delegated | 367492fc-594d-4972-a9b5-0d58c622c91c |
VirtualAppointment.Read | Delegated | 27470298-d3b8-4b9c-aad4-6334312a3eac |
VirtualAppointment.Read.All | Application | d4f67ec2-59b5-4bdc-b4af-d78f6f9c1954 |
VirtualAppointment.ReadWrite | Delegated | 2ccc2926-a528-4b17-b8bb-860eed29d64c |
VirtualAppointment.ReadWrite.All | Application | bf46a256-f47d-448f-ab78-f226fff08d40 |
VirtualEvent.Read | Delegated | 6b616635-ae58-433a-a918-8c45e4f304dc |
VirtualEvent.Read.All | Application | 1dccb351-c4e4-4e09-a8d1-7a9ecbf027cc |
WindowsUpdates.ReadWrite.All | Application | 7dd1be58-6e76-4401-bf8d-31d1e8180d5b |
WindowsUpdates.ReadWrite.All | Delegated | 11776c0c-6138-4db3-a668-ee621bea2555 |
WorkforceIntegration.Read.All | Delegated | f1ccd5a7-6383-466a-8db8-1a656f7d06fa |
WorkforceIntegration.ReadWrite.All | Application | 202bf709-e8e6-478e-bcfd-5d63c50b68e3 |
WorkforceIntegration.ReadWrite.All | Delegated | 08c4b377-0d23-4a8b-be2a-23c1c1d88545 |