question

dodoc-1307 asked DanKershaw-5643 answered

Microsoft Graph Permission user.read.all and user.readbasic.all

It's pretty straightforward as to what's included with user.readbasic.all, but if granted user.read.all, what's included in the "full profile" so I can assess the risk of granting this permission? Does it really grant access to everything listed here, including password and password policies?

https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#json-representation


https://docs.microsoft.com/en-us/graph/permissions-reference

User.ReadBasic.All Read all users' basic profiles Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.

User.Read.All Read all users' full profiles Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.

The User.ReadBasic.All permission constrains app access to a limited set of properties known as the basic profile. This is because the full profile might contain sensitive directory information. The basic profile includes only the following properties:

displayName
givenName
mail
photo
surname
userPrincipalName


1 Answer

DanKershaw-5643 answered

Yes - full profile means all the properties on the user object, including password profile and password policies. NOTE: for password profile, the API never returns the user's password. That property is write-only.

Hope this helps,
Dan
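A practical way to act on this answer is to request only the scope the app actually needs and to `$select` only the properties it uses. The script below is an added example, not code from the thread or from Microsoft; it takes the basic-profile property list quoted above as its data and assumes the token's `scp` claim carries only the two scopes discussed here (any other directory scope is ignored).

```python
"""Least-privilege helper for the Microsoft Graph user scopes discussed above.

Given the user properties an app actually reads, decide whether
User.ReadBasic.All is enough or User.Read.All is required, check a token's
scp claim against that need, and build a /users call that $selects only
what the app uses. Added example, not part of the original thread.
"""
from urllib.parse import urlencode

# The "basic profile" exactly as listed in the permissions reference.
BASIC_PROFILE = frozenset({
    "displayName", "givenName", "mail", "photo", "surname", "userPrincipalName",
})

# Delegated scopes in increasing breadth; User.Read.All covers everything
# User.ReadBasic.All covers. (Assumption: other scopes are not modelled.)
SCOPE_RANK = {"User.ReadBasic.All": 0, "User.Read.All": 1}


def least_privilege_scope(props):
    """Return (scope, properties that forced it) for the requested properties."""
    extra = sorted(set(props) - BASIC_PROFILE)
    if extra:
        return "User.Read.All", extra
    return "User.ReadBasic.All", []


def granted_scope_suffices(scp_claim, needed_scope):
    """Check a token's space-separated 'scp' claim against the needed scope."""
    granted = [s for s in scp_claim.split() if s in SCOPE_RANK]
    best = max((SCOPE_RANK[s] for s in granted), default=-1)
    return best >= SCOPE_RANK[needed_scope]


def build_users_url(props, base="https://graph.microsoft.com/v1.0/users"):
    """Build a /users request that $selects only the scalar properties.

    'photo' is a navigation property read from /users/{id}/photo, so it is
    left out of $select rather than breaking the query.
    """
    select = [p for p in props if p != "photo"]
    return f"{base}?{urlencode({'$select': ','.join(select)}, safe=',$')}"


if __name__ == "__main__":
    needed = ["displayName", "mail", "department", "jobTitle"]  # constructed
    scope, why = least_privilege_scope(needed)
    print(f"needs {scope}; beyond basic profile: {why}")
    print(build_users_url(needed))
```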
