Microsoft Graph permissions reference

For your app to access data in Microsoft Graph, the user or administrator must grant it the correct permissions via a consent process. This topic lists the permissions associated with each major set of Microsoft Graph APIs. It also provides guidance about how to use the permissions.

To learn more about how permissions work, see Authentication and authorization basics, and watch the following video.

Microsoft Graph permission names

Microsoft Graph permission names follow a simple pattern: resource.operation.constraint. For example, User.Read grants permission to read the profile of the signed-in user, User.ReadWrite grants permission to read and modify the profile of the signed-in user, and Mail.Send grants permission to send mail on behalf of the signed-in user.

The constraint element of the name determines the potential extent of access your app will have within the directory. Currently Microsoft Graph supports the following constraints:

  • All grants permission for the app to perform the operations on all of the resources of the specified type in a directory. For example, User.Read.All potentially grants the app privileges to read the profiles of all of the users in a directory.
  • Shared grants permission for the app to perform the operations on resources that other users have shared with the signed-in user. This constraint is mainly used with Outlook resources like mail, calendars, and contacts. For example, Mail.Read.Shared grants privileges to read mail in the mailbox of the signed-in user as well as mail in mailboxes that other users in the organization have shared with the signed-in user.
  • AppFolder grants permission for the app to read and write files in a dedicated folder in OneDrive. This constraint is only exposed on Files permissions and is only valid for Microsoft accounts.
  • If no constraint is specified, the app is limited to performing the operations on the resources owned by the signed-in user. For example, User.Read grants privileges to read the profile of the signed-in user only, and Mail.Read grants permission to read only mail in the mailbox of the signed-in user.

Note: In delegated scenarios, the effective permissions granted to your app may be constrained by the privileges of the signed-in user in the organization.
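The following is an added example (not code from this page or from Microsoft) that applies the resource.operation.constraint pattern above as a least-privilege review helper: it parses a requested scope name, reports the extent of access its constraint implies, and flags directory-wide (All) scopes. It assumes the constraint list given above plus OwnedBy, which appears later on this page under Application permissions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Extent of access implied by each constraint element. The first three are the
# constraints listed above; OwnedBy is taken from Application.ReadWrite.OwnedBy
# in the Application permissions section of this page.
CONSTRAINT_SCOPE = {
    "All": "all resources of this type in the directory",
    "Shared": "resources that other users have shared with the signed-in user",
    "AppFolder": "a dedicated app folder in the user's OneDrive (Microsoft accounts only)",
    "OwnedBy": "only applications and service principals the calling app owns",
}
UNCONSTRAINED_SCOPE = "resources owned by the signed-in user only"


@dataclass(frozen=True)
class GraphPermission:
    resource: str
    operation: str
    constraint: Optional[str]  # None when the name has no constraint element

    @property
    def scope(self) -> str:
        """Human-readable extent of access implied by the constraint element."""
        if self.constraint is None:
            return UNCONSTRAINED_SCOPE
        return CONSTRAINT_SCOPE[self.constraint]

    @property
    def directory_wide(self) -> bool:
        """True for the All constraint: every resource of this type in the tenant."""
        return self.constraint == "All"


def parse_permission(name: str) -> GraphPermission:
    """Split a scope name into resource.operation[.constraint] and validate it."""
    parts = name.split(".")
    if len(parts) == 2:
        resource, operation = parts
        constraint = None
    elif len(parts) == 3:
        resource, operation, constraint = parts
        if constraint not in CONSTRAINT_SCOPE:
            raise ValueError(f"{name}: unknown constraint {constraint!r}")
    else:
        raise ValueError(f"{name}: expected resource.operation[.constraint]")
    if not (resource and operation):
        raise ValueError(f"{name}: empty resource or operation element")
    # AppFolder is only exposed on Files permissions (see the constraint list above).
    if constraint == "AppFolder" and resource != "Files":
        raise ValueError(f"{name}: AppFolder is only valid on Files permissions")
    return GraphPermission(resource, operation, constraint)


def directory_wide_scopes(requested: List[str]) -> List[str]:
    """Return the requested scopes whose constraint is All, i.e. the ones a
    least-privilege review should justify first."""
    return [name for name in requested if parse_permission(name).directory_wide]
```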

Microsoft accounts and work or school accounts

Not all permissions are valid for both Microsoft accounts and work or school accounts. You can check the Microsoft Account Supported column for each permission group to determine whether a specific permission is valid for Microsoft accounts, work or school accounts, or both.

Permissions availability status

Microsoft Graph permissions in the Azure portal are generally available (GA status) for all apps to use, except for a few sets that are in preview or private preview status. Permissions in preview are available to the public; they may change and may not be promoted to GA status. Permissions in private preview status are not, and may never become, available to the public. Do not use permissions in preview or private preview status in production apps.

User and group search limitations for guest users in organizations

User and group search capabilities allow the app to search for any user or group in an organization's directory by performing queries against the /users or /groups resource set (for example, https://graph.microsoft.com/v1.0/users). Both administrators and users have this capability; however, guest users do not.

If the signed-in user is a guest user, depending on the permissions an app has been granted, it can read the profile of a specific user or group (for example, https://graph.microsoft.com/v1.0/users/241f22af-f634-44c0-9a15-c8cd2cea5531); however, it cannot perform queries against the /users or /groups resource set that potentially return more than a single resource.

With the appropriate permissions, the app can read the profiles of users or groups that it obtains by following links in navigation properties; for example, /users/{id}/directReports or /groups/{id}/members.

Limited information returned for inaccessible member objects

Container objects such as groups support members of various types, for example users and devices. When an application queries the membership of a container object and does not have permission to read a certain type, members of that type are returned but with limited information. The application receives a 200 response and a collection of objects. Complete information is returned for the object types that the application has permission to read. For the object types that the application does not have permission to read, only the object type and ID are returned.

This applies to all relationships that are of directoryObject type (not just member links). Examples include /groups/{id}/members, /users/{id}/memberOf or me/ownedObjects.

For example, let's say an application has User.Read.All and Group.Read.All permissions for Microsoft Graph. A group has been created and that group contains a user, a group, and a device. The application calls list group members. The application has access to the user and group objects in the group, but not the device object. In the response, all the selected properties of the user and group objects are returned. For the device object, however, only limited information is returned. The data type and object ID are returned for the device, but all other properties have a value of null. Apps without permission will not be able to use the ID to get the actual object.

GET https://graph.microsoft.com/v1.0/groups/{id}/members?$select=id,displayName,description,createdDateTime,deletedDateTime,homepage,loginUrl HTTP/1.1

The following is the JSON response:

{
    "@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id,displayName,description,createdDateTime,deletedDateTime,homepage,loginUrl)",
    "value":[
        {
            "@odata.type":"#microsoft.graph.user",
            "id":"69d035a3-29c9-469f-809d-d21a4ae69e65",
            "displayName":"Jane Dane",
            "createdDateTime":"2019-09-18T09:06:51Z",
            "deletedDateTime":null
        },
        {
            "@odata.type":"#microsoft.graph.group",
            "id":"c43a7cc9-2d95-44b6-bf6a-6392e41949b4",
            "displayName":"Group 1",
            "description":null,
            "createdDateTime":"2019-10-24T01:34:35Z",
            "deletedDateTime":null
        },
        {
            "@odata.type":"#microsoft.graph.device",
            "id": "d282309e-f91d-43b6-badb-9e68aa4b4fc8",
            "accountEnabled":null,
            "deviceId":null,
            "displayName":null,
            "operatingSystem":null,
            "operatingSystemVersion":null
        }
    ]
}
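The following is an added example (not code from this page or from Microsoft) showing how a client should handle the membership response above: because the call still returns 200, the app has to detect the limited stubs itself. It treats an object as limited when every property other than @odata.type and id is null, partitions the page accordingly, and reports which object types it lacks permission to read. The embedded response is the page's own sample.

```python
import json
from typing import Dict, List, Set

# The list-group-members response shown above: the app holds User.Read.All and
# Group.Read.All but has no permission to read devices.
SAMPLE_RESPONSE = json.loads("""
{
  "value": [
    {"@odata.type": "#microsoft.graph.user",
     "id": "69d035a3-29c9-469f-809d-d21a4ae69e65",
     "displayName": "Jane Dane",
     "createdDateTime": "2019-09-18T09:06:51Z",
     "deletedDateTime": null},
    {"@odata.type": "#microsoft.graph.group",
     "id": "c43a7cc9-2d95-44b6-bf6a-6392e41949b4",
     "displayName": "Group 1",
     "description": null,
     "createdDateTime": "2019-10-24T01:34:35Z",
     "deletedDateTime": null},
    {"@odata.type": "#microsoft.graph.device",
     "id": "d282309e-f91d-43b6-badb-9e68aa4b4fc8",
     "accountEnabled": null,
     "deviceId": null,
     "displayName": null,
     "operatingSystem": null,
     "operatingSystemVersion": null}
  ]
}
""")

# The only properties Graph populates on an object the app may not read.
ALWAYS_PRESENT = {"@odata.type", "id"}


def is_limited(obj: Dict) -> bool:
    """True when the object is a permission-limited stub: type and id are set
    and every other returned property is null. An object carrying no other
    properties at all (e.g. $select=id) cannot be judged and is treated as
    readable, so callers should select at least one more property."""
    others = {k: v for k, v in obj.items() if k not in ALWAYS_PRESENT}
    return bool(others) and all(v is None for v in others.values())


def split_members(response: Dict) -> Dict[str, List[Dict]]:
    """Partition a membership page into objects the app can read and limited
    stubs. The stub ids must not be dereferenced: without the missing
    permission a follow-up GET on them will not return the object."""
    result: Dict[str, List[Dict]] = {"readable": [], "limited": []}
    for obj in response.get("value", []):
        result["limited" if is_limited(obj) else "readable"].append(obj)
    return result


def unreadable_types(response: Dict) -> Set[str]:
    """Object types present in the container that the app has no permission to
    read, so the gap can be logged instead of null properties being taken as data."""
    return {obj["@odata.type"].lstrip("#") for obj in split_members(response)["limited"]}
```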

Access reviews permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
AccessReview.Read.All | Read all access reviews | Allows the app to read access reviews on behalf of the signed-in user. | Yes | No
AccessReview.ReadWrite.All | Manage all access reviews | Allows the app to read and write access reviews on behalf of the signed-in user. | Yes | No
AccessReview.ReadWrite.Membership | Manage access reviews for group and app memberships | Allows the app to read and write access reviews of groups and apps on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
AccessReview.Read.All | Read all access reviews | Allows the app to read access reviews without a signed-in user. | Yes
AccessReview.ReadWrite.Membership | Manage access reviews for group and app memberships | Allows the app to manage access reviews of groups and apps without a signed-in user. | Yes

Remarks

AccessReview.Read.All, AccessReview.ReadWrite.All and AccessReview.ReadWrite.Membership are valid only for work or school accounts.

For an app with delegated permissions to read access reviews of a group or app, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or User Administrator. For an app with delegated permissions to write access reviews of a group or app, the signed-in user must be a member of one of the following administrator roles: Global Administrator or User Administrator.

For an app with delegated permissions to read access reviews of an Azure AD role, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or Privileged Role Administrator. For an app with delegated permissions to write access reviews of an Azure AD role, the signed-in user must be a member of one of the following administrator roles: Global Administrator or Privileged Role Administrator.

For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.


Administrative units permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
AdministrativeUnit.Read.All | Read administrative units | Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user. | Yes | No
AdministrativeUnit.ReadWrite.All | Read and write administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
AdministrativeUnit.Read.All | Read all administrative units | Allows the app to read administrative units and administrative unit membership without a signed-in user. | Yes
AdministrativeUnit.ReadWrite.All | Read and write all administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user. | Yes

Remarks

With the AdministrativeUnit.Read.All permission an application can read administrative unit information including members.

With the AdministrativeUnit.ReadWrite.All permission an application can create, read, update, and delete administrative unit information including members.

AdministrativeUnit.Read.All and AdministrativeUnit.ReadWrite.All are valid only for work or school accounts.

Example usage

  • AdministrativeUnit.Read.All: Read administrative units (GET /beta/administrativeUnits)
  • AdministrativeUnit.Read.All: Read members list of an administrative unit (GET /beta/administrativeUnits/<id>/members)
  • AdministrativeUnit.ReadWrite.All: Create an administrative unit (POST /beta/administrativeUnits)
  • AdministrativeUnit.ReadWrite.All: Update an administrative unit (PATCH /beta/administrativeUnits/<id>)
  • AdministrativeUnit.ReadWrite.All: Add members to an administrative unit (POST /beta/administrativeUnits/<id>/members)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Analytics resource permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required
Analytics.Read | Read user activity statistics. | Allows the app to read the signed-in user's activity statistics, such as how much time the user has spent on emails, in meetings, or in chat sessions. | No

Application permissions

None.

Example usage

Delegated

Application

None.


AppCatalog resource permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account Required
AppCatalog.Read.All | Read all app catalogs | Allows the app to read the apps in the app catalogs. | No | No
AppCatalog.ReadWrite.All | Read and write to all app catalogs | Allows the app to create, read, update, and delete apps in the app catalogs. | Yes | No

Application permissions

None.

Remarks

Currently the only catalog is the list of applications in Microsoft Teams.

Example usage

Delegated

Application

None.


Application resource permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required
Application.Read.All | Read applications | Allows the app to read applications and service principals on behalf of the signed-in user. | Yes
Application.ReadWrite.All | Read and write all apps | Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. | Yes
AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | Yes

Application permissions

Permission | Display String | Description | Admin Consent Required
Application.Read.All | Read applications | Allows the app to read applications and service principals without a signed-in user. | Yes
Application.ReadWrite.All | Read and write all apps | Allows the calling app to create, and manage (read, update, update application secrets and delete) applications and service principals without a signed-in user. Does not allow management of consent grants or application assignments to users or groups. | Yes
Application.ReadWrite.OwnedBy | Manage apps that this app creates or owns | Allows the calling app to create other applications and service principals, and fully manage those applications and service principals (read, update, update application secrets and delete), without a signed-in user. It cannot update any applications that it is not an owner of. Does not allow management of consent grants or application assignments to users or groups. | Yes
AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | Yes

Remarks

The Application.ReadWrite.OwnedBy permission allows the same operations as Application.ReadWrite.All except that the former allows these operations only on applications and service principals that the calling app is an owner of. Ownership is indicated by the owners navigation property on the target application or service principal resource.

NOTE: Using the Application.ReadWrite.OwnedBy permission to call GET /applications to list applications will fail with a 403. Instead use GET servicePrincipals/{id}/ownedObjects to list the applications owned by the calling application.

Example usage

Delegated

  • Application.Read.All: List all applications (GET /beta/applications)
  • Application.ReadWrite.All: Update a service principal (PATCH /beta/servicePrincipals/{id})

Application

  • Application.Read.All: List all applications (GET /beta/applications)
  • Application.ReadWrite.All: Delete a service principal (DELETE /beta/servicePrincipals/{id})
  • Application.ReadWrite.OwnedBy: Create an application (POST /beta/applications)
  • Application.ReadWrite.OwnedBy: List all applications owned by the calling application (GET /beta/servicePrincipals/{id}/ownedObjects)
  • Application.ReadWrite.OwnedBy: Add another owner to an owned application (POST /applications/{id}/owners/$ref).

NOTE: This may require additional permissions.


Bookings permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Bookings.Read.All | | Allows an app to read Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Intended for read-only applications. Typical target user is the customer of a booking business. | No | No
BookingsAppointment.ReadWrite.All | | Allows an app to read and write Bookings appointments and customers, and additionally allows reading businesses, services, and staff on behalf of the signed-in user. Intended for scheduling applications which need to manipulate appointments and customers. Cannot change fundamental information about the booking business, nor its services and staff members. Typical target user is the customer of a booking business. | No | No
Bookings.ReadWrite.All | | Allows an app to read and write Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete, or publish of Bookings businesses. Intended for management applications that manipulate existing businesses, their services and staff members. Cannot create, delete, or change the publishing status of a booking business. Typical target user is the support staff of an organization. | No | No
Bookings.Manage.All | | Allows an app to read, write, and manage Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Allows the app to have full access. Intended for a full management experience. Typical target user is the administrator of an organization. | No | No

Application permissions

None.

Example usage

Delegated

  • Bookings.Read.All: Get the ID and names of the collection of Bookings businesses that has been created for a tenant (GET /bookingBusinesses).
  • BookingsAppointment.ReadWrite.All: Create an appointment for a service at a Bookings business (POST /bookingBusinesses/{id}/appointments).
  • Bookings.ReadWrite.All: Create a new service for the specified Bookings business (POST /bookingBusinesses/{id}/services).
  • Bookings.Manage.All: Make the scheduling page of this business available to external customers (POST /bookingBusinesses/{id}/publish).

Calendars permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Calendars.Read | Read user calendars | Allows the app to read events in user calendars. | No | Yes
Calendars.Read.Shared | Read user and shared calendars | Allows the app to read events in all calendars that the user can access, including delegate and shared calendars. | No | No
Calendars.ReadWrite | Have full access to user calendars | Allows the app to create, read, update, and delete events in user calendars. | No | Yes
Calendars.ReadWrite.Shared | Read and write user and shared calendars | Allows the app to create, read, update and delete events in all calendars the user has permissions to access. This includes delegate and shared calendars. | No | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Calendars.Read | Read calendars in all mailboxes | Allows the app to read events of all calendars without a signed-in user. | Yes
Calendars.ReadWrite | Read and write calendars in all mailboxes | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. | Yes

Important: Administrators can configure application access policy to limit app access to specific mailboxes rather than all the mailboxes in the organization, even if the app has been granted the application permissions Calendars.Read or Calendars.ReadWrite.

Example usage

Delegated

  • Calendars.Read: Get events on the user's calendar between April 23, 2017 and April 29, 2017 (GET /me/calendarView?startDateTime=2017-04-23T00:00:00&endDateTime=2017-04-29T00:00:00).
  • Calendars.Read.Shared: Find meeting times where all attendees are available (POST /users/{id|userPrincipalName}/findMeetingTimes).
  • Calendars.ReadWrite: Add an event to the user's calendar (POST /me/events).

Application

  • Calendars.Read: Find events in a conference room's calendar organized by bob@contoso.com (GET /users/{id | userPrincipalName}/events?$filter=organizer/emailAddress/address eq 'bob@contoso.com').
  • Calendars.Read: List all events on a user's calendar for the month of May (GET /users/{id | userPrincipalName}/calendarView?startDateTime=2017-05-01T00:00:00&endDateTime=2017-06-01T00:00:00).
  • Calendars.ReadWrite: Add an event to a user's calendar for approved time off (POST /users/{id | userPrincipalName}/events).
  • Calendars.Send: Send a message (POST /users/{id | userPrincipalName}/sendCalendars).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Channel permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Channel.ReadBasic.All | Read the names and descriptions of channels. | Read channel names and channel descriptions, on behalf of the signed-in user. | No | No
Channel.Create | Create channels. | Create channels in any team, on behalf of the signed-in user. | Yes | No
Channel.Delete.All | Delete channels. | Delete channels in any team, on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Channel.ReadBasic.All | Read the names and descriptions of all channels. | Read all channel names and channel descriptions, without a signed-in user. | Yes | No
Channel.Create | Create channels. | Create channels in any team, without a signed-in user. | Yes | No
Channel.Delete.All | Delete channels. | Delete channels in any team, without a signed-in user. | Yes | No

Channel settings permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
ChannelSettings.Read.All | Read the names, descriptions, and settings of channels. | Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user. | Yes | No
ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of channels. | Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
ChannelSettings.Read.All | Read the names, descriptions, and settings of all channels. | Read all channel names, channel descriptions, and channel settings, without a signed-in user. | Yes | No
ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of all channels. | Read and write the names, descriptions, and settings of all channels, without a signed-in user. | Yes | No

Calls permissions

Delegated permissions

None.


Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| Calls.Initiate.All | Initiate outgoing 1:1 calls from the app (preview) | Allows the app to place outbound calls to a single user and transfer calls to users in your organization's directory, without a signed-in user. | Yes |
| Calls.InitiateGroupCall.All | Initiate outgoing group calls from the app (preview) | Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a signed-in user. | Yes |
| Calls.JoinGroupCall.All | Join group calls and meetings as an app (preview) | Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined with the privileges of a directory user to meetings in your tenant. | Yes |
| Calls.JoinGroupCallasGuest.All | Join group calls and meetings as a guest (preview) | Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined as a guest to meetings in your tenant. | Yes |
| Calls.AccessMedia.All* | Access media streams in a call as an app (preview) | Allows the app to get direct access to media streams in a call, without a signed-in user. | Yes |

*Important: You may NOT use the Cloud Communications APIs to record or otherwise persist media content from calls or meetings that your application accesses, or data derived from that media content. Make sure that you are compliant with the laws and regulations in your area regarding data protection and confidentiality of communications. Please see the Terms of Use and consult with your legal counsel for more information.


Example usage

Application

  • Calls.Initiate.All: Make a peer-to-peer call from the application to a user in the organization (POST /beta/communications/calls).
  • Calls.InitiateGroupCall.All: Make a group call from the application to a group of users in the organization (POST /beta/communications/calls).
  • Calls.JoinGroupCall.All: Join a group call or online meeting from the application (POST /beta/communications/calls).
  • Calls.JoinGroupCallasGuest.All: Join a group call or online meeting from the application, but the application only has guest privileges in the meeting (POST /beta/communications/calls).
  • Calls.AccessMedia.All: Create or join a call and the app gets direct access to participant media streams in the call (POST /beta/communications/calls).

Note: For request examples, see Create call.

For more complex scenarios involving multiple permissions, see Permission scenarios.

Call records permissions

Delegated permissions

None.


Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| CallRecords.Read.All | Read all call records | Allows the app to read call records for all calls and online meetings without a signed-in user. | Yes |
| CallRecords.Read.PstnCalls | Read PSTN and direct routing call log data (preview) | Allows the app to read all PSTN and direct routing call log data without a signed-in user. | Yes |

Remarks

The CallRecords.Read.All permission grants an application privileged access to callRecords for every call and online meeting within your organization, including calls to and from external phone numbers. This includes potentially sensitive details about who participated in the call, as well as technical information pertaining to these calls and meetings that can be used for network troubleshooting, such as IP addresses, device details, and other network information.

The CallRecords.Read.PstnCalls permission grants an application access to PSTN (calling plans) and direct routing call logs. This includes potentially sensitive information about users as well as calls to and from external phone numbers.

Important: Discretion should be used when granting these permissions to applications. Call records can provide insights into the operation of your business, and so can be a target for malicious actors. Only grant these permissions to applications you trust to meet your data protection requirements.

Important: Make sure that you are compliant with the laws and regulations in your area regarding data protection and confidentiality of communications. Please see the Terms of Use and consult with your legal counsel for more information.
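To act on the advice above, an administrator needs to know which applications in the tenant already hold these permissions. The following added example (not from the Microsoft Graph reference) uses the Microsoft Graph PowerShell SDK to list every application granted CallRecords.Read.All, CallRecords.Read.PstnCalls or Calls.AccessMedia.All; it assumes the Microsoft.Graph module is installed and that the signed-in administrator can consent to Application.Read.All.

```powershell
# Added example (not from the Microsoft Graph docs): find the applications that have been
# granted the call-related application permissions described in this section.
# Assumes the Microsoft.Graph PowerShell SDK is installed; the permission names are the
# ones listed on this page.

# Application permissions are exposed as app roles on the Microsoft Graph service principal.
$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$Watchlist  = @('CallRecords.Read.All', 'CallRecords.Read.PstnCalls', 'Calls.AccessMedia.All')

Connect-MgGraph -Scopes 'Application.Read.All'

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# Map app role id -> permission value (for example CallRecords.Read.All) for the roles on the watchlist.
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) {
    if ($Watchlist -contains $role.Value) { $roleNames[$role.Id] = $role.Value }
}

# appRoleAssignedTo on the Graph service principal lists every principal that has been granted
# one of Graph's app roles, i.e. every admin-consented application permission in the tenant.
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

$findings = foreach ($a in $assignments) {
    if ($roleNames.ContainsKey($a.AppRoleId)) {
        [pscustomobject]@{
            Application = $a.PrincipalDisplayName
            PrincipalId = $a.PrincipalId
            Permission  = $roleNames[$a.AppRoleId]
            GrantedOn   = $a.CreatedDateTime
        }
    }
}

# Review each row against the question raised in the Remarks: is this an application you trust
# with participant, IP address and device details for every call and meeting in the tenant?
$findings | Sort-Object Permission, Application | Format-Table -AutoSize
```

A grant that is no longer justified can be removed by deleting the corresponding app role assignment; the same pattern works for any other application permission name on this page.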


Example usage

Application

  • CallRecords.Read.All: Retrieve a call record (GET /v1.0/communications/callRecords/{id}).
  • CallRecords.Read.All: Subscribe to new call records (POST /v1.0/subscriptions).
  • CallRecords.Read.PstnCalls: Retrieve direct routing call records within the specified time range (GET /v1.0/communications/callRecords/microsoft.graph.callRecords.getDirectRoutingCalls(fromDateTime={start date and time},toDateTime={end date and time})).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Channel permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Channel.ReadBasic.All | Read the names and descriptions of channels. | Read channel names and channel descriptions, on behalf of the signed-in user. | No | No |
| Channel.Create | Create channels. | Create channels in any team, on behalf of the signed-in user. | Yes | No |
| Channel.Delete.All | Delete channels. | Delete channels in any team, on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Channel.ReadBasic.All | Read the names and descriptions of all channels. | Read all channel names and channel descriptions, without a signed-in user. | Yes | No |
| Channel.Create | Create channels. | Create channels in any team, without a signed-in user. | Yes | No |
| Channel.Delete.All | Delete channels. | Delete channels in any team, without a signed-in user. | Yes | No |

Channel member permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| ChannelMember.Read.All | Read the members of channels. | Read the members of channels, on behalf of the signed-in user. | Yes | No |
| ChannelMember.ReadWrite.All | Add and remove members from channels. | Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| ChannelMember.Read.All | Read the members of all channels. | Read the members of all channels, without a signed-in user. | Yes | No |
| ChannelMember.ReadWrite.All | Add and remove members from all channels. | Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner. | Yes | No |

Channel message permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| ChannelMessage.Delete (private preview) | Delete user's channel messages | Allows an app to delete channel messages in Microsoft Teams, on behalf of the signed-in user. | Yes | No |
| ChannelMessage.Edit (private preview) | Edit user's channel messages | Allows an app to edit channel messages in Microsoft Teams, on behalf of the signed-in user. | Yes | No |
| ChannelMessage.Read.All | Read user channel messages | Allows an app to read a channel's messages in Microsoft Teams, on behalf of the signed-in user. | Yes | No |
| ChannelMessage.Send | Send channel messages | Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| ChannelMessage.Read.All | Read all channel messages | Allows the app to read all channel messages in Microsoft Teams, without a signed-in user. | Yes | No |
| ChannelMessage.UpdatePolicyViolation.All | Flag channel messages for violating policy | Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. | Yes | No |

Note: See also Group.Read.All.

Channel settings permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| ChannelSettings.Read.All | Read the names, descriptions, and settings of channels. | Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user. | Yes | No |
| ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of channels. | Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| ChannelSettings.Read.All | Read the names, descriptions, and settings of all channels. | Read all channel names, channel descriptions, and channel settings, without a signed-in user. | Yes | No |
| ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of all channels. | Read and write the names, descriptions, and settings of all channels, without a signed-in user. | Yes | No |

Chats permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Chat.Read | Read your chat messages | Allows an app to read your 1:1 or group chat messages in Microsoft Teams, on your behalf. | No | No |
| Chat.ReadBasic | Read names and members of user chat threads | Allows an app to read the members and descriptions of 1:1 and group chat threads, on behalf of the signed-in user. | No | No |
| Chat.ReadWrite | Read your chat messages and send new ones | Allows an app to read and send your 1:1 or group chat messages in Microsoft Teams, on your behalf. | No | No |
| Chat.Send (private preview) | Send user chat messages | Allows an app to send 1:1 and group chat messages in Microsoft Teams, on behalf of the signed-in user. | No | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Chat.Read.All | Read all chat messages | Allows the app to read all 1:1 or group chat messages in Microsoft Teams, without a signed-in user. | Yes | No |
| Chat.ReadBasic.All | Read names and members of user chat threads | Read names and members of all chat threads. | No | No |
| Chat.UpdatePolicyViolation.All | Flag chat messages for violating policy | Allows the app to update Microsoft Teams 1:1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. | Yes | No |
| Chat.Send.All (private preview) | Send user chat messages | Allows an app to send 1:1 and group chat messages in Microsoft Teams without a signed-in user. | No | No |

Note: For messages in a channel, see ChannelMessage permissions.

ChatMessage permissions (private preview)

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| ChatMessage.Send (private preview) | Send user chat messages | Allows an app to send 1:1 and group chat messages in Microsoft Teams, on behalf of the signed-in user. | No | No |

Cloud printing permissions

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| Printer.ReadWrite.All | Read and update printers | Allows the application to read and update printers without a signed-in user. Does not allow creating (registering) or deleting (unregistering) printers. | Yes |
| PrintJob.Read.All | Read print jobs | Allows the application to read the metadata and document content of print jobs without a signed-in user. | Yes |
| PrintJob.ReadBasic.All | Read basic information for print jobs | Allows the application to read the metadata of print jobs without a signed-in user. Does not allow access to print job document content. | Yes |
| PrintJob.ReadWrite.All | Read and write print jobs | Allows the application to read and update the metadata and document content of print jobs without a signed-in user. | Yes |
| PrintJob.ReadWriteBasic.All | Read and write basic information for print jobs | Allows the application to read and update the metadata of print jobs without a signed-in user. Does not allow access to print job document content. | Yes |

Contacts permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Contacts.Read | Read user contacts | Allows the app to read user contacts. | No | Yes |
| Contacts.Read.Shared | Read user and shared contacts | Allows the app to read contacts that the user has permissions to access, including the user's own and shared contacts. | No | No |
| Contacts.ReadWrite | Have full access to user contacts | Allows the app to create, read, update, and delete user contacts. | No | Yes |
| Contacts.ReadWrite.Shared | Read and write user and shared contacts | Allows the app to create, read, update, and delete contacts that the user has permissions to access, including the user's own and shared contacts. | No | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| Contacts.Read | Read contacts in all mailboxes | Allows the app to read all contacts in all mailboxes without a signed-in user. | Yes |
| Contacts.ReadWrite | Read and write contacts in all mailboxes | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. | Yes |

Important: Administrators can configure an application access policy to limit app access to specific mailboxes rather than all the mailboxes in the organization, even if the app has been granted the Contacts.Read or Contacts.ReadWrite application permission.
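The application access policy mentioned above is configured in Exchange Online PowerShell. The following added example (not from the Microsoft Graph reference) scopes an app holding Contacts.Read to the members of one mail-enabled security group and then verifies the result per mailbox; the app id, group address and user addresses are placeholders, and the Exchange Online PowerShell module is assumed to be installed.

```powershell
# Added example (not from the Microsoft Graph docs): limit an app that holds the
# Contacts.Read application permission to a chosen set of mailboxes with an
# Exchange Online application access policy. All ids and addresses are placeholders.

Connect-ExchangeOnline

$AppId   = '00000000-0000-0000-0000-000000000000'     # placeholder: appId of the app granted Contacts.Read
$Scope   = 'contacts-sync-allowed@contoso.example'    # placeholder: mail-enabled security group
$InScope = 'alice@contoso.example'                    # placeholder: mailbox that is a member of the group
$Other   = 'bob@contoso.example'                      # placeholder: mailbox that is not a member

# 1. A mail-enabled security group defines the mailboxes the app is allowed to touch.
New-DistributionGroup -Name 'Contacts sync allowed' -Type Security -PrimarySmtpAddress $Scope
Add-DistributionGroupMember -Identity $Scope -Member $InScope

# 2. RestrictAccess keeps the Graph permission as granted, but Exchange only honours it
#    for mailboxes in the scope group; requests against any other mailbox are denied.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $Scope `
    -AccessRight RestrictAccess -Description 'Limit the contacts sync app to the allowed group'

# 3. Verify the effect per mailbox before relying on it. The cmdlet reports an
#    AccessCheckResult of Granted for in-scope mailboxes and Denied for the rest.
Test-ApplicationAccessPolicy -Identity $InScope -AppId $AppId
Test-ApplicationAccessPolicy -Identity $Other   -AppId $AppId

# 4. Confirm the policy is recorded for this app.
Get-ApplicationAccessPolicy | Where-Object AppId -eq $AppId
```

The same policy mechanism applies to the other mailbox-scoped application permissions (mail, calendar, contacts) that this reference marks as tenant-wide.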

Example usage

Delegated

  • Contacts.Read: Read a contact from one of the top-level contact folders of the signed-in user (GET /me/contactfolders/{Id}/contacts/{id}).
  • Contacts.ReadWrite: Update the contact photo of one of the signed-in user's contacts (PUT /me/contactfolders/{contactFolderId}/contacts/{id}/photo/$value).
  • Contacts.ReadWrite: Add contacts to the root folder of the signed-in user (POST /me/contacts).

Application

  • Contacts.Read: Read contacts from one of the top-level contact folders of any user in the organization (GET /users/{id | userPrincipalName}/contactfolders/{Id}/contacts/{id}).
  • Contacts.ReadWrite: Update the photo for any contact of any user in the organization (PUT /user/{id | userPrincipalName}/contactfolders/{contactFolderId}/contacts/{id}/photo/$value).
  • Contacts.ReadWrite: Add contacts to the root folder of any user in the organization (POST /users/{id | userPrincipalName}/contacts).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Device permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Device.Read | Read user devices | Allows the app to read a user's list of devices on behalf of the signed-in user. | No | Yes |
| Device.Command | Communicate with user devices | Allows the app to launch another app or communicate with another app on a user's device on behalf of the signed-in user. | No | Yes |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| Device.ReadWrite.All | Read and write devices | Allows the app to read and write all device properties without a signed-in user. Does not allow device creation, device deletion, or update of device alternative security identifiers. | Yes |

Example usage

Application

  • Device.ReadWrite.All: Read all registered devices in the organization (GET /devices).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Directory permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Directory.Read.All | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization's tenant. | Yes | No |
| Directory.ReadWrite.All | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords. | Yes | No |
| Directory.AccessAsUser.All | Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes | No |
| PrivilegedAccess.ReadWrite.AzureAD | Read and write Privileged Identity Management data for Directory | Allows the app to have read and write access to Privileged Identity Management APIs for Azure AD. | Yes | No |
| PrivilegedAccess.ReadWrite.AzureResources | Read and write Privileged Identity Management data for Azure Resources | Allows the app to have read and write access to Privileged Identity Management APIs for Azure resources. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| Directory.Read.All | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Yes |
| Directory.ReadWrite.All | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. | Yes |

Remarks

Directory permissions provide the highest level of privilege for accessing directory resources such as User, Group, and Device in an organization.

They also exclusively control access to other directory resources, such as organizational contacts, schema extension APIs, Privileged Identity Management (PIM) APIs, and many of the resources and APIs listed under the Azure Active Directory node in the v1.0 and beta API reference documentation. These include administrative units, directory roles, directory settings, policy, and many more.

The Directory.ReadWrite.All permission grants the following privileges:

  • Full read of all directory resources (both declared properties and navigation properties)
  • Create and update users
  • Disable and enable users (but not company administrators)
  • Set user alternative security id (but not for administrators)
  • Create and update groups
  • Manage group memberships
  • Update group owner
  • Manage license assignments
  • Define schema extensions on applications

Note:

  • No rights to reset user passwords.
  • Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.
  • No rights to delete resources (including users or groups).
  • Specifically excludes create or update for resources not listed above. This includes: application, oAuth2PermissionGrant, appRoleAssignment, device, servicePrincipal, organization, domains, and so on.

Example usage

Delegated

  • Directory.Read.All: List all administrative units in an organization (GET /beta/administrativeUnits)
  • Directory.ReadWrite.All: Add members to a directory role (POST /directoryRoles/{id}/members/$ref)

Application

  • Directory.Read.All: List all memberships of a user, including directory roles and administrative units (GET /beta/users/{id}/memberOf)
  • Directory.Read.All: List all group members, including service principals (GET /beta/groups/{id}/members)
  • Directory.ReadWrite.All: Add an owner to a group (POST /groups/{id}/owners/$ref)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Domain permissions

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| Domain.ReadWrite.All | Read and write domains | Allows the app to read and write domains without a signed-in user. | Yes |

Education permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| EduAdministration.Read | Read education app settings | Allows the app to read education app settings on behalf of the user. | Yes | No |
| EduAdministration.ReadWrite | Manage education app settings | Allows the app to manage education app settings on behalf of the user. | Yes | No |
| EduAssignments.ReadBasic | Read users' class assignments without grades | Allows the app to read assignments without grades on behalf of the user. | Yes | No |
| EduAssignments.ReadWriteBasic | Read and write users' class assignments without grades | Allows the app to read and write assignments without grades on behalf of the user. | Yes | No |
| EduAssignments.Read | Read users' view of class assignments and their grades | Allows the app to read assignments and their grades on behalf of the user. | Yes | No |
| EduAssignments.ReadWrite | Read and write users' view of class assignments and their grades | Allows the app to read and write assignments and their grades on behalf of the user. | Yes | No |
| EduRoster.ReadBasic | Read a limited subset of users' view of the roster | Allows the app to read a limited subset of the properties from the structure of schools and classes in an organization's roster and a limited subset of properties about users, on behalf of the user. Includes name, status, education role, email address and photo. | Yes | No |
| EduRoster.Read | Read users' view of the roster | Allows the app to read the structure of schools and classes in an organization's roster and education-specific information about users, on behalf of the user. | Yes | |
| EduRoster.ReadWrite | Read and write users' view of the roster | Allows the app to read and write the structure of schools and classes in an organization's roster and education-specific information about users, on behalf of the user. | Yes | |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| EduAdministration.Read.All | Read Education app settings | Read the state and settings of all Microsoft education apps on behalf of the user | Yes |
| EduAdministration.ReadWrite.All | Manage education app settings | Manage the state and settings of all Microsoft education apps on behalf of the user | Yes |
| EduAssignments.ReadBasic.All | Read class assignments without grades | Allows the app to read assignments without grades for all users | Yes |
| EduAssignments.ReadWriteBasic.All | Read and write class assignments without grades | Allows the app to read and write assignments without grades for all users | Yes |
| EduAssignments.Read.All | Read class assignments with grades | Allows the app to read assignments and their grades for all users | Yes |
| EduAssignments.ReadWrite.All | Read and write class assignments with grades | Allows the app to read and write assignments and their grades for all users | Yes |
| EduRoster.ReadBasic.All | Read a limited subset of the organization's roster. | Allows the app to read a limited subset of both the structure of schools and classes in an organization's roster and education-specific information about all users. | Yes |
| EduRoster.Read.All | Read the organization's roster. | Allows the app to read the structure of schools and classes in the organization's roster and education-specific information about all users. | Yes |
| EduRoster.ReadWrite.All | Read and write the organization's roster. | Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific information about all users. | Yes |

Example usage

Delegated

  • EduAssignments.Read: Get the signed-in student's assignment information (GET /education/classes/{id}/assignments/{id})
  • EduAssignments.ReadWriteBasic: Submit the signed-in student's assignment (GET /education/classes/{id}/assignments/{id}/submit)
  • EduRoster.ReadBasic: Classes a signed-in user attends or teaches (GET /education/classes/{id}/members)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Entitlement management permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| EntitlementManagement.ReadWrite.All | Read and write entitlement management resources | Allows the app to request access to read and manage access packages and related entitlement management resources on behalf of the signed-in user. | Yes |
| EntitlementManagement.Read.All | Read entitlement management resources | Allows the app to request access to read access packages and related entitlement management resources on behalf of the signed-in user. | Yes |

Files permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Files.Read | Read user files | Allows the app to read the signed-in user's files. | No | Yes
Files.Read.All | Read all files that user can access | Allows the app to read all files the signed-in user can access. | No | Yes
Files.ReadWrite | Have full access to user files | Allows the app to read, create, update, and delete the signed-in user's files. | No | Yes
Files.ReadWrite.All | Have full access to all files user can access | Allows the app to read, create, update, and delete all files the signed-in user can access. | No | Yes
Files.ReadWrite.AppFolder | Have full access to the application's folder (preview) | (Preview) Allows the app to read, create, update, and delete files in the application's folder. | No | No
Files.Read.Selected | Read files that the user selects | Limited support in Microsoft Graph; see Remarks. (Preview) Allows the app to read files that the user selects. The app has access for several hours after the user selects a file. | No | No
Files.ReadWrite.Selected | Read and write files that the user selects | Limited support in Microsoft Graph; see Remarks. (Preview) Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file. | No | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Files.Read.All | Read files in all site collections | Allows the app to read all files in all site collections without a signed-in user. | Yes
Files.ReadWrite.All | Read and write files in all site collections | Allows the app to read, create, update, and delete all files in all site collections without a signed-in user. | Yes

Remarks

Note: For personal accounts, Files.Read and Files.ReadWrite also grant access to files shared with the signed-in user.

The Files.Read.Selected and Files.ReadWrite.Selected delegated permissions are only valid on work or school accounts and are only exposed for working with Office 365 file handlers (v1.0). They should not be used for directly calling Microsoft Graph APIs.

The Files.ReadWrite.AppFolder delegated permission is only valid for personal accounts and is used for accessing the App Root special folder with the OneDrive Get special folder Microsoft Graph API.

Example usage

Delegated

  • Files.Read: Read files stored in the signed-in user's OneDrive (GET /me/drive/root/children)
  • Files.Read.All: Read files shared with the signed-in user (GET /me/drive/root/sharedWithMe)
  • Files.ReadWrite: Write a file in the signed-in user's OneDrive (PUT /me/drive/root/children/filename.txt/content)
  • Files.ReadWrite.All: Write a file shared with the user (PUT /users/rgregg@contoso.com/drive/root/children/file.txt/content)
  • Files.ReadWrite.AppFolder: Write files into the app's folder in OneDrive (PUT /me/drive/special/approot/children/file.txt/content)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Financials permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required
Financials.ReadWrite.All | Read and write financials data | Allows the app to read and write financials data on behalf of the signed-in user. | No

Group permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Group.Read.All | Read all groups | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. | Yes | No
Group.ReadWrite.All | Read and write all groups | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Also allows the app to read and write calendar, conversations, files, and other group content for all groups the signed-in user can access. Additionally allows group owners to manage their groups and allows group members to update group content. | Yes | No
GroupMember.Read.All | Read group memberships | Allows the app to list groups, read basic group properties, and read membership of all groups the signed-in user has access to. | Yes | No
GroupMember.ReadWrite.All | Read and write group memberships | Allows the app to list groups, read basic properties, and read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated, and groups cannot be deleted. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Group.Read.All | Read all groups | Allows the app to read memberships for all groups without a signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups. Note: Not all group APIs support access using app-only permissions. See known issues for examples. | Yes
Group.ReadWrite.All | Read and write all groups | Allows the app to create groups, read and update group memberships, and delete groups. Also allows the app to read and write calendar, conversations, files, and other group content for all groups. All of these operations can be performed by the app without a signed-in user. Note: Not all group APIs support access using app-only permissions. See known issues for examples. | Yes
Group.Selected | Access selected groups | Note: This permission is exposed in the Azure portal for a feature that is not available for general use. Do not use this permission, as it is subject to change. | Yes
GroupMember.Read.All | Read group memberships | Allows the app to read memberships and basic group properties for all groups without a signed-in user. | Yes
GroupMember.ReadWrite.All | Read and write group memberships | Allows the app to list groups, read basic properties, and read and update the membership of the groups this app has access to, without a signed-in user. Group properties and owners cannot be updated, and groups cannot be deleted. | Yes
Group.Create | Create groups | Allows the calling app to create groups without a signed-in user. Does not allow reading, updating, or deleting any groups. | Yes

Remarks

Group functionality is not supported on personal Microsoft accounts.

For Microsoft 365 groups, Group permissions grant the app access to the contents of the group; for example, conversations, files, notes, and so on.

For application permissions, there are some limitations on the APIs that are supported. For more information, see known issues.

In some cases, an app may need Directory permissions to read some group properties, like member and memberOf. For example, if a group has one or more servicePrincipals as members, the app needs effective permission to read service principals, granted through one of the Directory.* permissions; otherwise Microsoft Graph returns an error. (In the case of delegated permissions, the signed-in user also needs sufficient privileges in the organization to read service principals.) The same guidance applies to the memberOf property, which can return administrativeUnits.

To set a Microsoft 365 group's preferredDataLocation attribute, an app needs the Directory.ReadWrite.All permission. When users in a multi-geo environment create a Microsoft 365 group, the preferredDataLocation value for the group is automatically set to that of the user. For more information about groups' preferred data location, see Create a Microsoft 365 group with a specific PDL.

Group permissions are used to control access to Microsoft Teams resources and APIs. Personal Microsoft accounts are not supported.

Group permissions are also used to control access to Microsoft Planner resources and APIs. Only delegated permissions are supported for Microsoft Planner APIs; application permissions are not supported. Personal Microsoft accounts are not supported.

Example usage

Delegated

  • Group.Read.All: Read all Microsoft 365 groups that the signed-in user is a member of (GET /me/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(a:a%20eq%20'unified')).
  • Group.Read.All: Read all Microsoft 365 group content, like conversations (GET /groups/{id}/conversations).
  • Group.ReadWrite.All: Update group properties, like the photo (PUT /groups/{id}/photo/$value).
  • GroupMember.ReadWrite.All: Update group members (POST /groups/{id}/members/$ref).

Note: This also requires User.ReadBasic.All to read the user to add as a member.

Application

  • Group.Read.All: Find all groups whose name starts with 'Sales' (GET /groups?$filter=startswith(displayName,'Sales')).
  • Group.ReadWrite.All: A daemon service creates new events on a Microsoft 365 group's calendar (POST /groups/{id}/events).
  • Group.Create: Create a new group (POST /groups).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Identity provider permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
IdentityProvider.Read.All | Read identity provider information | Allows the app to read identity providers configured in your Azure AD or Azure AD B2C tenant on behalf of the signed-in user. | Yes | No
IdentityProvider.ReadWrite.All | Read and write identity provider information | Allows the app to read or write identity providers configured in your Azure AD or Azure AD B2C tenant on behalf of the signed-in user. | Yes | No

Remarks

IdentityProvider.Read.All and IdentityProvider.ReadWrite.All are valid only for work or school accounts. For an app to read or write identity providers with delegated permissions, the signed-in user must be assigned the Global Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated

The following usages are valid for both delegated permissions:

  • IdentityProvider.Read.All: Read all identity providers configured in the tenant (GET /beta/identityProviders)
  • IdentityProvider.Read.All: Read an existing identity provider (GET /beta/identityProviders/{id})
  • IdentityProvider.ReadWrite.All: Create an identity provider (POST /beta/identityProviders)
  • IdentityProvider.ReadWrite.All: Update an existing identity provider (PATCH /beta/identityProviders/{id})
  • IdentityProvider.ReadWrite.All: Delete an existing identity provider (DELETE /beta/identityProviders/{id})

For more complex scenarios involving multiple permissions, see Permission scenarios.


Identity risk event permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
IdentityRiskEvent.Read.All | Read identity risk event information | Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
IdentityRiskEvent.Read.All | Read identity risk event information | Allows the app to read identity risk event information for all users in your organization without a signed-in user. | Yes

Remarks

IdentityRiskEvent.Read.All is valid only for work or school accounts. For an app with delegated permissions to read identity risk information, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, or Security Reader. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated and Application

The following usages are valid for both delegated and application permissions:

  • Read all risk events generated for all users in the tenant (GET /beta/identityRiskEvents)
  • Read malware risk events generated by the Dorknet botnet (GET /beta/malwareRiskEvents?$filter=malwareName eq 'Dorkbot')
  • Read the 50 most recent risk events (GET /beta/identityRiskEvents?$orderBy=riskEventDateTime desc&top=50)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Identity risky user permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
IdentityRiskyUser.Read.All | Read identity user risk information | Allows the app to read identity user risk information for all users in your organization on behalf of the signed-in user. | Yes | No
IdentityRiskyUser.ReadWrite.All | Read and update identity user risk information | Allows the app to read and update identity user risk information for all users in your organization on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
IdentityRiskyUser.Read.All | Read identity user risk information | Allows the app to read identity user risk information for all users in your organization without a signed-in user. | Yes
IdentityRiskyUser.ReadWrite.All | Read and update identity user risk information | Allows the app to read and update identity user risk information for all users in your organization without a signed-in user. | Yes

Remarks

IdentityRiskyUser.Read.All and IdentityRiskyUser.ReadWrite.All are valid only for work or school accounts. For an app with delegated permissions to read identity user risk information, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, or Security Reader. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated and Application

The following usages are valid for both delegated and application permissions:

  • Read all risky users and their properties in the tenant (GET /beta/riskyUsers)
  • Read all risky users whose aggregated risk level is Medium (GET /beta/riskyUsers?$filter=risk/riskLevelAggregated eq microsoft.graph.riskLevel'medium')
  • Read the risk information for a specific user (GET /beta/riskyUsers?$filter=id eq '{userObjectId}')
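The risky-user query above, carried through as an added example (not code from the Microsoft Graph documentation): it widens the page's single-level `$filter` to every level at or above a threshold, follows `@odata.nextLink` across pages, and re-checks each returned level client-side. The `risk/riskLevelAggregated` property path is taken from the usage line above; the severity ordering, the injectable transport and the sample responses are assumptions constructed for this example, so it runs offline with no tenant or token.

```python
"""Added example: collect risky users at or above a risk level from /beta/riskyUsers.
Not from the Microsoft Graph docs; transport and sample data are constructed here."""
from typing import Callable, Dict, Iterator, List
from urllib.parse import quote

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Severity ordering assumed for this example; the values are Graph's riskLevel enum names.
RISK_ORDER = ["low", "medium", "high"]

# A transport takes a request URL and returns the parsed JSON body. In production it
# would perform an authenticated GET with a token carrying IdentityRiskyUser.Read.All.
Transport = Callable[[str], Dict]


def risky_users_url(min_level: str) -> str:
    """Build the filtered request from the usage list above, widened to every
    level at or above min_level by joining the page's 'eq' clauses with 'or'."""
    levels = RISK_ORDER[RISK_ORDER.index(min_level):]
    clauses = [
        f"risk/riskLevelAggregated eq microsoft.graph.riskLevel'{lvl}'" for lvl in levels
    ]
    # Percent-encode the filter but keep '/' and the quote characters the enum literal needs.
    encoded = quote(" or ".join(clauses), safe="/'")
    return f"{GRAPH_BETA}/riskyUsers?$filter={encoded}"


def iter_collection(transport: Transport, url: str) -> Iterator[Dict]:
    """Yield every item in a Graph collection, following @odata.nextLink across pages."""
    while url:
        body = transport(url)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")


def collect_risky_users(transport: Transport, min_level: str = "medium") -> Dict[str, List[str]]:
    """Return {riskLevelAggregated: [userPrincipalName, ...]} for users at or above min_level."""
    threshold = RISK_ORDER.index(min_level)
    found: Dict[str, List[str]] = {}
    for user in iter_collection(transport, risky_users_url(min_level)):
        level = user.get("risk", {}).get("riskLevelAggregated", "none")
        # Re-check the level client-side rather than trusting that the filter was honoured.
        if level not in RISK_ORDER or RISK_ORDER.index(level) < threshold:
            continue
        found.setdefault(level, []).append(user["userPrincipalName"])
    return found


# Constructed sample responses (not real tenant data), keyed by request URL. The first
# page carries a nextLink; the second page includes a below-threshold user that a
# correct server-side filter would not return, which the client check drops.
_PAGE1 = risky_users_url("medium")
_PAGE2 = f"{GRAPH_BETA}/riskyUsers?$skiptoken=constructed-token"
SAMPLE_RESPONSES = {
    _PAGE1: {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000001", "userPrincipalName": "alice@contoso.example",
             "risk": {"riskLevelAggregated": "high"}},
            {"id": "00000000-0000-0000-0000-000000000002", "userPrincipalName": "bob@contoso.example",
             "risk": {"riskLevelAggregated": "medium"}},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"id": "00000000-0000-0000-0000-000000000003", "userPrincipalName": "carol@contoso.example",
             "risk": {"riskLevelAggregated": "high"}},
            {"id": "00000000-0000-0000-0000-000000000004", "userPrincipalName": "dave@contoso.example",
             "risk": {"riskLevelAggregated": "low"}},
        ],
    },
}


def sample_transport(url: str) -> Dict:
    """Offline stand-in for an authenticated Graph GET."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    print(collect_risky_users(sample_transport, "medium"))
```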

For more complex scenarios involving multiple permissions, see Permission scenarios.


Information protection policy permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
InformationProtectionPolicy.Read | Read user sensitivity labels and label policies | Allows an app to read information protection sensitivity labels and label policy settings on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
InformationProtectionPolicy.Read.All | Read all published labels and label policies for an organization | Allows an app to read published sensitivity labels and label policy settings for the entire organization or a specific user, without a signed-in user. | Yes

Intune device management permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
DeviceManagementApps.Read.All | Read Microsoft Intune apps | Allows the app to read the properties, group assignments, and status of apps, app configurations, and app protection policies managed by Microsoft Intune. | Yes | No
DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps | Allows the app to read and write the properties, group assignments, and status of apps, app configurations, and app protection policies managed by Microsoft Intune. | Yes | No
DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Yes | No
DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune device configuration and policies | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Yes | No
DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices | Allows the app to perform remote high-impact actions, such as wiping the device or resetting the passcode, on devices managed by Microsoft Intune. | Yes | No
DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune. | Yes | No
DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices | Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high-impact operations such as remote wipe and password reset on the device's owner. | Yes | No
DeviceManagementRBAC.Read.All | Read Microsoft Intune RBAC settings | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | Yes | No
DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | Yes | No
DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration | Allows the app to read Intune service properties, including device enrollment and third-party service connection configuration. | Yes | No
DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration | Allows the app to read and write Microsoft Intune service properties, including device enrollment and third-party service connection configuration. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
DeviceManagementApps.Read.All | Read Microsoft Intune apps | Allows the app to read the properties, group assignments, and status of apps, app configurations, and app protection policies managed by Microsoft Intune. | Yes | No
DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps | Allows the app to read and write the properties, group assignments, and status of apps, app configurations, and app protection policies managed by Microsoft Intune. | Yes | No
DeviceManagementConfiguration.Read.All | Read Microsoft Intune device configuration and policies | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Yes | No
DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune device configuration and policies | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Yes | No
DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices | Allows the app to perform remote high-impact actions, such as wiping the device or resetting the passcode, on devices managed by Microsoft Intune. | Yes | No
DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune. | Yes | No
DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices | Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high-impact operations such as remote wipe and password reset on the device's owner. | Yes | No
DeviceManagementRBAC.Read.All | Read Microsoft Intune RBAC settings | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | Yes | No
DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | Yes | No
DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration | Allows the app to read Intune service properties, including device enrollment and third-party service connection configuration. | Yes | No
DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration | Allows the app to read and write Microsoft Intune service properties, including device enrollment and third-party service connection configuration. | Yes | No

Remarks

Note: Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

These permissions are only valid for work or school accounts.

用法示例Example usage

委派Delegated

  • DeviceManagementServiceConfiguration.Read.All:检查 Intune 订阅的当前状态 (GET /deviceManagement/subscriptionState)。DeviceManagementServiceConfiguration.Read.All: Check the current state of the Intune subscription (GET /deviceManagement/subscriptionState).
  • DeviceManagementServiceConfiguration.ReadWrite.All: Create new Terms and Conditions (POST /deviceManagement/termsAndConditions).
  • DeviceManagementConfiguration.Read.All: Find the status of a device configuration (GET /deviceManagement/deviceConfigurations/{id}/deviceStatuses).
  • DeviceManagementConfiguration.ReadWrite.All: Assign a device compliance policy to a group (POST deviceCompliancePolicies/{id}/assign).
  • DeviceManagementApps.Read.All: Find all the Windows Store apps published to Intune (GET /deviceAppManagement/mobileApps?$filter=isOf('microsoft.graph.windowsStoreApp')).
  • DeviceManagementApps.ReadWrite.All: Publish a new application (POST /deviceAppManagement/mobileApps).
  • DeviceManagementRBAC.Read.All: Find a role assignment by name (GET /deviceManagement/roleAssignments?$filter=displayName eq 'My Role Assignment').
  • DeviceManagementRBAC.ReadWrite.All: Create a new custom role (POST /deviceManagement/roleDefinitions).
  • DeviceManagementManagedDevices.Read.All: Find a managed device by name (GET /managedDevices/?$filter=deviceName eq 'My Device').
  • DeviceManagementManagedDevices.ReadWrite.All: Remove a managed device (DELETE /managedDevices/{id}).
  • DeviceManagementManagedDevices.PrivilegedOperations.All: Reset the passcode on a user's managed device (POST /managedDevices/{id}/resetPasscode).

Application

  • DeviceManagementServiceConfiguration.Read.All: Check the current state of the Intune subscription (GET /deviceManagement/subscriptionState).
  • DeviceManagementServiceConfiguration.ReadWrite.All: Create new Terms and Conditions (POST /deviceManagement/termsAndConditions).
  • DeviceManagementConfiguration.Read.All: Find the status of a device configuration (GET /deviceManagement/deviceConfigurations/{id}/deviceStatuses).
  • DeviceManagementConfiguration.ReadWrite.All: Assign a device compliance policy to a group (POST deviceCompliancePolicies/{id}/assign).
  • DeviceManagementApps.Read.All: Find all the Windows Store apps published to Intune (GET /deviceAppManagement/mobileApps?$filter=isOf('microsoft.graph.windowsStoreApp')).
  • DeviceManagementApps.ReadWrite.All: Publish a new application (POST /deviceAppManagement/mobileApps).
  • DeviceManagementRBAC.Read.All: Find a role assignment by name (GET /deviceManagement/roleAssignments?$filter=displayName eq 'My Role Assignment').
  • DeviceManagementRBAC.ReadWrite.All: Create a new custom role (POST /deviceManagement/roleDefinitions).
  • DeviceManagementManagedDevices.Read.All: Find a managed device by name (GET /managedDevices/?$filter=deviceName eq 'My Device').
  • DeviceManagementManagedDevices.ReadWrite.All: Remove a managed device (DELETE /managedDevices/{id}).
  • DeviceManagementManagedDevices.PrivilegedOperations.All: Reset the passcode on a user's managed device (POST /managedDevices/{id}/resetPasscode).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Mail permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Mail.Read | Read user mail | Allows the app to read email in user mailboxes. | No | Yes
Mail.ReadBasic | Read user basic mail | Allows the app to read email in the signed-in user's mailbox, except for body, bodyPreview, uniqueBody, attachments, extensions, and any extended properties. Does not include permissions to search messages. | No | No
Mail.ReadWrite | Read and write access to user mail | Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. | No | Yes
Mail.Read.Shared | Read user and shared mail | Allows the app to read mail that the user can access, including the user's own and shared mail. | No | No
Mail.ReadWrite.Shared | Read and write user and shared mail | Allows the app to create, read, update, and delete mail that the user has permission to access, including the user's own and shared mail. Does not include permission to send mail. | No | No
Mail.Send | Send mail as a user | Allows the app to send mail as users in the organization. | No | Yes
Mail.Send.Shared | Send mail on behalf of others | Allows the app to send mail as the signed-in user, including sending on behalf of others. | No | No
MailboxSettings.Read | Read user mailbox settings | Allows the app to read the user's mailbox settings. Does not include permission to send mail. | No | Yes
MailboxSettings.ReadWrite | Read and write user mailbox settings | Allows the app to create, read, update, and delete the user's mailbox settings. Does not include permission to directly send mail, but allows the app to create rules that can forward or redirect messages. | No | Yes

Application permissions

Permission | Display String | Description | Admin Consent Required
Mail.Read | Read mail in all mailboxes | Allows the app to read mail in all mailboxes without a signed-in user. | Yes
Mail.ReadBasic.All | Read all users basic mail | Allows the app to read all users' mailboxes except Body, BodyPreview, UniqueBody, Attachments, ExtendedProperties, and Extensions. Does not include permissions to search messages. | Yes
Mail.ReadWrite | Read and write mail in all mailboxes | Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. | Yes
Mail.Send | Send mail as any user | Allows the app to send mail as any user without a signed-in user. | Yes
MailboxSettings.Read | Read all user mailbox settings | Allows the app to read users' mailbox settings without a signed-in user. Does not include permission to send mail. | No
MailboxSettings.ReadWrite | Read and write all user mailbox settings | Allows the app to create, read, update, and delete users' mailbox settings without a signed-in user. Does not include permission to send mail. | Yes

Important: Administrators can configure application access policy to limit app access to specific mailboxes rather than all the mailboxes in the organization, even if the app has been granted the application permissions Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, or MailboxSettings.ReadWrite.

Remarks

Mail.Read.Shared, Mail.ReadWrite.Shared, and Mail.Send.Shared are only valid for work or school accounts. All other permissions are valid for both Microsoft accounts and work or school accounts.

With the Mail.Send or Mail.Send.Shared permission, an app can send mail and save a copy to the user's Sent Items folder, even if the app does not use a corresponding Mail.ReadWrite or Mail.ReadWrite.Shared permission.

Example usage

Delegated

  • Mail.Read: List messages in the user's inbox, sorted by receivedDateTime (GET /me/mailfolders/inbox/messages?$orderby=receivedDateTime DESC).
  • Mail.Read.Shared: Find all messages with attachments in the inbox of a user who has shared their inbox with the signed-in user (GET /users{id | userPrincipalName}/mailfolders/inbox/messages?$filter=hasAttachments eq true).
  • Mail.ReadWrite: Mark a message as read (PATCH /me/messages/{id}).
  • Mail.Send: Send a message (POST /me/sendmail).
  • MailboxSettings.ReadWrite: Update the user's automatic reply (PATCH /me/mailboxSettings).

Application

  • Mail.Read: Find messages from bob@contoso.com (GET /users/{id | userPrincipalName}/messages?$filter=from/emailAddress/address eq 'bob@contoso.com').
  • Mail.ReadWrite: Create a new folder in the Inbox named Expense Reports (POST /users/{id | userPrincipalName}/mailfolders).
  • Mail.Send: Send a message (POST /users/{id | userPrincipalName}/sendmail).
  • MailboxSettings.Read: Get the default time zone for the user's mailbox (GET /users/{id | userPrincipalName}/mailboxSettings/timeZone).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Member permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Member.Read.Hidden | Read hidden memberships | Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Member.Read.Hidden | Read all hidden memberships | Allows the app to read the memberships of hidden groups and administrative units without a signed-in user. | Yes

Remarks

Member.Read.Hidden is valid only on work or school accounts.

Membership in some Microsoft 365 groups can be hidden. This means that only the members of the group can view its members. This feature can be used to help comply with regulations that require an organization to hide group membership from outsiders (for example, a Microsoft 365 group that represents students enrolled in a class).

Example usage

Delegated

  • Member.Read.Hidden: Read the members of an administrative unit with hidden membership on behalf of the signed-in user (GET /administrativeUnits/{id}/members).
  • Member.Read.Hidden: Read the members of a group with hidden membership on behalf of the signed-in user (GET /groups/{id}/members).

Application

  • Member.Read.Hidden: Read the members of an administrative unit with hidden membership (GET /administrativeUnits/{id}/members).
  • Member.Read.Hidden: Read the members of a group with hidden membership (GET /groups/{id}/members).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Notes permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Notes.Read | Read user OneNote notebooks | Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user. | No | Yes
Notes.Create | Create user OneNote notebooks | Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user. | No | Yes
Notes.ReadWrite | Read and write user OneNote notebooks | Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user. | No | Yes
Notes.Read.All | Read all OneNote notebooks that user can access | Allows the app to read OneNote notebooks that the signed-in user has access to in the organization. | No | No
Notes.ReadWrite.All | Read and write all OneNote notebooks that user can access | Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization. | No | No
Notes.ReadWrite.CreatedByApp | Limited notebook access (deprecated) | Deprecated. Do not use. No privileges are granted by this permission. | No | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Notes.Read.All | Read all OneNote notebooks | Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. | Yes
Notes.ReadWrite.All | Read and write all OneNote notebooks | Allows the app to read, share, and modify all the OneNote notebooks in your organization, without a signed-in user. | Yes

Remarks

Notes.Read.All and Notes.ReadWrite.All are only valid for work or school accounts. All other permissions are valid for both Microsoft accounts and work or school accounts.

With the Notes.Create permission, an app can view the OneNote notebook hierarchy of the signed-in user and create OneNote content (notebooks, section groups, sections, pages, etc.).

Notes.ReadWrite and Notes.ReadWrite.All also allow the app to modify the permissions on the OneNote content that can be accessed by the signed-in user.

For work or school accounts, Notes.Read.All and Notes.ReadWrite.All allow the app to access other users' OneNote content that the signed-in user has permission to within the organization.

Example usage

Delegated

  • Notes.Create: Create a new notebook for the signed-in user (POST /me/onenote/notebooks).
  • Notes.Read: Read the notebooks for the signed-in user (GET /me/onenote/notebooks).
  • Notes.Read.All: Get all notebooks that the signed-in user has access to within the organization (GET /me/onenote/notebooks?includesharednotebooks=true).
  • Notes.ReadWrite: Update a page of the signed-in user (PATCH /me/onenote/pages/{id}/$value).
  • Notes.ReadWrite.All: Create a page in another user's notebook that the signed-in user has access to within the organization (POST /users/{id}/onenote/pages).

Application

  • Notes.Read.All: Read all users' notebooks in a group (GET /groups/{id}/onenote/notebooks).
  • Notes.ReadWrite.All: Update a page in a notebook for any user in the organization (PATCH /users/{id}/onenote/pages/{id}/$value).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Notifications permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required
Notifications.ReadWrite.CreatedByApp | Deliver and manage notifications for this app. | Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user's notification items for this app. | No

Remarks

Notifications.ReadWrite.CreatedByApp is valid for both Microsoft accounts and work or school accounts. The CreatedByApp constraint associated with this permission indicates that the service will apply implicit filtering to results based on the identity of the calling app, either the Microsoft account app ID or a set of app IDs configured for a cross-platform application identity.

Example usage

Delegated

  • Notifications.ReadWrite.CreatedByApp: Publish a user-centric notification, which might then be delivered to the user's multiple application clients running on different endpoints (POST /me/notifications/).

Online meetings permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
OnlineMeetings.Read | Read Online Meeting. | Allows an app to read online meeting details on behalf of the signed-in user. | No | No
OnlineMeetings.ReadWrite | Read and Create Online Meetings. | Allows an app to create and read online meetings on behalf of the signed-in user. | No | No

Application permissions

Permission | Display String | Description | Admin Consent Required
OnlineMeetings.Read.All | Read Online Meeting details from the app | Allows the app to read VTC-associated online meeting details in your organization without a signed-in user. | Yes
OnlineMeetings.ReadWrite.All | Read Online Meeting details from the app | Allows an app to create and read online meetings without a signed-in user. | Yes

Example usage

Delegated

  • OnlineMeetings.Read: Retrieve the properties and relationships of an online meeting (GET /beta/communications/onlinemeetings/{default id}).
  • OnlineMeetings.ReadWrite: Create an online meeting (POST /beta/communications/onlinemeetings).

Application

  • OnlineMeetings.Read.All: Retrieve the properties and relationships of an online meeting (GET /beta/communications/onlinemeetings/?$filter=VideoTeleconferenceId%20eq%20'{id}').

Note: Creating an online meeting creates a meeting on behalf of a user, but does not show it on the user's Calendar.

For more complex scenarios involving multiple permissions, see Permission scenarios.


On-premises publishing profiles permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
OnPremisesPublishingProfiles.ReadWrite.All | Access On-Premises Publishing Profiles | Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on behalf of the signed-in user. | No | No

Application permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
OnPremisesPublishingProfiles.ReadWrite.All | Access On-Premises Publishing Profiles | Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on behalf of the signed-in user. | No | No

OpenID permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
email | View users' email address | Allows the app to read your users' primary email address. | No | No
offline_access | Access user's data anytime | Allows the app to read and update user data, even when they are not currently using the app. | No | No
openid | Sign users in | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. | No | No
profile | View users' basic profile | Allows the app to see your users' basic profile (name, picture, user name). | No | No

Application permissions

None.

Remarks

You can use these permissions to specify artifacts that you want returned in Azure AD authorization and token requests. They are supported differently by the Azure AD v1.0 and v2.0 endpoints.

With the Azure AD (v1.0) endpoint, only the openid permission is used. You specify it in the scope parameter of an authorization request to return an ID token when you use the OpenID Connect protocol to sign a user in to your app. For more information, see Authorize access to web applications using OpenID Connect and Azure Active Directory. To successfully return an ID token, you must also make sure that the User.Read permission is configured when you register your app.

With the Azure AD v2.0 endpoint, you specify the offline_access permission in the scope parameter to explicitly request a refresh token when using the OAuth 2.0 or OpenID Connect protocols. With OpenID Connect, you specify the openid permission to request an ID token. You can also specify the email permission, the profile permission, or both to return additional claims in the ID token. You do not need to specify User.Read to return an ID token with the v2.0 endpoint. For more information, see OpenID Connect scopes.

Important: The Microsoft Authentication Library (MSAL) currently specifies offline_access, openid, profile, and email by default in authorization and token requests. This means that, for the default case, if you specify these permissions explicitly, Azure AD may return an error.
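As an added example (not Microsoft's code) of the v2.0 scope rules in the remarks above: the helper assembles the scope list for an authorization request (openid for an ID token, email/profile for extra claims, offline_access for a refresh token, and none of the four when MSAL is used, since it adds them itself), builds the request URL, and reads the requested scopes back so an auditor can check what an app asks for. The tenant, client ID and redirect URI in the sample are constructed values.

```python
"""Assemble Azure AD v2.0 authorization-request scopes for Microsoft Graph."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Real v2.0 endpoint and Graph resource URI; every other value below is constructed.
V2_AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
GRAPH_RESOURCE = "https://graph.microsoft.com/"
OIDC_SCOPES = ("openid", "profile", "email", "offline_access")
ID_TOKEN_CLAIM_SCOPES = ("email", "profile")


def v2_scopes(graph_permissions, id_token=True, refresh_token=False,
              claims=(), using_msal=False):
    """Return the scope list for one v2.0 request.

    graph_permissions: Graph permission names such as "Mail.Read"; each is
    qualified with the Graph resource URI, which the v2.0 endpoint expects.
    """
    scopes = []
    for perm in graph_permissions:
        if perm in OIDC_SCOPES:
            raise ValueError(f"{perm} is an OpenID scope; request it via the flags")
        scopes.append(perm if perm.startswith(GRAPH_RESOURCE) else GRAPH_RESOURCE + perm)
    if using_msal:
        # MSAL adds offline_access, openid, profile and email by default, and
        # Azure AD may reject a request that repeats them, so leave them out.
        return scopes
    if id_token:
        scopes.append("openid")
        for claim in claims:
            if claim not in ID_TOKEN_CLAIM_SCOPES:
                raise ValueError(f"unknown ID-token claim scope: {claim}")
            scopes.append(claim)
    elif claims:
        raise ValueError("email/profile only add claims to an ID token; set id_token=True")
    if refresh_token:
        scopes.append("offline_access")
    return scopes


def build_v2_authorize_url(tenant, client_id, redirect_uri, scopes,
                           state=None, nonce=None):
    """Build the v2.0 authorization-code request URL for the given scopes."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        # state ties the response to this request; nonce is echoed in the ID token.
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    return V2_AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def requested_scopes(url):
    """Read the scope list back from an authorization URL (useful when auditing an app)."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def requests_refresh_token(url):
    """True when the request asks for a long-lived refresh token (offline_access)."""
    return "offline_access" in requested_scopes(url)


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or app registration.
    scopes = v2_scopes(["Mail.Read", "User.Read"], id_token=True,
                       refresh_token=True, claims=("email",))
    url = build_v2_authorize_url("contoso.onmicrosoft.com",
                                 "00000000-0000-0000-0000-000000000000",
                                 "https://localhost/callback", scopes)
    print(url)
    print("refresh token requested:", requests_refresh_token(url))
```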


Organization permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Organization.Read.All | Read organization information | Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes | No
Organization.ReadWrite.All | Read and write organization information | Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Organization.Read.All | Read organization information | Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes
Organization.ReadWrite.All | Read and write organization information | Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes

Example usage

Delegated

  • Organization.Read.All: Get organization information (GET /organization).
  • Organization.Read.All: Get the SKUs that the organization has subscribed to (GET /subscribedSkus).

Application

  • Organization.ReadWrite.All: Update organization information (such as technicalNotificationMails) (PATCH /organization/{id}).

Organizational contact permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
OrgContact.Read.All | Read organizational contacts | Allows the app to read all organizational contacts on behalf of the signed-in user. These contacts are managed by the organization and are different from a user's personal contacts. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
OrgContact.Read.All | Read organizational contacts | Allows the app to read all organizational contacts without a signed-in user. These contacts are managed by the organization and are different from a user's personal contacts. | Yes

Example usage

Delegated

  • OrgContact.Read.All: Get all organizational contacts (GET /contacts).

People permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
People.Read | Read users' relevant people lists | Allows the app to read a scored list of people relevant to the signed-in user. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). | No | Yes
People.Read.All | Read all users' relevant people lists | Allows the app to read a scored list of people relevant to the signed-in user or other users in the signed-in user's organization. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). Also allows the app to search the entire directory of the signed-in user's organization. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
People.Read.All | Read all users' relevant people lists | Allows the app to read a scored list of people relevant to the signed-in user or other users in the signed-in user's organization. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). Also allows the app to search the entire directory of the signed-in user's organization. | Yes

Remarks

The People.Read.All permission is only valid for work and school accounts.

Example usage

Delegated

  • People.Read: Read a list of relevant people (GET /me/people).
  • People.Read.All: Read a list of people relevant to another user in the same organization (GET /users('{id})/people).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Places permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Place.Read.All | Read all company places | Allows the app to read company places (conference rooms and room lists) set up in Exchange Online for the tenant. | Yes | No
Place.ReadWrite.All | Read and write all company places | Allows the app to read and write company places (conference rooms and room lists) set up in Exchange Online for the tenant. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Place.Read.All | Read all company places | Allows the app to read company places (conference rooms and room lists) for calendar events and other applications. | Yes

Policy permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Policy.Read.All | Read your organization's policies | Allows the app to read your organization's policies on behalf of the signed-in user. | Yes | No |
| Policy.ReadWrite.ApplicationConfiguration | Read and write your organization's application configuration policies | Allows the app to read and write your organization's application configuration policies on behalf of the signed-in user. | Yes | No |
| Policy.ReadWrite.AuthenticationFlows | Read and write your organization's authentication flow policies | Allows the app to read and write the authentication flow policies on behalf of the signed-in user. | Yes | No |
| Policy.ReadWrite.ConditionalAccess | Read and write your organization's conditional access policies | Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user. | Yes | No |
| Policy.ReadWrite.FeatureRollout | Read and write your organization's feature rollout policies | Allows the app to read and write your organization's feature rollout policies on behalf of the signed-in user. Includes the ability to assign users and groups to the rollout of a specific feature and to remove them from it. | Yes | No |
| Policy.ReadWrite.TrustFramework | Read and write your organization's trust framework policies | Allows the app to read and write your organization's trust framework policies on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| Policy.Read.All | Read your organization's policies | Allows the app to read all your organization's policies without a signed-in user. | Yes |
| Policy.Read.ApplicationConfiguration | Read your organization's application configuration policies | Allows the app to read all your organization's application configuration policies without a signed-in user. | Yes |
| Policy.ReadWrite.AuthenticationFlows | Read and write your organization's authentication flow policies | Allows the app to read and write the authentication flow policies for the tenant without a signed-in user. | Yes |
| Policy.ReadWrite.FeatureRollout | Read and write feature rollout policies | Allows the app to read and write feature rollout policies without a signed-in user. Includes the ability to assign users and groups to the rollout of a specific feature and to remove them from it. | Yes |
| Policy.ReadWrite.TrustFramework | Read and write your organization's trust framework policies | Allows the app to read and write your organization's trust framework policies without a signed-in user. | Yes |

Example usage

The following usages are valid for both delegated and application permissions:

  • Policy.Read.All: Read your organization's policies (GET /policies)
  • Policy.Read.All: Read your organization's trust framework policies (GET /beta/trustFramework/policies)
  • Policy.Read.All: Read your organization's feature rollout policies (GET /beta/directory/featureRolloutPolicies)
  • Policy.ReadWrite.ApplicationConfiguration: Read and write your organization's application configuration policies (POST /beta/policies/tokenLifetimePolicies)
  • Policy.ReadWrite.AuthenticationFlows: Read and write your organization's authentication flows policy (PATCH /beta/policies/authenticationFlowsPolicy)
  • Policy.ReadWrite.ConditionalAccess: Read and write your organization's conditional access policies (POST /beta/identity/conditionalAccess/policies)
  • Policy.ReadWrite.FeatureRollout: Read and write your organization's feature rollout policies (POST /beta/directory/featureRolloutPolicies)
  • Policy.ReadWrite.TrustFramework: Read and write your organization's trust framework policies (POST /beta/trustFramework/policies)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Presence permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| Presence.Read | Read user's presence information | Allows the app to read presence information on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, time zone and location. | No |
| Presence.Read.All | Read presence information of all users in your organization | Allows the app to read presence information of all users in the directory on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, time zone and location. | No |

Example usage

  • Presence.Read: If you're signed in, retrieve your own presence information (GET /me/presence)
  • Presence.Read.All: Retrieve the presence information of another user (GET /users/{id}/presence)
  • Presence.Read.All: Retrieve the presence information of multiple users (POST /communications/getPresencesByUserId)

Programs and program controls permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| ProgramControl.Read.All | Read all programs | Allows the app to read programs on behalf of the signed-in user. | Yes | No |
| ProgramControl.ReadWrite.All | Manage all programs | Allows the app to read and write programs on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| ProgramControl.Read.All | Read all programs | Allows the app to read programs without a signed-in user. | Yes |
| ProgramControl.ReadWrite.All | Manage all programs | Allows the app to read and write programs without a signed-in user. | Yes |

Remarks

ProgramControl.Read.All and ProgramControl.ReadWrite.All are valid only for work or school accounts.

For an app with delegated permissions to read programs and program controls, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or User Administrator. For an app with delegated permissions to write programs and program controls, the signed-in user must be a member of one of the following administrator roles: Global Administrator or User Administrator. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.


Reports permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Reports.Read.All | Read all usage reports | Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| Reports.Read.All | Read all usage reports | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory. | Yes |

Remarks

  • Reports permissions are only valid for work or school accounts.
  • For delegated permissions to allow apps to read service usage reports on behalf of a user, the tenant administrator must have assigned the user an Azure AD limited administrator role. For more details, see Authorization for APIs to read Microsoft 365 usage reports.

Example usage

Application

  • Reports.Read.All: Read the usage detail report of email apps for a period of 7 days (GET /reports/EmailAppUsage(view='Detail',period='D7')/content).
  • Reports.Read.All: Read the email activity detail report for the date '2017-01-01' (GET /reports/EmailActivity(view='Detail',date='2017-01-01')/content).
  • Reports.Read.All: Read the Microsoft 365 activations detail report (GET /reports/Office365Activations(view='Detail')/content).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Role management permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| RoleManagement.Read.Directory | Read directory RBAC settings | Allows the app to read the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, directory roles and memberships. | Yes | No |
| RoleManagement.ReadWrite.Directory | Read and write directory RBAC settings | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| RoleManagement.Read.Directory | Read all directory RBAC settings | Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships. | Yes |
| RoleManagement.ReadWrite.Directory | Read and write all directory RBAC settings | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Yes |

Remarks

With the RoleManagement.Read.Directory permission an application can read directoryRoles and directoryRoleTemplates. This includes reading membership information for directory roles.

With the RoleManagement.ReadWrite.Directory permission an application can read and write directoryRoles (directoryRoleTemplates are read-only resources). This includes adding members to and removing members from directory roles.

Role management permissions are only valid for work or school accounts.

Example usage

  • RoleManagement.Read.Directory: Read the list of available role templates (GET /directoryRoleTemplates)
  • RoleManagement.Read.Directory: Read the list of activated roles in your directory (GET /directoryRoles)
  • RoleManagement.Read.Directory: Read the list of members for a role (GET /directoryRoles/<id>/members)
  • RoleManagement.Read.Directory: Read the list of administrative unit-scoped members for a role (GET /directoryRoles/<id>/scopedMembers)
  • RoleManagement.ReadWrite.Directory: Activate a directory role from a role template (POST /directoryRoles)
  • RoleManagement.ReadWrite.Directory: Add a member to a directory role (POST /directoryRoles/<id>/members)
  • RoleManagement.ReadWrite.Directory: Add an administrative unit-scoped member to a directory role (POST /directoryRoles/<id>/scopedMembers)

For more complex scenarios involving multiple permissions, see Permission scenarios.
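Because the same permission name can require admin consent in one mode and not the other (compare the delegated and application rows for Sites.Read.All further down this page), and because a ReadWrite or FullControl permission with an All or Directory constraint lets an app change directory-wide state, a consent review should check each requested permission against the table rather than its display string. The following is an added example, not code from Microsoft or from this reference: it parses names using the resource.operation.constraint pattern this page describes, looks each one up in a small table transcribed from the rows on this page (a handful of permissions; the full reference has many more), and reports which entries need admin consent, which are high-impact writes, and whether a narrower Read sibling exists in the same table. The cut-off for "high impact" (write operation with a broad constraint, or any write to Policy or RoleManagement resources) is an assumption chosen for this example, not a rule from the page.

```python
"""Least-privilege review of a Microsoft Graph permission request (added example).

The table below is transcribed from rows on this page. For each permission it records
whether admin consent is required in delegated mode and in application mode; None
means the page does not list the permission in that mode.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PERMISSION_TABLE = {
    # name:                              (delegated consent, application consent)
    "Sites.Read.All":                     (False, True),
    "Sites.ReadWrite.All":                (False, True),
    "Sites.Manage.All":                   (False, True),
    "Sites.FullControl.All":              (True,  True),
    "RoleManagement.Read.Directory":      (True,  True),
    "RoleManagement.ReadWrite.Directory": (True,  True),
    "Policy.Read.All":                    (True,  True),
    "Policy.ReadWrite.ConditionalAccess": (True,  None),   # delegated only on this page
    "SecurityEvents.Read.All":            (True,  True),
    "SecurityEvents.ReadWrite.All":       (True,  True),
    "Presence.Read":                      (False, None),
    "Tasks.Read":                         (False, None),
    "Tasks.ReadWrite":                    (False, None),
}

# Assumed classification for this example, not a rule stated on the page.
WRITE_OPERATIONS = frozenset({"ReadWrite", "Manage", "FullControl", "Send", "Create"})
BROAD_CONSTRAINTS = frozenset({"All", "Directory"})
SENSITIVE_RESOURCES = frozenset({"Policy", "RoleManagement"})


@dataclass(frozen=True)
class Finding:
    permission: str
    mode: str                          # "delegated" or "application"
    admin_consent: bool                # page's "Admin Consent Required" column
    high_impact: bool                  # write with broad scope or to a sensitive resource
    read_alternative: Optional[str]    # narrower Read sibling present in the table, if any


def parse_permission(name: str) -> Tuple[str, str, Optional[str]]:
    """Split 'resource.operation[.constraint]' into its three parts (constraint may be None)."""
    parts = name.split(".")
    if len(parts) == 2:
        return parts[0], parts[1], None
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError(f"unexpected permission name: {name!r}")


def read_alternative(resource: str, constraint: Optional[str]) -> Optional[str]:
    """Return the Read permission with the same resource and constraint if the table has it."""
    candidate = ".".join(p for p in (resource, "Read", constraint) if p)
    return candidate if candidate in PERMISSION_TABLE else None


def review(requested: List[str], mode: str) -> List[Finding]:
    """Classify each requested permission for the given auth mode.

    Unknown names raise rather than being silently passed, so they get looked up by hand.
    """
    if mode not in ("delegated", "application"):
        raise ValueError("mode must be 'delegated' or 'application'")
    findings = []
    for name in requested:
        resource, operation, constraint = parse_permission(name)
        if name not in PERMISSION_TABLE:
            raise KeyError(f"{name}: not in the transcribed table; consult the reference")
        delegated_consent, application_consent = PERMISSION_TABLE[name]
        consent = delegated_consent if mode == "delegated" else application_consent
        if consent is None:
            raise ValueError(f"{name}: not offered as a {mode} permission on this page")
        is_write = operation in WRITE_OPERATIONS
        high = is_write and (constraint in BROAD_CONSTRAINTS or resource in SENSITIVE_RESOURCES)
        alt = read_alternative(resource, constraint) if high else None
        findings.append(Finding(name, mode, consent, high, alt))
    return findings


def needs_admin_consent(findings: List[Finding]) -> List[str]:
    return [f.permission for f in findings if f.admin_consent]


def high_impact(findings: List[Finding]) -> List[str]:
    return [f.permission for f in findings if f.high_impact]


if __name__ == "__main__":
    # Constructed sample of what an app registration might request.
    requested = ["Sites.FullControl.All", "Presence.Read", "RoleManagement.ReadWrite.Directory"]
    for f in review(requested, "delegated"):
        hint = f" (consider {f.read_alternative})" if f.read_alternative else ""
        print(f"{f.permission}: admin consent={f.admin_consent}, high impact={f.high_impact}{hint}")
```

Run as a script it prints one line per requested permission; the `review` function is the reusable part, and its refusal to classify a name it does not know is deliberate, since a silent pass is the wrong default in a consent review.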


Schedule management permissions (private preview)

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Schedule.ReadWrite.All (private preview) | Read and write Shifts service (Teams) data | Allows an app to read and write schedules, schedule groups, shifts, and associated entities in Shifts applications without a signed-in user. | Yes | No |
| Schedule.Read.All (private preview) | Read Shifts service (Teams) data | Allows the app to read schedules, schedule groups, shifts, and associated entities in Shifts applications without a signed-in user. | Yes | No |

Search permissions

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| ExternalItem.ReadWrite.All | Read and write external data | Allows an app to write external data into the indexing API. | Yes | No |

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| ExternalItem.Read.All | Read external data | Allows an app to read external data ingested via the Microsoft Search indexing API. | Yes | No |

Remarks

Search permissions are only valid for work or school accounts.

This search permission applies only to data ingested through the indexing API.

Access to data via search requires the corresponding permission for that data, for example Files.Read.All to access files via search.

Example usage

Application

  • ExternalItem.Read.All: Access external data from the search API (POST /search/query).

Security permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| SecurityEvents.Read.All | Read your organization's security events | Allows the app to read your organization's security events on behalf of the signed-in user. | Yes | No |
| SecurityEvents.ReadWrite.All | Read and update your organization's security events | Allows the app to read your organization's security events on behalf of the signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in user. | Yes | No |
| SecurityActions.Read.All | Read your organization's security actions | Allows the app to read your organization's security actions on behalf of the signed-in user. | Yes | No |
| SecurityActions.ReadWrite.All | Read and update your organization's security actions | Allows the app to read your organization's security actions on behalf of the signed-in user. | Yes | No |
| ThreatIndicators.ReadWrite.OwnedBy | Manage threat indicators this app creates or owns | Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete) on behalf of the signed-in user. | Yes | No |
| ThreatIndicators.Read.All | Read your organization's threat indicators | Allows the app to read your organization's security actions on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| SecurityEvents.Read.All | Read your organization's security events | Allows the app to read your organization's security events. | Yes |
| SecurityEvents.ReadWrite.All | Read and update your organization's security events | Allows the app to read your organization's security events. Also allows the app to update editable properties in security events. | Yes |
| SecurityActions.Read.All | Read your organization's security events | Allows the app to read your organization's security actions. | Yes |
| SecurityActions.ReadWrite.All | Create and read your organization's security actions | Allows the app to read or create security actions, without a signed-in user. | Yes |
| ThreatIndicators.ReadWrite.OwnedBy | Manage threat indicators this app creates or owns | Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), without a signed-in user. It cannot update any threat indicators it does not own. | Yes |
| ThreatIndicators.Read.All | Manage threat indicators this app creates or owns | Allows the app to read all the indicators for your organization, without a signed-in user. | Yes |

Remarks

Security permissions are valid only on work or school accounts.

Example usage

Delegated and Application

  • SecurityEvents.Read.All: Read the list of all security alerts from all licensed security providers available to your tenant (GET /beta/security/alerts)
  • SecurityEvents.ReadWrite.All: Update or read security alerts from all licensed security providers available to your tenant (PATCH /beta/security/alerts/{id})

Sites permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Sites.Read.All | Read items in all site collections | Allows the app to read documents and list items in all site collections on behalf of the signed-in user. | No | No |
| Sites.ReadWrite.All | Read and write items in all site collections | Allows the app to edit or delete documents and list items in all site collections on behalf of the signed-in user. | No | No |
| Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Allows the app to manage and create lists, documents, and list items in all site collections on behalf of the signed-in user. | No | No |
| Sites.FullControl.All | Have full control of all site collections | Allows the app to have full control of SharePoint sites in all site collections on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| Sites.Read.All | Read items in all site collections | Allows the app to read documents and list items in all site collections without a signed-in user. | Yes |
| Sites.ReadWrite.All | Read and write items in all site collections | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user. | Yes |
| Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Allows the app to manage and create lists, documents, and list items in all site collections without a signed-in user. | Yes |
| Sites.FullControl.All | Have full control of all site collections | Allows the app to have full control of SharePoint sites in all site collections without a signed-in user. | Yes |

Remarks

Sites permissions are valid only on work or school accounts.

Example usage

Delegated

  • Sites.Read.All: Read the lists on the SharePoint root site (GET /v1.0/sites/root/lists)
  • Sites.ReadWrite.All: Create new list items in a SharePoint list (POST /v1.0/sites/root/lists/123/items)
  • Sites.Manage.All: Add a new list to a SharePoint site (POST /v1.0/sites/root/lists)
  • Sites.FullControl.All: Complete access to SharePoint sites and lists.

Tasks permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Tasks.Read | Read user tasks (preview) | Allows the app to read user tasks. | No | Yes |
| Tasks.Read.Shared | Read user and shared tasks (preview) | Allows the app to read tasks a user has permissions to access, including their own and shared tasks. | No | No |
| Tasks.ReadWrite | Create, read, update and delete user tasks and containers (preview) | Allows the app to create, read, update and delete tasks and containers (and tasks in them) that are assigned to or shared with the signed-in user. | No | Yes |
| Tasks.ReadWrite.Shared | Read and write user and shared tasks (preview) | Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks. | No | No |

Application permissions

None.

Remarks

Tasks permissions are used to control access to Outlook tasks. Access to Microsoft Planner tasks is controlled by Group permissions.

Shared permissions are currently only supported for work or school accounts. Even with Shared permissions, reads and writes may fail if the user who owns the shared content has not granted the accessing user permission to modify content within the folder.

Example usage

Delegated

  • Tasks.Read: Get all tasks in a user's mailbox (GET /me/outlook/tasks).
  • Tasks.Read.Shared: Access tasks in a folder shared to you by another user in your organization (GET /users/{id|userPrincipalName}/outlook/taskfolders/{id}/tasks).
  • Tasks.ReadWrite: Add an event to the user's default task folder (POST /me/outlook/tasks).
  • Tasks.Read: Get all uncompleted tasks in a user's mailbox (GET /users/{id | userPrincipalName}/outlook/tasks?$filter=status ne 'completed').
  • Tasks.ReadWrite: Update a task in a user's mailbox (PATCH /users/{id | userPrincipalName}/outlook/tasks/id).
  • Tasks.ReadWrite.Shared: Complete a task on behalf of another user (POST /users/{id | userPrincipalName}/outlook/tasks/id/complete).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Teams permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Teams.ReadBasic.All | Read the names and descriptions of teams | Read the names and descriptions of teams, on behalf of the signed-in user. | No | No |
| Teams.Create (private preview) | Create teams | Create teams, on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Teams.ReadBasic.All | Get a list of all teams | Get a list of all teams, without a signed-in user. | Yes | No |
| Teams.Create (private preview) | Create teams | Create teams, without a signed-in user. | Yes | No |

Team settings permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| TeamsSettings.Read.All | Read teams' settings | Read this team's settings, on behalf of the signed-in user. | Yes | No |
| TeamsSettings.ReadWrite.All | Read and change teams' settings | Read and change all teams' settings, on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| TeamsSettings.Read.All | Read all teams' settings | Read this team's settings, without a signed-in user. | Yes | No |
| TeamsSettings.ReadWrite.All | Read and change all teams' settings | Read and change all teams' settings, without a signed-in user. | Yes | No |

Teams activity permissions (private preview)

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| TeamsActivity.Read (private preview) | Read user's teamwork activity feed | Allows the app to read the signed-in user's teamwork activity feed. | No | No |
| TeamsActivity.Send (private preview) | Send a teamwork activity as the user | Allows the app to create new activities in the user's teamwork activity feed, and send new activities to other users' activity feeds, on behalf of the signed-in user. | No | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| TeamsActivity.Read.All (private preview) | Read all users' teamwork activity feed | Allows the app to read all users' teamwork activity feeds, without a signed-in user. | Yes | No |
| TeamsActivity.Send (private preview) | Send a teamwork activity to any user | Allows the app to send new activities to any user's teamwork activity feed, without a signed-in user. | Yes | No |

Teams app permissions (deprecated)

Note

These permissions are deprecated. Use the equivalent TeamsAppInstallation.*.All permissions instead.

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| TeamsApp.Read.All (Deprecated) | Read all installed Teams apps | Allows the app to read the Teams apps that are installed for the signed-in user, and in all teams the user is a member of. Does not give the ability to read application-specific settings. | Yes | No |
| TeamsApp.ReadWrite.All (Deprecated) | Manage all Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user and also for teams the user is a member of. Does not give the ability to read or write application-specific settings. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| TeamsApp.Read.All (Deprecated) | Read all users' installed Teams apps | Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. | Yes | No |
| TeamsApp.ReadWrite.All (Deprecated) | Manage all users' Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read or write application-specific settings. | Yes | No |

Teams app installation permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
TeamsAppInstallation.ReadForUser | Read user's installed Teams apps | Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings. | No | No
TeamsAppInstallation.ReadWriteForUser | Manage user's installed Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps installed for the signed-in user. Does not give the ability to read application-specific settings. | Yes | No
TeamsAppInstallation.ReadWriteSelfForUser (private preview) | Allow the app to manage itself in teams | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | No | No
TeamsAppInstallation.ReadForTeam | Read installed Teams apps in teams | Allows the app to read the Teams apps that are installed in teams the signed-in user can access. Does not give the ability to read application-specific settings. | Yes | No
TeamsAppInstallation.ReadWriteForTeam | Manage installed Teams apps in teams | Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Does not give the ability to read application-specific settings. | Yes | No
TeamsAppInstallation.ReadWriteSelfForTeam (private preview) | Allow the app to manage itself in teams | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
TeamsAppInstallation.ReadForUser.All | Read installed Teams apps for all users | Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. | Yes
TeamsAppInstallation.ReadWriteForUser.All | Manage Teams apps for all users | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. | Yes
TeamsAppInstallation.ReadWriteSelfForUser.All (private preview) | Allow the app to manage itself for all users | Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user. | Yes
TeamsAppInstallation.ReadForTeam.All | Read installed Teams apps for all teams | Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings. | Yes
TeamsAppInstallation.ReadWriteForTeam.All | Manage Teams apps for all teams | Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. | Yes
TeamsAppInstallation.ReadWriteSelfForTeam.All (private preview) | Allow the Teams app to manage itself for all teams | Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user. | Yes

Team member permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
TeamMember.Read.All | Read the members of teams. | Read the members of teams, on behalf of the signed-in user. | Yes | No
TeamMember.ReadWrite.All | Add and remove members from teams. | Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
TeamMember.Read.All | Read the members of all teams. | Read the members of all teams, without a signed-in user. | Yes | No
TeamMember.ReadWrite.All | Add and remove members from all teams. | Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner. | Yes | No

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
TeamSettings.Read.Group | Read this team's settings. | Read this team's settings, without a signed-in user. | No | No
ChannelSettings.Read.Group | Read the names, descriptions, and settings of this team's channels. | Read this group's channel names, channel descriptions, and channel settings, without a signed-in user. | No | No
ChannelSettings.Edit.Group | Edit the names, descriptions, and settings of this team's channels. | Edit this group's channel names, channel descriptions, and channel settings, without a signed-in user. | No | No
Channel.Create.Group | Create channels in this team. | Create channels in this group, without a signed-in user. | No | No
Channel.Delete.Group | Delete this team's channels. | Delete this group's channels, without a signed-in user. | No | No
ChannelMessage.Read.Group | Read the team's channel messages. | Allows an app to read this group's channel messages, without a signed-in user. | No | No
TeamsApp.Read.Group | See which apps are installed in this team. | See which apps are installed in this group, without a signed-in user. | No | No
TeamsTab.Read.Group | Read this team's tabs. | Read this group's tabs, without a signed-in user. | No | No
TeamsTab.Create.Group | Create tabs in this team. | Create tabs in this group, without a signed-in user. | No | No
TeamsTab.Edit.Group | Edit this team's tabs. | Edit this group's tabs, without a signed-in user. | No | No
TeamsTab.Delete.Group | Delete this team's tabs. | Delete this group's tabs, without a signed-in user. | No | No
Member.Read.Group | Read this team's members. | Read this group's members, without a signed-in user. | No | No
Owner.Read.Group | Read this team's owners. | Read this group's owners, without a signed-in user. | No | No

Teams settings permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Team.ReadBasic.All | Read the names and descriptions of teams | Read the names and descriptions of teams, on behalf of the signed-in user. | Yes | No
TeamSettings.Read.All | Read teams' settings | Read all teams' settings, on behalf of the signed-in user. | Yes | No
TeamSettings.ReadWrite.All | Read and change teams' settings. | Read and change all teams' settings, on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Team.ReadBasic.All | Get a list of all teams. | Get a list of all teams, without a signed-in user. | Yes | No
TeamSettings.Read.All | Read all teams' settings | Read this team's settings, without a signed-in user. | Yes | No
TeamSettings.ReadWrite.All | Read and change all teams' settings | Read and change all teams' settings, without a signed-in user. | No | No

Teams tab permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
TeamsTab.Read.All | Read tabs in Microsoft Teams. | Allows the app to read the Teams apps that are installed for the signed-in user, and in all teams the user is a member of. Does not give the ability to read application-specific settings. | Yes | No
TeamsTab.ReadWrite.All | Read and write tabs in Microsoft Teams. | Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user and also for teams the user is a member of. Does not give the ability to read or write application-specific settings. | Yes | No
TeamsTab.Create | Create tabs in Microsoft Teams. | Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
TeamsTab.Read.All | Read tabs in Microsoft Teams. | Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. | Yes | No
TeamsTab.ReadWrite.All | Read and write tabs in Microsoft Teams. | Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. | Yes | No
TeamsTab.Create | Create tabs in Microsoft Teams. | Allows the app to create tabs in any team in Microsoft Teams, without a signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. | Yes | No

Terms of use permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Agreement.Read.All | Read all terms of use agreements | Allows the app to read terms of use agreements on behalf of the signed-in user. | Yes | No
Agreement.ReadWrite.All | Read and write all terms of use agreements | Allows the app to read and write terms of use agreements on behalf of the signed-in user. | Yes | No
AgreementAcceptance.Read | Read user terms of use acceptance statuses | Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. | Yes | No
AgreementAcceptance.Read.All | Read terms of use acceptance statuses that user can access | Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. | Yes | No

Remarks

All the permissions above are valid only for work or school accounts.

For an app to read or write all agreements or agreement acceptances with delegated permissions, the signed-in user must be assigned the Global Administrator, Conditional Access Administrator or Security Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated

The following usages are valid for the delegated permissions:

  • Agreement.Read.All: Read all terms of use agreements (GET /beta/agreements)
  • Agreement.ReadWrite.All: Read and write all terms of use agreements (POST /beta/agreements)
  • AgreementAcceptance.Read: Read user terms of use acceptance statuses (GET /beta/me/agreementAcceptances)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Teams app installation permissions (private preview)

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
TeamsAppInstallation.ReadForUser (private preview) | Read user's installed Teams apps | Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings. | Yes | No
TeamsAppInstallation.ReadWriteForUser (private preview) | Manage user's installed Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps installed for the signed-in user. Does not give the ability to read application-specific settings. | No | No
TeamsAppInstallation.ReadWriteSelfForUser (private preview) | Allow the app to manage itself in teams | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | Yes | No
TeamsAppInstallation.ReadForTeam (private preview) | Read installed Teams apps in teams | Allows the app to read the Teams apps that are installed in teams the signed-in user can access. Does not give the ability to read application-specific settings. | Yes | No
TeamsAppInstallation.ReadWriteForTeam (private preview) | Manage installed Teams apps in teams | Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Does not give the ability to read application-specific settings. | Yes | No
TeamsAppInstallation.ReadWriteSelfForTeam (private preview) | Allow the app to manage itself in teams | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
TeamsAppInstallation.ReadForUser.All (private preview) | Read installed Teams apps for all users | Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. | Yes
TeamsAppInstallation.ReadWriteForUser.All (private preview) | Manage Teams apps for all users | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. | Yes
TeamsAppInstallation.ReadWriteSelfForUser.All (private preview) | Allow the app to manage itself for all users | Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user. | Yes
TeamsAppInstallation.ReadForTeam.All (private preview) | Read installed Teams apps for all teams | Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings. | Yes
TeamsAppInstallation.ReadWriteForTeam.All (private preview) | Manage Teams apps for all teams | Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. | Yes
TeamsAppInstallation.ReadWriteSelfForTeam.All (private preview) | Allow the Teams app to manage itself for all teams | Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user. | Yes

Threat assessment permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
ThreatAssessment.ReadWrite.All | Read and write threat assessment requests | Allows an app to read your organization's threat assessment requests on behalf of the signed-in user. Also allows the app to create new requests to assess threats received by your organization on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
ThreatAssessment.Read.All | Read threat assessment requests | Allows an app to read your organization's threat assessment requests, without a signed-in user. | Yes

Remarks

Threat assessment permissions are valid only on work or school accounts.

Example usage

Delegated

  • ThreatAssessment.ReadWrite.All: Read and write threat assessment requests (POST /informationProtection/threatAssessmentRequests)

Application

  • ThreatAssessment.Read.All: Read threat assessment requests (GET /informationProtection/threatAssessmentRequests)

Taxonomy permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
TermStore.Read.All | Read term store data | Allows the app to read various terms, sets, and groups in the term store. | Yes | No
TermStore.ReadWrite.All | Read and write all term store data | Allows the app to edit or delete terms, sets, and groups in the term store. | Yes | No

Remarks

Taxonomy permissions are valid only on work or school accounts.

Example usage

Delegated

  • TermStore.Read.All: Read the term store for the tenant (GET /termStore)
  • TermStore.ReadWrite.All: Create new terms in the term store (POST /termStore/sets/123/children)

User permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
User.Read | Sign-in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No | Yes
User.ReadWrite | Read and write access to user profile | Allows the app to read the signed-in user's full profile. It also allows the app to update the signed-in user's profile information on their behalf. | No | Yes
User.ReadBasic.All | Read all users' basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user. | No | No
User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Yes | No
User.ReadWrite.All | Read and write all users' full profiles | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. | Yes | No
User.Invite.All | Invite guest users to the organization | Allows the app to invite guest users to your organization, on behalf of the signed-in user. | Yes | No
User.Export.All | Export users' data | Allows the app to export an organizational user's data, when performed by a Company Administrator. | Yes | No
User.ManageIdentities.All | Manage user identities | Allows an application to read, update and delete identities that are associated with a user's account, that the signed-in user has access to. This controls which identities your users can sign in with. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. | Yes
User.ReadWrite.All | Read and write all users' full profiles | Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords. | Yes
User.Invite.All | Invite guest users to the organization | Allows the app to invite guest users to your organization, without a signed-in user. | Yes
User.Export.All | Export users' data | Allows the app to export organizational users' data, without a signed-in user. | Yes
User.ManageIdentities.All | Manage all user identities | Allows an application to read, update and delete identities that are associated with a user's account, without a signed-in user. This controls which identities users can sign in with. | Yes

Remarks

With the User.Read permission, an app can also read the basic company information of the signed-in user for a work or school account through the organization resource. The following properties are available: id, displayName, and verifiedDomains.

For work or school accounts, the full profile includes all of the declared properties of the User resource. On reads, only a limited number of properties are returned by default. To read properties that are not in the default set, use $select. The default properties are:

  • displayName
  • givenName
  • jobTitle
  • mail
  • mobilePhone
  • officeLocation
  • preferredLanguage
  • surname
  • userPrincipalName

The User.ReadWrite and User.ReadWrite.All delegated permissions allow the app to update the following profile properties for work or school accounts:

  • aboutMe
  • birthday
  • hireDate
  • interests
  • mobilePhone
  • mySite
  • pastProjects
  • photo
  • preferredName
  • responsibilities
  • schools
  • skills

With the User.ReadWrite.All application permission, the app can update all of the declared properties of work or school accounts except for password.

With the User.ReadWrite.All delegated or application permission, updating another user's businessPhones, mobilePhone or otherMails is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles.

To read or write direct reports (directReports) or the manager (manager) of a work or school account, the app must have either User.Read.All (read only) or User.ReadWrite.All.

The User.ReadBasic.All permission constrains app access to a limited set of properties known as the basic profile. This is because the full profile might contain sensitive directory information. The basic profile includes only the following properties:

  • displayName
  • givenName
  • mail
  • photo
  • surname
  • userPrincipalName

To read the group memberships of a user (memberOf), the app must have either Group.Read.All or Group.ReadWrite.All. However, if the user also has membership in a directoryRole or an administrativeUnit, the app will need effective permissions to read those resources too, or Microsoft Graph will return an error. This means the app will also need Directory permissions, and, for delegated permissions, the signed-in user will also need sufficient privileges in the organization to access directory roles and administrative units.

With the User.ManageIdentities.All delegated or application permission, it is possible to update the identities (identities) of a user. This includes federated (or social) identities, or local identities with email- or name-based sign-in names.

Example usage

Delegated

  • User.Read: Read the full profile for the signed-in user (GET /me).
  • User.ReadWrite: Update the photo of the signed-in user (PUT /me/photo/$value).
  • User.ReadBasic.All: Find all users whose name starts with "David" (GET /users?$filter=startswith(displayName,'David')).
  • User.Read.All: Read a user's manager (GET /user/{id | userPrincipalName}/manager).

Application

  • User.Read.All: Read all users and relationships through delta query (GET /beta/users/delta?$select=displayName,givenName,surname).
  • User.ReadWrite.All: Update the photo for any user in the organization (PUT /user/{id | userPrincipalName}/photo/$value).

For more complex scenarios involving multiple permissions, see Permission scenarios.
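As an added example (not code from the Microsoft Graph documentation), the following offline least-privilege review applies the rules stated in this section and in the deprecated Teams app permissions note above: flag deprecated TeamsApp.* permissions, flag permissions that need admin consent, suggest User.ReadBasic.All when every property the app reads is in the basic profile, require User.Read.All or User.ReadWrite.All for manager/directReports, and build the $select clause for non-default properties. The input format (permission name plus the Scope/Role kind used in app registration manifests), the sample request and the `Finding` type are constructed for illustration; the embedded reference tables hold only the rows copied from this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Property sets copied from the User permissions remarks on this page.
BASIC_PROFILE: Set[str] = {"displayName", "givenName", "mail", "photo",
                           "surname", "userPrincipalName"}
DEFAULT_USER_PROPERTIES: Set[str] = {"displayName", "givenName", "jobTitle", "mail",
                                     "mobilePhone", "officeLocation", "preferredLanguage",
                                     "surname", "userPrincipalName"}
# Navigations the page says require User.Read.All or User.ReadWrite.All.
RELATIONSHIPS: Set[str] = {"directReports", "manager"}
FULL_PROFILE_PERMISSIONS: Set[str] = {"User.Read.All", "User.ReadWrite.All"}

# Admin-consent flags for a subset of this page's tables. "Scope" is a delegated
# permission and "Role" an application permission (the type names an app
# registration manifest uses under requiredResourceAccess).
ADMIN_CONSENT: Dict[Tuple[str, str], bool] = {
    ("User.Read", "Scope"): False,
    ("User.ReadWrite", "Scope"): False,
    ("User.ReadBasic.All", "Scope"): False,
    ("User.Read.All", "Scope"): True,
    ("User.ReadWrite.All", "Scope"): True,
    ("User.Read.All", "Role"): True,
    ("User.ReadWrite.All", "Role"): True,
    ("TeamsApp.Read.All", "Scope"): True,
    ("TeamsApp.ReadWrite.All", "Scope"): True,
    ("TeamsApp.Read.All", "Role"): True,
    ("TeamsApp.ReadWrite.All", "Role"): True,
}

# Permissions this page marks as deprecated and the family it says to use instead.
DEPRECATED: Dict[str, str] = {
    "TeamsApp.Read.All": "TeamsAppInstallation.*.All",
    "TeamsApp.ReadWrite.All": "TeamsAppInstallation.*.All",
}


@dataclass(frozen=True)
class Finding:               # constructed result type for this example
    permission: str
    kind: str                # "Scope" (delegated) or "Role" (application)
    rule: str                # deprecated | admin-consent | least-privilege | missing
    message: str


def parse_permission(name: str) -> Tuple[str, str, Optional[str]]:
    """Split a Graph permission name into (resource, operation, constraint).

    Names follow resource.operation[.constraint], e.g. User.Read.All or
    UserActivity.ReadWrite.CreatedByApp; the constraint is None when absent.
    """
    parts = name.split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a resource.operation name: {name!r}")
    return parts[0], parts[1], ".".join(parts[2:]) or None


def select_clause(needed: Set[str]) -> str:
    """$select clause needed to read the given user properties, or "" when
    every one of them is already returned by default."""
    if needed <= DEFAULT_USER_PROPERTIES:
        return ""
    return "$select=" + ",".join(sorted(needed))


def review(requested: List[Tuple[str, str]], needed_user_properties: Set[str]) -> List[Finding]:
    """Review (permission, kind) pairs against the rules this page states."""
    findings: List[Finding] = []
    for name, kind in requested:
        parse_permission(name)  # rejects malformed names early
        if name in DEPRECATED:
            findings.append(Finding(name, kind, "deprecated",
                f"deprecated; use the equivalent {DEPRECATED[name]} permission"))
        if ADMIN_CONSENT.get((name, kind)):
            findings.append(Finding(name, kind, "admin-consent",
                "requires admin consent; an administrator must grant it"))
        # Least privilege: delegated User.Read.All is more than needed when every
        # property the app reads is in the basic profile.
        if name == "User.Read.All" and kind == "Scope" and needed_user_properties <= BASIC_PROFILE:
            findings.append(Finding(name, kind, "least-privilege",
                "all needed properties are in the basic profile; "
                "User.ReadBasic.All suffices and needs no admin consent"))
    names = {name for name, _ in requested}
    if needed_user_properties & RELATIONSHIPS and not names & FULL_PROFILE_PERMISSIONS:
        findings.append(Finding("User.Read.All", "Scope", "missing",
            "reading manager or directReports requires User.Read.All or User.ReadWrite.All"))
    return findings


# Constructed sample input: a request as an app registration might express it.
SAMPLE_REQUEST = [("User.Read.All", "Scope"), ("TeamsApp.ReadWrite.All", "Role"),
                  ("User.Read", "Scope")]
SAMPLE_NEEDED = {"displayName", "mail", "photo"}

if __name__ == "__main__":
    for f in review(SAMPLE_REQUEST, SAMPLE_NEEDED):
        print(f"{f.permission} ({f.kind}) [{f.rule}]: {f.message}")
    print("select clause:", select_clause(SAMPLE_NEEDED) or "(none needed)")
```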

User activity permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
UserActivity.ReadWrite.CreatedByApp | Read and write app activity to users' activity feed | Allows the app to read and report the signed-in user's activity in the app. | No | Yes

Application permissions

None.

Remarks

UserActivity.ReadWrite.CreatedByApp is valid for both Microsoft accounts and work or school accounts.

The CreatedByApp constraint associated with this permission indicates the service will apply implicit filtering to results based on the identity of the calling app, either the MSA app id or a set of app ids configured for a cross-platform application identity.

Example usage

Delegated

  • UserActivity.ReadWrite.CreatedByApp: Get a list of recent unique user activities based on associated history items published in the last day (GET /me/activities/recent).
  • UserActivity.ReadWrite.CreatedByApp: Publish or update a user activity which may be resumed by the user of the application (PUT /me/activities/%2Farticle%3F12345).
  • UserActivity.ReadWrite.CreatedByApp: Publish or update a history item for a specified user activity in order to represent the period of user engagement (PUT /me/activities/{id}/historyItems/{id}).
  • UserActivity.ReadWrite.CreatedByApp: Delete a user activity in response to a user-initiated request or to remove invalid data (DELETE /me/activities/{id}).
  • UserActivity.ReadWrite.CreatedByApp: Delete a history item in response to a user-initiated request or to remove invalid data (DELETE /me/activities/{id}/historyItems/{id}).

User authentication method permissions (preview)

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| UserAuthenticationMethod.Read (preview) | Read own authentication methods | Allows the app to read the signed-in user's authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user's passwords, or to sign in or otherwise use the signed-in user's authentication methods. | Yes | No |
| UserAuthenticationMethod.Read.All (preview) | Read users' authentication methods | Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Yes | No |
| UserAuthenticationMethod.ReadWrite (preview) | Manage own authentication methods | Allows the app to read and write the signed-in user's authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user's passwords, or to sign in or otherwise use the signed-in user's authentication methods. | Yes | No |
| UserAuthenticationMethod.ReadWrite.All (preview) | Manage users' authentication methods | Allows the app to read and write authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| UserAuthenticationMethod.Read.All (private preview) | Read users' authentication methods | Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Yes |
| UserAuthenticationMethod.ReadWrite.All (private preview) | Manage users' authentication methods | Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Yes |

Remarks

User authentication method permissions are used to manage authentication methods on users. With these permissions, a delegated user or application can register new authentication methods on a user, read the authentication methods the user already has registered, update those authentication methods, and remove them from the user.

With these permissions, all authentication methods can be read and managed on a user. This includes methods used for:

  • Primary authentication (password)
  • Second factor of multi-factor authentication/MFA (phone numbers)
  • Self-Service Password Reset/SSPR (email address)

Permission scenarios

This section shows some common scenarios that target user and group resources in an organization. The tables show the permissions that an app needs in order to perform the specific operations required by the scenario. Note that in some cases the ability of the app to perform specific operations depends on whether a permission is an application or a delegated permission. In the case of delegated permissions, the app's effective permissions also depend on the privileges of the signed-in user within the organization. For more information, see Delegated permissions, Application permissions, and effective permissions.

Access scenarios on the User resource

| App tasks involving User | Required permissions | Permission strings |
|---|---|---|
| App wants to read other users' basic information (only display name and picture), for example to show in a people picking experience | User.ReadBasic.All | Read all users' basic profiles |
| App wants to read the complete user profile for the signed-in user (see direct reports, manager, etc.) | User.Read | Enable sign-in and read user profile |
| App wants to read the complete user profile of all users | User.Read.All | Read all users' full profiles |
| App wants to read files, mail and calendar information for the signed-in user | User.Read, Files.Read, Mail.Read, Calendars.Read | Enable sign-in and read user profile, Read users' files, Read user mail, Read user calendars |
| App wants to read the signed-in user's (my) files and files that other users have shared with the signed-in user (me). | User.Read, Files.Read, Sites.Read.All | Enable sign-in and read user profile, Read users' files, Read items in all site collections |
| App wants to read and write the complete user profile for the signed-in user | User.ReadWrite | Read and write access to user profile |
| App wants to read and write the complete user profile of all users | User.ReadWrite.All | Read and write all users' full profiles |
| App wants to read and write files, mail and calendar information for the signed-in user | User.ReadWrite, Files.ReadWrite, Mail.ReadWrite, Calendars.ReadWrite | Read and write access to user profile, Read and write access to user profile, Read and write access to user mail, Have full access to user calendars |
| App wants to submit a data policy operation request to export a user's personal data | User.Export.All | Export a user's personal data. |

Access scenarios on the Group resource

| App tasks involving Group | Required permissions | Permission strings |
|---|---|---|
| App wants to read basic group info (only display name and picture), for example to show in a group picking experience | Group.Read.All | Read all groups |
| App wants to read all content in all Microsoft 365 groups, including files and conversations. It also needs to show group memberships and be able to update group memberships (if owner). | Group.Read.All | Read items in all site collections, Read all groups |
| App wants to read and write all content in all Microsoft 365 groups, including files and conversations. It also needs to show group memberships and be able to update group memberships (if owner). | Group.ReadWrite.All, Sites.ReadWrite.All | Read and write all groups, Edit or delete items in all site collections |
| App wants to discover (find) a Microsoft 365 group. It allows the user to search for a particular group and choose one from the enumerated list so that the user can join the group. | Group.ReadWrite.All | Read and write all groups |
| App wants to create a group through AAD Graph | Group.ReadWrite.All | Read and write all groups |
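The scenario tables above are what a consent reviewer compares an app's requested scopes against. The following is an added example, not code from the Microsoft documentation: it encodes a few rows of those tables and the resource.operation.constraint naming pattern, then reports scopes that are missing, unrelated to the task, broader than the task needs, or that reach every user's MFA/SSPR methods (the UserAuthenticationMethod.*.All permissions described in the Remarks above). The task labels and the rank tables are this example's own assumptions.

```python
# Added example (not from the Microsoft docs page): least-privilege review of
# the Microsoft Graph scopes an app requests, judged against the scenario table.
from typing import Dict, List, Set, Tuple

# Assumed ordering of how much access an operation/constraint grants (higher = broader).
OP_RANK = {"ReadBasic": 0, "Read": 1, "ReadWrite": 2}
CONSTRAINT_RANK = {"": 0, "CreatedByApp": 0, "Shared": 1, "All": 2}

# Task -> minimal delegated permissions, taken from the scenario tables on this page.
# The short task labels are this example's own.
SCENARIOS: Dict[str, Set[str]] = {
    "people picker": {"User.ReadBasic.All"},
    "own profile": {"User.Read"},
    "all profiles": {"User.Read.All"},
    "own files/mail/calendar": {"User.Read", "Files.Read", "Mail.Read", "Calendars.Read"},
    "group picker": {"Group.Read.All"},
}

def parse(perm: str) -> Tuple[str, str, str]:
    """Split 'User.ReadWrite.All' into ('User', 'ReadWrite', 'All'); no constraint -> ''."""
    parts = perm.split(".")
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected permission name: {perm}")
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def covers(granted: str, needed: str) -> bool:
    """True if `granted` is at least as broad as `needed` on the same resource."""
    g_res, g_op, g_con = parse(granted)
    n_res, n_op, n_con = parse(needed)
    if g_res != n_res or g_op not in OP_RANK or n_op not in OP_RANK:
        return granted == needed  # unknown operations (e.g. Export): exact match only
    return (OP_RANK[g_op] >= OP_RANK[n_op]
            and CONSTRAINT_RANK.get(g_con, 0) >= CONSTRAINT_RANK.get(n_con, 0))

def review(task: str, requested: Set[str]) -> Dict[str, List[str]]:
    """Compare the requested scopes with the minimum the scenario needs."""
    needed = SCENARIOS[task]
    missing = sorted(n for n in needed if not any(covers(r, n) for r in requested))
    excess = sorted(r for r in requested if not any(covers(r, n) for n in needed))
    over_broad = sorted(r for r in requested
                        if r not in needed and any(covers(r, n) for n in needed))
    # Per the page, these permissions manage every user's MFA/SSPR methods: always call them out.
    sensitive = sorted(r for r in requested
                       if parse(r)[0] == "UserAuthenticationMethod" and parse(r)[2] == "All")
    return {"missing": missing, "excess": excess,
            "over_broad": over_broad, "sensitive": sensitive}

if __name__ == "__main__":
    # Constructed sample: a people-picker app asking for far more than it needs.
    print(review("people picker", {"User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All"}))
```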