Bug? - GraphExplorer using too much permissions from previous authorizations

Kevin Crouch 81 Reputation points
2021-02-10T01:16:57.767+00:00

It looks like Graph Explorer might be using ALL of its authorized scopes to make the query, not just the ones mentioned on the Modify permissions tab. So if you have authorized it for Users.ReadWrite.All or Sites.ReadWrite.All or any other heavy-level permission, and you try to make a query for something that does not need anywhere near that much permission, you might still be persisting those extra perms it needs.

For example:

![image][1]

If you go look at the Access Token tab and open it in jwt.ms, you can see it has me requesting with MANY scopes, some of which I have not been using in the last several weeks or months.

![image][2]
![image][3]

[1]: /api/attachments/65968-image.png?platform=QnA
[2]: /api/attachments/66121-image.png?platform=QnA
[3]: /api/attachments/66131-image.png?platform=QnA


2 answers

  1. Vasil Michev 96,161 Reputation points MVP
    2021-02-10T08:08:42.2+00:00

    The token will always contain all the scopes you've consented to; afaik that's the expected behavior. If you don't like it, you can delete the Graph Explorer entry under Enterprise apps to force a re-consent.


  2. Kevin Crouch 81 Reputation points
    2021-02-10T20:42:27.157+00:00

    Right - the main confusion I had is that you may be testing a query with a permission not in the list, and not realize it is using 15 other scopes aside from the one that you thought it was using.

    Perhaps my expectations were off because when I authenticate to Graph with app-only authentication, I can easily reauthenticate with a different set of permissions than my full permissions. For example, if I am running a Graph query in an Azure Function and using app authentication with a tool like Connect-MgGraph, I would prefer to have it checking with a lower permission only, and then reconnecting at a higher permission if needed:

    ```powershell
    # Connect app-only (certificate auth) asking for just the read scope for the check
    Connect-MgGraph -ClientId $ClientID -CertificateThumbprint $Thumbprint -TenantId $tenant -Verbose -Scope 'User.Read.All'
    Select-MgProfile -Name beta

    # Check the user for correct settings using the User.Read.All (App) permission
    $user = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/users/$($updateUser)" -Method GET -Verbose -ContentType 'application/json'

    if ($changeNeeded) {
        # Only reconnect with the write scopes when a change is actually required
        Connect-MgGraph -ClientId $ClientID -CertificateThumbprint $Thumbprint -TenantId $tenant -Verbose -Scope 'User.ReadWrite.All','MailboxSettings.ReadWrite.All'
        Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/users/$($updateUser)/mailboxsettings" -Method PATCH -Body $patch -Verbose -ContentType 'application/json'
    }
    ```

    Options like this definitely made me think that I was only going to use the permissions that I checked, not all permissions that have ever been consented - like that sneaky email permission down at the bottom, or all of the permissions across all of those collapsed subsets that might have been authorized or admin authorized.

    ![66559-image.png][1]
    ![66548-image.png][2]

    Maybe it would be helpful if there was a tab or message that just showed "You are using X MANY Permissions" or similar? That would have at least prevented my confusion, even if it might make trying to use the least permissions possible an annoying task, with resetting permissions through PowerShell sometimes.

    [1]: /api/attachments/66559-image.png?platform=QnA
    [2]: /api/attachments/66548-image.png?platform=QnA

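One way to see what a token actually carries before running a query, as an added example that is not from this thread: decode the JWT payload the way jwt.ms does (no signature verification) and diff its `scp`/`roles` claims against the permissions the query needs. The sample token below is constructed inline; the claim names are the real ones Azure AD uses, delegated scopes in `scp` and application permissions in `roles`.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def token_permissions(token: str) -> set:
    """Every permission the token carries: delegated scopes live in the
    space-separated 'scp' claim, application permissions in the 'roles' list.
    Payload only; the signature is not verified (inspection, like jwt.ms)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    payload = json.loads(_b64url_decode(parts[1]))
    perms = set(payload.get("scp", "").split())
    perms.update(payload.get("roles", []))
    return perms


def excess_permissions(token: str, needed: set) -> set:
    """Permissions present in the token that the intended query does not need."""
    return token_permissions(token) - set(needed)


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for demonstration only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "sig"])


# Constructed delegated token, shaped like the one Graph Explorer shows on its
# Access Token tab: every previously consented scope is present in 'scp'.
SAMPLE_TOKEN = make_sample_token({
    "aud": "https://graph.microsoft.com",
    "scp": "User.Read User.ReadWrite.All Sites.ReadWrite.All Mail.ReadWrite",
})

if __name__ == "__main__":
    # A GET on /me needs only User.Read; everything else is carried along.
    print(sorted(excess_permissions(SAMPLE_TOKEN, {"User.Read"})))
```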