Microsoft Graph permissions reference

For your app to access data in Microsoft Graph, the user or administrator must grant it the correct permissions via a consent process. This topic lists the permissions associated with each major set of Microsoft Graph APIs. It also provides guidance about how to use the permissions.

To learn more about how permissions work, see Authentication and authorization basics.

Microsoft Graph permission names

Microsoft Graph permission names follow a simple pattern: resource.operation.constraint. For example, User.Read grants permission to read the profile of the signed-in user, User.ReadWrite grants permission to read and modify the profile of the signed-in user, and Mail.Send grants permission to send mail on behalf of the signed-in user.

The constraint element of the name determines the potential extent of access your app will have within the directory. Currently Microsoft Graph supports the following constraints:

  • All grants permission for the app to perform the operations on all of the resources of the specified type in a directory. For example, User.Read.All potentially grants the app privileges to read the profiles of all of the users in a directory.
  • Shared grants permission for the app to perform the operations on resources that other users have shared with the signed-in user. This constraint is mainly used with Outlook resources like mail, calendars, and contacts. For example, Mail.Read.Shared grants privileges to read mail in the mailbox of the signed-in user as well as mail in mailboxes that other users in the organization have shared with the signed-in user.
  • AppFolder grants permission for the app to read and write files in a dedicated folder in OneDrive. This constraint is only exposed on Files permissions and is only valid for Microsoft accounts.
  • If no constraint is specified, the app is limited to performing the operations on the resources owned by the signed-in user. For example, User.Read grants privileges to read the profile of the signed-in user only, and Mail.Read grants permission to read only mail in the mailbox of the signed-in user.

Note: In delegated scenarios, the effective permissions granted to your app may be constrained by the privileges of the signed-in user in the organization.
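As an added example (not code from the Microsoft Graph documentation), the following Python parses permission names by the resource.operation.constraint pattern above and uses the operation and constraint to triage a requested permission list for a least-privilege review, flagging tenant-wide access and names that a broader name in the same request already covers. The coverage rules it applies (ReadWrite covers Read; All covers the unconstrained and Shared forms; Shared covers the unconstrained form) are assumptions drawn from the descriptions above, and the sample scope list is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constraints the reference lists, with the scope each one opens up.
KNOWN_CONSTRAINTS = {
    "All": "all resources of this type in the directory",
    "Shared": "resources other users shared with the signed-in user",
    "AppFolder": "a dedicated app folder in OneDrive (Microsoft accounts only)",
}


@dataclass(frozen=True)
class GraphPermission:
    name: str
    resource: str
    operation: str
    constraint: Optional[str]  # None: only the signed-in user's own resources

    @property
    def is_write(self) -> bool:
        # Read is the only purely read-only operation; ReadWrite, Send, Manage,
        # Command and the rest modify state or act on the user's behalf.
        return self.operation != "Read"

    @property
    def scope(self) -> str:
        if self.constraint is None:
            return "resources owned by the signed-in user"
        # Suffixes such as OwnedBy or Membership are not general constraints;
        # they qualify the resource set and need the permission's description.
        return KNOWN_CONSTRAINTS.get(
            self.constraint, f"qualified by '{self.constraint}' (see its description)")


def parse_permission(name: str) -> GraphPermission:
    """Split 'resource.operation[.constraint]' into its parts."""
    parts = name.strip().split(".")
    if len(parts) == 2:
        resource, operation = parts
        constraint = None
    elif len(parts) == 3:
        resource, operation, constraint = parts
    else:
        raise ValueError(f"not a resource.operation[.constraint] name: {name!r}")
    return GraphPermission(name.strip(), resource, operation, constraint)


def _operation_covers(broad: str, narrow: str) -> bool:
    # ReadWrite grants read as well as modify, so it covers a plain Read.
    return broad == narrow or (broad == "ReadWrite" and narrow == "Read")


def _constraint_covers(broad: Optional[str], narrow: Optional[str]) -> bool:
    # All spans the whole directory, so it covers the unconstrained and Shared
    # forms; Shared includes the user's own mailbox, so it covers the
    # unconstrained form. AppFolder is a separate, narrower scope.
    if broad == narrow:
        return True
    if broad == "All":
        return narrow in (None, "Shared")
    return broad == "Shared" and narrow is None


def covers(broad: GraphPermission, narrow: GraphPermission) -> bool:
    return (broad.resource == narrow.resource
            and _operation_covers(broad.operation, narrow.operation)
            and _constraint_covers(broad.constraint, narrow.constraint))


def redundant_permissions(requested: list[str]) -> set[str]:
    """Names that another, broader name in the same request already covers."""
    perms = [parse_permission(n) for n in requested]
    return {n.name for n in perms if any(b is not n and covers(b, n) for b in perms)}


def risk_level(name: str) -> str:
    """Coarse triage: tenant-wide write > tenant-wide read > shared write > rest."""
    p = parse_permission(name)
    if p.constraint == "All":
        return "high" if p.is_write else "medium"
    if p.constraint == "Shared" and p.is_write:
        return "medium"
    return "low"


def review(requested: list[str]) -> dict[str, str]:
    """One-line verdict per requested name, for a consent or code review."""
    redundant = redundant_permissions(requested)
    verdicts = {}
    for name in requested:
        p = parse_permission(name)
        tag = "redundant" if name in redundant else risk_level(name)
        verdicts[name] = f"{tag}: {p.operation} on {p.resource}, {p.scope}"
    return verdicts


if __name__ == "__main__":
    # Constructed sample of the scopes an app registration might request.
    for name, verdict in review(["User.Read", "User.Read.All", "Mail.Read",
                                 "Mail.ReadWrite", "Mail.Send",
                                 "Directory.ReadWrite.All"]).items():
        print(f"{name:25} {verdict}")
```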

Microsoft accounts and work or school accounts

Not all permissions are valid for both Microsoft accounts and work or school accounts. You can check the Microsoft Account Supported column for each permission group to determine whether a specific permission is valid for Microsoft accounts, work or school accounts, or both.

User and group search limitations for guest users in organizations

User and group search capabilities allow the app to search for any user or group in an organization's directory by performing queries against the /users or /groups resource set (for example, https://graph.microsoft.com/v1.0/users). Both administrators and users have this capability; however, guest users do not.

If the signed-in user is a guest user, depending on the permissions an app has been granted, it can read the profile of a specific user or group (for example, https://graph.microsoft.com/v1.0/users/241f22af-f634-44c0-9a15-c8cd2cea5531); however, it cannot perform queries against the /users or /groups resource set that potentially return more than a single resource.

With the appropriate permissions, the app can read the profiles of users or groups that it obtains by following links in navigation properties; for example, /users/{id}/directReports or /groups/{id}/members.


Access reviews permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| AccessReview.Read.All | Read all access reviews | Allows the app to read access reviews on behalf of the signed-in user. | Yes | No |
| AccessReview.ReadWrite.All | Manage all access reviews | Allows the app to read and write access reviews on behalf of the signed-in user. | Yes | No |
| AccessReview.ReadWrite.Membership | Manage access reviews for group and app memberships | Allows the app to read and write access reviews of groups and apps on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| AccessReview.Read.All | Read all access reviews | Allows the app to read access reviews without a signed-in user. | Yes |
| AccessReview.ReadWrite.Membership | Manage access reviews for group and app memberships | Allows the app to manage access reviews of groups and apps without a signed-in user. | Yes |

Remarks

AccessReview.Read.All, AccessReview.ReadWrite.All and AccessReview.ReadWrite.Membership are valid only for work or school accounts.

For an app with delegated permissions to read access reviews of a group or app, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or User Administrator. For an app with delegated permissions to write access reviews of a group or app, the signed-in user must be a member of one of the following administrator roles: Global Administrator or User Administrator.

For an app with delegated permissions to read access reviews of an Azure AD role, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or Privileged Role Administrator. For an app with delegated permissions to write access reviews of an Azure AD role, the signed-in user must be a member of one of the following administrator roles: Global Administrator or Privileged Role Administrator.

For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.


Analytics resource permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| Analytics.Read | Read all user activities statistics. | Allows the app to read user activities statistics without a signed-in user. | Yes |

Application permissions

None.

Example usage

Delegated

Application

None.


Administrative Units permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| AdministrativeUnit.Read.All | Read administrative units | Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user. | Yes | No |
| AdministrativeUnit.ReadWrite.All | Read and write administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| AdministrativeUnit.Read.All | Read all administrative units | Allows the app to read administrative units and administrative unit membership without a signed-in user. | Yes |
| AdministrativeUnit.ReadWrite.All | Read and write all administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user. | Yes |

Remarks

With the AdministrativeUnit.Read.All permission an application can read administrative unit information including members.

With the AdministrativeUnit.ReadWrite.All permission an application can create, read, update, and delete administrative unit information including members.

AdministrativeUnit.Read.All and AdministrativeUnit.ReadWrite.All are valid only for work or school accounts.

Example usage

  • AdministrativeUnit.Read.All: Read administrative units (GET /beta/administrativeUnits)
  • AdministrativeUnit.Read.All: Read members list of an administrative unit (GET /beta/administrativeUnits/<id>/members)
  • AdministrativeUnit.ReadWrite.All: Create an administrative unit (POST /beta/administrativeUnits)
  • AdministrativeUnit.ReadWrite.All: Update an administrative unit (PATCH /beta/administrativeUnits/<id>)
  • AdministrativeUnit.ReadWrite.All: Add members to an administrative unit (POST /beta/administrativeUnits/<id>/members)

For more complex scenarios involving multiple permissions, see Permission scenarios.


AppCatalog resource permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| AppCatalog.ReadWrite.All | Read and write to all app catalogs | Allows the app to create, read, update, and delete apps in the app catalogs. | Yes |

Application permissions

None.

Remarks

Currently the only catalog is the list of applications in Microsoft Teams.

Example usage

Delegated

Application

None.


Application resource permissions

Delegated permissions

None.

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| Application.ReadWrite.All | Read and write all apps | Allows the calling app to create, and manage (read, update, update application secrets and delete) applications and service principals without a signed-in user. Does not allow management of consent grants or application assignments to users or groups. | Yes |
| Application.ReadWrite.OwnedBy | Manage apps that this app creates or owns | Allows the calling app to create other applications and service principals, and fully manage those applications and service principals (read, update, update application secrets and delete), without a signed-in user. It cannot update any applications that it is not an owner of. Does not allow management of consent grants or application assignments to users or groups. | Yes |

Remarks

The Application.ReadWrite.OwnedBy permission allows the same operations as Application.ReadWrite.All, except that the former allows these operations only on applications and service principals that the calling app is an owner of. Ownership is indicated by the owners navigation property on the target application or service principal resource.

NOTE: Using the Application.ReadWrite.OwnedBy permission to call GET /applications to list applications will fail with a 403. Instead use GET servicePrincipals/{id}/ownedObjects to list the applications owned by the calling application.

Example usage

Delegated

None.

Application

  • Application.ReadWrite.All: List all applications (GET /beta/applications)
  • Application.ReadWrite.All: Delete a service principal (DELETE /beta/servicePrincipals/{id})
  • Application.ReadWrite.OwnedBy: Create an application (POST /beta/applications)
  • Application.ReadWrite.OwnedBy: List all applications owned by the calling application (GET /beta/servicePrincipals/{id}/ownedObjects)
  • Application.ReadWrite.OwnedBy: Add another owner to an owned application (POST /applications/{id}/owners/$ref).

NOTE: This may require additional permissions.


Bookings permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Bookings.Read.All | | Allows an app to read Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Intended for read-only applications. Typical target user is the customer of a booking business. | No | No |
| Bookings.ReadWrite.Appointments | | Allows an app to read and write Bookings appointments and customers, and additionally allows reading businesses, services, and staff on behalf of the signed-in user. Intended for scheduling applications which need to manipulate appointments and customers. Cannot change fundamental information about the booking business, nor its services and staff members. Typical target user is the customer of a booking business. | No | No |
| Bookings.ReadWrite.All | | Allows an app to read and write Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete, or publish of Bookings businesses. Intended for management applications that manipulate existing businesses, their services and staff members. Cannot create, delete, or change the publishing status of a booking business. Typical target user is the support staff of an organization. | No | No |
| Bookings.Manage | | Allows an app to read, write, and manage Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Allows the app to have full access. Intended for a full management experience. Typical target user is the administrator of an organization. | No | No |

Application permissions

None.

Example usage

Delegated

  • Bookings.Read.All: Get the ID and names of the collection of Bookings businesses that has been created for a tenant (GET /bookingBusinesses).
  • Bookings.ReadWrite.Appointments: Create an appointment for a service at a Bookings business (POST /bookingBusinesses/{id}/appointments).
  • Bookings.ReadWrite.All: Create a new service for the specified Bookings business (POST /bookingBusinesses/{id}/services).
  • Bookings.Manage: Make the scheduling page of this business available to external customers (POST /bookingBusinesses/{id}/publish).

Calendars permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Calendars.Read | Read user calendars | Allows the app to read events in user calendars. | No | Yes |
| Calendars.Read.Shared | Read user and shared calendars | Allows the app to read events in all calendars that the user can access, including delegate and shared calendars. | No | No |
| Calendars.ReadWrite | Have full access to user calendars | Allows the app to create, read, update, and delete events in user calendars. | No | Yes |
| Calendars.ReadWrite.Shared | Read and write user and shared calendars | Allows the app to create, read, update and delete events in all calendars the user has permissions to access. This includes delegate and shared calendars. | No | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| Calendars.Read | Read calendars in all mailboxes | Allows the app to read events of all calendars without a signed-in user. | Yes |
| Calendars.ReadWrite | Read and write calendars in all mailboxes | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. | Yes |

Important: Administrators can configure application access policy to limit app access to specific mailboxes and not to all the mailboxes in the organization, even if the app has been granted the application permissions of Calendars.Read or Calendars.ReadWrite.

Example usage

Delegated

  • Calendars.Read: Get events on the user's calendar between April 23, 2017 and April 29, 2017 (GET /me/calendarView?startDateTime=2017-04-23T00:00:00&endDateTime=2017-04-29T00:00:00).
  • Calendars.Read.Shared: Find meeting times where all attendees are available (POST /users/{id|userPrincipalName}/findMeetingTimes).
  • Calendars.ReadWrite: Add an event to the user's calendar (POST /me/events).

Application

  • Calendars.Read: Find events in a conference room's calendar organized by bob@contoso.com (GET /users/{id | userPrincipalName}/events?$filter=organizer/emailAddress/address eq 'bob@contoso.com').
  • Calendars.Read: List all events on a user's calendar for the month of May (GET /users/{id | userPrincipalName}/calendarView?startDateTime=2017-05-01T00:00:00&endDateTime=2017-06-01T00:00:00).
  • Calendars.ReadWrite: Add an event to a user's calendar for approved time off (POST /users/{id | userPrincipalName}/events).
  • Calendars.Send: Send a message (POST /users/{id | userPrincipalName}/sendCalendars).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Calls permissions

Delegated permissions

None.

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| Calls.Initiate.All | Initiate outgoing 1:1 calls from the app (preview) | Allows the app to place outbound calls to a single user and transfer calls to users in your organization's directory, without a signed-in user. | Yes |
| Calls.InitiateGroupCall.All | Initiate outgoing group calls from the app (preview) | Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a signed-in user. | Yes |
| Calls.JoinGroupCall.All | Join Group Calls and Meetings as an app (preview) | Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined with the privileges of a directory user to meetings in your tenant. | Yes |
| Calls.JoinGroupCallasGuest.All | Join Group Calls and Meetings as a guest (preview) | Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined as a guest to meetings in your tenant. | Yes |
| Calls.AccessMedia.All* | Access media streams in a call as an app (preview) | Allows the app to get direct access to media streams in a call, without a signed-in user. | Yes |

*Important: You may not use the Microsoft.Graph.Calls.Media API to record or otherwise persist media content from calls or meetings that your bot accesses.

Example usage

Application

  • Calls.Initiate.All: Make a peer-to-peer call from the application to a user in the organization (POST /beta/app/calls).
  • Calls.InitiateGroupCall.All: Make a group call from the application to a group of users in the organization (POST /beta/app/calls).
  • Calls.JoinGroupCall.All: Join a group call or online meeting from the application (POST /beta/app/calls).
  • Calls.JoinGroupCallasGuest.All: Join a group call or online meeting from the application, but the application only has guest privileges in the meeting (POST /beta/app/calls).
  • Calls.AccessMedia.All: Create or join a call and the app gets direct access to participant media streams in the call (POST /beta/app/calls).

Note: For request examples, see Create call.

For more complex scenarios involving multiple permissions, see Permission scenarios.

ChannelMessage permissions

Delegated permissions

None.

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| ChannelMessage.Read.All | Read all channel messages | Allows the app to read channel messages in Microsoft Teams, without a signed-in user. | Yes | No |
| ChannelMessage.UpdatePolicyViolation.All | Flag channel messages for violating policy | Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. | Yes | No |

Note: See also Group.Read.All.

Chats permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Chat.Read | Read your chat messages | Allows an app to read your 1:1 or group chat messages in Microsoft Teams, on your behalf. | No | No |
| Chat.ReadWrite | Read your chat messages and send new ones | Allows an app to read and send your 1:1 or group chat messages in Microsoft Teams, on your behalf. | No | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Chat.Read.All | Read all chat messages | Allows the app to read all 1:1 or group chat messages in Microsoft Teams, without a signed-in user. | Yes | No |
| Chat.UpdatePolicyViolation.All | Flag chat messages for violating policy | Allows the app to update Microsoft Teams 1:1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. | Yes | No |

Note: For messages in a channel, see ChannelMessage permissions.

Contacts permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Contacts.Read | Read user contacts | Allows the app to read user contacts. | No | Yes |
| Contacts.Read.Shared | Read user and shared contacts | Allows the app to read contacts that the user has permissions to access, including the user's own and shared contacts. | No | No |
| Contacts.ReadWrite | Have full access to user contacts | Allows the app to create, read, update, and delete user contacts. | No | Yes |
| Contacts.ReadWrite.Shared | Read and write user and shared contacts | Allows the app to create, read, update and delete contacts that the user has permissions to, including the user's own and shared contacts. | No | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| Contacts.Read | Read contacts in all mailboxes | Allows the app to read all contacts in all mailboxes without a signed-in user. | Yes |
| Contacts.ReadWrite | Read and write contacts in all mailboxes | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. | Yes |

Important: Administrators can configure application access policy to limit app access to specific mailboxes and not all the mailboxes in the organization, even if the app has been granted the application permissions of Contacts.Read or Contacts.ReadWrite.

Example usage

Delegated

  • Contacts.Read: Read a contact from one of the top-level contact folders of the signed-in user (GET /me/contactfolders/{Id}/contacts/{id}).
  • Contacts.ReadWrite: Update the contact photo of one of the signed-in user's contacts (PUT /me/contactfolders/{contactFolderId}/contacts/{id}/photo/$value).
  • Contacts.ReadWrite: Add contacts to the root folder of the signed-in user (POST /me/contacts).

Application

  • Contacts.Read: Read contacts from one of the top-level contact folders of any user in the organization (GET /users/{id | userPrincipalName}/contactfolders/{Id}/contacts/{id}).
  • Contacts.ReadWrite: Update the photo for any contact of any user in an organization (PUT /user/{id | userPrincipalName}/contactfolders/{contactFolderId}/contacts/{id}/photo/$value).
  • Contacts.ReadWrite: Add contacts to the root folder of any user in the organization (POST /users/{id | userPrincipalName}/contacts).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Device permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
| --- | --- | --- | --- | --- |
| Device.Read | Read user devices | Allows the app to read a user's list of devices on behalf of the signed-in user. | No | Yes |
| Device.Command | Communicate with user devices | Allows the app to launch another app or communicate with another app on a user's device on behalf of the signed-in user. | No | Yes |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
| --- | --- | --- | --- |
| Device.ReadWrite.All | Read and write devices | Allows the app to read and write all device properties without a signed-in user. Does not allow device creation, device deletion, or update of device alternative security identifiers. | Yes |

Example usage

Application

  • Device.ReadWrite.All: Read all registered devices in the organization (GET /devices).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Directory permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
--- | --- | --- | --- | ---
Directory.Read.All | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps. Note: Users may consent to applications that require this permission if the application is registered in their own organization's tenant. | Yes | No
Directory.ReadWrite.All | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or to reset user passwords. | Yes | No
Directory.AccessAsUser.All | Access directory as the signed-in user | Allows the app to have the same access to information in the directory as the signed-in user. | Yes | No
PrivilegedAccess.ReadWrite.AzureAD | Read and write Privileged Identity Management data for Directory | Allows the app to have read and write access to Privileged Identity Management APIs for Azure AD. | Yes | No
PrivilegedAccess.ReadWrite.AzureResources | Read and write Privileged Identity Management data for Azure Resources | Allows the app to have read and write access to Privileged Identity Management APIs for Azure resources. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
--- | --- | --- | ---
Directory.Read.All | Read directory data | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Yes
Directory.ReadWrite.All | Read and write directory data | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. | Yes

Remarks

Directory permissions provide the highest level of privilege for accessing directory resources such as User, Group, and Device in an organization.

They also exclusively control access to other directory resources such as organizational contacts, schema extension APIs, Privileged Identity Management (PIM) APIs, and many of the resources and APIs listed under the Azure Active Directory node in the v1.0 and beta API reference documentation. These include administrative units, directory roles, directory settings, policy, and many more.

The Directory.ReadWrite.All permission grants the following privileges:

  • Full read of all directory resources (both declared properties and navigation properties)
  • Create and update users
  • Disable and enable users (but not company administrators)
  • Set user alternative security id (but not for administrators)
  • Create and update groups
  • Manage group memberships
  • Update group owners
  • Manage license assignments
  • Define schema extensions on applications

Note:

  • No rights to reset user passwords.
  • Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or who are assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This applies to apps granted either the User.ReadWrite.All or the Directory.ReadWrite.All delegated or application permission.
  • No rights to delete resources (including users or groups).
  • Specifically excludes create or update for resources not listed above. This includes application, oAuth2PermissionGrant, appRoleAssignment, device, servicePrincipal, organization, domains, and so on.

Example usage

Delegated

  • Directory.Read.All: List all administrative units in an organization (GET /beta/administrativeUnits)
  • Directory.ReadWrite.All: Add members to a directory role (POST /directoryRoles/{id}/members/$ref)

Application

  • Directory.Read.All: List all memberships of a user, including directory roles and administrative units (GET /beta/users/{id}/memberOf)
  • Directory.Read.All: List all group members, including service principals (GET /beta/groups/{id}/members)
  • Directory.ReadWrite.All: Add an owner to a group (POST /groups/{id}/owners/$ref)
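The delegated and application tables above (and throughout this page) correspond to two different claims in a Microsoft Graph access token: delegated permissions arrive as a space-separated `scp` claim, application permissions as a `roles` list. The Python below is an added example, not code from the Microsoft Graph documentation. It decodes the claims of a constructed, unsigned token and reports which entry of a candidate list (narrowest permission first, as in the usage examples above) the token actually holds, so an app can request the least-privileged grant that covers a call. It reads claims without validating the signature, so it is a planning aid only: Graph enforces the real check server side, and for delegated tokens the signed-in user's own privileges still apply. The candidate lists and sample tokens are assumptions for this example.

```python
"""Inspect which Microsoft Graph permissions an access token carries.

Added example; not code from the Microsoft Graph documentation. Delegated
permissions arrive in the token's space-separated "scp" claim, application
permissions in its "roles" list. The tokens built below are CONSTRUCTED and
unsigned (alg "none"): this code reads claims and never validates a token, so
use it only to plan which permission to request, never to authorize anything.
"""
import base64
import json
from typing import Dict, List, Optional, Set, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_permissions(token: str) -> Tuple[Set[str], Set[str]]:
    """Split the token's permissions into (delegated, application) sets."""
    claims = decode_claims(token)
    delegated = set(claims.get("scp", "").split())   # e.g. "User.Read Group.Read.All"
    application = set(claims.get("roles", []))       # e.g. ["Directory.Read.All"]
    return delegated, application


def satisfying_permission(token: str, candidates: List[str]) -> Optional[Tuple[str, str]]:
    """Given permissions that each suffice for one call, narrowest first, return
    ("delegated" | "application", permission) for the first one the token holds,
    or None when the call would be refused and a further consent is needed."""
    delegated, application = token_permissions(token)
    for perm in candidates:
        if perm in delegated:
            return ("delegated", perm)
        if perm in application:
            return ("application", perm)
    return None


def _unsigned_jwt(payload: Dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT for the demo; real Graph tokens are signed."""
    def enc(obj: Dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    return enc(header) + "." + enc(payload) + "."


# Constructed sample tokens: one from a user sign-in, one from a daemon.
DELEGATED_TOKEN = _unsigned_jwt({"aud": "https://graph.microsoft.com",
                                 "scp": "User.Read Group.Read.All"})
APP_TOKEN = _unsigned_jwt({"aud": "https://graph.microsoft.com",
                           "roles": ["Directory.Read.All"]})

# Candidate lists for calls from this page (assumed mappings), narrowest first,
# so the check reports the least-privileged grant that already covers the call.
LIST_GROUP_MEMBERS = ["Group.Read.All", "Group.ReadWrite.All",
                      "Directory.Read.All", "Directory.ReadWrite.All"]
ADD_DIRECTORY_ROLE_MEMBER = ["Directory.ReadWrite.All"]

if __name__ == "__main__":
    for name, token in [("delegated", DELEGATED_TOKEN), ("app-only", APP_TOKEN)]:
        print(name, "list group members ->", satisfying_permission(token, LIST_GROUP_MEMBERS))
        print(name, "add directory role member ->", satisfying_permission(token, ADD_DIRECTORY_ROLE_MEMBER))
```

Ordering the candidates narrowest-first is the point: an app that already holds Group.Read.All should not be told to ask for Directory.ReadWrite.All for a membership listing, and an app that holds nothing on the list should fail closed and request a specific new consent rather than a broad one.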

For more complex scenarios involving multiple permissions, see Permission scenarios.


Education permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
--- | --- | --- | --- | ---
EduAdministration.Read | Read education app settings | Allows the app to read education app settings on behalf of the user. | Yes | No
EduAdministration.ReadWrite | Manage education app settings | Allows the app to manage education app settings on behalf of the user. | Yes | No
EduAssignments.ReadBasic | Read users' class assignments without grades | Allows the app to read assignments without grades on behalf of the user. | Yes | No
EduAssignments.ReadWriteBasic | Read and write users' class assignments without grades | Allows the app to read and write assignments without grades on behalf of the user. | Yes | No
EduAssignments.Read | Read users' view of class assignments and their grades | Allows the app to read assignments and their grades on behalf of the user. | Yes | No
EduAssignments.ReadWrite | Read and write users' view of class assignments and their grades | Allows the app to read and write assignments and their grades on behalf of the user. | Yes | No
EduRostering.ReadBasic | Read a limited subset of users' view of the roster | Allows the app to read, on behalf of the user, a limited subset of the structure of schools and classes in an organization's roster and of education-specific information about users. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
--- | --- | --- | ---
EduAssignments.ReadBasic.All | Read class assignments without grades | Allows the app to read assignments without grades for all users. | Yes
EduAssignments.ReadWriteBasic.All | Read and write class assignments without grades | Allows the app to read and write assignments without grades for all users. | Yes
EduAssignments.Read.All | Read class assignments with grades | Allows the app to read assignments and their grades for all users. | Yes
EduAssignments.ReadWrite.All | Read and write class assignments with grades | Allows the app to read and write assignments and their grades for all users. | Yes
EduRostering.ReadBasic.All | Read a limited subset of the organization's roster | Allows the app to read a limited subset of both the structure of schools and classes in an organization's roster and education-specific information about all users. | Yes
EduRostering.Read.All | Read the organization's roster | Allows the app to read the structure of schools and classes in the organization's roster and education-specific information about all users. | Yes
EduRostering.ReadWrite.All | Read and write the organization's roster | Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific information about all users. | Yes

Example usage

Delegated

  • EduAssignments.Read: Get the signed-in student's assignment information (GET /education/classes/{id}/assignments/{id})
  • EduAssignments.ReadWriteBasic: Submit the signed-in student's assignment (POST /education/classes/{id}/assignments/{id}/submit)
  • EduRostering.ReadBasic: List the members of a class the signed-in user attends or teaches (GET /education/classes/{id}/members)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Files permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
--- | --- | --- | --- | ---
Files.Read | Read user files | Allows the app to read the signed-in user's files. | No | Yes
Files.Read.All | Read all files that user can access | Allows the app to read all files the signed-in user can access. | No | Yes
Files.ReadWrite | Have full access to user files | Allows the app to read, create, update, and delete the signed-in user's files. | No | Yes
Files.ReadWrite.All | Have full access to all files user can access | Allows the app to read, create, update, and delete all files the signed-in user can access. | No | Yes
Files.ReadWrite.AppFolder | Have full access to the application's folder (preview) | (Preview) Allows the app to read, create, update, and delete files in the application's folder. | No | No
Files.Read.Selected | Read files that the user selects | Limited support in Microsoft Graph; see Remarks. (Preview) Allows the app to read files that the user selects. The app has access for several hours after the user selects a file. | No | No
Files.ReadWrite.Selected | Read and write files that the user selects | Limited support in Microsoft Graph; see Remarks. (Preview) Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file. | No | No

Application permissions

Permission | Display String | Description | Admin Consent Required
--- | --- | --- | ---
Files.Read.All | Read files in all site collections | Allows the app to read all files in all site collections without a signed-in user. | Yes
Files.ReadWrite.All | Read and write files in all site collections | Allows the app to read, create, update, and delete all files in all site collections without a signed-in user. | Yes

Remarks

Note: For personal accounts, Files.Read and Files.ReadWrite also grant access to files shared with the signed-in user.

The Files.Read.Selected and Files.ReadWrite.Selected delegated permissions are only valid on work or school accounts and are only exposed for working with Office 365 file handlers (v1.0). They should not be used for directly calling Microsoft Graph APIs.

The Files.ReadWrite.AppFolder delegated permission is only valid for personal accounts and is used for accessing the App Root special folder with the OneDrive Get special folder Microsoft Graph API.

Example usage

Delegated

  • Files.Read: Read files stored in the signed-in user's OneDrive (GET /me/drive/root/children)
  • Files.Read.All: List files shared with the signed-in user (GET /me/drive/sharedWithMe)
  • Files.ReadWrite: Write a file in the signed-in user's OneDrive (PUT /me/drive/root/children/filename.txt/content)
  • Files.ReadWrite.All: Write a file shared with the user (PUT /users/rgregg@contoso.com/drive/root/children/file.txt/content)
  • Files.ReadWrite.AppFolder: Write files into the app's folder in OneDrive (PUT /me/drive/special/approot/children/file.txt/content)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Financials permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required
--- | --- | --- | ---
Financials.ReadWrite.All | Read and write financials data | Allows the app to read and write financials data on behalf of the signed-in user. | No

Group permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
--- | --- | --- | --- | ---
Group.Read.All | Read all groups | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. | Yes | No
Group.ReadWrite.All | Read and write all groups | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Also allows the app to read and write calendar, conversations, files, and other group content for all groups the signed-in user can access. Additionally allows group owners to manage their groups and allows group members to update group content. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
--- | --- | --- | ---
Group.Read.All | Read all groups | Allows the app to read memberships for all groups without a signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups. NOTE: Not all group APIs support access using app-only permissions. See known issues for examples. | Yes
Group.ReadWrite.All | Read and write all groups | Allows the app to create groups, read and update group memberships, and delete groups. Also allows the app to read and write calendar, conversations, files, and other group content for all groups. All of these operations can be performed by the app without a signed-in user. NOTE: Not all group APIs support access using app-only permissions. See known issues for examples. | Yes

Remarks

Group functionality is not supported on personal Microsoft accounts.

For Office 365 groups, Group permissions grant the app access to the contents of the group; for example, conversations, files, notes, and so on.

For application permissions, there are some limitations on the APIs that are supported. For more information, see known issues.

In some cases, an app may need Directory permissions to read some group properties like member and memberOf. For example, if a group has one or more servicePrincipals as members, the app will need effective permission to read service principals, granted through one of the Directory.* permissions; otherwise Microsoft Graph will return an error. (In the case of delegated permissions, the signed-in user will also need sufficient privileges in the organization to read service principals.) The same guidance applies to the memberOf property, which can return administrativeUnits.

Group permissions are used to control access to Microsoft Teams resources and APIs. Personal Microsoft accounts are not supported.

Group permissions are also used to control access to Microsoft Planner resources and APIs. Only delegated permissions are supported for Microsoft Planner APIs; application permissions are not supported. Personal Microsoft accounts are not supported.

Example usage

Delegated

  • Group.Read.All: Read all Office 365 groups that the signed-in user is a member of (GET /me/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(a:a eq 'unified')).
  • Group.Read.All: Read all Office 365 group content, such as conversations (GET /groups/{id}/conversations).
  • Group.ReadWrite.All: Update group properties, such as the photo (PUT /groups/{id}/photo/$value).
  • Group.ReadWrite.All: Update group members (POST /groups/{id}/members/$ref). Note: This also requires User.ReadBasic.All to read the user to add as a member.

Application

  • Group.Read.All: Find all groups with a name that starts with 'Sales' (GET /groups?$filter=startswith(displayName,'Sales')).
  • Group.ReadWrite.All: A daemon service creates new events on an Office 365 group's calendar (POST /groups/{id}/events).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Identity provider permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
--- | --- | --- | --- | ---
IdentityProvider.Read.All | Read identity provider information | Allows the app to read identity providers configured in your Azure AD or Azure AD B2C tenant on behalf of the signed-in user. | Yes | No
IdentityProvider.ReadWrite.All | Read and write identity provider information | Allows the app to read or write identity providers configured in your Azure AD or Azure AD B2C tenant on behalf of the signed-in user. | Yes | No

Remarks

IdentityProvider.Read.All and IdentityProvider.ReadWrite.All are valid only for work or school accounts. For an app to read or write identity providers with delegated permissions, the signed-in user must be assigned the Global Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated

The following usages cover the two delegated permissions (IdentityProvider.ReadWrite.All also covers the read operations):

  • IdentityProvider.Read.All: Read all identity providers configured in the tenant (GET /beta/identityProviders)
  • IdentityProvider.Read.All: Read an existing identity provider (GET /beta/identityProviders/{id})
  • IdentityProvider.ReadWrite.All: Create an identity provider (POST /beta/identityProviders)
  • IdentityProvider.ReadWrite.All: Update an existing identity provider (PATCH /beta/identityProviders/{id})
  • IdentityProvider.ReadWrite.All: Delete an existing identity provider (DELETE /beta/identityProviders/{id})

For more complex scenarios involving multiple permissions, see Permission scenarios.


Identity Risk Event permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
--- | --- | --- | --- | ---
IdentityRiskEvent.Read.All | Read identity risk event information | Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
--- | --- | --- | ---
IdentityRiskEvent.Read.All | Read identity risk event information | Allows the app to read identity risk event information for all users in your organization without a signed-in user. | Yes

Remarks

IdentityRiskEvent.Read.All is valid only for work or school accounts. For an app with delegated permissions to read identity risk information, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, or Security Reader. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated and Application

The following usages are valid for both delegated and application permissions:

  • Read all risk events generated for all users in the tenant (GET /beta/identityRiskEvents)
  • Read malware risk events generated by the Dorkbot botnet (GET /beta/malwareRiskEvents?$filter=malwareName eq 'Dorkbot')
  • Read the 50 most recent risk events (GET /beta/identityRiskEvents?$orderBy=riskEventDateTime desc&$top=50)
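Several usage examples on this page, such as the Group query `startswith(displayName,'Sales')` and the risk event query `malwareName eq 'Dorkbot'` above, embed string literals in `$filter`. When the literal comes from user input, building the query with plain string formatting lets the caller close the quote and rewrite the filter, which is an injection into the directory query rather than into a database. The Python below is an added example, not part of the Microsoft Graph documentation: it escapes OData string literals (a single quote is doubled), validates directory object ids before they reach a filter, and URL-encodes the finished query. The `graph_url` helper, the wrapper functions and the sample values are assumptions for this example.

```python
"""Build Microsoft Graph OData queries without letting input rewrite the $filter.

Added example; not from the Microsoft Graph documentation. graph_url, the
wrapper functions and the sample values are assumptions for this demonstration.
"""
import uuid
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/"


def odata_string(value: str) -> str:
    """Quote a string literal for $filter. OData escapes ' by doubling it,
    so a value such as  x' or true  cannot close the literal early."""
    return "'" + value.replace("'", "''") + "'"


def valid_object_id(value: str) -> bool:
    """Directory object ids are GUIDs; reject anything else before it reaches
    a query so that filters on id keep a fixed, harmless shape."""
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def graph_url(path: str, **options) -> str:
    """Assemble GRAPH + path + ?$filter=...&$top=... with every value URL-encoded.
    Keyword names map to OData system query options ($filter, $orderby, $top).
    '$' and '/' stay literal for readability; quotes, spaces, parentheses and
    commas are percent-encoded."""
    url = GRAPH + path.lstrip("/")
    if not options:
        return url
    params = {"$" + name: value for name, value in options.items()}
    return url + "?" + urlencode(params, safe="$/", quote_via=quote)


def groups_starting_with(prefix: str) -> str:
    # The Group.Read.All usage example from this page, with the prefix escaped.
    return graph_url("v1.0/groups", filter=f"startswith(displayName,{odata_string(prefix)})")


def malware_risk_events(malware_name: str) -> str:
    # The identity risk event usage example from this page, with the name escaped.
    return graph_url("beta/malwareRiskEvents", filter=f"malwareName eq {odata_string(malware_name)}")


def latest_risk_events(count: int = 50) -> str:
    # The $orderby/$top usage example; count is coerced to int so it cannot carry text.
    return graph_url("beta/identityRiskEvents", orderby="riskEventDateTime desc", top=int(count))


def risky_user_by_id(user_object_id: str) -> str:
    """The riskyUsers usage example for a single user, with the id validated first."""
    if not valid_object_id(user_object_id):
        raise ValueError("user object id must be a GUID")
    return graph_url("beta/riskyUsers", filter=f"id eq {odata_string(user_object_id)}")


if __name__ == "__main__":
    print(groups_starting_with("Sales"))
    print(groups_starting_with("Sales' or displayName ne '"))  # quote is neutralised
    print(malware_risk_events("Dorkbot"))
    print(latest_risk_events())
    print(risky_user_by_id("00000000-0000-0000-0000-000000000001"))
```

The second `groups_starting_with` call shows the failure mode: without `odata_string`, the supplied prefix would turn a prefix match into `startswith(displayName,'Sales') or displayName ne ''`, returning every group in the tenant.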

For more complex scenarios involving multiple permissions, see Permission scenarios.


Identity Risky User permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
--- | --- | --- | --- | ---
IdentityRiskyUser.Read.All | Read identity user risk information | Allows the app to read identity user risk information for all users in your organization on behalf of the signed-in user. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
--- | --- | --- | ---
IdentityRiskyUser.Read.All | Read identity user risk information | Allows the app to read identity user risk information for all users in your organization without a signed-in user. | Yes

Remarks

IdentityRiskyUser.Read.All is valid only for work or school accounts. For an app with delegated permissions to read identity user risk information, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, or Security Reader. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated and Application

The following usages are valid for both delegated and application permissions:

  • Read all risky users and their properties in the tenant (GET /beta/riskyUsers)
  • Read all risky users whose aggregated risk level is Medium (GET /beta/riskyUsers?$filter=risk/riskLevelAggregated eq microsoft.graph.riskLevel'medium')
  • Read the risk information for a specific user (GET /beta/riskyUsers?$filter=id eq '{userObjectId}')
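Graph returns large collections in pages linked by `@odata.nextLink`, so a client that reads only the first page of `/beta/riskyUsers` can silently miss at-risk users. The Python below is an added example, not from the Microsoft Graph documentation: it walks every page through an injected fetch function, which lets it run offline against a constructed two-page response, and returns the users whose aggregated risk level is at or above a threshold, highest first. The `risk/riskLevelAggregated` property follows the filter in the usage example above; the `riskState` value `atRisk`, the `userPrincipalName` field and the response shape are assumptions for this example.

```python
"""Walk every page of /beta/riskyUsers and triage by aggregated risk level.

Added example; not from the Microsoft Graph documentation. The fetch function
is injected so the demo runs offline; the response below is CONSTRUCTED, and
the riskState value "atRisk" and the nested risk/riskLevelAggregated shape are
assumptions for this example.
"""
from typing import Callable, Dict, Iterator, List, Tuple

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def iter_pages(fetch: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Yield every item of a paged Graph collection, following @odata.nextLink.
    A client that stops after the first page misses everything after it."""
    seen = set()
    while url:
        if url in seen:  # defensive: never spin forever on a repeated link
            raise RuntimeError("paging loop detected at " + url)
        seen.add(url)
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def triage(fetch: Callable[[str], dict], url: str, minimum: str = "medium") -> List[Tuple[str, str]]:
    """Return (userPrincipalName, level) for users still at risk whose aggregated
    risk is at or above `minimum`, highest risk first."""
    threshold = RISK_ORDER[minimum]
    hits = []
    for user in iter_pages(fetch, url):
        if user.get("riskState") != "atRisk":
            continue  # remediated or dismissed users are not actionable
        level = user.get("risk", {}).get("riskLevelAggregated", "none")
        if RISK_ORDER.get(level, 0) >= threshold:
            hits.append((user["userPrincipalName"], level))
    return sorted(hits, key=lambda hit: RISK_ORDER[hit[1]], reverse=True)


# Constructed two-page response keyed by URL, standing in for authenticated GETs.
FIRST_PAGE = "https://graph.microsoft.com/beta/riskyUsers"
SECOND_PAGE = FIRST_PAGE + "?$skiptoken=page2"
PAGES: Dict[str, dict] = {
    FIRST_PAGE: {
        "value": [
            {"userPrincipalName": "alice@contoso.example", "riskState": "atRisk",
             "risk": {"riskLevelAggregated": "medium"}},
            {"userPrincipalName": "bob@contoso.example", "riskState": "atRisk",
             "risk": {"riskLevelAggregated": "low"}},
        ],
        "@odata.nextLink": SECOND_PAGE,
    },
    SECOND_PAGE: {
        "value": [
            {"userPrincipalName": "carol@contoso.example", "riskState": "atRisk",
             "risk": {"riskLevelAggregated": "high"}},
            {"userPrincipalName": "dave@contoso.example", "riskState": "remediated",
             "risk": {"riskLevelAggregated": "high"}},
        ],
    },
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for an authenticated GET; a bad URL raises, as a 404 would."""
    return PAGES[url]


if __name__ == "__main__":
    for upn, level in triage(fake_fetch, FIRST_PAGE):
        print(f"{level:>6}  {upn}")
```

In production `fetch` would be the authenticated HTTP call carrying a token with IdentityRiskyUser.Read.All (delegated or application, per the tables above); the triage logic itself does not change.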

For more complex scenarios involving multiple permissions, see Permission scenarios.


Intune 设备管理权限Intune Device Management permissions

委派权限Delegated permissions

权限Permission 显示字符串Display String 说明Description 需经过管理员同意Admin Consent Required 支持的 Microsoft 帐户Microsoft Account supported
DeviceManagementApps.Read.AllDeviceManagementApps.Read.All 读取 Microsoft Intune 应用Read Microsoft Intune apps 允许应用读取由 Microsoft Intune 管理的应用、应用配置和应用保护策略的属性、组分配情况和状态。Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. Yes No
DeviceManagementApps.ReadWrite.AllDeviceManagementApps.ReadWrite.All 读取和写入 Microsoft Intune 应用Read and write Microsoft Intune apps 允许应用读取和写入由 Microsoft Intune 管理的应用、应用配置和应用保护策略的属性、组分配情况和状态。Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. Yes No
DeviceManagementConfiguration.Read.AllDeviceManagementConfiguration.Read.All 读取 Microsoft Intune 设备配置和策略Read Microsoft Intune device configuration and policies 允许应用读取 Microsoft Intune 管理的设备配置的属性和设备符合性策略以及它们对组的分配情况。Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. Yes No
DeviceManagementConfiguration.ReadWrite.AllDeviceManagementConfiguration.ReadWrite.All 读取和写入 Microsoft Intune 设备配置和策略Read and write Microsoft Intune device configuration and policies 允许应用读取和写入 Microsoft Intune 管理的设备配置的属性和设备符合性策略以及它们对组的分配情况。Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. Yes No
DeviceManagementManagedDevices.PrivilegedOperations.AllDeviceManagementManagedDevices.PrivilegedOperations.All 在 Microsoft Intune 设备上执行影响用户的远程操作Perform user-impacting remote actions on Microsoft Intune devices 允许应用执行高影响级别远程操作,如在由 Microsoft Intune 管理的设备上擦除设备或重置密码。Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. Yes No
DeviceManagementManagedDevices.Read.AllDeviceManagementManagedDevices.Read.All 读取 Microsoft Intune 设备Read Microsoft Intune devices 允许应用读取由 Microsoft Intune 管理的设备的属性。Allows the app to read the properties of devices managed by Microsoft Intune. Yes No
DeviceManagementManagedDevices.ReadWrite.AllDeviceManagementManagedDevices.ReadWrite.All 读取和写入 Microsoft Intune 设备Read and write Microsoft Intune devices 允许应用读取和写入由 Microsoft Intune 管理的设备的属性。不允许执行具有高影响级别的操作,例如针对设备所有者的远程擦除和密码重置。Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device’s owner. Yes No
DeviceManagementRBAC.Read.AllDeviceManagementRBAC.Read.All 读取 Microsoft Intune RBAC 设置Read Microsoft Intune RBAC settings 允许应用读取与基于 Microsoft Intune 角色的访问控制 (RBAC) 设置相关的属性。Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. Yes No
DeviceManagementRBAC.ReadWrite.AllDeviceManagementRBAC.ReadWrite.All 读取和写入 Microsoft Intune RBAC 设置Read and write Microsoft Intune RBAC settings 允许应用读取和写入与基于 Microsoft Intune 角色的访问控制 (RBAC) 设置相关的属性。Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. Yes No
DeviceManagementServiceConfig.Read.AllDeviceManagementServiceConfig.Read.All 读取 Microsoft Intune 配置Read Microsoft Intune configuration 允许应用读取 Intune 服务属性,其中包括设备注册和第三方服务连接配置。Allows the app to read Intune service properties including device enrollment and third party service connection configuration. Yes No
DeviceManagementServiceConfig.ReadWrite.AllDeviceManagementServiceConfig.ReadWrite.All 读取和写入 Microsoft Intune 配置Read and write Microsoft Intune configuration 允许应用读取和写入 Microsoft Intune 服务属性,其中包括设备注册和第三方服务连接配置。Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration. Yes No

应用程序权限Application permissions

无。None.

注解Remarks

注意: 使用 Microsoft Graph API 配置 Intune 控件和策略仍需要客户正确许可 Intune 服务。Note: Using the Microsoft Graph APIs to configure Intune controls and policies still requires that the Intune service is correctly licensed by the customer.

这些权限仅对工作或学校帐户有效。These permissions are only valid for work or school accounts.

Example usage

Delegated

  • DeviceManagementServiceConfig.Read.All: Check the current state of the Intune subscription (GET /deviceManagement/subscriptionState).
  • DeviceManagementServiceConfig.ReadWrite.All: Create new Terms and Conditions (POST /deviceManagement/termsAndConditions).
  • DeviceManagementConfiguration.Read.All: Find the status of a device configuration (GET /deviceManagement/deviceConfigurations/{id}/deviceStatuses).
  • DeviceManagementConfiguration.ReadWrite.All: Assign a device compliance policy to a group (POST /deviceManagement/deviceCompliancePolicies/{id}/assign).
  • DeviceManagementApps.Read.All: Find all the Windows Store apps published to Intune (GET /deviceAppManagement/mobileApps?$filter=isOf('microsoft.graph.windowsStoreApp')).
  • DeviceManagementApps.ReadWrite.All: Publish a new application (POST /deviceAppManagement/mobileApps).
  • DeviceManagementRBAC.Read.All: Find a role assignment by name (GET /deviceManagement/roleAssignments?$filter=displayName eq 'My Role Assignment').
  • DeviceManagementRBAC.ReadWrite.All: Create a new custom role (POST /deviceManagement/roleDefinitions).
  • DeviceManagementManagedDevices.Read.All: Find a managed device by name (GET /deviceManagement/managedDevices?$filter=deviceName eq 'My Device').
  • DeviceManagementManagedDevices.ReadWrite.All: Remove a managed device (DELETE /deviceManagement/managedDevices/{id}).
  • DeviceManagementManagedDevices.PrivilegedOperations.All: Reset the passcode on a user's managed device (POST /deviceManagement/managedDevices/{id}/resetPasscode).

For more complex scenarios involving multiple permissions, see Permission scenarios.
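As an added example (not code from the Microsoft Graph documentation), the following Python performs a pre-flight check of whether an access token carries the Intune permission a planned call needs, using the endpoint-to-permission pairs listed above. It reads the scp claim of a delegated token or the roles claim of an app-only token. The signature is deliberately not verified, so this is a local sanity check on what a token claims, not an authorization decision; Graph still enforces the permissions server-side. The sample tokens are constructed, unsigned placeholders, and the rule that a ReadWrite permission also satisfies the matching Read operation is an assumption based on the usual Graph convention, stated in the code.

```python
"""Pre-flight check: does a Graph access token carry the Intune permission a call needs?

Added example, not code from the Microsoft Graph documentation. The map below is
taken from the example-usage list on this page; the tokens are constructed,
unsigned placeholders, not real Azure AD tokens.
"""
from __future__ import annotations

import base64
import json

# Minimum permission for each call (from the example-usage list). Paths are
# templates; the caller passes the same template it intends to call.
REQUIRED_PERMISSION = {
    ("GET", "/deviceManagement/managedDevices"): "DeviceManagementManagedDevices.Read.All",
    ("DELETE", "/deviceManagement/managedDevices/{id}"): "DeviceManagementManagedDevices.ReadWrite.All",
    ("POST", "/deviceManagement/managedDevices/{id}/resetPasscode"): "DeviceManagementManagedDevices.PrivilegedOperations.All",
    ("GET", "/deviceManagement/roleAssignments"): "DeviceManagementRBAC.Read.All",
    ("POST", "/deviceManagement/roleDefinitions"): "DeviceManagementRBAC.ReadWrite.All",
}

# Assumption (usual Graph convention): ReadWrite also satisfies the matching Read.
# PrivilegedOperations.All is deliberately NOT implied by ReadWrite.All, which is
# the point the table above makes about remote wipe and passcode reset.
IMPLIED = {
    "DeviceManagementManagedDevices.ReadWrite.All": {"DeviceManagementManagedDevices.Read.All"},
    "DeviceManagementRBAC.ReadWrite.All": {"DeviceManagementRBAC.Read.All"},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is NOT checked: this only inspects what
    the token claims to carry; never use it to authorize anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> tuple[str, set[str]]:
    """Delegated tokens carry scopes in 'scp' (space-separated string);
    app-only tokens carry application permissions in 'roles' (array)."""
    if "roles" in claims:
        return "application", set(claims["roles"])
    return "delegated", set(claims.get("scp", "").split())


def effective_permissions(perms: set[str]) -> set[str]:
    out = set(perms)
    for p in perms:
        out |= IMPLIED.get(p, set())
    return out


def check_call(token: str, method: str, path_template: str) -> tuple[bool, str, str]:
    """Return (allowed, needed_permission, token_kind) for a planned Graph call."""
    kind, perms = granted_permissions(decode_claims(token))
    needed = REQUIRED_PERMISSION[(method.upper(), path_template)]
    return needed in effective_permissions(perms), needed, kind


def make_unsigned_token(payload: dict) -> str:
    """Build an alg=none JWT for offline tests only; never accept one as real input."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}."


# Constructed sample tokens (not real): one delegated, one app-only.
DELEGATED_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "DeviceManagementManagedDevices.ReadWrite.All User.Read"}
)
APP_ONLY_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "roles": ["DeviceManagementManagedDevices.PrivilegedOperations.All"]}
)

if __name__ == "__main__":
    for tok, name in ((DELEGATED_TOKEN, "delegated"), (APP_ONLY_TOKEN, "app-only")):
        for method, path in REQUIRED_PERMISSION:
            allowed, needed, kind = check_call(tok, method, path)
            print(f"{name:9} {method:6} {path:55} {'OK  ' if allowed else 'DENY'} needs {needed}")
```

Run as a script, the output shows the distinction the table draws: with the delegated token, DeviceManagementManagedDevices.ReadWrite.All is enough to delete a device (and, via the stated assumption, to list devices) but not to reset its passcode, while the app-only token holding only PrivilegedOperations.All can reset the passcode but, in this check, is not treated as covering the ReadWrite operations.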


Mail permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Mail.Read | Read user mail | Allows the app to read email in user mailboxes. | No | Yes
Mail.ReadBasic | Read user basic mail (preview) | (Preview) Allows the app to read the signed-in user's mailbox except body, previewBody, attachments and any extended properties. Does not include permissions to search messages. | No | Yes
Mail.ReadWrite | Read and write access to user mail | Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. | No | Yes
Mail.Read.Shared | Read user and shared mail | Allows the app to read mail that the user can access, including the user's own and shared mail. | No | No
Mail.ReadWrite.Shared | Read and write user and shared mail | Allows the app to create, read, update, and delete mail that the user has permission to access, including the user's own and shared mail. Does not include permission to send mail. | No | No
Mail.Send | Send mail as a user | Allows the app to send mail as users in the organization. | No | Yes
Mail.Send.Shared | Send mail on behalf of others | Allows the app to send mail as the signed-in user, including sending on behalf of others. | No | No
MailboxSettings.Read | Read user mailbox settings | Allows the app to read the user's mailbox settings. Does not include permission to send mail. | No | Yes
MailboxSettings.ReadWrite | Read and write user mailbox settings | Allows the app to create, read, update, and delete the user's mailbox settings. Does not include permission to directly send mail, but allows the app to create rules that can forward or redirect messages. | No | Yes

Application permissions

Permission | Display String | Description | Admin Consent Required
Mail.Read | Read mail in all mailboxes | Allows the app to read mail in all mailboxes without a signed-in user. | Yes
Mail.ReadBasic.All | Read all users basic mail (preview) | (Preview) Allows the app to read all users' mailboxes except body, previewBody, attachments and any extended properties, without a signed-in user. Does not include permissions to search messages. | Yes
Mail.ReadWrite | Read and write mail in all mailboxes | Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. | Yes
Mail.Send | Send mail as any user | Allows the app to send mail as any user without a signed-in user. | Yes
MailboxSettings.Read | Read all user mailbox settings | Allows the app to read users' mailbox settings without a signed-in user. Does not include permission to send mail. | Yes
MailboxSettings.ReadWrite | Read and write all user mailbox settings | Allows the app to create, read, update, and delete users' mailbox settings without a signed-in user. Does not include permission to send mail. | Yes

Important: Administrators can configure an application access policy to limit an app's access to specific mailboxes rather than all mailboxes in the organization, even when the app has been granted the application permissions Mail.Read, Mail.ReadWrite, Mail.Send, MailboxSettings.Read, or MailboxSettings.ReadWrite. Application access policies are created in Exchange Online PowerShell with New-ApplicationAccessPolicy, which scopes an app ID to the members of a mail-enabled security group; Test-ApplicationAccessPolicy reports the access a given app has to a given mailbox once the policy is in place.

Remarks

Mail.Read.Shared, Mail.ReadWrite.Shared, and Mail.Send.Shared are only valid for work or school accounts. All other permissions are valid for both Microsoft accounts and work or school accounts.

With the Mail.Send or Mail.Send.Shared permission, an app can send mail and save a copy to the user's Sent Items folder, even if the app does not hold a corresponding Mail.ReadWrite or Mail.ReadWrite.Shared permission.

Example usage

Delegated

  • Mail.Read: List messages in the user's inbox, sorted by receivedDateTime (GET /me/mailFolders/inbox/messages?$orderby=receivedDateTime DESC).
  • Mail.Read.Shared: Find all messages with attachments in the inbox of a user who has shared their inbox with the signed-in user (GET /users/{id | userPrincipalName}/mailFolders/inbox/messages?$filter=hasAttachments eq true).
  • Mail.ReadWrite: Mark a message as read (PATCH /me/messages/{id}).
  • Mail.Send: Send a message (POST /me/sendMail).
  • MailboxSettings.ReadWrite: Update the user's automatic reply (PATCH /me/mailboxSettings).

Application

  • Mail.Read: Find messages from bob@contoso.com (GET /users/{id | userPrincipalName}/messages?$filter=from/emailAddress/address eq 'bob@contoso.com').
  • Mail.ReadWrite: Create a new folder under the Inbox named Expense Reports (POST /users/{id | userPrincipalName}/mailFolders/inbox/childFolders).
  • Mail.Send: Send a message (POST /users/{id | userPrincipalName}/sendMail).
  • MailboxSettings.Read: Get the default time zone for the user's mailbox (GET /users/{id | userPrincipalName}/mailboxSettings/timeZone).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Member permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Member.Read.Hidden | Read hidden memberships | Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Member.Read.Hidden | Read all hidden memberships | Allows the app to read the memberships of hidden groups and administrative units without a signed-in user. | Yes

Remarks

Member.Read.Hidden is valid only on work or school accounts.

Membership in some Office 365 groups can be hidden. This means that only the members of the group can view its members. This feature can be used to help comply with regulations that require an organization to hide group membership from outsiders (for example, an Office 365 group that represents students enrolled in a class).

Example usage

Delegated

  • Member.Read.Hidden: Read the members of an administrative unit with hidden membership on behalf of the signed-in user (GET /administrativeUnits/{id}/members).
  • Member.Read.Hidden: Read the members of a group with hidden membership on behalf of the signed-in user (GET /groups/{id}/members).

Application

  • Member.Read.Hidden: Read the members of an administrative unit with hidden membership (GET /administrativeUnits/{id}/members).
  • Member.Read.Hidden: Read the members of a group with hidden membership (GET /groups/{id}/members).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Notes permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Notes.Read | Read user OneNote notebooks | Allows the app to read OneNote notebooks on behalf of the signed-in user. | No | Yes
Notes.Create | Create user OneNote notebooks | Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user. | No | Yes
Notes.ReadWrite | Read and write user OneNote notebooks | Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user. | No | Yes
Notes.Read.All | Read all OneNote notebooks that user can access | Allows the app to read OneNote notebooks that the signed-in user has access to in the organization. | No | No
Notes.ReadWrite.All | Read and write all OneNote notebooks that user can access | Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization. | No | No
Notes.ReadWrite.CreatedByApp | Limited notebook access (deprecated) | Deprecated. Do not use. No privileges are granted by this permission. | No | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Notes.Read.All | Read all OneNote notebooks | Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. | Yes
Notes.ReadWrite.All | Read and write all OneNote notebooks | Allows the app to read, share, and modify all the OneNote notebooks in your organization, without a signed-in user. | Yes

Remarks

Notes.Read.All and Notes.ReadWrite.All are only valid for work or school accounts. All other permissions are valid for both Microsoft accounts and work or school accounts.

With the Notes.Create permission, an app can view the OneNote notebook hierarchy of the signed-in user and create OneNote content (notebooks, section groups, sections, pages, etc.).

Notes.ReadWrite and Notes.ReadWrite.All also allow the app to modify the permissions on the OneNote content that can be accessed by the signed-in user.

For work or school accounts, Notes.Read.All and Notes.ReadWrite.All allow the app to access other users' OneNote content that the signed-in user has permission to within the organization.

Example usage

Delegated

  • Notes.Create: Create a new notebook for the signed-in user (POST /me/onenote/notebooks).
  • Notes.Read: Read the notebooks of the signed-in user (GET /me/onenote/notebooks).
  • Notes.Read.All: Get all notebooks that the signed-in user has access to within the organization (GET /me/onenote/notebooks?includesharednotebooks=true).
  • Notes.ReadWrite: Update a page of the signed-in user (PATCH /me/onenote/pages/{id}/$value).
  • Notes.ReadWrite.All: Create a page in another user's notebook that the signed-in user has access to within the organization (POST /users/{id}/onenote/pages).

Application

  • Notes.Read.All: Read all users' notebooks in a group (GET /groups/{id}/onenote/notebooks).
  • Notes.ReadWrite.All: Update a page in a notebook of any user in the organization (PATCH /users/{id}/onenote/pages/{id}/$value).

For more complex scenarios involving multiple permissions, see Permission scenarios.

Notifications permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required
Notifications.ReadWrite.CreatedByApp | Deliver and manage notifications for this app. | Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user's notification items for this app. | No

Remarks

Notifications.ReadWrite.CreatedByApp is valid for both Microsoft accounts and work or school accounts. The CreatedByApp constraint associated with this permission indicates that the service applies implicit filtering to results based on the identity of the calling app, either the Microsoft account app ID or a set of app IDs configured for a cross-platform application identity.

Example usage

Delegated

  • Notifications.ReadWrite.CreatedByApp: Publish a user-centric notification, which might then be delivered to the user's multiple application clients running on different endpoints (POST /me/notifications/).

Online meetings permissions

Delegated permissions

None.

Application permissions

Permission | Display String | Description | Admin Consent Required
OnlineMeetings.Read.All | Read Online Meeting details from the app (preview) | Allows the app to read Online Meeting details in your organization, without a signed-in user. | Yes
OnlineMeetings.ReadWrite.All | Read and Create Online Meetings from the app (preview) on behalf of a user | Allows the app to create Online Meetings in your organization on behalf of a user, without a signed-in user. | Yes

Example usage

Application

  • OnlineMeetings.Read.All: Retrieve the properties and relationships of an Online Meeting (GET /beta/app/onlinemeetings/{id}).
  • OnlineMeetings.ReadWrite.All: Create an Online Meeting (POST /beta/app/onlinemeetings).

Note: Creating an Online Meeting creates a meeting on behalf of the user specified in the request body, but does not show it on that user's Calendar.

For more complex scenarios involving multiple permissions, see Permission scenarios.


On-premises publishing profiles permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
OnPremisesPublishingProfiles.ReadWrite.All | Access On-Premises Publishing Profiles | Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on behalf of the signed-in user. | No | No

Application permissions

Permission | Display String | Description | Admin Consent Required
OnPremisesPublishingProfiles.ReadWrite.All | Access On-Premises Publishing Profiles | Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, without a signed-in user. | Yes

OpenID permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
email | View users' email address | Allows the app to read your users' primary email address. | No | No
offline_access | Access user's data anytime | Allows the app to read and update user data, even when they are not currently using the app. | No | No
openid | Sign users in | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. | No | No
profile | View users' basic profile | Allows the app to see your users' basic profile (name, picture, user name). | No | No

Application permissions

None.

Remarks

You can use these permissions to specify artifacts that you want returned in Azure AD authorization and token requests. They are supported differently by the Azure AD v1.0 and v2.0 endpoints.

With the Azure AD (v1.0) endpoint, only the openid permission is used. You specify it in the scope parameter of an authorization request to return an ID token when you use the OpenID Connect protocol to sign a user in to your app. For more information, see Authorize access to web applications using OpenID Connect and Azure Active Directory. To successfully return an ID token, you must also make sure that the User.Read permission is configured when you register your app.

With the Azure AD v2.0 endpoint, you specify the offline_access permission in the scope parameter to explicitly request a refresh token when using the OAuth 2.0 or OpenID Connect protocols. Despite its display string, offline_access grants no access to any resource by itself: it only lets the app obtain a refresh token, so that the permissions the app has already been granted can be exercised after the user has left the app. With OpenID Connect, you specify the openid permission to request an ID token. You can also specify the email permission, the profile permission, or both to return additional claims in the ID token. You do not need to specify User.Read to return an ID token with the v2.0 endpoint. For more information, see OpenID Connect scopes.

Important: The Microsoft Authentication Library (MSAL) currently specifies offline_access, openid, profile, and email by default in authorization and token requests. This means that, in the default case, if you specify these permissions explicitly, Azure AD may return an error.
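As an added example (not code from the Microsoft Graph documentation or from MSAL), the following Python composes a v2.0 authorization request by hand, following the rules in the remarks above: openid for an ID token, profile and email only when the extra claims are wanted, offline_access only when a refresh token is wanted, and Graph resource scopes alongside them. It then audits a token response, since consent can be partial and a missing refresh token is usually a missing offline_access. The tenant, client ID, redirect URI and the token response are constructed placeholders; the normalisation of scope names assumes the endpoint may echo Graph scopes either as short names or with the https://graph.microsoft.com/ prefix.

```python
"""Compose a v2.0 authorization request and audit what the token endpoint granted.

Added example, not code from the Microsoft Graph documentation or from MSAL.
Tenant, client ID, redirect URI and the token response are constructed placeholders.
"""
from __future__ import annotations

import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"
GRAPH = "https://graph.microsoft.com/"

# The four OpenID scopes from the table above. MSAL adds them itself; a hand-built
# request has to add them explicitly, and must not list them twice.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def _short(scope: str) -> str:
    """Normalise 'https://graph.microsoft.com/Mail.Read' and 'Mail.Read' to 'mail.read'
    (assumption: the endpoint may echo either form back in the 'scope' field)."""
    return scope[len(GRAPH):].lower() if scope.startswith(GRAPH) else scope.lower()


def build_scope(resource_scopes: list[str], want_refresh_token: bool = True,
                want_profile_claims: bool = False) -> str:
    """openid for an ID token; profile/email only if the extra ID-token claims are
    wanted; offline_access only if a refresh token is wanted; then Graph scopes."""
    scopes = ["openid"]
    if want_profile_claims:
        scopes += ["profile", "email"]
    if want_refresh_token:
        scopes.append("offline_access")
    for s in resource_scopes:
        if _short(s) in OIDC_SCOPES:
            raise ValueError(f"{s} is an OpenID scope, not a Graph resource scope; it is added here")
        scopes.append(s if s.startswith(GRAPH) else GRAPH + s)
    return " ".join(dict.fromkeys(scopes))  # drop duplicates, keep order


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        resource_scopes: list[str], state: str | None = None,
                        **scope_opts) -> str:
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": build_scope(resource_scopes, **scope_opts),
        "state": state or secrets.token_urlsafe(16),  # binds the callback to this request
    }
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urlencode(params)


def audit_token_response(token_response: dict, requested_resource_scopes: list[str]) -> dict:
    """Consent can be partial: report requested resource scopes that were not granted,
    and whether the artefacts tied to offline_access and openid came back."""
    granted = {_short(s) for s in token_response.get("scope", "").split()}
    return {
        "missing_scopes": [s for s in requested_resource_scopes if _short(s) not in granted],
        "has_refresh_token": "refresh_token" in token_response,
        "has_id_token": "id_token" in token_response,
    }


# Constructed token response (not captured from a real tenant): the user consented to
# User.Read but not Mail.Read, and offline_access was not requested, so no refresh token.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": "https://graph.microsoft.com/User.Read openid profile",
    "expires_in": 3599,
    "access_token": "<opaque-to-the-client>",
    "id_token": "<jwt>",
}

if __name__ == "__main__":
    print(build_authorize_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                              "https://localhost/callback", ["User.Read", "Mail.Read"]))
    print(audit_token_response(SAMPLE_TOKEN_RESPONSE, ["User.Read", "Mail.Read"]))
```

If you let MSAL build the request instead, pass only the Graph resource scopes and leave the four OpenID scopes out, which is exactly what build_scope enforces by rejecting them in resource_scopes.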


Organization permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Organization.Read.All | Read organization information | Allows the app to read the organization and related resources on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes | No
Organization.ReadWrite.All | Read and write organization information | Allows the app to read and write the organization and related resources on behalf of the signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Organization.Read.All | Read organization information | Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes
Organization.ReadWrite.All | Read and write organization information | Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information. | Yes

Example usage

Delegated

  • Organization.Read.All: Get organization information (GET /organization).
  • Organization.Read.All: Get the SKUs that the organization has subscribed to (GET /subscribedSkus).

Application

  • Organization.ReadWrite.All: Update organization information (such as technicalNotificationMails) (PATCH /organization/{id}).

Organizational contact permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
OrgContact.Read.All | Read organizational contacts | Allows the app to read all organizational contacts on behalf of the signed-in user. These contacts are managed by the organization and are different from a user's personal contacts. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
OrgContact.Read.All | Read organizational contacts | Allows the app to read all organizational contacts without a signed-in user. These contacts are managed by the organization and are different from a user's personal contacts. | Yes

Example usage

Delegated

  • OrgContact.Read.All: Get all organizational contacts (GET /contacts).

People permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
People.Read | Read users' relevant people lists | Allows the app to read a scored list of people relevant to the signed-in user. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). | No | Yes
People.Read.All | Read all users' relevant people lists | Allows the app to read a scored list of people relevant to the signed-in user or other users in the signed-in user's organization. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). Also allows the app to search the entire directory of the signed-in user's organization. | Yes | No

Application permissions

Permission | Display String | Description | Admin Consent Required
People.Read.All | Read all users' relevant people lists | Allows the app to read a scored list of people relevant to the signed-in user or other users in the signed-in user's organization. The list can include local contacts, contacts from social networking or your organization's directory, and people from recent communications (such as email and Skype). Also allows the app to search the entire directory of the signed-in user's organization. | Yes

Remarks

The People.Read.All permission is only valid for work and school accounts.

Example usage

Delegated

  • People.Read: Read a list of relevant people (GET /me/people).
  • People.Read.All: Read a list of people relevant to another user in the same organization (GET /users/{id}/people).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Places permissions

Delegated permissions

Permission | Display String | Description | Admin Consent Required | Microsoft Account supported
Place.Read.All | Read all company places | Allows the app to read company places (conference rooms and room lists) for calendar events and other applications. | No | No

Application permissions

Permission | Display String | Description | Admin Consent Required
Place.Read.All | Read all company places | Allows the app to read company places (conference rooms and room lists) for calendar events and other applications. | Yes

策略权限Policy and compliance permissions

委派权限Delegated permissions

权限Permission 显示字符串Display String 说明Description 需经过管理员同意Admin Consent Required 支持的 Microsoft 帐户Microsoft Account supported
Policy.Read.AllPolicy.Read.All 阅读你组织的策略Read your organization's policies 允许应用代表已登录用户阅读你组织的策略。Allows the app to read your organization’s security events on behalf of the signed-in user. Yes No
Policy.ReadWrite.FeatureRolloutPolicy.ReadWrite.FeatureRollout 读取和写入你组织的功能推出策略Read and write your organization's feature rollout policies 允许应用代表已登录用户读取和写入你组织的功能推出策略。Allows the app to read and write TrustFramework Policies on behalf of the signed-in user. 包括分配用户和组来推出特定功能以及删除此类用户和组的能力。Includes abilities to assign and remove users and groups to rollout of a specific feature. Yes No
Policy.ReadWrite.TrustFrameworkPolicy.ReadWrite.TrustFramework 读取和写入你组织的信任框架策略Read and write your organization's trust framework policies 允许应用代表已登录用户读取和写入你组织的信任框架策略。Allows the app to read and write TrustFramework Policies on behalf of the signed-in user. Yes No

应用程序权限Application permissions

权限Permission 显示字符串Display String 说明Description 需经过管理员同意Admin Consent Required
Policy.Read.AllPolicy.Read.All 阅读你组织的策略Read your organization's policies 允许应用无需登录的用户即可读取你所在组织的所有策略。Allows the app to read all your organization's policies without a signed in user. Yes
Policy.Read.FeatureRolloutPolicy.Read.FeatureRollout 读取和写入功能推出策略Read and write feature rollout policies 允许用户无需登录的用户即可读取和写入功能推出策略。Allows the app to read and write programs without a signed-in user. 包括分配用户和组来推出特定功能以及删除此类用户和组的能力。Includes abilities to assign and remove users and groups to rollout of a specific feature. Yes
Policy.Read.TrustFrameworkPolicy.Read.TrustFramework 读取和写入你组织的信任框架策略Read and write your organization's trust framework policies 允许应用无需登录的用户即可读取和写入你所在组织的信任框架策略。Allows the app to read and write your organization's trust framework policies without a signed in user. Yes

Example usage

The following usages are valid for both delegated and application permissions:

  • Policy.Read.All: Read your organization's policies (GET /policies)
  • Policy.Read.All: Read your organization's trust framework policies (GET /beta/trustFramework/policies)
  • Policy.Read.All: Read your organization's feature rollout policies (GET /beta/directory/featureRolloutPolicies)
  • Policy.ReadWrite.FeatureRollout: Read and write your organization's feature rollout policies (POST /beta/directory/featureRolloutPolicies)
  • Policy.ReadWrite.TrustFramework: Read and write your organization's trust framework policies (POST /beta/trustFramework/policies)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Programs and program controls permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| ProgramControl.Read.All | Read all programs | Allows the app to read programs on behalf of the signed-in user. | Yes | No |
| ProgramControl.ReadWrite.All | Manage all programs | Allows the app to read and write programs on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| ProgramControl.Read.All | Read all programs | Allows the app to read programs without a signed-in user. | Yes |
| ProgramControl.ReadWrite.All | Manage all programs | Allows the app to read and write programs without a signed-in user. | Yes |

Remarks

ProgramControl.Read.All and ProgramControl.ReadWrite.All are valid only for work or school accounts.

For an app with delegated permissions to read programs and program controls, the signed-in user must be a member of one of the following administrator roles: Global Administrator, Security Administrator, Security Reader or User Administrator. For an app with delegated permissions to write programs and program controls, the signed-in user must be a member of one of the following administrator roles: Global Administrator or User Administrator. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.


Reports permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Reports.Read.All | Read all usage reports | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| Reports.Read.All | Read all usage reports | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. | Yes |

Remarks

Reports permissions are only valid for work or school accounts.

Example usage

Application

  • Reports.Read.All: Read usage detail report of email apps with period of 7 days (GET /reports/EmailAppUsage(view='Detail',period='D7')/content).
  • Reports.Read.All: Read activity detail report of email with date of '2017-01-01' (GET /reports/EmailActivity(view='Detail',data='2017-01-01')/content).
  • Reports.Read.All: Read Office 365 activations detail report (GET /reports/Office365Activations(view='Detail')/content).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Role management permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| RoleManagement.Read.Directory | Read directory RBAC settings | Allows the app to read the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes reading directory role templates, directory roles and memberships. | Yes | No |
| RoleManagement.ReadWrite.Directory | Read and write directory RBAC settings | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| RoleManagement.Read.Directory | Read all directory RBAC settings | Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships. | Yes |
| RoleManagement.ReadWrite.Directory | Read and write all directory RBAC settings | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Yes |

Remarks

With the RoleManagement.Read.Directory permission an application can read directoryRoles and directoryRoleTemplates. This includes reading membership information for directory roles.

With the RoleManagement.ReadWrite.Directory permission an application can read and write directoryRoles (directoryRoleTemplates are read-only resources). This includes adding and removing members to and from directory roles.

Role management permissions are only valid for work or school accounts.

Example usage

  • RoleManagement.Read.Directory: Read the list of available role templates (GET /directoryRoleTemplates)
  • RoleManagement.Read.Directory: Read the list of activated roles in your directory (GET /directoryRoles)
  • RoleManagement.Read.Directory: Read the list of members for a role (GET /directoryRoles/<id>/members)
  • RoleManagement.Read.Directory: Read the list of administrative unit-scoped members for a role (GET /directoryRoles/<id>/scopedMembers)
  • RoleManagement.ReadWrite.Directory: Activate a directory role from a role template (POST /directoryRoles)
  • RoleManagement.ReadWrite.Directory: Add a member to a directory role (POST /directoryRoles/<id>/members)
  • RoleManagement.ReadWrite.Directory: Add an administrative unit-scoped member to a directory role (POST /directoryRoles/<id>/scopedMembers)

For more complex scenarios involving multiple permissions, see Permission scenarios.


Security permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| SecurityEvents.Read.All | Read your organization's security events | Allows the app to read your organization's security events on behalf of the signed-in user. | Yes | No |
| SecurityEvents.ReadWrite.All | Read and update your organization's security events | Allows the app to read your organization's security events on behalf of the signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in user. | Yes | No |
| SecurityActions.Read.All | Read your organization's security actions | Allows the app to read your organization's security actions on behalf of the signed-in user. | Yes | No |
| SecurityActions.ReadWrite.All | Read and update your organization's security actions | Allows the app to read your organization's security actions on behalf of the signed-in user. | Yes | No |
| ThreatIndicators.ReadWrite.OwnedBy | Manage threat indicators this app creates or owns | Allows the app to read your organization's security actions on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| SecurityEvents.Read.All | Read your organization's security events | Allows the app to read your organization's security events. | Yes |
| SecurityEvents.ReadWrite.All | Read and update your organization's security events | Allows the app to read your organization's security events. Also allows the app to update editable properties in security events. | Yes |
| SecurityActions.Read.All | Read your organization's security events | Allows the app to read your organization's security actions. | Yes |
| SecurityActions.ReadWrite.All | Create and read your organization's security actions | Allows the app to read or create security actions, without a signed-in user. | Yes |
| ThreatIndicators.ReadWrite.OwnedBy | Manage threat indicators this app creates or owns | Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), without a signed-in user. It cannot update any threat indicators it does not own. | Yes |

Remarks

Security permissions are valid only on work or school accounts.

Example usage

Delegated and Application

  • SecurityEvents.Read.All: Read the list of all security alerts from all licensed security providers available to your tenant (GET /beta/security/alerts)
  • SecurityEvents.ReadWrite.All: Update or read security alerts from all licensed security providers available to your tenant (PATCH /beta/security/alerts/{id})

Sites permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Sites.Read.All | Read items in all site collections | Allows the app to read documents and list items in all site collections on behalf of the signed-in user. | No | No |
| Sites.ReadWrite.All | Read and write items in all site collections | Allows the app to edit or delete documents and list items in all site collections on behalf of the signed-in user. | No | No |
| Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Allows the app to manage and create lists, documents, and list items in all site collections on behalf of the signed-in user. | No | No |
| Sites.FullControl.All | Have full control of all site collections | Allows the app to have full control of SharePoint sites in all site collections on behalf of the signed-in user. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| Sites.Read.All | Read items in all site collections | Allows the app to read documents and list items in all site collections without a signed-in user. | Yes |
| Sites.ReadWrite.All | Read and write items in all site collections | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user. | Yes |
| Sites.Manage.All | Create, edit, and delete items and lists in all site collections | Allows the app to manage and create lists, documents, and list items in all site collections without a signed-in user. | Yes |
| Sites.FullControl.All | Have full control of all site collections | Allows the app to have full control of SharePoint sites in all site collections without a signed-in user. | Yes |

Remarks

Sites permissions are valid only on work or school accounts.

Example usage

Delegated

  • Sites.Read.All: Read the lists on the SharePoint root site (GET /v1.0/sites/root/lists)
  • Sites.ReadWrite.All: Create new list items in a SharePoint list (POST /v1.0/sites/root/lists/123/items)
  • Sites.Manage.All: Add a new list to a SharePoint site (POST /v1.0/sites/root/lists)
  • Sites.FullControl.All: Complete access to SharePoint sites and lists.

Tasks permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Tasks.Read | Read user tasks (preview) | Allows the app to read user tasks. | No | Yes |
| Tasks.Read.Shared | Read user and shared tasks (preview) | Allows the app to read tasks a user has permissions to access, including their own and shared tasks. | No | No |
| Tasks.ReadWrite | Create, read, update and delete user tasks and containers (preview) | Allows the app to create, read, update and delete tasks and containers (and tasks in them) that are assigned to or shared with the signed-in user. | No | Yes |
| Tasks.ReadWrite.Shared | Read and write user and shared tasks (preview) | Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks. | No | No |

Application permissions

None.

Remarks

Tasks permissions are used to control access for Outlook tasks. Access for Microsoft Planner tasks is controlled by Group permissions.

Shared permissions are currently only supported for work or school accounts. Even with Shared permissions, reads and writes may fail if the user who owns the shared content has not granted the accessing user permissions to modify content within the folder.

Example usage

Delegated

  • Tasks.Read: Get all tasks in a user's mailbox (GET /me/outlook/tasks).
  • Tasks.Read.Shared: Access tasks in a folder shared to you by another user in your organization (GET /users{id|userPrincipalName}/outlook/taskfolders/{id}/tasks).
  • Tasks.ReadWrite: Add an event to the user's default task folder (POST /me/outlook/tasks).
  • Tasks.Read: Get all uncompleted tasks in a user's mailbox (GET /users/{id | userPrincipalName}/outlook/tasks?$filter=status ne 'completed').
  • Tasks.ReadWrite: Update a task in a user's mailbox (PATCH /users/{id | userPrincipalName}/outlook/tasks/id).
  • Tasks.ReadWrite.Shared: Complete a task on behalf of another user (POST /users/{id | userPrincipalName}/outlook/tasks/id/complete).

For more complex scenarios involving multiple permissions, see Permission scenarios.


Terms of use permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| Agreement.Read.All | Read all terms of use agreements | Allows the app to read terms of use agreements on behalf of the signed-in user. | Yes | No |
| Agreement.ReadWrite.All | Read and write all terms of use agreements | Allows the app to read and write terms of use agreements on behalf of the signed-in user. | Yes | No |
| AgreementAcceptance.Read | Read user terms of use acceptance statuses | Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. | Yes | No |
| AgreementAcceptance.Read.All | Read terms of use acceptance statuses that user can access | Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. | Yes | No |

Remarks

All the permissions above are valid only for work or school accounts.

For an app to read or write all agreements or agreement acceptances with delegated permissions, the signed-in user must be assigned the Global Administrator, Conditional Access Administrator or Security Administrator role. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.

Example usage

Delegated

The following usages are valid for delegated permissions:

  • Agreement.Read.All: Read all terms of use agreements (GET /beta/agreements)
  • Agreement.ReadWrite.All: Read and write all terms of use agreements (POST /beta/agreements)
  • AgreementAcceptance.Read: Read user terms of use acceptance statuses (GET /beta/me/agreementAcceptances)

For more complex scenarios involving multiple permissions, see Permission scenarios.


User permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| User.Read | Sign in and read user profile | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No | Yes |
| User.ReadWrite | Read and write access to user profile | Allows the app to read the signed-in user's full profile. It also allows the app to update the signed-in user's profile information on their behalf. | No | Yes |
| User.ReadBasic.All | Read all users' basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user. | No | No |
| User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Yes | No |
| User.ReadWrite.All | Read and write all users' full profiles | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. | Yes | No |
| User.Invite.All | Invite guest users to the organization | Allows the app to invite guest users to your organization, on behalf of the signed-in user. | Yes | No |
| User.Export.All | Export users' data | Allows the app to export an organizational user's data, when performed by a Company Administrator. | Yes | No |

Application permissions

| Permission | Display String | Description | Admin Consent Required |
|---|---|---|---|
| User.Read.All | Read all users' full profiles | Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. | Yes |
| User.ReadWrite.All | Read and write all users' full profiles | Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords. | Yes |
| User.Invite.All | Invite guest users to the organization | Allows the app to invite guest users to your organization, without a signed-in user. | Yes |
| User.Export.All | Export users' data | Allows the app to export organizational users' data, without a signed-in user. | Yes |

Remarks

With the User.Read permission, an app can also read the basic company information of the signed-in user for a work or school account through the organization resource. The following properties are available: id, displayName, and verifiedDomains.

For work or school accounts, the full profile includes all of the declared properties of the User resource. On reads, only a limited number of properties are returned by default. To read properties that are not in the default set, use $select. The default properties are:

  • displayName
  • givenName
  • jobTitle
  • mail
  • mobilePhone
  • officeLocation
  • preferredLanguage
  • surname
  • userPrincipalName

The User.ReadWrite and User.ReadWrite.All delegated permissions allow the app to update the following profile properties for work or school accounts:

  • aboutMe
  • birthday
  • hireDate
  • interests
  • mobilePhone
  • mySite
  • pastProjects
  • photo
  • preferredName
  • responsibilities
  • schools
  • skills

With the User.ReadWrite.All application permission, the app can update all of the declared properties of work or school accounts except for password.

With the User.ReadWrite.All delegated or application permission, updating another user's businessPhones, mobilePhone or otherMails is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles.

To read or write direct reports (directReports) or the manager (manager) of a work or school account, the app must have either User.Read.All (read only) or User.ReadWrite.All.

The User.ReadBasic.All permission constrains app access to a limited set of properties known as the basic profile. This is because the full profile might contain sensitive directory information. The basic profile includes only the following properties:

  • displayName
  • givenName
  • mail
  • photo
  • surname
  • userPrincipalName

To read the group memberships of a user (memberOf), the app must have either Group.Read.All or Group.ReadWrite.All. However, if the user also has membership in a directoryRole or an administrativeUnit, the app will need effective permissions to read those resources too, or Microsoft Graph will return an error. This means the app will also need Directory permissions, and, for delegated permissions, the signed-in user will also need sufficient privileges in the organization to access directory roles and administrative units.

Example usage

Delegated

  • User.Read: Read the full profile for the signed-in user (GET /me).
  • User.ReadWrite: Update the photo of the signed-in user (PUT /me/photo/$value).
  • User.ReadBasic.All: Find all users whose name starts with "David" (GET /users?$filter=startswith(displayName,'David')).
  • User.Read.All: Read a user's manager (GET /user/{id | userPrincipalName}/manager).

Application

  • User.Read.All: Read all users and relationships through delta query (GET /beta/users/delta?$select=displayName,givenName,surname).
  • User.ReadWrite.All: Update the photo for any user in the organization (PUT /user/{id | userPrincipalName}/photo/$value).

For more complex scenarios involving multiple permissions, see Permission scenarios.
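The User permission tiers above (User.Read, User.ReadBasic.All, User.Read.All, User.ReadWrite.All) are the usual place where an app ends up consented to more than its calls need. The script below is an added example, not code from the original page or from Microsoft's SDKs: it decodes the payload of a Graph access token and audits the permissions it carries against the calls the app intends to make, reporting calls that no granted permission covers, grants no call uses, and grants broader than the weakest permission that would do. It relies on the standard Graph token layout (delegated scopes as a space-separated `scp` claim, application permissions as a `roles` array); the operation-to-permission map is taken from the User usage examples above, the implication table is a simplification drawn from the permission descriptions, and the token is constructed locally and never signature-checked (signature validation is the resource server's job, not this audit's).

```python
import base64
import json

# Minimum permission for each operation, taken from the page's User
# permissions usage examples (placeholders simplified to {id}).
REQUIRED = {
    "GET /me": {"User.Read"},
    "PUT /me/photo/$value": {"User.ReadWrite"},
    "GET /users?$filter=startswith(displayName,'David')": {"User.ReadBasic.All"},
    "GET /users/{id}/manager": {"User.Read.All"},
    "PUT /users/{id}/photo/$value": {"User.ReadWrite.All"},
}

# Broader permissions that cover weaker ones on the User resource, a
# simplification of the page's descriptions (assumption for this demo):
# ReadWrite.All includes reading, Read.All reads everyone's full profile,
# ReadBasic.All also reads the signed-in user's own full profile.
IMPLIES = {
    "User.ReadWrite.All": {"User.Read.All", "User.ReadBasic.All", "User.ReadWrite", "User.Read"},
    "User.Read.All": {"User.ReadBasic.All", "User.Read"},
    "User.ReadBasic.All": {"User.Read"},
    "User.ReadWrite": {"User.Read"},
}


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token):
    """Return the payload claims of a JWT without verifying its signature.
    Inspection only: never use this in place of proper token validation."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def granted_permissions(claims):
    """Delegated tokens list scopes in `scp`; application tokens list
    permissions in `roles`. Returns (kind, set_of_permissions)."""
    if "scp" in claims:
        return "delegated", set(claims["scp"].split())
    return "application", set(claims.get("roles", []))


def covered_by(permission):
    """The permission itself plus every weaker permission it implies."""
    return {permission} | IMPLIES.get(permission, set())


def audit(token, operations):
    kind, granted = granted_permissions(decode_claims(token))
    needed = set().union(*(REQUIRED[op] for op in operations))
    effective = set().union(*(covered_by(g) for g in granted))
    return {
        "kind": kind,
        # Calls that would be refused because nothing granted covers them.
        "missing": sorted(op for op in operations if not REQUIRED[op] & effective),
        # Granted permissions that no planned call needs at all.
        "unused": sorted(g for g in granted if not covered_by(g) & needed),
        # Grants stronger than necessary, mapped to the narrower permissions
        # that would satisfy the same calls.
        "broader_than_needed": {
            g: sorted(covered_by(g) & needed)
            for g in sorted(granted)
            if g not in needed and covered_by(g) & needed
        },
    }


def make_demo_token(claims):
    """Build an unsigned JWT-shaped string for offline testing. Constructed
    for this example; not a Microsoft-issued token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed delegated token: Mail.Send is never used, and
    # User.ReadWrite.All is broader than the read-only manager lookup needs.
    token = make_demo_token({
        "aud": "https://graph.microsoft.com",
        "scp": "User.Read User.ReadWrite.All Mail.Send",
    })
    print(json.dumps(audit(token, ["GET /me", "GET /users/{id}/manager"]), indent=2))
```

Run against a real token, the "broader_than_needed" entry is the one to act on at consent time: requesting User.Read.All instead of User.ReadWrite.All removes the ability to create or delete users and reset passwords that the page lists for the broader permission, without breaking any planned read.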

User Activity permissions

Delegated permissions

| Permission | Display String | Description | Admin Consent Required | Microsoft Account supported |
|---|---|---|---|---|
| UserActivity.ReadWrite.CreatedByApp | Read and write app activity to users' activity feed | Allows the app to read and report the signed-in user's activity in the app. | No | Yes |

Application permissions

None.

Remarks

UserActivity.ReadWrite.CreatedByApp is valid for both Microsoft accounts and work or school accounts.

The CreatedByApp constraint associated with this permission indicates the service will apply implicit filtering to results based on the identity of the calling app, either the MSA app id or a set of app ids configured for a cross-platform application identity.

Example usage

Delegated

  • UserActivity.ReadWrite.CreatedByApp: Get a list of recent unique user activities based on associated history items published in the last day (GET /me/activities/recent).
  • UserActivity.ReadWrite.CreatedByApp: Publish or update a user activity which may be resumed by the user of the application (PUT /me/activities/%2Farticle%3F12345).
  • UserActivity.ReadWrite.CreatedByApp: Publish or update a history item for a specified user activity in order to represent the period of user engagement (PUT /me/activities/{id}/historyItems/{id}).
  • UserActivity.ReadWrite.CreatedByApp: Delete a user activity in response to a user-initiated request or to remove invalid data (DELETE /me/activities/{id}).
  • UserActivity.ReadWrite.CreatedByApp: Delete a history item in response to a user-initiated request or to remove invalid data (DELETE /me/activities/{id}/historyItems/{id}).

权限方案Permission scenarios

本节介绍一些面向组织中 usergroup 资源的常见方案。这些表显示了应用执行方案要求的特定操作所需的权限。请注意,在某些情况下,应用执行特定操作的能力取决于权限是应用程序权限还是委派权限。如果是委派权限,应用的有效权限还将取决于组织内已登录用户的特权。有关详细信息,请参阅委派权限、应用程序权限和有效权限This section shows some common scenarios that target user and group resources in an organization. The tables show the permissions that an app needs to be able to perform specific operations required by the scenario. Note that in some cases the ability of the app to perform specific operations will depend on whether a permission is an application or delegated permission. In the case of delegated permissions, the app's effective permissions will also depend on the privileges of the signed-in user within the organization. For more information, see Delegated permissions, Application permissions, and effective permissions.

Access scenarios on the User resource

| App tasks involving User | Required permissions | Permission strings |
|---|---|---|
| App wants to read other users' basic information (only display name and picture), for example to show in a people picking experience | User.ReadBasic.All | Read all users' basic profiles |
| App wants to read the complete user profile for the signed-in user (see direct reports, manager, etc.) | User.Read | Enable sign-in and read user profile |
| App wants to read the complete user profile of all users | User.Read.All | Read all users' full profiles |
| App wants to read files, mail and calendar information for the signed-in user | User.Read, Files.Read, Mail.Read, Calendars.Read | Enable sign-in and read user profile, Read users' files, Read user mail, Read user calendars |
| App wants to read the signed-in user's (my) files and files that other users have shared with the signed-in user (me) | User.Read, Files.Read, Sites.Read.All | Enable sign-in and read user profile, Read users' files, Read items in all site collections |
| App wants to read and write the complete user profile for the signed-in user | User.ReadWrite | Read and write access to user profile |
| App wants to read and write the complete user profile of all users | User.ReadWrite.All | Read and write all users' full profiles |
| App wants to read and write files, mail and calendar information for the signed-in user | User.ReadWrite, Files.ReadWrite, Mail.ReadWrite, Calendars.ReadWrite | Read and write access to user profile, Read and write access to user profile, Read and write access to user mail, Have full access to user calendars |
| App wants to submit a data policy operation request to export a user's personal data | User.Export.All | Export a user's personal data |

Access scenarios on the Group resource

| App tasks involving Group | Required permissions | Permission strings |
|---|---|---|
| App wants to read basic group info (only display name and picture), for example to show in a group picking experience | Group.Read.All | Read all groups |
| App wants to read all content in all Office 365 groups, including files and conversations. It also needs to show group memberships and be able to update group memberships (if owner). | Group.Read.All | Read items in all site collections, Read all groups |
| App wants to read and write all content in all Office 365 groups, including files and conversations. It also needs to show group memberships and be able to update group memberships (if owner). | Group.ReadWrite.All, Sites.ReadWrite.All | Read and write all groups, Edit or delete items in all site collections |
| App wants to discover (find) an Office 365 group. It allows the user to search for a particular group and choose one from the enumerated list so that the user can join the group. | Group.ReadWrite.All | Read and write all groups |
| App wants to create a group through AAD Graph | Group.ReadWrite.All | Read and write all groups |
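As an added example (not Microsoft's code or documentation), the following Python encodes a few rows of the User and Group tables above and audits an app's requested scopes against them, reporting both scopes the scenario still lacks and scopes that are broader than it needs. It assumes that ReadWrite includes Read and ReadBasic and that the All and Shared constraints include the unconstrained form of the same permission; the scenario labels are constructed.

```python
from typing import Dict, List, Set, Tuple

# Scenario -> minimal permission set, copied from the two tables above
# (scenario labels are constructed for this example).
SCENARIOS: Dict[str, Set[str]] = {
    "people picker": {"User.ReadBasic.All"},
    "signed-in user profile": {"User.Read"},
    "signed-in user files, mail, calendar": {
        "User.Read", "Files.Read", "Mail.Read", "Calendars.Read"},
    "group picker": {"Group.Read.All"},
    "create a group": {"Group.ReadWrite.All"},
}

# Modelling assumption (not stated on the page): ReadBasic < Read < ReadWrite.
OPERATION_RANK = {"ReadBasic": 0, "Read": 1, "ReadWrite": 2}


def parse_permission(name: str) -> Tuple[str, str, str]:
    """Split 'User.ReadBasic.All' into (resource, operation, constraint)."""
    parts = name.split(".")
    if len(parts) not in (2, 3):
        raise ValueError(f"not a Graph permission name: {name!r}")
    # Constraint is '' for names like 'User.Read' that reach only the
    # signed-in user's own data.
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def covers(granted: str, needed: str) -> bool:
    """True if `granted` is at least as powerful as `needed` (assumption)."""
    g_res, g_op, g_con = parse_permission(granted)
    n_res, n_op, n_con = parse_permission(needed)
    if g_res != n_res:
        return False
    if g_op not in OPERATION_RANK or n_op not in OPERATION_RANK:
        return granted == needed  # Send, Export, ...: require an exact match
    # 'All' reaches every object in the directory and 'Shared' reaches the
    # user's own plus shared objects, so both include the unconstrained form.
    con_ok = g_con == n_con or (g_con in ("All", "Shared") and n_con == "")
    return con_ok and OPERATION_RANK[g_op] >= OPERATION_RANK[n_op]


def audit(scenario: str, requested: Set[str]) -> Dict[str, List[str]]:
    """Report scopes the scenario still lacks and scopes broader than it needs."""
    needed = SCENARIOS[scenario]
    missing = sorted(n for n in needed if not any(covers(r, n) for r in requested))
    excess = sorted(r for r in requested if not any(covers(n, r) for n in needed))
    return {"missing": missing, "excess": excess}
```

Running `audit("people picker", {"User.ReadWrite.All"})` flags the ReadWrite.All scope as excess, since the scenario only needs User.ReadBasic.All.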