Microsoft Graph permissions reference

For your app to access data in Microsoft Graph, the user or administrator must grant it the correct permissions via a consent process. This topic lists the permissions associated with each major set of Microsoft Graph APIs. It also provides guidance about how to use the permissions.

To learn more about how permissions work, see Authentication and authorization basics, and watch the following video.

Microsoft Graph permission names

Microsoft Graph permission names follow a simple pattern: resource.operation.constraint. For example, User.Read grants permission to read the profile of the signed-in user, User.ReadWrite grants permission to read and modify the profile of the signed-in user, and Mail.Send grants permission to send mail on behalf of the signed-in user.

The constraint element of the name determines the potential extent of access your app will have within the directory. Currently Microsoft Graph supports the following constraints:

  • All grants permission for the app to perform the operations on all of the resources of the specified type in a directory. For example, User.Read.All potentially grants the app privileges to read the profiles of all of the users in a directory.
  • Shared grants permission for the app to perform the operations on resources that other users have shared with the signed-in user. This constraint is mainly used with Outlook resources like mail, calendars, and contacts. For example, Mail.Read.Shared grants privileges to read mail in the mailbox of the signed-in user as well as mail in mailboxes that other users in the organization have shared with the signed-in user.
  • AppFolder grants permission for the app to read and write files in a dedicated folder in OneDrive. This constraint is only exposed on Files permissions and is only valid for Microsoft accounts.
  • If no constraint is specified, the app is limited to performing the operations on the resources owned by the signed-in user. For example, User.Read grants privileges to read the profile of the signed-in user only, and Mail.Read grants permission to read only mail in the mailbox of the signed-in user.

Note: In delegated scenarios, the effective permissions granted to your app may be constrained by the privileges of the signed-in user in the organization.
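The naming pattern above can be turned into a small parser that is useful when reviewing the scopes an app requests. The following is an added example, not code from the Microsoft Graph documentation: it splits a permission name into resource, operation and constraint using the three constraints the page lists, and flags the scopes that are both tenant-wide (All) and not read-only, which are the ones a least-privilege review should justify first. Treating a trailing segment that is not one of the listed constraints (for example Membership in AccessReview.ReadWrite.Membership) as part of the operation is an assumption of this example.

```python
"""Parse Microsoft Graph permission names (resource.operation.constraint).

Added example; not part of the Microsoft Graph documentation. The
constraint names come from the page; how a trailing segment that is not a
listed constraint (e.g. "Membership") is handled is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constraints listed on the page. Any other trailing segment is kept as
# part of the operation name rather than guessed at.
KNOWN_CONSTRAINTS = {"All", "Shared", "AppFolder"}

# Operations that only read data; every other operation (ReadWrite, Send,
# Manage, Delete, Create, ...) changes state or takes an action.
READ_ONLY_OPERATIONS = {"Read", "ReadBasic"}


@dataclass(frozen=True)
class GraphPermission:
    name: str
    resource: str
    operation: str
    constraint: Optional[str]  # None: limited to the signed-in user's own resources

    @property
    def read_only(self) -> bool:
        return self.operation.split(".")[0] in READ_ONLY_OPERATIONS

    @property
    def tenant_wide(self) -> bool:
        return self.constraint == "All"


def parse_permission(name: str) -> GraphPermission:
    """Split e.g. "Mail.Read.Shared" into ("Mail", "Read", "Shared")."""
    parts = name.strip().split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a resource.operation[.constraint] name: {name!r}")
    resource, rest = parts[0], parts[1:]
    constraint = None
    # Only strip a constraint when something is left over to be the operation.
    if len(rest) > 1 and rest[-1] in KNOWN_CONSTRAINTS:
        constraint = rest.pop()
    return GraphPermission(name.strip(), resource, ".".join(rest), constraint)


def describe(permission: GraphPermission) -> str:
    """Plain-English reach of a permission, following the page's constraint rules."""
    reach = {
        None: "resources owned by the signed-in user",
        "All": "all resources of this type in the directory",
        "Shared": "the user's own resources and those shared with the user",
        "AppFolder": "a dedicated app folder in OneDrive",
    }[permission.constraint]
    kind = "read-only" if permission.read_only else "write/action"
    text = f"{permission.name}: {kind} access to {permission.resource} on {reach}"
    if "." in permission.operation:
        # Assumption: an unlisted trailing segment narrows the operation, not the reach.
        qualifier = permission.operation.split(".", 1)[1]
        text += f" (qualifier '{qualifier}' is not a constraint listed on the page)"
    return text


def broad_write_scopes(scopes: Iterable[str]) -> List[str]:
    """Scopes that are both tenant-wide (All) and not read-only, sorted by name."""
    flagged = [p.name for p in map(parse_permission, scopes)
               if p.tenant_wide and not p.read_only]
    return sorted(flagged)


if __name__ == "__main__":
    # Constructed list resembling the scopes an app manifest might request.
    requested = ["User.Read", "Mail.Send", "User.Read.All",
                 "Application.ReadWrite.All", "Channel.Delete.All",
                 "Mail.Read.Shared", "Files.ReadWrite.AppFolder"]
    for scope in requested:
        print(describe(parse_permission(scope)))
    print("review first:", broad_write_scopes(requested))
```

Run over the scopes in an app registration's manifest, broad_write_scopes gives the short list to discuss with the consenting administrator; the describe output is a reminder that, in delegated scenarios, even an All scope is still bounded by the signed-in user's own privileges.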

Microsoft accounts and work or school accounts

Not all permissions are valid for both Microsoft accounts and work or school accounts. You can check the Microsoft Account Supported column for each permission group to determine whether a specific permission is valid for Microsoft accounts, work or school accounts, or both.

Permissions availability status

Microsoft Graph permissions in the Azure portal are generally available and in GA status for all apps to use, except for a few sets that are in preview or private preview status. Permissions in preview are available to the public; they may change and may not be promoted to GA status. Permissions in private preview status are not and may never become available to the public. Do not use permissions in preview or private preview status in production apps.

User and group search limitations for guest users in organizations

User and group search capabilities allow the app to search for any user or group in an organization's directory by performing queries against the /users or /groups resource set (for example, https://graph.microsoft.com/v1.0/users). Both administrators and users have this capability; however, guest users do not.

If the signed-in user is a guest user, depending on the permissions an app has been granted, it can read the profile of a specific user or group (for example, https://graph.microsoft.com/v1.0/users/241f22af-f634-44c0-9a15-c8cd2cea5531); however, it cannot perform queries against the /users or /groups resource set that potentially return more than a single resource.

With the appropriate permissions, the app can read the profiles of users or groups that it obtains by following links in navigation properties; for example, /users/{id}/directReports or /groups/{id}/members.

Limited information returned for inaccessible member objects

Container objects such as groups support members of various types, for example users and devices. When an application queries the membership of a container object and does not have permission to read a certain type, members of that type are returned but with limited information. The application receives a 200 response and a collection of objects. Complete information is returned for the object types that the application has permissions to read. For the object types which the application does not have permission to read, only the object type and ID are returned.

This applies to all relationships that are of directoryObject type (not just member links). Examples include /groups/{id}/members, /users/{id}/memberOf or /me/ownedObjects.

For example, let's say an application has User.Read.All and Group.Read.All permissions for Microsoft Graph. A group has been created and that group contains a user, a group, and a device. The application calls list group members. The application has access to the user and group objects in the group, but not the device object. In the response, all the selected properties of the user and group objects are returned. For the device object, however, only limited information is returned. The data type and object ID are returned for the device, but all other properties have a value of null. Apps without permission will not be able to use the ID to get the actual object.

GET https://graph.microsoft.com/v1.0/groups/{id}/members?$select=id,displayName,description,createdDateTime,deletedDateTime,homepage,loginUrl HTTP/1.1

The following is the JSON response:

{
    "@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id,displayName,description,createdDateTime,deletedDateTime,homepage,loginUrl)",
    "value":[
        {
            "@odata.type":"#microsoft.graph.user",
            "id":"69d035a3-29c9-469f-809d-d21a4ae69e65",
            "displayName":"Jane Dane",
            "createdDateTime":"2019-09-18T09:06:51Z",
            "deletedDateTime":null
        },
        {
            "@odata.type":"#microsoft.graph.group",
            "id":"c43a7cc9-2d95-44b6-bf6a-6392e41949b4",
            "displayName":"Group 1",
            "description":null,
            "createdDateTime":"2019-10-24T01:34:35Z",
            "deletedDateTime":null
        },
        {
            "@odata.type":"#microsoft.graph.device",
            "id":"d282309e-f91d-43b6-badb-9e68aa4b4fc8",
            "accountEnabled":null,
            "deviceId":null,
            "displayName":null,
            "operatingSystem":null,
            "operatingSystemVersion":null
        }
    ]
}
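Because the response is still a 200 with a full-looking collection, code that iterates members needs to recognise the limited-information objects explicitly rather than treating null properties as real values or trying to fetch those IDs. The following is an added example, not code from the Microsoft Graph documentation: it uses the sample response above, treats a member as limited when every property other than @odata.type and id is null, and reports which object types the app could not read. The rule "all remaining properties null means inaccessible" is taken from the page; applying it to members that carry no properties at all beyond type and id is an assumption.

```python
"""Separate readable members from limited-information members in a Microsoft
Graph membership response. Added example, not from the Graph documentation."""
from typing import Dict, List, Tuple

# Properties Graph returns even for object types the caller cannot read.
ALWAYS_RETURNED = {"@odata.type", "id"}

# The sample response from the page: list group members with $select, where the
# app holds User.Read.All and Group.Read.All but no permission for devices.
SAMPLE_RESPONSE: Dict = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects"
                      "(id,displayName,description,createdDateTime,deletedDateTime,homepage,loginUrl)",
    "value": [
        {
            "@odata.type": "#microsoft.graph.user",
            "id": "69d035a3-29c9-469f-809d-d21a4ae69e65",
            "displayName": "Jane Dane",
            "createdDateTime": "2019-09-18T09:06:51Z",
            "deletedDateTime": None,
        },
        {
            "@odata.type": "#microsoft.graph.group",
            "id": "c43a7cc9-2d95-44b6-bf6a-6392e41949b4",
            "displayName": "Group 1",
            "description": None,
            "createdDateTime": "2019-10-24T01:34:35Z",
            "deletedDateTime": None,
        },
        {
            "@odata.type": "#microsoft.graph.device",
            "id": "d282309e-f91d-43b6-badb-9e68aa4b4fc8",
            "accountEnabled": None,
            "deviceId": None,
            "displayName": None,
            "operatingSystem": None,
            "operatingSystemVersion": None,
        },
    ],
}


def is_limited(member: Dict) -> bool:
    """True when every property other than type and id is null, which is how
    Graph signals that the caller lacks permission for this object type.
    A member with nothing beyond type and id is also treated as limited
    (assumption: there is nothing readable in it either way)."""
    others = {k: v for k, v in member.items() if k not in ALWAYS_RETURNED}
    return all(v is None for v in others.values())


def partition_members(response: Dict) -> Tuple[List[Dict], List[Dict]]:
    """Split the "value" collection into (readable, limited) members."""
    readable: List[Dict] = []
    limited: List[Dict] = []
    for member in response.get("value", []):
        (limited if is_limited(member) else readable).append(member)
    return readable, limited


def unreadable_types(response: Dict) -> List[str]:
    """Sorted object types the app could not read. Use this to decide which
    permission is missing, and do not try to GET these IDs with the current
    token: the page notes the ID cannot be used to fetch the object."""
    _, limited = partition_members(response)
    return sorted({m.get("@odata.type", "<unknown>") for m in limited})


if __name__ == "__main__":
    readable, limited = partition_members(SAMPLE_RESPONSE)
    for m in readable:
        print("readable:", m["@odata.type"], m["id"], m.get("displayName"))
    for m in limited:
        print("limited: ", m["@odata.type"], m["id"])
    print("types the app lacks permission for:", unreadable_types(SAMPLE_RESPONSE))
```

Note that the group object has a null description but a real displayName, so it is correctly kept on the readable side; only an object whose every selected property is null is classified as inaccessible.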

Access reviews permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
AccessReview.Read.All Read all access reviews Allows the app to read access reviews on behalf of the signed-in user. Yes No
AccessReview.ReadWrite.All Manage all access reviews Allows the app to read and write access reviews on behalf of the signed-in user. Yes No
AccessReview.ReadWrite.Membership Manage access reviews for group and app memberships Allows the app to read and write access reviews of groups and apps on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required
AccessReview.Read.All Read all access reviews Allows the app to read access reviews without a signed-in user. Yes
AccessReview.ReadWrite.Membership Manage access reviews for group and app memberships Allows the app to manage access reviews of groups and apps without a signed-in user. Yes

Remarks

AccessReview.Read.All, AccessReview.ReadWrite.All and AccessReview.ReadWrite.Membership are valid only for work or school accounts.

For an app with delegated permissions to read access reviews of a group or app, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or User Administrator. For an app with delegated permissions to write access reviews of a group or app, the signed-in user must be a member of one of the following administrator roles: Global Administrator or User Administrator.

For an app with delegated permissions to read access reviews of an Azure AD role, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or Privileged Role Administrator. For an app with delegated permissions to write access reviews of an Azure AD role, the signed-in user must be a member of one of the following administrator roles: Global Administrator or Privileged Role Administrator.

For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.


Administrative units permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
AdministrativeUnit.Read.All Read administrative units Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user. Yes No
AdministrativeUnit.ReadWrite.All Read and write administrative units Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required
AdministrativeUnit.Read.All Read all administrative units Allows the app to read administrative units and administrative unit membership without a signed-in user. Yes
AdministrativeUnit.ReadWrite.All Read and write all administrative units Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user. Yes

Remarks

With the AdministrativeUnit.Read.All permission an application can read administrative unit information including members.

With the AdministrativeUnit.ReadWrite.All permission an application can create, read, update, and delete administrative unit information including members.

AdministrativeUnit.Read.All and AdministrativeUnit.ReadWrite.All are valid only for work or school accounts.

Example usage

  • AdministrativeUnit.Read.All: Read administrative units (GET /beta/administrativeUnits)
  • AdministrativeUnit.Read.All: Read members list of an administrative unit (GET /beta/administrativeUnits/<id>/members)
  • AdministrativeUnit.ReadWrite.All: Create an administrative unit (POST /beta/administrativeUnits)
  • AdministrativeUnit.ReadWrite.All: Update an administrative unit (PATCH /beta/administrativeUnits/<id>)
  • AdministrativeUnit.ReadWrite.All: Add members to an administrative unit (POST /beta/administrativeUnits/<id>/members)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Analytics resource permissions

Delegated permissions

Permission Display String Description Admin Consent Required
Analytics.Read Read user activity statistics. Allows the app to read the signed-in user's activity statistics, such as how much time the user has spent on emails, in meetings, or in chat sessions. No

Application permissions

None.

Example usage

Delegated

Application

None.


AppCatalog resource permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
AppCatalog.Read.All Read all app catalogs Allows the app to read the apps in the app catalogs. No No
AppCatalog.ReadWrite.All Read and write to all app catalogs Allows the app to create, read, update, and delete apps in the app catalogs. Yes No

Application permissions

None.

Remarks

Currently the only catalog is the list of applications in Microsoft Teams.

Example usage

Delegated

Application

None.


Application resource permissions

Delegated permissions

Permission Display String Description Admin Consent Required
Application.Read.All Read applications Allows the app to read applications and service principals on behalf of the signed-in user. Yes
Application.ReadWrite.All Read and write all apps Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. Yes
AppRoleAssignment.ReadWrite.All Manage app permission grants and app role assignments Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. Yes

Application permissions

Permission Display String Description Admin Consent Required
Application.Read.All Read applications Allows the app to read applications and service principals without a signed-in user. Yes
Application.ReadWrite.All Read and write all apps Allows the calling app to create, and manage (read, update, update application secrets and delete) applications and service principals without a signed-in user. Does not allow management of consent grants or application assignments to users or groups. Yes
Application.ReadWrite.OwnedBy Manage apps that this app creates or owns Allows the calling app to create other applications and service principals, and fully manage those applications and service principals (read, update, update application secrets and delete), without a signed-in user. It cannot update any applications that it is not an owner of. Does not allow management of consent grants or application assignments to users or groups. Yes
AppRoleAssignment.ReadWrite.All Manage app permission grants and app role assignments Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. Yes

Remarks

The Application.ReadWrite.OwnedBy permission allows the same operations as Application.ReadWrite.All except that the former allows these operations only on applications and service principals that the calling app is an owner of. Ownership is indicated by the owners navigation property on the target application or service principal resource.

NOTE: Using the Application.ReadWrite.OwnedBy permission to call GET /applications to list applications will fail with a 403. Instead use GET /servicePrincipals/{id}/ownedObjects to list the applications owned by the calling application.

Example usage

Delegated

  • Application.Read.All: List all applications (GET /beta/applications)
  • Application.ReadWrite.All: Update a service principal (PATCH /beta/servicePrincipals/{id})

Application

  • Application.Read.All: List all applications (GET /beta/applications)
  • Application.ReadWrite.All: Delete a service principal (DELETE /beta/servicePrincipals/{id})
  • Application.ReadWrite.OwnedBy: Create an application (POST /beta/applications)
  • Application.ReadWrite.OwnedBy: List all applications owned by the calling application (GET /beta/servicePrincipals/{id}/ownedObjects)
  • Application.ReadWrite.OwnedBy: Add another owner to an owned application (POST /applications/{id}/owners/$ref).

NOTE: This may require additional permissions.


Bookings permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Bookings.Read.All Allows an app to read Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Intended for read-only applications. Typical target user is the customer of a booking business. No No
BookingsAppointment.ReadWrite.All Allows an app to read and write Bookings appointments and customers, and additionally allows reading businesses, services, and staff on behalf of the signed-in user. Intended for scheduling applications which need to manipulate appointments and customers. Cannot change fundamental information about the booking business, nor its services and staff members. Typical target user is the customer of a booking business. No No
Bookings.ReadWrite.All Allows an app to read and write Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete, or publish of Bookings businesses. Intended for management applications that manipulate existing businesses, their services and staff members. Cannot create, delete, or change the publishing status of a booking business. Typical target user is the support staff of an organization. No No
Bookings.Manage.All Allows an app to read, write, and manage Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Allows the app to have full access. Intended for a full management experience. Typical target user is the administrator of an organization. No No

Application permissions

None.

Example usage

Delegated

  • Bookings.Read.All: Get the ID and names of the collection of Bookings businesses that has been created for a tenant (GET /bookingBusinesses).
  • BookingsAppointment.ReadWrite.All: Create an appointment for a service at a Bookings business (POST /bookingBusinesses/{id}/appointments).
  • Bookings.ReadWrite.All: Create a new service for the specified Bookings business (POST /bookingBusinesses/{id}/services).
  • Bookings.Manage.All: Make the scheduling page of this business available to external customers (POST /bookingBusinesses/{id}/publish).

Calendars permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Calendars.Read Read user calendars Allows the app to read events in user calendars. No Yes
Calendars.Read.Shared Read user and shared calendars Allows the app to read events in all calendars that the user can access, including delegate and shared calendars. No No
Calendars.ReadWrite Have full access to user calendars Allows the app to create, read, update, and delete events in user calendars. No Yes
Calendars.ReadWrite.Shared Read and write user and shared calendars Allows the app to create, read, update and delete events in all calendars the user has permissions to access. This includes delegate and shared calendars. No No

Application permissions

Permission Display String Description Admin Consent Required
Calendars.Read Read calendars in all mailboxes Allows the app to read events of all calendars without a signed-in user. Yes
Calendars.ReadWrite Read and write calendars in all mailboxes Allows the app to create, read, update, and delete events of all calendars without a signed-in user. Yes

Important Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the application permissions of Calendars.Read or Calendars.ReadWrite.

Example usage

Delegated

  • Calendars.Read: Get events on the user's calendar between April 23, 2017 and April 29, 2017 (GET /me/calendarView?startDateTime=2017-04-23T00:00:00&endDateTime=2017-04-29T00:00:00).
  • Calendars.Read.Shared: Find meeting times where all attendees are available (POST /users/{id|userPrincipalName}/findMeetingTimes).
  • Calendars.ReadWrite: Add an event to the user's calendar (POST /me/events).

Application

  • Calendars.Read: Find events in a conference room's calendar organized by bob@contoso.com (GET /users/{id | userPrincipalName}/events?$filter=organizer/emailAddress/address eq 'bob@contoso.com').
  • Calendars.Read: List all events on a user's calendar for the month of May (GET /users/{id | userPrincipalName}/calendarView?startDateTime=2017-05-01T00:00:00&endDateTime=2017-06-01T00:00:00)
  • Calendars.ReadWrite: Add an event to a user's calendar for approved time off (POST /users/{id | userPrincipalName}/events).
  • Calendars.Send: Send a message (POST /users/{id | userPrincipalName}/sendCalendars).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Channel permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Channel.ReadBasic.All Read the names and descriptions of channels. Read channel names and channel descriptions, on behalf of the signed-in user. No No
Channel.Create Create channels. Create channels in any team, on behalf of the signed-in user. Yes No
Channel.Delete.All Delete channels. Delete channels in any team, on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Channel.ReadBasic.All Read the names and descriptions of all channels. Read all channel names and channel descriptions, without a signed-in user. Yes No
Channel.Create Create channels. Create channels in any team, without a signed-in user. Yes No
Channel.Delete.All Delete channels. Delete channels in any team, without a signed-in user. Yes No

Channel settings permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ChannelSettings.Read.All Read the names, descriptions, and settings of channels. Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user. Yes No
ChannelSettings.ReadWrite.All Read and write the names, descriptions, and settings of channels. Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ChannelSettings.Read.All Read the names, descriptions, and settings of all channels. Read all channel names, channel descriptions, and channel settings, without a signed-in user. Yes No
ChannelSettings.ReadWrite.All Read and write the names, descriptions, and settings of all channels. Read and write the names, descriptions, and settings of all channels, without a signed-in user. Yes No

Calls permissions

Delegated permissions

None.


Application permissions

Permission Display String Description Admin Consent Required
Calls.Initiate.All Initiate outgoing 1:1 calls from the app (preview) Allows the app to place outbound calls to a single user and transfer calls to users in your organization’s directory, without a signed-in user. Yes
Calls.InitiateGroupCall.All Initiate outgoing group calls from the app (preview) Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a signed-in user. Yes
Calls.JoinGroupCall.All Join group calls and meetings as an app (preview) Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined with the privileges of a directory user to meetings in your tenant. Yes
Calls.JoinGroupCallAsGuest.All Join group calls and meetings as a guest (preview) Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined as a guest to meetings in your tenant. Yes
Calls.AccessMedia.All* Access media streams in a call as an app (preview) Allows the app to get direct access to media streams in a call, without a signed-in user. Yes

*Important: You may NOT use the Cloud Communications APIs to record or otherwise persist media content from calls or meetings that your application accesses, or data derived from that media content. Make sure that you are compliant with the laws and regulations in your area regarding data protection and confidentiality of communications. Please see the Terms of Use and consult with your legal counsel for more information.


Example usage

Application

  • Calls.Initiate.All: Make a peer-to-peer call from the application to a user in the organization (POST /beta/communications/calls).
  • Calls.InitiateGroupCall.All: Make a group call from the application to a group of users in the organization (POST /beta/communications/calls).
  • Calls.JoinGroupCall.All: Join a group call or online meeting from the application (POST /beta/communications/calls).
  • Calls.JoinGroupCallAsGuest.All: Join a group call or online meeting from the application, but the application only has guest privileges in the meeting (POST /beta/communications/calls).
  • Calls.AccessMedia.All: Create or join a call and the app gets direct access to participant media streams in the call (POST /beta/communications/calls).

Note: For request examples, see Create call.

For more complex scenarios involving multiple permissions, see Permission scenarios.

Call records permissions

Delegated permissions

None.


Application permissions

Permission Display String Description Admin Consent Required
CallRecords.Read.All Read all call records Allows the app to read call records for all calls and online meetings without a signed-in user. Yes

Remarks

The CallRecords.Read.All permission grants an application privileged access to callRecords for every call and online meeting within your organization, including calls to and from external phone numbers. This includes potentially sensitive details about who participated in the call, as well as technical information pertaining to these calls and meetings that can be used for network troubleshooting, such as IP addresses, device details, and other network information.

Important: Discretion should be used when granting this permission to applications. Call records can provide insights into the operation of your business, and so can be a target for malicious actors. Only grant this permission to applications you trust to meet your data protection requirements.

Important: Make sure that you are compliant with the laws and regulations in your area regarding data protection and confidentiality of communications. Please see the Terms of Use and consult with your legal counsel for more information.


Example usage

Application

  • CallRecords.Read.All: Retrieve a call record (GET /v1.0/communications/callRecords/{id}).
  • CallRecords.Read.All: Subscribe to new call records (POST /v1.0/subscriptions).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Channel member permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ChannelMember.Read.All Read the members of channels. Read the members of channels, on behalf of the signed-in user. Yes No
ChannelMember.ReadWrite.All Add and remove members from channels. Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ChannelMember.Read.All Read the members of all channels. Read the members of all channels, without a signed-in user. Yes No
ChannelMember.ReadWrite.All Add and remove members from all channels. Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner. Yes No

Channel message permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ChannelMessage.Delete (private preview) Delete user's channel messages Allows an app to delete channel messages in Microsoft Teams, on behalf of the signed-in user. Yes No
ChannelMessage.Edit (private preview) Edit user's channel messages Allows an app to edit channel messages in Microsoft Teams, on behalf of the signed-in user. Yes No
ChannelMessage.Read.All Read user channel messages Allows an app to read a channel's messages in Microsoft Teams, on behalf of the signed-in user. Yes No
ChannelMessage.Send Send channel messages Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ChannelMessage.Read.All Read all channel messages Allows the app to read all channel messages in Microsoft Teams, without a signed-in user. Yes No
ChannelMessage.UpdatePolicyViolation.All Flag channel messages for violating policy Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. Yes No

Note: See also Group.Read.All.

Chats permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Chat.Read Read your chat messages Allows an app to read your 1:1 or group chat messages in Microsoft Teams, on your behalf. No No
Chat.ReadBasic Read names and members of user chat threads Allows an app to read the members and descriptions of 1:1 and group chats threads, on behalf of the signed-in user. No No
Chat.ReadWrite Read your chat messages and send new ones Allows an app to read and send your 1:1 or group chat messages in Microsoft Teams, on your behalf. No No
Chat.Send (private preview) Send user chat messages Allows an app to send 1:1 and group chat messages in Microsoft Teams, on behalf of the signed-in user. No No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Chat.Read.All Read all chat messages Allows the app to read all 1:1 or group chat messages in Microsoft Teams, without a signed-in user. Yes No
Chat.ReadBasic.All Read names and members of user chat threads Read names and members of all chat threads. No No
Chat.UpdatePolicyViolation.All Flag chat messages for violating policy Allows the app to update Microsoft Teams 1:1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. Yes No
Chat.Send.All (private preview) Send user chat messages Allows an app to send 1:1 and group chat messages in Microsoft Teams without a signed-in user. No No

Note: For messages in a channel, see ChannelMessage permissions.

ChatMessage permissions (private preview)

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ChatMessage.Send (private preview) Send user chat messages Allows an app to send 1:1 and group chat messages in Microsoft Teams, on behalf of the signed-in user. No No

Cloud printing permissions

Application permissions

Permission Display String Description Admin Consent Required
Printer.ReadWrite.All Read and update printers Allows the application to read and update printers without a signed-in user. Does not allow creating (registering) or deleting (unregistering) printers. Yes
PrintJob.Read.All Read print jobs Allows the application to read the metadata and document content of print jobs without a signed-in user. Yes
PrintJob.ReadBasic.All Read basic information for print jobs Allows the application to read the metadata of print jobs without a signed-in user. Does not allow access to print job document content. Yes
PrintJob.ReadWrite.All Read and write print jobs Allows the application to read and update the metadata and document content of print jobs without a signed-in user. Yes
PrintJob.ReadWriteBasic.All Read and write basic information for print jobs Allows the application to read and update the metadata of print jobs without a signed-in user. Does not allow access to print job document content. Yes

Contacts permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Contacts.Read Read user contacts  Allows the app to read user contacts. No Yes
Contacts.Read.Shared Read user and shared contacts Allows the app to read contacts that the user has permissions to access, including the user's own and shared contacts.  No No
Contacts.ReadWrite Have full access to user contacts Allows the app to create, read, update, and delete user contacts. No Yes
Contacts.ReadWrite.Shared Read and write user and shared contacts Allows the app to create, read, update and delete contacts that the user has permissions to, including the user's own and shared contacts. No No

Application permissions

Permission Display String Description Admin Consent Required
Contacts.Read Read contacts in all mailboxes  Allows the app to read all contacts in all mailboxes without a signed-in user.  Yes
Contacts.ReadWrite Read and write contacts in all mailboxes Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. Yes

Important: Administrators can configure application access policy to limit app access to specific mailboxes and not all the mailboxes in the organization, even if the app has been granted the application permissions of Contacts.Read or Contacts.ReadWrite.

Example usage

Delegated

  • Contacts.Read: Read a contact from one of the top-level contact folders of the signed-in user (GET /me/contactfolders/{Id}/contacts/{id}).
  • Contacts.ReadWrite: Update the contact photo of one of the signed-in user's contacts (PUT /me/contactfolders/{contactFolderId}/contacts/{id}/photo/$value).
  • Contacts.ReadWrite: Add contacts to the root folder of the signed-in user (POST /me/contacts).

Application

  • Contacts.Read: Read contacts from one of the top-level contact folders of any user in the organization (GET /users/{id | userPrincipalName}/contactfolders/{Id}/contacts/{id}).
  • Contacts.ReadWrite: Update the photo for any contact of any user in an organization (PUT /users/{id | userPrincipalName}/contactfolders/{contactFolderId}/contacts/{id}/photo/$value).
  • Contacts.ReadWrite: Add contacts to the root folder of any user in the organization (POST /users/{id | userPrincipalName}/contacts).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Device permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Device.Read Read user devices Allows the app to read a user's list of devices on behalf of the signed-in user. No Yes
Device.Command Communicate with user devices Allows the app to launch another app or communicate with another app on a user's device on behalf of the signed-in user. No Yes

Application permissions

Permission Display String Description Admin Consent Required
Device.ReadWrite.All Read and write devices Allows the app to read and write all device properties without a signed-in user. Does not allow device creation, device deletion, or update of device alternative security identifiers. Yes

Example usage

Application

  • Device.ReadWrite.All: Read all registered devices in the organization (GET /devices).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Directory permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Directory.Read.All Read directory data Allows the app to read data in your organization's directory, such as users, groups and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization’s tenant. Yes No
Directory.ReadWrite.All Read and write directory data Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords. Yes No
Directory.AccessAsUser.All Access directory as the signed-in user Allows the app to have the same access to information in the directory as the signed-in user. Yes No
PrivilegedAccess.ReadWrite.AzureAD Read and write Privileged Identity Management data for Directory Allows the app to have read and write access to Privileged Identity Management APIs for Azure AD. Yes No
PrivilegedAccess.ReadWrite.AzureResources Read and write Privileged Identity Management data for Azure Resources Allows the app to have read and write access to Privileged Identity Management APIs for Azure resources. Yes No

Application permissions

Permission Display String Description Admin Consent Required
Directory.Read.All Read directory data Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. Yes
Directory.ReadWrite.All Read and write directory data Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. Yes

Remarks

Directory permissions provide the highest level of privilege for accessing directory resources such as User, Group, and Device in an organization.

They also exclusively control access to other directory resources like: organizational contacts, schema extension APIs, Privileged Identity Management (PIM) APIs, as well as many of the resources and APIs listed under the Azure Active Directory node in the v1.0 and beta API reference documentation. These include administrative units, directory roles, directory settings, policy, and many more.

The Directory.ReadWrite.All permission grants the following privileges:

  • Full read of all directory resources (both declared properties and navigation properties)
  • Create and update users
  • Disable and enable users (but not company administrator)
  • Set user alternative security id (but not administrators)
  • Create and update groups
  • Manage group memberships
  • Update group owner
  • Manage license assignments
  • Define schema extensions on applications

Note:

  • No rights to reset user passwords.
  • Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.
  • No rights to delete resources (including users or groups).
  • Specifically excludes create or update for resources not listed above. This includes: application, oAuth2PermissionGrant, appRoleAssignment, device, servicePrincipal, organization, domains, and so on.

Example usage

Delegated

  • Directory.Read.All: List all administrative units in an organization (GET /beta/administrativeUnits)
  • Directory.ReadWrite.All: Add members to a directory role (POST /directoryRoles/{id}/members/$ref)

Application

  • Directory.Read.All: List all memberships of a user, including directory roles and administrative units (GET /beta/users/{id}/memberOf)
  • Directory.Read.All: List all group members, including service principals (GET /beta/groups/{id}/members)
  • Directory.ReadWrite.All: Add an owner to a group (POST /groups/{id}/owners/$ref)

For more complex scenarios involving multiple permissions, see Permission scenarios.
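As an added example that is not part of this reference, the Python below ranks the names in a consent grant's scope string using the resource.operation.constraint naming pattern and the Directory remarks above, so that tenant-wide write permissions surface first in a review; the sample scope string, the level scale and the function names are assumptions of the example.

```python
"""Rank the permissions in a Microsoft Graph consent scope string.

Added example, not code from the Microsoft Graph documentation. Assumes the
input is a space-separated list of delegated permission names, as recorded
in the `scope` value of a consent grant, and ranks each name by the access
its resource.operation.constraint pattern implies.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Names whose descriptions in this reference amount to tenant-wide write
# access or user-impacting actions; they rank above every other name.
TENANT_WIDE_WRITE = frozenset({
    "Directory.ReadWrite.All",
    "Directory.AccessAsUser.All",
    "PrivilegedAccess.ReadWrite.AzureAD",
    "PrivilegedAccess.ReadWrite.AzureResources",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
})

# Assumed review scale; it is not the Admin Consent Required column.
LEVEL_NAMES = {
    0: "read, signed-in user's own resources",
    1: "read, beyond the signed-in user's own resources",
    2: "write, signed-in user's own resources",
    3: "write, beyond the signed-in user's own resources",
    4: "tenant-wide write or privileged action",
}


@dataclass(frozen=True)
class Permission:
    name: str
    resource: str
    operation: str
    constraint: Optional[str]  # None when the name has no constraint part


def parse_permission(name: str) -> Optional[Permission]:
    """Split resource.operation[.constraint]; None for names outside the
    pattern, such as the OpenID Connect scopes openid or offline_access."""
    parts = name.split(".")
    if len(parts) not in (2, 3) or not all(parts):
        return None
    constraint = parts[2] if len(parts) == 3 else None
    return Permission(name, parts[0], parts[1], constraint)


def is_write(perm: Permission) -> bool:
    """Read and ReadBasic only read; ReadWrite*, Send, Create, Command and
    any other operation verb changes state or acts for the user."""
    op = perm.operation
    return op.startswith("ReadWrite") or not op.startswith("Read")


def level(perm: Permission) -> int:
    """0..4 per LEVEL_NAMES. All and Shared widen the scope beyond the
    signed-in user's own resources; AppFolder and Selected narrow it."""
    if perm.name in TENANT_WIDE_WRITE:
        return 4
    broad = perm.constraint in ("All", "Shared")
    return (2 if is_write(perm) else 0) + (1 if broad else 0)


def triage(scope: str) -> List[Tuple[str, int, str]]:
    """(name, level, label) triples, most privileged first, then by name."""
    rows = []
    for name in scope.split():
        perm = parse_permission(name)
        if perm is None:
            rows.append((name, 0, "not a resource.operation name"))
            continue
        lvl = level(perm)
        rows.append((name, lvl, LEVEL_NAMES[lvl]))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def has_broad_write(scope: str) -> bool:
    """True when any name writes beyond the signed-in user's own resources."""
    return any(lvl >= 3 for _, lvl, _ in triage(scope))


if __name__ == "__main__":
    # Constructed scope string, as a consent grant might record it.
    sample = ("openid profile User.Read Mail.Read.Shared "
              "Files.ReadWrite.AppFolder GroupMember.ReadWrite.All "
              "Directory.ReadWrite.All")
    for name, lvl, label in triage(sample):
        print(f"{lvl}  {name:45s} {label}")
```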


Domain permissions

Application permissions

Permission Display String Description Admin Consent Required
Domain.ReadWrite.All Read and write domains Allows the app to read and write domains without a signed-in user. Yes

Education permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
EduAdministration.Read Read education app settings Allows the app to read education app settings on behalf of the user. Yes No
EduAdministration.ReadWrite Manage education app settings Allows the app to manage education app settings on behalf of the user. Yes No
EduAssignments.ReadBasic Read users' class assignments without grades Allows the app to read assignments without grades on behalf of the user Yes No
EduAssignments.ReadWriteBasic Read and write users' class assignments without grades Allows the app to read and write assignments without grades on behalf of the user Yes No
EduAssignments.Read Read users' view of class assignments and their grades Allows the app to read assignments and their grades on behalf of the user Yes No
EduAssignments.ReadWrite Read and write users' view of class assignments and their grades Allows the app to read and write assignments and their grades on behalf of the user Yes No
EduRoster.ReadBasic Read a limited subset of users' view of the roster Allows the app to read a limited subset of the properties from the structure of schools and classes in an organization's roster and a limited subset of properties about users to be read on behalf of the user. Includes name, status, education role, email address and photo. Yes No
EduRoster.Read Read users' view of the roster Allows the app to read the structure of schools and classes in an organization's roster and education-specific information about users to be read on behalf of the user. Yes
EduRoster.ReadWrite Read and write users' view of the roster Allows the app to read and write the structure of schools and classes in an organization's roster and education-specific information about users to be read and written on behalf of the user. Yes

Application permissions

Permission Display String Description Admin Consent Required
EduAdministration.Read.All Read Education app settings Read the state and settings of all Microsoft education apps on behalf of the user Yes
EduAdministration.ReadWrite.All Manage education app settings Manage the state and settings of all Microsoft education apps on behalf of the user Yes
EduAssignments.ReadBasic.All Read class assignments without grades Allows the app to read assignments without grades for all users Yes
EduAssignments.ReadWriteBasic.All Read and write class assignments without grades Allows the app to read and write assignments without grades for all users Yes
EduAssignments.Read.All Read class assignments with grades Allows the app to read assignments and their grades for all users Yes
EduAssignments.ReadWrite.All Read and write class assignments with grades Allows the app to read and write assignments and their grades for all users Yes
EduRoster.ReadBasic.All Read a limited subset of the organization's roster. Allows the app to read a limited subset of both the structure of schools and classes in an organization's roster and education-specific information about all users. Yes
EduRoster.Read.All Read the organization's roster. Allows the app to read the structure of schools and classes in the organization's roster and education-specific information about all users to be read. Yes
EduRoster.ReadWrite.All Read and write the organization's roster. Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific information about all users to be read and written. Yes

Example usage

Delegated

  • EduAssignments.Read: Get the signed-in student's assignment information (GET /education/classes/{id}/assignments/{id})
  • EduAssignments.ReadWriteBasic: Submit signed-in student assignment (GET /education/classes/{id}/assignments/{id}/submit)
  • EduRoster.ReadBasic: Classes a signed-in user attends or teaches (GET /education/classes/{id}/members)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Entitlement management permissions

Delegated permissions

Permission Display String Description Admin Consent Required
EntitlementManagement.ReadWrite.All Read and write entitlement management resources Allows the app to request access to read and manage access packages and related entitlement management resources on behalf of the signed-in user. Yes
EntitlementManagement.Read.All Read entitlement management resources Allows the app to request access to read access packages and related entitlement management resources on behalf of the signed-in user. Yes

Files permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Files.Read Read user files Allows the app to read the signed-in user's files. No Yes
Files.Read.All Read all files that user can access Allows the app to read all files the signed-in user can access. No Yes
Files.ReadWrite Have full access to user files Allows the app to read, create, update, and delete the signed-in user's files. No Yes
Files.ReadWrite.All Have full access to all files user can access Allows the app to read, create, update, and delete all files the signed-in user can access. No Yes
Files.ReadWrite.AppFolder Have full access to the application's folder (preview) (Preview) Allows the app to read, create, update, and delete files in the application's folder. No No
Files.Read.Selected Read files that the user selects Limited support in Microsoft Graph; see Remarks. (Preview) Allows the app to read files that the user selects. The app has access for several hours after the user selects a file. No No
Files.ReadWrite.Selected Read and write files that the user selects Limited support in Microsoft Graph; see Remarks. (Preview) Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file. No No

Application permissions

Permission Display String Description Admin Consent Required
Files.Read.All Read files in all site collections Allows the app to read all files in all site collections without a signed-in user. Yes
Files.ReadWrite.All Read and write files in all site collections Allows the app to read, create, update, and delete all files in all site collections without a signed-in user. Yes

Remarks

Note: For personal accounts, Files.Read and Files.ReadWrite also grant access to files shared with the signed-in user.

The Files.Read.Selected and Files.ReadWrite.Selected delegated permissions are only valid on work or school accounts and are only exposed for working with Office 365 file handlers (v1.0). They should not be used for directly calling Microsoft Graph APIs.

The Files.ReadWrite.AppFolder delegated permission is only valid for personal accounts and is used for accessing the App Root special folder with the OneDrive Get special folder Microsoft Graph API.

Example usage

Delegated

  • Files.Read: Read files stored in the signed-in user's OneDrive (GET /me/drive/root/children)
  • Files.Read.All: Read files shared with the signed-in user (GET /me/drive/root/sharedWithMe)
  • Files.ReadWrite: Write a file in the signed-in user's OneDrive (PUT /me/drive/root/children/filename.txt/content)
  • Files.ReadWrite.All: Write a file shared with the user (PUT /users/rgregg@contoso.com/drive/root/children/file.txt/content)
  • Files.ReadWrite.AppFolder: Write files into the app's folder in OneDrive (PUT /me/drive/special/approot/children/file.txt/content)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Financials permissions

Delegated permissions

Permission Display String Description Admin Consent Required
Financials.ReadWrite.All Read and write financials data Allows the app to read and write financials data on behalf of the signed-in user No

Group permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Group.Read.All Read all groups Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. Yes No
Group.ReadWrite.All Read and write all groups Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Also allows the app to read and write calendar, conversations, files, and other group content for all groups the signed-in user can access. Additionally allows group owners to manage their groups and allows group members to update group content. Yes No
GroupMember.Read.All Read group memberships Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to. Yes No
GroupMember.ReadWrite.All Read and write group memberships Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted. Yes No

Application permissions

Permission Display String Description Admin Consent Required
Group.Read.All Read all groups Allows the app to read memberships for all groups without a signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups. Note: Not all group APIs support access using app-only permissions. See known issues for examples. Yes
Group.ReadWrite.All Read and write all groups Allows the app to create groups, read and update group memberships, and delete groups. Also allows the app to read and write calendar, conversations, files, and other group content for all groups. All of these operations can be performed by the app without a signed-in user. Note: Not all group APIs support access using app-only permissions. See known issues for examples. Yes
Group.Selected Access selected groups Note: This permission is exposed in the Azure portal for a feature that is not available for general use. Do not use this permission as it is subject to change. Yes
GroupMember.Read.All Read group memberships Allows the app to read memberships and basic group properties for all groups without a signed-in user. Yes
GroupMember.ReadWrite.All Read and write group memberships Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. Yes
Group.Create Create groups Allows the calling app to create groups without a signed-in user. Does not allow read, update, or deletion of any groups. Yes

Remarks

Group functionality is not supported on personal Microsoft accounts.

For Microsoft 365 groups, Group permissions grant the app access to the contents of the group; for example, conversations, files, notes, and so on.

For application permissions, there are some limitations for the APIs that are supported. For more information, see known issues.

In some cases, an app may need Directory permissions to read some group properties like member and memberOf. For example, if a group has one or more servicePrincipals as members, the app will need effective permissions to read service principals through being granted one of the Directory.* permissions; otherwise Microsoft Graph will return an error. (In the case of delegated permissions, the signed-in user will also need sufficient privileges in the organization to read service principals.) The same guidance applies to the memberOf property, which can return administrativeUnits.

To set a Microsoft 365 group's preferredDataLocation attribute, an app needs Directory.ReadWrite.All permission. When users in a multi-geo environment create a Microsoft 365 group, the preferredDataLocation value for the group is automatically set to that of the user. For more information about groups' preferred data location, see Create a Microsoft 365 group with a specific PDL.

Group permissions are used to control access to Microsoft Teams resources and APIs. Personal Microsoft accounts are not supported.

Group permissions are also used to control access to Microsoft Planner resources and APIs. Only delegated permissions are supported for Microsoft Planner APIs; application permissions are not supported. Personal Microsoft accounts are not supported.

Example usage

Delegated

  • Group.Read.All: Read all Microsoft 365 groups that the signed-in user is a member of (GET /me/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(a:a%20eq%20'unified')).
  • Group.Read.All: Read all Microsoft 365 group content like conversations (GET /groups/{id}/conversations).
  • Group.ReadWrite.All: Update group properties, like photo (PUT /groups/{id}/photo/$value).
  • GroupMember.ReadWrite.All: Update group members (POST /groups/{id}/members/$ref).

Note: This also requires User.ReadBasic.All to read the user to add as a member.

Application

  • Group.Read.All: Find all groups with name that starts with 'Sales' (GET /groups?$filter=startswith(displayName,'Sales')).
  • Group.ReadWrite.All: Daemon service creates new events on a Microsoft 365 group's calendar (POST /groups/{id}/events).
  • Group.Create: Creates a new group (POST /groups).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Identity provider permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
IdentityProvider.Read.All Read identity provider information Allows the app to read identity providers configured in your Azure AD or Azure AD B2C tenant on behalf of the signed-in user. Yes No
IdentityProvider.ReadWrite.All Read and write identity provider information Allows the app to read or write identity providers configured in your Azure AD or Azure AD B2C tenant on behalf of the signed-in user. Yes No

Remarks

IdentityProvider.Read.All and IdentityProvider.ReadWrite.All are valid only for work or school accounts. For an app to read or write identity providers with delegated permissions, the signed-in user must be assigned the Global Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated

The following usages apply to the two delegated permissions:

  • IdentityProvider.Read.All: Read all identity providers configured in the tenant (GET /beta/identityProviders)
  • IdentityProvider.Read.All: Read an existing identity provider (GET /beta/identityProviders/{id})
  • IdentityProvider.ReadWrite.All: Create an identity provider (POST /beta/identityProviders)
  • IdentityProvider.ReadWrite.All: Update an existing identity provider (PATCH /beta/identityProviders/{id})
  • IdentityProvider.ReadWrite.All: Delete an existing identity provider (DELETE /beta/identityProviders/{id})

For more complex scenarios involving multiple permissions, see Permission scenarios.


Identity risk event permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
IdentityRiskEvent.Read.All Read identity risk event information Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required
IdentityRiskEvent.Read.All Read identity risk event information Allows the app to read identity risk event information for all users in your organization without a signed-in user. Yes

Remarks

IdentityRiskEvent.Read.All is valid only for work or school accounts. For an app with delegated permissions to read identity risk information, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, or Security Reader. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated and Application

The following usages are valid for both delegated and application permissions:

  • Read all risk events generated for all users in the tenant (GET /beta/identityRiskEvents)
  • Read malware risk events generated by the Dorkbot botnet (GET /beta/malwareRiskEvents?$filter=malwareName eq 'Dorkbot')
  • Read most recent 50 risk events (GET /beta/identityRiskEvents?$orderBy=riskEventDateTime desc&$top=50)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Identity risky user permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
IdentityRiskyUser.Read.All Read identity user risk information Allows the app to read identity user risk information for all users in your organization on behalf of the signed-in user. Yes No
IdentityRiskyUser.ReadWrite.All Read and update identity user risk information Allows the app to read and update identity user risk information for all users in your organization on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required
IdentityRiskyUser.Read.All Read identity user risk information Allows the app to read identity user risk information for all users in your organization without a signed-in user. Yes
IdentityRiskyUser.ReadWrite.All Read and update identity user risk information Allows the app to read and update identity user risk information for all users in your organization without a signed-in user. Yes

Remarks

IdentityRiskyUser.Read.All and IdentityRiskyUser.ReadWrite.All are valid only for work or school accounts. For an app with delegated permissions to read identity user risk information, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, or Security Reader. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated and Application

The following usages are valid for both delegated and application permissions:

  • Read all risky users and properties in the tenant (GET /beta/riskyUsers)
  • Read all risky users whose aggregate risk level is Medium (GET /beta/riskyUsers?$filter=risk/riskLevelAggregated eq microsoft.graph.riskLevel'medium')
  • Read the risk information for a specific user (GET /beta/riskyUsers?$filter=id eq '{userObjectId}')

For more complex scenarios involving multiple permissions, see Permission scenarios.


Intune device management permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
DeviceManagementApps.Read.All Read Microsoft Intune apps Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. Yes No
DeviceManagementApps.ReadWrite.All Read and write Microsoft Intune apps Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. Yes No
DeviceManagementConfiguration.Read.All Read Microsoft Intune device configuration and policies Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. Yes No
DeviceManagementConfiguration.ReadWrite.All Read and write Microsoft Intune device configuration and policies Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. Yes No
DeviceManagementManagedDevices.PrivilegedOperations.All Perform user-impacting remote actions on Microsoft Intune devices Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. Yes No
DeviceManagementManagedDevices.Read.All Read Microsoft Intune devices Allows the app to read the properties of devices managed by Microsoft Intune. Yes No
DeviceManagementManagedDevices.ReadWrite.All Read and write Microsoft Intune devices Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device’s owner. Yes No
DeviceManagementRBAC.Read.All Read Microsoft Intune RBAC settings Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. Yes No
DeviceManagementRBAC.ReadWrite.All Read and write Microsoft Intune RBAC settings Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. Yes No
DeviceManagementServiceConfig.Read.All Read Microsoft Intune configuration Allows the app to read Intune service properties including device enrollment and third party service connection configuration. Yes No
DeviceManagementServiceConfig.ReadWrite.All Read and write Microsoft Intune configuration Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
DeviceManagementApps.Read.All Read Microsoft Intune apps Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. Yes No
DeviceManagementApps.ReadWrite.All Read and write Microsoft Intune apps Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. Yes No
DeviceManagementConfiguration.Read.All Read Microsoft Intune device configuration and policies Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. Yes No
DeviceManagementConfiguration.ReadWrite.All Read and write Microsoft Intune device configuration and policies Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. Yes No
DeviceManagementManagedDevices.PrivilegedOperations.All Perform user-impacting remote actions on Microsoft Intune devices Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. Yes No
DeviceManagementManagedDevices.Read.All Read Microsoft Intune devices Allows the app to read the properties of devices managed by Microsoft Intune. Yes No
DeviceManagementManagedDevices.ReadWrite.All Read and write Microsoft Intune devices Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device’s owner. Yes No
DeviceManagementRBAC.Read.All Read Microsoft Intune RBAC settings Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. Yes No
DeviceManagementRBAC.ReadWrite.All Read and write Microsoft Intune RBAC settings Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. Yes No
DeviceManagementServiceConfig.Read.All Read Microsoft Intune configuration Allows the app to read Intune service properties including device enrollment and third party service connection configuration. Yes No
DeviceManagementServiceConfig.ReadWrite.All Read and write Microsoft Intune configuration Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration. Yes No

Remarks

Note: Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions are only valid for work or school accounts.

Example usage

Delegated

  • DeviceManagementServiceConfig.Read.All: Check the current state of the Intune subscription (GET /deviceManagement/subscriptionState).
  • DeviceManagementServiceConfig.ReadWrite.All: Create new Terms and Conditions (POST /deviceManagement/termsAndConditions).
  • DeviceManagementConfiguration.Read.All: Find the status of a device configuration (GET /deviceManagement/deviceConfigurations/{id}/deviceStatuses).
  • DeviceManagementConfiguration.ReadWrite.All: Assign a device compliance policy to a group (POST deviceCompliancePolicies/{id}/assign).
  • DeviceManagementApps.Read.All: Find all the Windows Store apps published to Intune (GET /deviceAppManagement/mobileApps?$filter=isOf('microsoft.graph.windowsStoreApp')).
  • DeviceManagementApps.ReadWrite.All: Publish a new application (POST /deviceAppManagement/mobileApps).
  • DeviceManagementRBAC.Read.All: Find a role assignment by name (GET /deviceManagement/roleAssignments?$filter=displayName eq 'My Role Assignment').
  • DeviceManagementRBAC.ReadWrite.All: Create a new custom role (POST /deviceManagement/roleDefinitions).
  • DeviceManagementManagedDevices.Read.All: Find a managed device by name (GET /managedDevices/?$filter=deviceName eq 'My Device').
  • DeviceManagementManagedDevices.ReadWrite.All: Remove a managed device (DELETE /managedDevices/{id}).
  • DeviceManagementManagedDevices.PrivilegedOperations.All: Reset the passcode on a user's managed device (POST /managedDevices/{id}/resetPasscode).

Application

  • DeviceManagementServiceConfig.Read.All: Check the current state of the Intune subscription (GET /deviceManagement/subscriptionState).
  • DeviceManagementServiceConfig.ReadWrite.All: Create new Terms and Conditions (POST /deviceManagement/termsAndConditions).
  • DeviceManagementConfiguration.Read.All: Find the status of a device configuration (GET /deviceManagement/deviceConfigurations/{id}/deviceStatuses).
  • DeviceManagementConfiguration.ReadWrite.All: Assign a device compliance policy to a group (POST deviceCompliancePolicies/{id}/assign).
  • DeviceManagementApps.Read.All: Find all the Windows Store apps published to Intune (GET /deviceAppManagement/mobileApps?$filter=isOf('microsoft.graph.windowsStoreApp')).
  • DeviceManagementApps.ReadWrite.All: Publish a new application (POST /deviceAppManagement/mobileApps).
  • DeviceManagementRBAC.Read.All: Find a role assignment by name (GET /deviceManagement/roleAssignments?$filter=displayName eq 'My Role Assignment').
  • DeviceManagementRBAC.ReadWrite.All: Create a new custom role (POST /deviceManagement/roleDefinitions).
  • DeviceManagementManagedDevices.Read.All: Find a managed device by name (GET /managedDevices/?$filter=deviceName eq 'My Device').
  • DeviceManagementManagedDevices.ReadWrite.All: Remove a managed device (DELETE /managedDevices/{id}).
  • DeviceManagementManagedDevices.PrivilegedOperations.All: Reset the passcode on a user's managed device (POST /managedDevices/{id}/resetPasscode).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Mail permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Mail.Read Read user mail Allows the app to read email in user mailboxes. No Yes
Mail.ReadBasic Read user basic mail Allows the app to read email in the signed-in user's mailbox, except for body, bodyPreview, uniqueBody, attachments, extensions, and any extended properties. Does not include permissions to search messages. No No
Mail.ReadWrite Read and write access to user mail Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. No Yes
Mail.Read.Shared Read user and shared mail Allows the app to read mail that the user can access, including the user's own and shared mail. No No
Mail.ReadWrite.Shared Read and write user and shared mail Allows the app to create, read, update, and delete mail that the user has permission to access, including the user's own and shared mail. Does not include permission to send mail. No No
Mail.Send Send mail as a user Allows the app to send mail as users in the organization. No Yes
Mail.Send.Shared Send mail on behalf of others Allows the app to send mail as the signed-in user, including sending on behalf of others. No No
MailboxSettings.Read Read user mailbox settings Allows the app to read the user's mailbox settings. Does not include permission to send mail. No Yes
MailboxSettings.ReadWrite Read and write user mailbox settings Allows the app to create, read, update, and delete the user's mailbox settings. Does not include permission to directly send mail, but allows the app to create rules that can forward or redirect messages. No Yes

Application permissions

Permission Display String Description Admin Consent Required
Mail.Read Read mail in all mailboxes Allows the app to read mail in all mailboxes without a signed-in user. Yes
Mail.ReadBasic.All Read all users' basic mail Allows the app to read all users' mailboxes except Body, BodyPreview, UniqueBody, Attachments, ExtendedProperties, and Extensions. Does not include permissions to search messages. Yes
Mail.ReadWrite Read and write mail in all mailboxes Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. Yes
Mail.Send Send mail as any user Allows the app to send mail as any user without a signed-in user. Yes
MailboxSettings.Read Read all user mailbox settings Allows the app to read user's mailbox settings without a signed-in user. Does not include permission to send mail. No
MailboxSettings.ReadWrite Read and write all user mailbox settings Allows the app to create, read, update, and delete user's mailbox settings without a signed-in user. Does not include permission to send mail. Yes

Important Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the application permissions of Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, or MailboxSettings.ReadWrite.

Remarks

Mail.Read.Shared, Mail.ReadWrite.Shared, and Mail.Send.Shared are only valid for work or school accounts. All other permissions are valid for both Microsoft accounts and work or school accounts.

With the Mail.Send or Mail.Send.Shared permission, an app can send mail and save a copy to the user's Sent Items folder, even if the app does not use a corresponding Mail.ReadWrite or Mail.ReadWrite.Shared permission.
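To put the tables above to use in a permissions review, here is an added example (not part of this reference) that parses rows in the page's flattened layout and classifies a requested set by admin consent, Microsoft account support and, for the application permissions named in the Important note, the need for an application access policy. The row regex is an assumption about the layout; the sample rows are copied from the Mail tables above.

```python
# Added example (not part of the Microsoft Graph reference): parse the flattened
# permission rows of this page and review a requested permission set against them.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Row layout assumed from the tables on this page: permission name, display string,
# description (always beginning with "Allows"), Admin Consent Required and, where the
# table has the column, Microsoft Account supported.
ROW_RE = re.compile(
    r"^(?P<perm>\S+)\s+(?P<display>.+?)\s+(?P<desc>Allows? .+?)\s+(?P<admin>Yes|No)"
    r"(?:\s+(?P<msa>Yes|No))?\s*$"
)

# Application permissions that the "Important" note says administrators can scope
# to specific mailboxes with an application access policy.
MAILBOX_WIDE_APP_PERMISSIONS = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.Read", "MailboxSettings.ReadWrite",
}


@dataclass(frozen=True)
class Permission:
    name: str
    kind: str                      # "delegated" or "application"
    display: str
    description: str
    admin_consent: bool
    msa_supported: Optional[bool]  # None when the table has no Microsoft Account column


def parse_row(line: str, kind: str) -> Permission:
    """Parse one flattened table row; raises ValueError on a row that does not fit the layout."""
    m = ROW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised permission row: {line!r}")
    msa = m.group("msa")
    return Permission(
        name=m.group("perm"),
        kind=kind,
        display=m.group("display"),
        description=m.group("desc"),
        admin_consent=m.group("admin") == "Yes",
        msa_supported=None if msa is None else msa == "Yes",
    )


def parse_table(text: str, kind: str) -> Dict[Tuple[str, str], Permission]:
    """Index every row of one table by (name, kind); the same name can exist as both kinds."""
    table: Dict[Tuple[str, str], Permission] = {}
    for line in text.strip().splitlines():
        p = parse_row(line, kind)
        table[(p.name, p.kind)] = p
    return table


# Rows copied from the Mail tables on this page (a subset, enough to exercise both layouts).
MAIL_DELEGATED_ROWS = """
Mail.Read Read user mail Allows the app to read email in user mailboxes. No Yes
Mail.ReadBasic Read user basic mail Allows the app to read email in the signed-in user's mailbox, except for body, bodyPreview, uniqueBody, attachments, extensions, and any extended properties. Does not include permissions to search messages. No No
Mail.Read.Shared Read user and shared mail Allows the app to read mail that the user can access, including the user's own and shared mail. No No
Mail.Send Send mail as a user Allows the app to send mail as users in the organization. No Yes
MailboxSettings.ReadWrite Read and write user mailbox settings Allows the app to create, read, update, and delete user's mailbox settings. Does not include permission to directly send mail, but allows the app to create rules that can forward or redirect messages. No Yes
"""
MAIL_APPLICATION_ROWS = """
Mail.Read Read mail in all mailboxes Allows the app to read mail in all mailboxes without a signed-in user. Yes
Mail.Send Send mail as any user Allows the app to send mail as any user without a signed-in user. Yes
MailboxSettings.Read Read all user mailbox settings Allows the app to read user's mailbox settings without a signed-in user. Does not include permission to send mail. No
"""

PERMISSIONS = {**parse_table(MAIL_DELEGATED_ROWS, "delegated"),
               **parse_table(MAIL_APPLICATION_ROWS, "application")}


def review(requested: List[str], kind: str, table=PERMISSIONS) -> Dict[str, List[str]]:
    """Classify a requested permission set of one kind: which entries need admin consent,
    which are unavailable to Microsoft accounts, which application permissions warrant an
    application access policy, and which names are not in the table at all."""
    out: Dict[str, List[str]] = {"admin_consent": [], "no_msa": [], "access_policy": [], "unknown": []}
    for name in requested:
        p = table.get((name, kind))
        if p is None:
            out["unknown"].append(name)
            continue
        if p.admin_consent:
            out["admin_consent"].append(name)
        if p.msa_supported is False:
            out["no_msa"].append(name)
        if kind == "application" and name in MAILBOX_WIDE_APP_PERMISSIONS:
            out["access_policy"].append(name)
    return out
```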

Example usage

Delegated

  • Mail.Read: List messages in the user's inbox, sorted by receivedDateTime (GET /me/mailfolders/inbox/messages?$orderby=receivedDateTime DESC).
  • Mail.Read.Shared: Find all messages with attachments in the inbox of a user who has shared their inbox with the signed-in user (GET /users/{id | userPrincipalName}/mailfolders/inbox/messages?$filter=hasAttachments eq true).
  • Mail.ReadWrite: Mark a message read (PATCH /me/messages/{id}).
  • Mail.Send: Send a message (POST /me/sendmail).
  • MailboxSettings.ReadWrite: Update the user's automatic reply (PATCH /me/mailboxSettings).

Application

  • Mail.Read: Find messages from bob@contoso.com (GET /users/{id | userPrincipalName}/messages?$filter=from/emailAddress/address eq 'bob@contoso.com').
  • Mail.ReadWrite: Create a new folder in the Inbox named Expense Reports (POST /users/{id | userPrincipalName}/mailfolders).
  • Mail.Send: Send a message (POST /users/{id | userPrincipalName}/sendmail).
  • MailboxSettings.Read: Get the default timezone for the user's mailbox (GET /users/{id | userPrincipalName}/mailboxSettings/timeZone).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Member permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Member.Read.Hidden Read hidden memberships Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to. Yes No

Application permissions

Permission Display String Description Admin Consent Required
Member.Read.Hidden Read all hidden memberships Allows the app to read the memberships of hidden groups and administrative units without a signed-in user. Yes

Remarks

Member.Read.Hidden is valid only on work or school accounts.

Membership in some Microsoft 365 groups can be hidden. This means that only the members of the group can view its members. This feature can be used to help comply with regulations that require an organization to hide group membership from outsiders (for example, a Microsoft 365 group that represents students enrolled in a class).

Example usage

Delegated

  • Member.Read.Hidden: Read the members of an administrative unit with hidden membership on behalf of the signed-in user (GET /administrativeUnits/{id}/members).
  • Member.Read.Hidden: Read the members of a group with hidden membership on behalf of the signed-in user (GET /groups/{id}/members).

Application

  • Member.Read.Hidden: Read the members of an administrative unit with hidden membership (GET /administrativeUnits/{id}/members).
  • Member.Read.Hidden: Read the members of a group with hidden membership (GET /groups/{id}/members).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Notes permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Notes.Read Read user OneNote notebooks Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user. No Yes
Notes.Create Create user OneNote notebooks Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user. No Yes
Notes.ReadWrite Read and write user OneNote notebooks Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user. No Yes
Notes.Read.All Read all OneNote notebooks that user can access Allows the app to read OneNote notebooks that the signed-in user has access to in the organization. No No
Notes.ReadWrite.All Read and write all OneNote notebooks that user can access Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization. No No
Notes.ReadWrite.CreatedByApp Limited notebook access (deprecated) Deprecated. Do not use. No privileges are granted by this permission. No No

Application permissions

Permission Display String Description Admin Consent Required
Notes.Read.All Read all OneNote notebooks Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. Yes
Notes.ReadWrite.All Read and write all OneNote notebooks Allows the app to read, share, and modify all the OneNote notebooks in your organization, without a signed-in user. Yes

Remarks

Notes.Read.All and Notes.ReadWrite.All are only valid for work or school accounts. All other permissions are valid for both Microsoft accounts and work or school accounts.

With the Notes.Create permission, an app can view the OneNote notebook hierarchy of the signed-in user and create OneNote content (notebooks, section groups, sections, pages, etc.).

Notes.ReadWrite and Notes.ReadWrite.All also allow the app to modify the permissions on the OneNote content that can be accessed by the signed-in user.

For work or school accounts, Notes.Read.All and Notes.ReadWrite.All allow the app to access other users' OneNote content that the signed-in user has permission to within the organization.

Example usage

Delegated

  • Notes.Create: Create a new notebook for the signed-in user (POST /me/onenote/notebooks).
  • Notes.Read: Read the notebooks for the signed-in user (GET /me/onenote/notebooks).
  • Notes.Read.All: Get all notebooks that the signed-in user has access to within the organization (GET /me/onenote/notebooks?includesharednotebooks=true).
  • Notes.ReadWrite: Update the page of the signed-in user (PATCH /me/onenote/pages/{id}/$value).
  • Notes.ReadWrite.All: Create a page in another user's notebook that the signed-in user has access to within the organization (POST /users/{id}/onenote/pages).

Application

  • Notes.Read.All: Read all the notebooks in a group (GET /groups/{id}/onenote/notebooks).
  • Notes.ReadWrite.All: Update the page in a notebook for any user in the organization (PATCH /users/{id}/onenote/pages/{id}/$value).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Notifications permissions

Delegated permissions

Permission Display String Description Admin Consent Required
Notifications.ReadWrite.CreatedByApp Deliver and manage notifications for this app. Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user's notification items for this app. No

Remarks

Notifications.ReadWrite.CreatedByApp is valid for both Microsoft accounts and work or school accounts. The CreatedByApp constraint associated with this permission indicates that the service will apply implicit filtering to results based on the identity of the calling app, either the Microsoft account app ID or a set of app IDs configured for a cross-platform application identity.

Example usage

Delegated

  • Notifications.ReadWrite.CreatedByApp: Publish a user-centric notification, which might then be delivered to the user’s multiple application clients running on different endpoints. (POST /me/notifications/).

Online meetings permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
OnlineMeetings.Read Read Online Meeting Allows an app to read online meeting details on behalf of the signed-in user. No No
OnlineMeetings.ReadWrite Read and Create Online Meetings Allows an app to create and read online meetings on behalf of the signed-in user. No No

Application permissions

Permission Display String Description Admin Consent Required
OnlineMeetings.Read.All Read Online Meeting details from the app Allows the app to read VTC associated online meeting details in your organization without a signed-in user. Yes
OnlineMeetings.ReadWrite.All Read Online Meeting details from the app Allows an app to create and read online meetings without a signed-in user. Yes

Example usage

Delegated

  • OnlineMeetings.Read: Retrieve the properties and relationships of an online meeting (GET /beta/communications/onlinemeetings/{default id}).
  • OnlineMeetings.ReadWrite: Create an online meeting (POST /beta/communications/onlinemeetings).

Application

  • OnlineMeetings.Read.All: Retrieve the properties and relationships of an online meeting (GET /beta/communications/onlinemeetings/?$filter=VideoTeleconferenceId%20eq%20'{id}').

Note: Creating an online meeting creates a meeting on behalf of a user, but does not show it on the user's Calendar.

For more complex scenarios involving multiple permissions, see Permission scenarios.


On-premises publishing profiles permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
OnPremisesPublishingProfiles.ReadWrite.All Access On-Premises Publishing Profiles Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on behalf of the signed-in user. No No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
OnPremisesPublishingProfiles.ReadWrite.All Access On-Premises Publishing Profiles Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on behalf of the signed-in user. No No

OpenID permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
email View users' email address Allows the app to read your users' primary email address. No No
offline_access Access user's data anytime Allows the app to read and update user data, even when they are not currently using the app. No No
openid Sign users in Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. No No
profile View users' basic profile Allows the app to see your users' basic profile (name, picture, user name). No No

Application permissions

None.

Remarks

You can use these permissions to specify artifacts that you want returned in Azure AD authorization and token requests. They are supported differently by the Azure AD v1.0 and v2.0 endpoints.

With the Azure AD (v1.0) endpoint, only the openid permission is used. You specify it in the scope parameter in an authorization request to return an ID token when you use the OpenID Connect protocol to sign in a user to your app. For more information, see Authorize access to web applications using OpenID Connect and Azure Active Directory. To successfully return an ID token, you must also make sure that the User.Read permission is configured when you register your app.

With the Azure AD v2.0 endpoint, you specify the offline_access permission in the scope parameter to explicitly request a refresh token when using the OAuth 2.0 or OpenID Connect protocols. With OpenID Connect, you specify the openid permission to request an ID token. You can also specify the email permission, profile permission, or both to return additional claims in the ID token. You do not need to specify User.Read to return an ID token with the v2.0 endpoint. For more information, see OpenID Connect scopes.

Important The Microsoft Authentication Library (MSAL) currently specifies offline_access, openid, profile, and email by default in authorization and token requests. This means that, for the default case, if you specify these permissions explicitly, Azure AD may return an error.
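An added example, not from this reference, that encodes the Remarks above: the scope parameter for the v2.0 endpoint (openid for an ID token, offline_access for a refresh token, email and profile for extra claims, then the Graph permissions) with the reserved scopes dropped when MSAL is in use, and the v1.0 request, which names the resource separately, uses only openid and needs User.Read on the app registration. Tenant, client id and redirect URI values are constructed placeholders; writing Graph permissions in their fully qualified https://graph.microsoft.com/... form is an assumption not stated on this page.

```python
# Added example (not part of the Microsoft Graph reference): assemble authorization
# requests for the v1.0 and v2.0 endpoints according to the OpenID permission remarks.
from typing import Dict, Iterable, List
from urllib.parse import urlencode

GRAPH_RESOURCE = "https://graph.microsoft.com"   # the Graph resource identifier (assumed form)
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}   # the four MSAL adds by default
ID_TOKEN_CLAIM_SCOPES = {"email", "profile"}


def v2_scopes(resource_scopes: Iterable[str], want_id_token: bool = True,
              want_refresh_token: bool = False, extra_claims: Iterable[str] = (),
              using_msal: bool = False) -> List[str]:
    """Scope list for a v2.0 request: openid returns an ID token, offline_access a refresh
    token, email/profile add claims to the ID token, then the Graph permissions follow.
    With MSAL the reserved scopes are omitted because the library supplies them itself and
    Azure AD may return an error when they are also named explicitly."""
    scopes: List[str] = []
    if want_id_token:
        scopes.append("openid")
    if want_refresh_token:
        scopes.append("offline_access")
    for claim in extra_claims:
        if claim not in ID_TOKEN_CLAIM_SCOPES:
            raise ValueError(f"{claim!r} is not an ID token claim scope")
        scopes.append(claim)
    if using_msal:
        scopes = [s for s in scopes if s not in OIDC_SCOPES]
    for perm in resource_scopes:
        if perm in OIDC_SCOPES:
            raise ValueError(f"{perm!r} is an OpenID scope; request it through the flags")
        # Assumption: Graph permissions are passed fully qualified on the v2.0 endpoint.
        scopes.append(perm if perm.startswith("https://") else f"{GRAPH_RESOURCE}/{perm}")
    return scopes


def v2_authorize_url(tenant: str, client_id: str, redirect_uri: str, scopes: List[str]) -> str:
    """Authorization code request against the v2.0 endpoint; everything is carried in scope."""
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def v1_authorize_params(client_id: str, redirect_uri: str,
                        registered_permissions: Iterable[str]) -> Dict[str, str]:
    """v1.0 request: the resource is a separate parameter, only openid matters in scope, and
    an ID token is only returned if User.Read was configured when the app was registered."""
    if "User.Read" not in set(registered_permissions):
        raise ValueError("v1.0 sign-in needs User.Read configured on the app registration")
    return {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
            "resource": GRAPH_RESOURCE, "scope": "openid"}


def v1_authorize_url(tenant: str, params: Dict[str, str]) -> str:
    return f"https://login.microsoftonline.com/{tenant}/oauth2/authorize?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed placeholder values; no real tenant or application is referenced.
    scopes = v2_scopes(["Mail.Read"], want_refresh_token=True, extra_claims=("email", "profile"))
    print(v2_authorize_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                           "https://localhost/callback", scopes))
    v1 = v1_authorize_params("00000000-0000-0000-0000-000000000000",
                             "https://localhost/callback", ["User.Read", "Mail.Read"])
    print(v1_authorize_url("contoso.onmicrosoft.com", v1))
```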


Organization permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Organization.Read.All Read organization information Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. Yes No
Organization.ReadWrite.All Read and write organization information Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. Yes No

Application permissions

Permission Display String Description Admin Consent Required
Organization.Read.All Read organization information Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. Yes
Organization.ReadWrite.All Read and write organization information Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. Yes

Example usage

Delegated

  • Organization.Read.All: Get organization information (GET /organization).
  • Organization.Read.All: Get the SKUs that the organization has subscribed to (GET /subscribedSkus).

Application

  • Organization.ReadWrite.All: Update organization information (such as technicalNotificationMails) (PATCH /organization/{id}).

Organizational contact permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
OrgContact.Read.All Read organizational contacts Allows the app to read all organizational contacts on behalf of the signed-in user. These contacts are managed by the organization and are different from a user's personal contacts. Yes No

Application permissions

Permission Display String Description Admin Consent Required
OrgContact.Read.All Read organizational contacts Allows the app to read all organizational contacts without a signed-in user. These contacts are managed by the organization and are different from a user's personal contacts. Yes

Example usage

Delegated

  • OrgContact.Read.All: Get all organizational contacts (GET /contacts).

People permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
People.Read Read users' relevant people lists Allows the app to read a scored list of people relevant to the signed-in user. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). No Yes
People.Read.All Read all users' relevant people lists Allows the app to read a scored list of people relevant to the signed-in user or other users in the signed-in user's organization. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). Also allows the app to search the entire directory of the signed-in user's organization.  Yes No

Application permissions

Permission Display String Description Admin Consent Required
People.Read.All Read all users' relevant people lists Allows the app to read a scored list of people relevant to the signed-in user or other users in the signed-in user's organization. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). Also allows the app to search the entire directory of the signed-in user's organization. Yes

Remarks

The People.Read.All permission is only valid for work and school accounts.

Example usage

Delegated

  • People.Read: Read a list of relevant people (GET /me/people)
  • People.Read.All: Read a list of relevant people to another user in the same organization (GET /users('{id}')/people)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Places permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Place.Read.All Read all company places Allows the app to read company places (conference rooms and room lists) set up in Exchange Online for the tenant. Yes No
Place.ReadWrite.All Read and write all company places Allows the app to read and write company places (conference rooms and room lists) set up in Exchange Online for the tenant. Yes No

Application permissions

Permission Display String Description Admin Consent Required
Place.Read.All Read all company places Allows the app to read company places (conference rooms and room lists) for calendar events and other applications. Yes

Policy permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Policy.Read.All Read your organization's policies Allows the app to read your organization's policies on behalf of the signed-in user. Yes No
Policy.ReadWrite.ApplicationConfiguration Read and write your organization's application configuration policies Allows the app to read and write your organization's application configuration policies on behalf of the signed-in user. Yes No
Policy.ReadWrite.AuthenticationFlows Read and write your organization's authentication flow policies Allows the app to read and write the authentication flow policies, on behalf of the signed-in user. Yes No
Policy.ReadWrite.ConditionalAccess Read and write your organization's conditional access policies Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user. Yes No
Policy.ReadWrite.FeatureRollout Read and write your organization's feature rollout policies Allows the app to read and write your organization's feature rollout policies on behalf of the signed-in user. Includes the ability to assign users and groups to, and remove them from, the rollout of a specific feature. Yes No
Policy.ReadWrite.TrustFramework Read and write your organization's trust framework policies Allows the app to read and write your organization's trust framework policies on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required
Policy.Read.All Read your organization's policies Allows the app to read all your organization's policies without a signed in user. Yes
Policy.Read.ApplicationConfiguration Read your organization's application configuration policies Allows the app to read all your organization's application configuration policies without a signed in user. Yes
Policy.ReadWrite.AuthenticationFlows Read and write your organization's authentication flow policies Allows the app to read and write the authentication flow policies for the tenant, without a signed in user. Yes
Policy.ReadWrite.FeatureRollout Read and write feature rollout policies Allows the app to read and write feature rollout policies without a signed-in user. Includes the ability to assign users and groups to, and remove them from, the rollout of a specific feature. Yes
Policy.ReadWrite.TrustFramework Read and write your organization's trust framework policies Allows the app to read and write your organization's trust framework policies without a signed in user. Yes

Example usage

The following usages are valid for both delegated and application permissions:

  • Policy.Read.All: Read your organization's policies (GET /policies)
  • Policy.Read.All: Read your organization's trust framework policies (GET /beta/trustFramework/policies)
  • Policy.Read.All: Read your organization's feature rollout policies (GET /beta/directory/featureRolloutPolicies)
  • Policy.ReadWrite.ApplicationConfiguration: Read and write your organization's application configuration policies (POST /beta/policies/tokenLifetimePolicies)
  • Policy.ReadWrite.AuthenticationFlows: Read and write your organization's authentication flows policy (PATCH /beta/policies/authenticationFlowsPolicy)
  • Policy.ReadWrite.ConditionalAccess: Read and write your organization's conditional access policies (POST /beta/identity/conditionalAccess/policies)
  • Policy.ReadWrite.FeatureRollout: Read and write your organization's feature rollout policies (POST /beta/directory/featureRolloutPolicies)
  • Policy.ReadWrite.TrustFramework: Read and write your organization's trust framework policies (POST /beta/trustFramework/policies)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Presence permissions

Delegated permissions

Permission Display String Description Admin Consent Required
Presence.Read Read user's presence information Allows the app to read presence information on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. No
Presence.Read.All Read presence information of all users in your organization Allows the app to read presence information of all users in the directory on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. No

Example usage

  • Presence.Read: If you're signed in, retrieve your own presence information (GET /me/presence)
  • Presence.Read.All: Retrieve the presence information of another user (GET /users/{id}/presence)
  • Presence.Read.All: Retrieve the presence information of multiple users (POST /communications/getPresencesByUserId)

Programs and program controls permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ProgramControl.Read.All Read all programs Allows the app to read programs on behalf of the signed-in user. Yes No
ProgramControl.ReadWrite.All Manage all programs Allows the app to read and write programs on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required
ProgramControl.Read.All Read all programs Allows the app to read programs without a signed-in user. Yes
ProgramControl.ReadWrite.All Manage all programs Allows the app to read and write programs without a signed-in user. Yes

Remarks

ProgramControl.Read.All and ProgramControl.ReadWrite.All are valid only for work or school accounts.

For an app with delegated permissions to read programs and program controls, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or User Administrator. For an app with delegated permissions to write programs and program controls, the signed-in user must be a member of one of the following administrator roles: Global Administrator or User Administrator. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.


Reports permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Reports.Read.All Read all usage reports Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory. Yes No

Application permissions

Permission Display String Description Admin Consent Required
Reports.Read.All Read all usage reports Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory. Yes

Remarks

  • Reports permissions are only valid for work or school accounts.
  • For delegated permissions to allow apps to read service usage reports on behalf of a user, the tenant administrator must have assigned the user an Azure AD limited administrator role. For more details, see Authorization for APIs to read Microsoft 365 usage reports.

Example usage

Application

  • Reports.Read.All: Read the email apps usage detail report for a period of 7 days (GET /reports/EmailAppUsage(view='Detail',period='D7')/content).
  • Reports.Read.All: Read the email activity detail report for the date 2017-01-01 (GET /reports/EmailActivity(view='Detail',date='2017-01-01')/content).
  • Reports.Read.All: Read Microsoft 365 activations detail report (GET /reports/Office365Activations(view='Detail')/content).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Role management permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
RoleManagement.Read.Directory Read directory RBAC settings Allows the app to read the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, directory roles and memberships. Yes No
RoleManagement.ReadWrite.Directory Read and write directory RBAC settings Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. Yes No

Application permissions

Permission Display String Description Admin Consent Required
RoleManagement.Read.Directory Read all directory RBAC settings Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships. Yes
RoleManagement.ReadWrite.Directory Read and write all directory RBAC settings Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. Yes

Remarks

With the RoleManagement.Read.Directory permission an application can read directoryRoles and directoryRoleTemplates. This includes reading membership information for directory roles.

With the RoleManagement.ReadWrite.Directory permission an application can read and write directoryRoles (directoryRoleTemplates are readonly resources). This includes adding and removing members to and from directory roles.

Role management permissions are only valid for work or school accounts.

Example usage

  • RoleManagement.Read.Directory: Read the list of available role templates (GET /directoryRoleTemplates)
  • RoleManagement.Read.Directory: Read the list of activated roles in your directory (GET /directoryRoles)
  • RoleManagement.Read.Directory: Read the list of members for a role (GET /directoryRoles/<id>/members)
  • RoleManagement.Read.Directory: Read the list of administrative unit-scoped members for a role (GET /directoryRoles/<id>/scopedMembers)
  • RoleManagement.ReadWrite.Directory: Activate a directory role from a role template (POST /directoryRoles)
  • RoleManagement.ReadWrite.Directory: Add a member to a directory role (POST /directoryRoles/<id>/members)
  • RoleManagement.ReadWrite.Directory: Add an administrative unit-scoped member to a directory role (POST /directoryRoles/<id>/scopedMembers)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Schedule management permissions (private preview)

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Schedule.ReadWrite.All (private preview) Read and Write Shifts service (Teams) data Allows an app to read and write schedule, schedule groups, shifts, and associated entities in shifts applications without a signed-in user. Yes No
Schedule.Read.All (private preview) Read Shifts service (Teams) data Allows the app to read schedule, schedule groups, shifts, and associated entities in shifts applications without a signed-in user. Yes No

Search permissions

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ExternalItem.ReadWrite.All Read and Write external data Allows an app to write external data into the indexing API. Yes No

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ExternalItem.Read.All Read external data Allows an app to read external data ingested via the Microsoft Search indexing API. Yes No

Remarks

Search permissions are only valid for work or school accounts.

This search permission is only applicable to ingested data from the indexing API.

Access to data via search requires the corresponding permission for that data. For example, Files.Read.All is required to access files via search.

Example usage

Application

  • ExternalItem.Read.All: Access external data from the search API (POST /search/query).

Security permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
SecurityEvents.Read.All Read your organization’s security events Allows the app to read your organization’s security events on behalf of the signed-in user. Yes No
SecurityEvents.ReadWrite.All Read and update your organization’s security events Allows the app to read your organization’s security events on behalf of the signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in user. Yes No
SecurityActions.Read.All Read your organization's security actions Allows the app to read your organization’s security actions on behalf of the signed-in user. Yes No
SecurityActions.ReadWrite.All Read and update your organization's security actions Allows the app to read your organization’s security actions on behalf of the signed-in user. Yes No
ThreatIndicators.ReadWrite.OwnedBy Manage threat indicators this app creates or owns Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete) on behalf of the signed-in user. Yes No
ThreatIndicators.Read.All Read your organization's threat indicators Allows the app to read your organization’s security actions on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required
SecurityEvents.Read.All Read your organization’s security events Allows the app to read your organization’s security events. Yes
SecurityEvents.ReadWrite.All Read and update your organization’s security events Allows the app to read your organization’s security events. Also allows the app to update editable properties in security events. Yes
SecurityActions.Read.All Read your organization’s security events Allows the app to read your organization’s security actions. Yes
SecurityActions.ReadWrite.All Create and read your organization's security actions Allows the app to read or create security actions, without a signed-in user. Yes
ThreatIndicators.ReadWrite.OwnedBy Manage threat indicators this app creates or owns Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), without a signed-in user. It cannot update any threat indicators it does not own. Yes
ThreatIndicators.Read.All Manage threat indicators this app creates or owns Allows the app to read all the indicators for your organization, without a signed-in user. Yes

Remarks

Security permissions are valid only on work or school accounts.

Example usage

Delegated and Application

  • SecurityEvents.Read.All: Read the list of all security alerts from all licensed security providers available to your tenant (GET /beta/security/alerts)
  • SecurityEvents.ReadWrite.All: Update or read security alerts from all licensed security providers available to your tenant (PATCH /beta/security/alerts/{id})

Sites permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Sites.Read.All Read items in all site collections Allows the app to read documents and list items in all site collections on behalf of the signed-in user. No No
Sites.ReadWrite.All Read and write items in all site collections Allows the app to edit or delete documents and list items in all site collections on behalf of the signed-in user. No No
Sites.Manage.All Create, edit, and delete items and lists in all site collections Allows the app to manage and create lists, documents, and list items in all site collections on behalf of the signed-in user. No No
Sites.FullControl.All Have full control of all site collections Allows the app to have full control to SharePoint sites in all site collections on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required
Sites.Read.All Read items in all site collections Allows the app to read documents and list items in all site collections without a signed-in user. Yes
Sites.ReadWrite.All Read and write items in all site collections Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user. Yes
Sites.Manage.All Create, edit, and delete items and lists in all site collections Allows the app to manage and create lists, documents, and list items in all site collections without a signed-in user. Yes
Sites.FullControl.All Have full control of all site collections Allows the app to have full control to SharePoint sites in all site collections without a signed-in user. Yes

Remarks

Sites permissions are valid only on work or school accounts.

Example usage

Delegated

  • Sites.Read.All: Read the lists on the SharePoint root site (GET /v1.0/sites/root/lists)
  • Sites.ReadWrite.All: Create new list items in a SharePoint list (POST /v1.0/sites/root/lists/123/items)
  • Sites.Manage.All: Add a new list to a SharePoint site (POST /v1.0/sites/root/lists)
  • Sites.FullControl.All: Complete access to SharePoint sites and lists.

Tasks permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Tasks.Read Read user tasks (preview) Allows the app to read user tasks. No Yes
Tasks.Read.Shared Read user and shared tasks (preview) Allows the app to read tasks a user has permissions to access, including their own and shared tasks. No No
Tasks.ReadWrite Create, read, update and delete user tasks and containers (preview) Allows the app to create, read, update and delete tasks and containers (and tasks in them) that are assigned to or shared with the signed-in user. No Yes
Tasks.ReadWrite.Shared Read and write user and shared tasks (preview) Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks. No No

Application permissions

None.

Remarks

Tasks permissions are used to control access for Outlook tasks. Access for Microsoft Planner tasks is controlled by Group permissions.

Shared permissions are currently only supported for work or school accounts. Even with Shared permissions, reads and writes may fail if the user who owns the shared content has not granted the accessing user permissions to modify content within the folder.

Example usage

Delegated

  • Tasks.Read: Get all tasks in a user's mailbox (GET /me/outlook/tasks).
  • Tasks.Read.Shared: Access tasks in a folder shared to you by another user in your organization (GET /users/{id | userPrincipalName}/outlook/taskfolders/{id}/tasks).
  • Tasks.ReadWrite: Add a task to the user's default task folder (POST /me/outlook/tasks).
  • Tasks.Read: Get all uncompleted tasks in a user's mailbox (GET /users/{id | userPrincipalName}/outlook/tasks?$filter=status ne 'completed').
  • Tasks.ReadWrite: Update a task in a user's mailbox (PATCH /users/{id | userPrincipalName}/outlook/tasks/{id}).
  • Tasks.ReadWrite.Shared: Complete a task on behalf of another user (POST /users/{id | userPrincipalName}/outlook/tasks/{id}/complete).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Teams permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Teams.ReadBasic.All Read the names and descriptions of teams Read the names and descriptions of teams, on behalf of the signed-in user. No No
Teams.Create (private preview) Create teams Create teams, on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Teams.ReadBasic.All Get a list of all teams Get a list of all teams, without a signed-in user. Yes No
Teams.Create (private preview) Create teams Create teams, without a signed-in user. Yes No

Team settings permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamsSettings.Read.All Read teams' settings Read this team's settings, on behalf of the signed-in user. Yes No
TeamsSettings.ReadWrite.All Read and change teams' settings Read and change all teams' settings, on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamsSettings.Read.All Read all teams' settings Read this team's settings, without a signed-in user. Yes No
TeamsSettings.ReadWrite.All Read and change all teams' settings. Read and change all teams' settings, without a signed-in user. Yes No

Teams activity permissions (private preview)

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamsActivity.Read (private preview) Read user's teamwork activity feed Allows the app to read the signed-in user's teamwork activity feed. No No
TeamsActivity.Send (private preview) Send a teamwork activity as the user Allows the app to create new activities in the user's teamwork activity feed, and send new activities to other users' activity feed, on behalf of the signed-in user. No No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamsActivity.Read.All (private preview) Read all users' teamwork activity feed Allows the app to read all users' teamwork activity feed, without a signed-in user. Yes No
TeamsActivity.Send (private preview) Send a teamwork activity to any user Allows the app to send new activities to any users' teamwork activity feed, without a signed-in user. Yes No

Teams app permissions (deprecated)

Note

These permissions are deprecated. Use the equivalent TeamsAppInstallation.*.All permissions instead.

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamsApp.Read.All (Deprecated) Read all installed Teams apps Allows the app to read the Teams apps that are installed for the signed-in user, and in all teams the user is a member of. Does not give the ability to read application-specific settings. Yes No
TeamsApp.ReadWrite.All (Deprecated) Manage all Teams apps Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user and also for teams the user is a member of. Does not give the ability to read or write application-specific settings. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamsApp.Read.All (Deprecated) Read all users' installed Teams apps Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. Yes No
TeamsApp.ReadWrite.All (Deprecated) Manage all users' Teams apps Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read or write application-specific settings. Yes No

Teams app installation permissions (private preview)

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamsAppInstallation.ReadForUser (private preview) Read user's installed Teams apps Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings. Yes No
TeamsAppInstallation.ReadWriteForUser (private preview) Manage user's installed Teams apps Allows the app to read, install, upgrade, and uninstall Teams apps installed for the signed-in user. Does not give the ability to read application-specific settings. No No
TeamsAppInstallation.ReadWriteSelfForUser (private preview) Allow the app to manage itself in teams Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. Yes No
TeamsAppInstallation.ReadForTeam (private preview) Read installed Teams apps in teams Allows the app to read the Teams apps that are installed in teams the signed-in user can access. Does not give the ability to read application-specific settings. Yes No
TeamsAppInstallation.ReadWriteForTeam (private preview) Manage installed Teams apps in teams Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Does not give the ability to read application-specific settings. Yes No
TeamsAppInstallation.ReadWriteSelfForTeam (private preview) Allow the app to manage itself in teams Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. Yes No

Application permissions

Permission Display String Description Admin Consent Required
TeamsAppInstallation.ReadForUser.All (private preview) Read installed Teams apps for all users Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. Yes
TeamsAppInstallation.ReadWriteForUser.All (private preview) Manage Teams apps for all users Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. Yes
TeamsAppInstallation.ReadWriteSelfForUser.All (private preview) Allow the app to manage itself for all users Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user. Yes
TeamsAppInstallation.ReadForTeam.All (private preview) Read installed Teams apps for all teams Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings. Yes
TeamsAppInstallation.ReadWriteForTeam.All (private preview) Manage Teams apps for all teams Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. Yes
TeamsAppInstallation.ReadWriteSelfForTeam.All (private preview) Allow the Teams app to manage itself for all teams Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user. Yes

Team member permissions (private preview)

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamMember.Read.All Read the members of teams. Read the members of teams, on behalf of the signed-in user. Yes No
TeamMember.ReadWrite.All Add and remove members from teams. Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamMember.Read.All Read the members of all teams. Read the members of all teams, without a signed-in user. Yes No
TeamMember.ReadWrite.All Add and remove members from all teams. Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner. Yes No

Teams resource-specific consent permissions

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamSettings.Read.Group Read this team's settings. Read this team's settings, without a signed-in user. No No
ChannelSettings.Read.Group Read the names, descriptions, and settings of this team’s channels. Read this group's channel names, channel descriptions, and channel settings, without a signed-in user. No No
ChannelSettings.Edit.Group Edit the names, descriptions, and settings of this team’s channels. Edit this group's channel names, channel descriptions, and channel settings, without a signed-in user. No No
Channel.Create.Group Create channels in this team. Create channels in this group, without a signed-in user. No No
Channel.Delete.Group Delete this team's channels. Delete this group's channels, without a signed-in user. No No
ChannelMessage.Read.Group Read the team’s channel messages. Allows an app to read this group's channel's messages, without a signed-in user. No No
TeamsApp.Read.Group See which apps are installed in this team. See which apps are installed in this group, without a signed-in user. No No
TeamsTab.Read.Group Read this team's tabs. Read this group's tabs, without a signed-in user. No No
TeamsTab.Create.Group Create tabs in this team. Create tabs in this group, without a signed-in user. No No
TeamsTab.Edit.Group Edit this team's tabs. Edit this group's tabs, without a signed-in user. No No
TeamsTab.Delete.Group Delete this team's tabs. Delete this group's tabs, without a signed-in user. No No
Member.Read.Group Read this team's members. Read this group's members, without a signed-in user. No No
Owner.Read.Group Read this team's owners. Read this group's owners, without a signed-in user. No No

Teams settings permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Team.ReadBasic.All Read the names and descriptions of teams Read the names and descriptions of teams, on behalf of the signed-in user. Yes No
TeamSettings.Read.All Read teams' settings Read all teams' settings, on behalf of the signed-in user. Yes No
TeamSettings.ReadWrite.All Read and change teams' settings. Read and change all teams' settings, on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Team.ReadBasic.All Get a list of all teams. Get a list of all teams, without a signed-in user. Yes No
TeamSettings.Read.All Read all teams' settings Read this team's settings, without a signed-in user. Yes No
TeamSettings.ReadWrite.All Read and change all teams' settings Read and change all teams' settings, without a signed-in user. No No

Teams tab permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamsTab.Read.All Read tabs in Microsoft Teams. Allows the app to read the Teams apps that are installed for the signed-in user, and in all teams the user is a member of. Does not give the ability to read application-specific settings. Yes No
TeamsTab.ReadWrite.All Read and write tabs in Microsoft Teams. Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user and also for teams the user is a member of. Does not give the ability to read or write application-specific settings. Yes No
TeamsTab.Create Create tabs in Microsoft Teams. Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. Yes No

Application permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
TeamsTab.Read.All Read tabs in Microsoft Teams. Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. Yes No
TeamsTab.ReadWrite.All Read and write tabs in Microsoft Teams. Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. Yes No
TeamsTab.Create Create tabs in Microsoft Teams. Allows the app to create tabs in any team in Microsoft Teams, without a signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. Yes No

Terms of use permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
Agreement.Read.All Read all terms of use agreements Allows the app to read terms of use agreements on behalf of the signed-in user. Yes No
Agreement.ReadWrite.All Read and write all terms of use agreements Allows the app to read and write terms of use agreements on behalf of the signed-in user. Yes No
AgreementAcceptance.Read Read user terms of use acceptance statuses Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. Yes No
AgreementAcceptance.Read.All Read terms of use acceptance statuses that user can access Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. Yes No

Remarks

All the permissions above are valid only for work or school accounts.

For an app to read or write all agreements or agreement acceptances with delegated permissions, the signed-in user must be assigned the Global Administrator, Conditional Access Administrator or Security Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated

The following usages are valid with the delegated permissions:

  • Agreement.Read.All: Read all terms of use agreements (GET /beta/agreements)
  • Agreement.ReadWrite.All: Read and write all terms of use agreements (POST /beta/agreements)
  • AgreementAcceptance.Read: Read user terms of use acceptance statuses (GET /beta/me/agreementAcceptances)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Threat assessment permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
ThreatAssessment.ReadWrite.All Read and write threat assessment requests Allows an app to read your organization's threat assessment requests on behalf of the signed-in user. Also allows the app to create new requests to assess threats received by your organization on behalf of the signed-in user. Yes No

Application permissions

Permission Display String Description Admin Consent Required
ThreatAssessment.Read.All Read threat assessment requests Allows an app to read your organization's threat assessment requests, without a signed-in user. Yes

Remarks

Threat assessment permissions are valid only on work or school accounts.

Example usage

Delegated

  • ThreatAssessment.ReadWrite.All: Read and write threat assessment requests (POST /informationProtection/threatAssessmentRequests)

Application

  • ThreatAssessment.Read.All: Read threat assessment requests (GET /informationProtection/threatAssessmentRequests)

User permissions

Delegated permissions

Permission Display String Description Admin Consent Required Microsoft Account supported
User.Read Sign-in and read user profile Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. No Yes
User.ReadWrite Read and write access to user profile Allows the app to read the signed-in user's full profile. It also allows the app to update the signed-in user's profile information on their behalf. No Yes
User.ReadBasic.All Read all users' basic profiles Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user. No No
User.Read.All Read all users' full profiles Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Yes No
User.ReadWrite.All Read and write all users' full profiles Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. Yes No
User.Invite.All Invite guest users to the organization Allows the app to invite guest users to your organization, on behalf of the signed-in user. Yes No
User.Export.All Export users' data Allows the app to export an organizational user's data, when performed by a Company Administrator. Yes No
User.ManageIdentities.All Manage user identities Allows an application to read, update and delete identities that are associated with a user's account, that the signed-in user has access to. This controls which identities your users can sign-in with. Yes No

Application permissions

Permission | Display String | Description | Admin Consent Required
--- | --- | --- | ---
User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. | Yes
User.ReadWrite.All | Read and write all users' full profiles | Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords. | Yes
User.Invite.All | Invite guest users to the organization | Allows the app to invite guest users to your organization, without a signed-in user. | Yes
User.Export.All | Export users' data | Allows the app to export organizational users' data, without a signed-in user. | Yes
User.ManageIdentities.All | Manage all user identities | Allows an application to read, update and delete identities that are associated with a user's account, without a signed-in user. This controls which identities users can sign in with. | Yes

Remarks

With the User.Read permission, an app can also read the basic company information of the signed-in user for a work or school account through the organization resource. The following properties are available: id, displayName, and verifiedDomains.

For work or school accounts, the full profile includes all of the declared properties of the User resource. On reads, only a limited number of properties are returned by default. To read properties that are not in the default set, use $select. The default properties are:

  • displayName
  • givenName
  • jobTitle
  • mail
  • mobilePhone
  • officeLocation
  • preferredLanguage
  • surname
  • userPrincipalName

The User.ReadWrite and User.ReadWrite.All delegated permissions allow the app to update the following profile properties for work or school accounts:

  • aboutMe
  • birthday
  • hireDate
  • interests
  • mobilePhone
  • mySite
  • pastProjects
  • photo
  • preferredName
  • responsibilities
  • schools
  • skills

With the User.ReadWrite.All application permission, the app can update all of the declared properties of work or school accounts except for password.

With the User.ReadWrite.All delegated or application permission, updating another user's businessPhones, mobilePhone or otherMails is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles.

To read or write direct reports (directReports) or the manager (manager) of a work or school account, the app must have either User.Read.All (read only) or User.ReadWrite.All.

The User.ReadBasic.All permission constrains app access to a limited set of properties known as the basic profile. This is because the full profile might contain sensitive directory information. The basic profile includes only the following properties:

  • displayName
  • givenName
  • mail
  • photo
  • surname
  • userPrincipalName

To read the group memberships of a user (memberOf), the app must have either Group.Read.All or Group.ReadWrite.All. However, if the user also has membership in a directoryRole or an administrativeUnit, the app will need effective permissions to read those resources too, or Microsoft Graph will return an error. This means the app will also need Directory permissions, and, for delegated permissions, the signed-in user will also need sufficient privileges in the organization to access directory roles and administrative units.

With the User.ManageIdentities.All delegated or application permission, it is possible to update the identities (identities) of a user. This includes federated (or social) identities and local identities with email-based or name-based sign-in names.

Example usage

Delegated

  • User.Read: Read the full profile for the signed-in user (GET /me).
  • User.ReadWrite: Update the photo of the signed-in user (PUT /me/photo/$value).
  • User.ReadBasic.All: Find all users whose name starts with "David" (GET /users?$filter=startswith(displayName,'David')).
  • User.Read.All: Read a user's manager (GET /users/{id | userPrincipalName}/manager).

Application

  • User.Read.All: Read all users and relationships through delta query (GET /beta/users/delta?$select=displayName,givenName,surname).
  • User.ReadWrite.All: Update the photo for any user in the organization (PUT /users/{id | userPrincipalName}/photo/$value).

For more complex scenarios involving multiple permissions, see Permission scenarios.
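A least-privilege review an app owner can run before requesting consent, as an added example rather than Microsoft's code: it transcribes the delegated User permission table and the Remarks above (basic profile set, manager/directReports/memberOf rules, admin-consent column) and compares a token's `scp` claim with the calls the app actually plans to make, reporting scopes that are missing, scopes that are broader than any planned call needs, and which needed scopes require admin consent. The subsumption rows for User.Read.All and User.ReadWrite.All, the helper names and the planned-call list are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Delegated User permissions from the table above: scope -> admin consent required.
ADMIN_CONSENT = {"User.Read": False, "User.ReadWrite": False, "User.ReadBasic.All": False,
                 "User.Read.All": True, "User.ReadWrite.All": True, "User.Invite.All": True,
                 "User.Export.All": True, "User.ManageIdentities.All": True}
# Basic profile readable with User.ReadBasic.All (Remarks); other properties need Read.All.
BASIC = {"displayName", "givenName", "mail", "photo", "surname", "userPrincipalName"}
# Relationship navigation -> least scope that permits reading it (Remarks).
RELATIONSHIP = {"manager": "User.Read.All", "directReports": "User.Read.All",
                "memberOf": "Group.Read.All"}
# Broader scope -> narrower scopes it subsumes. ReadWrite -> Read and ReadBasic.All -> Read
# follow the table descriptions; the Read.All/ReadWrite.All rows are an assumption (superset).
IMPLIES = {"User.ReadWrite": {"User.Read"}, "User.ReadBasic.All": {"User.Read"},
           "User.Read.All": {"User.ReadBasic.All", "User.Read"},
           "User.ReadWrite.All": {"User.Read.All", "User.ReadBasic.All", "User.ReadWrite", "User.Read"},
           "Group.ReadWrite.All": {"Group.Read.All"}}

def least_scope(method: str, url: str) -> str:
    """Least-privileged delegated scope for one planned call on /me or /users."""
    parts = urlsplit(url)
    seg = [s for s in parts.path.split("/") if s]
    if not seg or seg[0] not in ("me", "users"):
        raise ValueError(f"only User resource paths are modelled: {url}")
    if seg[-1] in RELATIONSHIP:            # GET /users/{id}/manager, /me/memberOf, ...
        return RELATIONSHIP[seg[-1]]
    write = method.upper() != "GET"
    if seg[0] == "me":
        return "User.ReadWrite" if write else "User.Read"
    if write:
        return "User.ReadWrite.All"
    selected = set(parse_qs(parts.query).get("$select", [""])[0].split(",")) - {""}
    return "User.Read.All" if selected - BASIC else "User.ReadBasic.All"

def effective(scopes):
    """Granted scopes plus every narrower scope they subsume."""
    return set(scopes).union(*(IMPLIES.get(s, set()) for s in scopes))

def review(scp_claim: str, planned):
    """Compare a token's space-separated scp claim with the app's planned (method, url) calls."""
    granted = set(scp_claim.split())
    needed = {least_scope(m, u) for m, u in planned}
    missing = sorted(needed - effective(granted))
    # A granted scope is excess when the remaining grants still cover every planned call.
    excess = sorted(s for s in granted if needed <= effective(granted - {s}))
    admin = sorted(s for s in needed if ADMIN_CONSENT.get(s))   # Group.* not tabulated here
    return {"missing": missing, "excess": excess, "admin_consent": admin}
```

For an app that only reads /me, searches users by display name and reads a manager, a token carrying User.ReadWrite.All is reported as excess relative to User.Read.All, which is the point of running the check before asking an admin for consent.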

User activity permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
--- | --- | --- | --- | ---
UserActivity.ReadWrite.CreatedByApp | Read and write app activity to users' activity feed | Allows the app to read and report the signed-in user's activity in the app. | No | Yes

Application permissions

None.

Remarks

UserActivity.ReadWrite.CreatedByApp is valid for both Microsoft accounts and work or school accounts.

The CreatedByApp constraint associated with this permission indicates the service will apply implicit filtering to results based on the identity of the calling app, either the MSA app id or a set of app ids configured for a cross-platform application identity.

Example usage

Delegated

  • UserActivity.ReadWrite.CreatedByApp: Get a list of recent unique user activities based on associated history items published in the last day (GET /me/activities/recent).
  • UserActivity.ReadWrite.CreatedByApp: Publish or update a user activity which may be resumed by the user of the application (PUT /me/activities/%2Farticle%3F12345).
  • UserActivity.ReadWrite.CreatedByApp: Publish or update a history item for a specified user activity in order to represent the period of user engagement (PUT /me/activities/{id}/historyItems/{id}).
  • UserActivity.ReadWrite.CreatedByApp: Delete a user activity in response to a user-initiated request or to remove invalid data (DELETE /me/activities/{id}).
  • UserActivity.ReadWrite.CreatedByApp: Delete a history item in response to a user-initiated request or to remove invalid data (DELETE /me/activities/{id}/historyItems/{id}).

User authentication method permissions (preview)

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
--- | --- | --- | --- | ---
UserAuthenticationMethod.Read (preview) | Read own authentication methods | Allows the app to read the signed-in user's authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user's passwords, or to sign in or otherwise use the signed-in user's authentication methods. | Yes | No
UserAuthenticationMethod.Read.All (preview) | Read users' authentication methods | Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Yes | No
UserAuthenticationMethod.ReadWrite (preview) | Manage own authentication methods | Allows the app to read and write the signed-in user's authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user's passwords, or to sign in or otherwise use the signed-in user's authentication methods. | Yes | No
UserAuthenticationMethod.ReadWrite.All (preview) | Manage users' authentication methods | Allows the app to read and write authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
--- | --- | --- | ---
UserAuthenticationMethod.Read.All (private preview) | Read users' authentication methods | Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Yes
UserAuthenticationMethod.ReadWrite.All (private preview) | Manage users' authentication methods | Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Yes

Remarks

User authentication method permissions are used to manage authentication methods on users. With these permissions, a delegated user or application can register new authentication methods on a user, read the authentication methods the user already has registered, update those authentication methods, and remove them from the user.

With these permissions, all authentication methods can be read and managed on a user. This includes methods used for:

  • Primary authentication (password)
  • Second factor of multi-factor authentication/MFA (phone numbers)
  • Self-Service Password Reset/SSPR (email address)

Permission scenarios

This section shows some common scenarios that target user and group resources in an organization. The tables show the permissions that an app needs to be able to perform specific operations required by the scenario. Note that in some cases the ability of the app to perform specific operations will depend on whether a permission is an application or delegated permission. In the case of delegated permissions, the app's effective permissions will also depend on the privileges of the signed-in user within the organization. For more information, see Delegated permissions, Application permissions, and effective permissions.

Access scenarios on the User resource

App tasks involving User | Required permissions | Permission strings
--- | --- | ---
App wants to read other users' basic information (only display name and picture), for example to show in a people-picking experience | User.ReadBasic.All | Read all users' basic profiles
App wants to read the complete user profile for the signed-in user (see direct reports, manager, etc.) | User.Read | Enable sign-in and read user profile
App wants to read the complete user profile of all users | User.Read.All | Read all users' full profiles
App wants to read files, mail and calendar information for the signed-in user | User.Read, Files.Read, Mail.Read, Calendars.Read | Enable sign-in and read user profile, Read users' files, Read user mail, Read user calendars
App wants to read the signed-in user's (my) files and files that other users have shared with the signed-in user (me) | User.Read, Files.Read, Sites.Read.All | Enable sign-in and read user profile, Read users' files, Read items in all site collections
App wants to read and write the complete user profile for the signed-in user | User.ReadWrite | Read and write access to user profile
App wants to read and write the complete user profile of all users | User.ReadWrite.All | Read and write all users' full profiles
App wants to read and write files, mail and calendar information for the signed-in user | User.ReadWrite, Files.ReadWrite, Mail.ReadWrite, Calendars.ReadWrite | Read and write access to user profile, Read and write access to user profile, Read and write access to user mail, Have full access to user calendars
App wants to submit a data policy operation request to export a user's personal data | User.Export.All | Export a user's personal data

Access scenarios on the Group resource

App tasks involving Group | Required permissions | Permission strings
--- | --- | ---
App wants to read basic group info (only display name and picture), for example to show in a group-picking experience | Group.Read.All | Read all groups
App wants to read all content in all Microsoft 365 groups, including files and conversations. It also needs to show group memberships and be able to update group memberships (if owner). | Group.Read.All, Sites.Read.All | Read items in all site collections, Read all groups
App wants to read and write all content in all Microsoft 365 groups, including files and conversations. It also needs to show group memberships and be able to update group memberships (if owner). | Group.ReadWrite.All, Sites.ReadWrite.All | Read and write all groups, Edit or delete items in all site collections
App wants to discover (find) a Microsoft 365 group. It allows the user to search for a particular group and choose one from the enumerated list so the user can join the group. | Group.ReadWrite.All | Read and write all groups
App wants to create a group through AAD Graph | Group.ReadWrite.All | Read and write all groups