Azure AD – Determine App Roles and Scope Permissions

Adding a new application in Azure AD using the portal can be done with a few clicks in the ‘App Registration’ blade. Adding API permissions to that application is not a big deal either, but when you are using PowerShell cmdlets like I did in this earlier blogpost, you will need to know App IDs, App Role IDs and Permission Scope IDs.

These IDs also play a critical role when using Terraform to deploy Azure AD applications, where the required_resource_access argument of the terraform azuread_application resource sets the permissions for the app being created.

While I was writing my earlier post on limiting Azure AD App Permissions to Specific mailboxes, I didn’t know how to get the App ID or the ID of the permissions I wanted to set for the application.

If you would like to see where these values live, you can check the manifest of any of your existing Azure AD applications.

[Screenshot: API permissions blade in Azure AD application]
[Screenshot: Manifest blade in Azure AD application]

Like I said earlier, if you are creating the app via the portal you may not need all this information, but when you go down the automation route these values play a vital role in setting up Azure AD applications properly.

Using the Azure CLI we can get a list of all Azure AD service principals. I used the ImportExcel PowerShell module to export the list of all App IDs,

Install-Module -Name ImportExcel

and the following lines produce an Excel sheet with all the AppID values:

$spList = az ad sp list --all
$spListObj = $spList | ConvertFrom-Json
$spListObj | Select appId, appDisplayName | Export-Excel -Path "C:\data\AppIDs.xlsx" -WorksheetName "AppIDs" -AutoSize

Below are some common application IDs for Microsoft resources. You can find an extensive list of all applications in the Excel sheet exported with the Azure CLI lines above.

Resource Name | Application ID
Azure Key Vault | cfa8b339-82a2-471a-a3c9-0fc0be7a4093
Microsoft Forms | c9a559d2-7aab-4f13-a6ed-e7e9c52aec87
Microsoft Graph | 00000003-0000-0000-c000-000000000000
Microsoft Intune | 0000000a-0000-0000-c000-000000000000
Microsoft Teams Services | cc15fd57-2c6c-4117-a88c-83b1d56b4bbe
Office 365 Exchange Online | 00000002-0000-0ff1-ce00-000000000000
Office 365 SharePoint Online | 00000003-0000-0ff1-ce00-000000000000
OneNote | 2d4d3d8e-2be3-4bef-9f87-7875a61c29de
Skype for Business Online | 00000004-0000-0ff1-ce00-000000000000

az ad sp is an Azure CLI command, not a PowerShell cmdlet. You’ll need to have the Azure CLI installed and run az login before running the script below.

# This AppID information can be obtained from the earlier script's output
$appid = Read-Host "Enter the App ID for the resource"

# Get Service Principals (Azure CLI prints JSON text; ConvertFrom-Json turns it into objects)
$spList = az ad sp list --all
$spListObj = $spList | ConvertFrom-Json

# Pick the service principal of the resource whose permissions we want
$SP = $spListObj | Where-Object { $_.appId -eq $appid } | Select-Object -First 1
if (-not $SP) { throw "No service principal found for App ID $appid" }

# The Microsoft Graph based Azure CLI (2.37 and later) returns oauth2PermissionScopes;
# older versions returned oauth2Permissions. Use whichever property is present.
$scopes = if ($SP.PSObject.Properties['oauth2PermissionScopes']) { $SP.oauth2PermissionScopes } else { $SP.oauth2Permissions }

$xlsx = "C:\Scripts\Get-AppRoles_PermissionScopeIDs\MSPermissions_$appid.xlsx"

# List of Application Roles (shown as "Application" permissions in the portal)
$SP.appRoles | Select-Object id, value, isEnabled, displayName, description | Export-Excel -Path $xlsx -WorksheetName "AppRoles" -AutoSize

# List of delegated scopes that need admin consent (type = Admin)
$scopes | Where-Object { $_.type -eq 'Admin' } | Sort-Object value | Select-Object id, value, isEnabled, type, adminConsentDisplayName, adminConsentDescription | Export-Excel -Path $xlsx -WorksheetName "ApplicationScopeIDs" -AutoSize

# List of delegated scopes a user can consent to themselves (type = User)
$scopes | Where-Object { $_.type -eq 'User' } | Sort-Object value | Select-Object id, value, isEnabled, type, userConsentDisplayName, userConsentDescription | Export-Excel -Path $xlsx -WorksheetName "DelegatedScopeIDs" -AutoSize

In the Azure AD portal, role permissions (the appRoles entries) are displayed as Application permissions and scope permissions (the OAuth2 permission scopes) are displayed as Delegated permissions.

Role permissions are written to the AppRoles worksheet. Scope permissions are written to the ApplicationScopeIDs and DelegatedScopeIDs worksheets. The ApplicationScopeIDs worksheet contains the delegated scopes that need admin consent, indicated by the column type=Admin, and the DelegatedScopeIDs worksheet contains the delegated scopes that need only user consent, indicated by type=User.
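As an added example (not code from the original post), here is a PowerShell helper that takes the same service principal JSON the scripts above pull from the Azure CLI and resolves permission names to the IDs that the manifest, az ad app permission add and Terraform's required_resource_access all expect. The function names, the embedded sample JSON and the delegated scope GUID 11111111-2222-3333-4444-555555555555 are constructed for this example; the two appRole IDs are the Microsoft Graph ones from the addendum below.

```powershell
# Added example, not from the original post. Resolves permission names to the
# GUIDs that the app manifest, az CLI and Terraform's required_resource_access
# expect, straight from the resource's service principal JSON.
# The JSON below is constructed for offline use: the two appRoles carry the
# Microsoft Graph IDs listed in this post; the delegated scope ID is a placeholder.
$sampleSpJson = @'
{
  "appId": "00000003-0000-0000-c000-000000000000",
  "appDisplayName": "Microsoft Graph",
  "appRoles": [
    { "id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "value": "Mail.Read", "isEnabled": true },
    { "id": "df021288-bdef-4463-88db-98f22de89214", "value": "User.Read.All", "isEnabled": true }
  ],
  "oauth2PermissionScopes": [
    { "id": "11111111-2222-3333-4444-555555555555", "value": "User.Read", "type": "User", "isEnabled": true }
  ]
}
'@

function Get-PermissionCatalog {
    # Flattens appRoles (portal: "Application") and OAuth2 scopes (portal: "Delegated")
    # into one list so both kinds can be looked up the same way.
    param([Parameter(Mandatory)] $ServicePrincipal)

    $catalog = [System.Collections.Generic.List[object]]::new()
    foreach ($r in $ServicePrincipal.appRoles) {
        $catalog.Add([pscustomobject]@{ Id = $r.id; Value = $r.value; Type = 'Role'; Consent = 'Admin'; Enabled = [bool]$r.isEnabled })
    }
    # Graph-based Azure CLI (2.37+) returns oauth2PermissionScopes; older versions returned oauth2Permissions
    $scopes = if ($ServicePrincipal.PSObject.Properties['oauth2PermissionScopes']) {
        $ServicePrincipal.oauth2PermissionScopes
    } else {
        $ServicePrincipal.oauth2Permissions
    }
    foreach ($s in $scopes) {
        $catalog.Add([pscustomobject]@{ Id = $s.id; Value = $s.value; Type = 'Scope'; Consent = $s.type; Enabled = [bool]$s.isEnabled })
    }
    return $catalog
}

function Resolve-PermissionId {
    # Returns the GUID for a permission name, failing loudly on typos, duplicates
    # or disabled entries instead of silently emitting an empty id.
    param(
        [Parameter(Mandatory)] $Catalog,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Role', 'Scope')] [string] $Type
    )
    # -ceq: permission values are matched case-sensitively, so "mail.read" is rejected
    $match = @($Catalog | Where-Object { $_.Value -ceq $Name -and $_.Type -eq $Type })
    if ($match.Count -ne 1) { throw "Expected exactly one $Type named '$Name', found $($match.Count)" }
    if (-not $match[0].Enabled) { throw "$Type '$Name' exists but is disabled on the resource" }
    return $match[0].Id
}

function New-RequiredResourceAccess {
    # Builds the requiredResourceAccess entry you see in the Manifest blade
    # (the same ids/types Terraform's required_resource_access block mirrors).
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [string[]] $Roles  = @(),
        [string[]] $Scopes = @()
    )
    $catalog = Get-PermissionCatalog -ServicePrincipal $ServicePrincipal
    $access = [System.Collections.Generic.List[object]]::new()
    foreach ($r in $Roles)  { $access.Add([pscustomobject]@{ id = (Resolve-PermissionId $catalog $r 'Role');  type = 'Role' }) }
    foreach ($s in $Scopes) { $access.Add([pscustomobject]@{ id = (Resolve-PermissionId $catalog $s 'Scope'); type = 'Scope' }) }
    return [pscustomobject]@{
        resourceAppId  = $ServicePrincipal.appId
        resourceAccess = $access.ToArray()
    }
}

$sp = $sampleSpJson | ConvertFrom-Json
# Live equivalent, after az login:
# $sp = az ad sp show --id 00000003-0000-0000-c000-000000000000 | ConvertFrom-Json

$rra = New-RequiredResourceAccess -ServicePrincipal $sp -Roles 'Mail.Read' -Scopes 'User.Read'
$rra | ConvertTo-Json -Depth 4            # manifest fragment: resourceAppId + resourceAccess[]
# Same values in the <id>=Role|Scope form that `az ad app permission add --api-permissions` takes
$rra.resourceAccess | ForEach-Object { "$($_.id)=$($_.type)" }
```

Resolving by name at deploy time, and throwing on a missing, duplicated or disabled entry, is deliberate: a hard-coded GUID with one wrong character silently requests nothing (or, worse, a different permission), whereas a name lookup against the resource's own catalog fails the run. The emitted fragment is also the natural place to review least privilege before it is applied, for example Mail.Read rather than Mail.ReadWrite when the app only needs to read.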

I’ve included the output of the script with AppID = 00000003-0000-0000-c000-000000000000 (MS Graph) at the end of this post. It might help you if you are in a hurry and just need the permission ID of a single role or permission scope. I hope this post helped you out in one way or another. 😁

Thank you for stopping by. ✌

Addendum – MS Graph Role Permissions and Permission Scope IDs

Role permissions

Role Name | ID | Admin Display Name
AccessReview.Read.All | d07a8cc0-3d51-4b77-b3b0-32704d1f69fa | Read all access reviews
AccessReview.ReadWrite.All | ef5f7d5c-338f-44b0-86c3-351f46c8bb5f | Manage all access reviews
AccessReview.ReadWrite.Membership | 18228521-a591-40f1-b215-5fad4488c117 | Manage access reviews for group and app memberships
AdministrativeUnit.Read.All | 134fd756-38ce-4afd-ba33-e9623dbe66c2 | Read all administrative units
AdministrativeUnit.ReadWrite.All | 5eb59dd3-1da2-4329-8733-9dabdc435916 | Read and write all administrative units
Agreement.Read.All | 2f3e6f8c-093b-4c57-a58b-ba5ce494a169 | Read all terms of use agreements
Agreement.ReadWrite.All | c9090d00-6101-42f0-a729-c41074260d47 | Read and write all terms of use agreements
AgreementAcceptance.Read.All | d8e4ec18-f6c0-4620-8122-c8b1f2bf400e | Read all terms of use acceptance statuses
APIConnectors.Read.All | b86848a7-d5b1-41eb-a9b4-54a4e6306e97 | Read API connectors for authentication flows
APIConnectors.ReadWrite.All | 1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171 | Read and write API connectors for authentication flows
AppCatalog.Read.All | e12dae10-5a57-4817-b79d-dfbec5348930 | Read all app catalogs
AppCatalog.ReadWrite.All | dc149144-f292-421e-b185-5953f2e98d7f | Read and write to all app catalogs
Application.Read.All | 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 | Read all applications
Application.ReadWrite.All | 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 | Read and write all applications
Application.ReadWrite.OwnedBy | 18a4783c-866b-4cc7-a460-3d5e5662c884 | Manage apps that this app creates or owns
AppRoleAssignment.ReadWrite.All | 06b708a9-e830-4db3-a914-8e69da51d44f | Manage app permission grants and app role assignments
AttackSimulation.Read.All | 93283d0a-6322-4fa8-966b-8c121624760d | Read attack simulation data of an organization
AuditLog.Read.All | b0afded3-3588-46d8-8b3d-9842eff778da | Read all audit log data
AuthenticationContext.Read.All | 381f742f-e1f8-4309-b4ab-e3d91ae4c5c1 | Read all authentication context information
AuthenticationContext.ReadWrite.All | a88eef72-fed0-4bf7-a2a9-f19df33f8b83 | Read and write all authentication context information
Bookings.Read.All | 6e98f277-b046-4193-a4f2-6bf6a78cd491 | Read all Bookings related resources.
BookingsAppointment.ReadWrite.All | 9769393e-5a9f-4302-9e3d-7e018ecb64a7 | Read and write all Bookings related resources.
Calendars.Read | 798ee544-9d2d-430c-a058-570e29e34338 | Read calendars in all mailboxes
Calendars.ReadWrite | ef54d2bf-783f-4e0f-bca1-3210c0444d99 | Read and write calendars in all mailboxes
CallRecord-PstnCalls.Read.All | a2611786-80b3-417e-adaa-707d4261a5f0 | Read PSTN and direct routing call log data
CallRecords.Read.All | 45bbb07e-7321-4fd7-a8f6-3ff27e6a81c8 | Read all call records
Calls.AccessMedia.All | a7a681dc-756e-4909-b988-f160edc6655f | Access media streams in a call as an app
Calls.Initiate.All | 284383ee-7f6e-4e40-a2a8-e85dcb029101 | Initiate outgoing 1 to 1 calls from the app
Calls.InitiateGroupCall.All | 4c277553-8a09-487b-8023-29ee378d8324 | Initiate outgoing group calls from the app
Calls.JoinGroupCall.All | f6b49018-60ab-4f81-83bd-22caeabfed2d | Join group calls and meetings as an app
Calls.JoinGroupCallAsGuest.All | fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4 | Join group calls and meetings as a guest
Channel.Create | f3a65bd4-b703-46df-8f7e-0174fea562aa | Create channels
Channel.Delete.All | 6a118a39-1227-45d4-af0c-ea7b40d210bc | Delete channels
Channel.ReadBasic.All | 59a6b24b-4225-4393-8165-ebaec5f55d7a | Read the names and descriptions of all channels
ChannelMember.Read.All | 3b55498e-47ec-484f-8136-9013221c06a9 | Read the members of all channels
ChannelMember.ReadWrite.All | 35930dcf-aceb-4bd1-b99a-8ffed403c974 | Add and remove members from all channels
ChannelMessage.Read.All | 7b2449af-6ccd-4f4d-9f78-e550c193f0d1 | Read all channel messages
ChannelMessage.UpdatePolicyViolation.All | 4d02b0cc-d90b-441f-8d82-4fb55c34d6bb | Flag channel messages for violating policy
ChannelSettings.Read.All | c97b873f-f59f-49aa-8a0e-52b32d762124 | Read the names, descriptions, and settings of all channels
ChannelSettings.ReadWrite.All | 243cded2-bd16-4fd6-a953-ff8177894c3d | Read and write the names, descriptions, and settings of all channels
Chat.Create | d9c48af6-9ad9-47ad-82c3-63757137b9af | Create chats
Chat.Read.All | 6b7d71aa-70aa-4810-a8d9-5d9fb2830017 | Read all chat messages
Chat.Read.WhereInstalled | 1c1b4c8e-3cc7-4c58-8470-9b92c9d5848b | Read all chat messages for chats where the associated Teams application is installed.
Chat.ReadBasic.All | b2e060da-3baf-4687-9611-f4ebc0f0cbde | Read names and members of all chat threads
Chat.ReadBasic.WhereInstalled | 818ba5bd-5b3e-4fe0-bbe6-aa4686669073 | Read names and members of all chat threads where the associated Teams application is installed.
Chat.ReadWrite.All | 294ce7c9-31ba-490a-ad7d-97a7d075e4ed | Read and write all chat messages
Chat.ReadWrite.WhereInstalled | ad73ce80-f3cd-40ce-b325-df12c33df713 | Read and write all chat messages for chats where the associated Teams application is installed.
Chat.UpdatePolicyViolation.All | 7e847308-e030-4183-9899-5235d7270f58 | Flag chat messages for violating policy
ChatMember.Read.All | a3410be2-8e48-4f32-8454-c29a7465209d | Read the members of all chats
ChatMember.Read.WhereInstalled | 93e7c9e4-54c5-4a41-b796-f2a5adaacda7 | Read the members of all chats where the associated Teams application is installed.
ChatMember.ReadWrite.All | 57257249-34ce-4810-a8a2-a03adf0c5693 | Add and remove members from all chats
ChatMember.ReadWrite.WhereInstalled | e32c2cd9-0124-4e44-88fc-772cd98afbdb | Add and remove members from all chats where the associated Teams application is installed.
ChatMessage.Read.All | b9bb2381-47a4-46cd-aafb-00cb12f68504 | Read all chat messages
CloudPC.Read.All | a9e09520-8ed4-4cde-838e-4fdea192c227 | Read Cloud PCs
CloudPC.ReadWrite.All | 3b4349e1-8cf5-45a3-95b7-69d1751d3e6a | Read and write Cloud PCs
ConsentRequest.Read.All | 1260ad83-98fb-4785-abbb-d6cc1806fd41 | Read all consent requests
ConsentRequest.ReadWrite.All | 9f1b81a7-0223-4428-bfa4-0bcb5535f27d | Read and write all consent requests
Contacts.Read | 089fe4d0-434a-44c5-8827-41ba8a0b17f5 | Read contacts in all mailboxes
Contacts.ReadWrite | 6918b873-d17a-4dc1-b314-35f528134491 | Read and write contacts in all mailboxes
CrossTenantInformation.ReadBasic.All | cac88765-0581-4025-9725-5ebc13f729ee | Read cross-tenant basic information
CrossTenantUserProfileSharing.Read.All | 8b919d44-6192-4f3d-8a3b-f86f8069ae3c | Read all shared cross-tenant user profiles and export their data
CrossTenantUserProfileSharing.ReadWrite.All | 306785c5-c09b-4ba0-a4ee-023f3da165cb | Read all shared cross-tenant user profiles and export or delete their data
CustomAuthenticationExtension.Read.All | 88bb2658-5d9e-454f-aacd-a3933e079526 | Read all custom authentication extensions
CustomAuthenticationExtension.ReadWrite.All | c2667967-7050-4e7e-b059-4cbbb3811d03 | Read and write all custom authentication extensions
CustomAuthenticationExtension.Receive.Payload | 214e810f-fda8-4fd7-a475-29461495eb00 | Receive custom authentication extension HTTP requests
CustomSecAttributeAssignment.Read.All | 3b37c5a4-1226-493d-bec3-5d6c6b866f3f | Read custom security attribute assignments
CustomSecAttributeAssignment.ReadWrite.All | de89b5e4-5b8f-48eb-8925-29c2b33bd8bd | Read and write custom security attribute assignments
CustomSecAttributeDefinition.Read.All | b185aa14-d8d2-42c1-a685-0f5596613624 | Read custom security attribute definitions
CustomSecAttributeDefinition.ReadWrite.All | 12338004-21f4-4896-bf5e-b75dfaf1016d | Read and write custom security attribute definitions
DelegatedAdminRelationship.Read.All | f6e9e124-4586-492f-adc0-c6f96e4823fd | Read Delegated Admin relationships with customers
DelegatedAdminRelationship.ReadWrite.All | cc13eba4-8cd8-44c6-b4d4-f93237adce58 | Manage Delegated Admin relationships with customers
DelegatedPermissionGrant.ReadWrite.All | 8e8e4742-1d95-4f68-9d56-6ee75648c72a | Manage all delegated permission grants
Device.Read.All | 7438b122-aefc-4978-80ed-43db9fcc7715 | Read all devices
Device.ReadWrite.All | 1138cb37-bd11-4084-a2b7-9f71582aeddb | Read and write devices
DeviceManagementApps.Read.All | 7a6ee1e7-141e-4cec-ae74-d9db155731ff | Read Microsoft Intune apps
DeviceManagementApps.ReadWrite.All | 78145de6-330d-4800-a6ce-494ff2d33d07 | Read and write Microsoft Intune apps
DeviceManagementConfiguration.Read.All | dc377aa6-52d8-4e23-b271-2a7ae04cedf3 | Read Microsoft Intune device configuration and policies
DeviceManagementConfiguration.ReadWrite.All | 9241abd9-d0e6-425a-bd4f-47ba86e767a4 | Read and write Microsoft Intune device configuration and policies
DeviceManagementManagedDevices.PrivilegedOperations.All | 5b07b0dd-2377-4e44-a38d-703f09a0dc3c | Perform user-impacting remote actions on Microsoft Intune devices
DeviceManagementManagedDevices.Read.All | 2f51be20-0bb4-4fed-bf7b-db946066c75e | Read Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All | 243333ab-4d21-40cb-a475-36241daa0842 | Read and write Microsoft Intune devices
DeviceManagementRBAC.Read.All | 58ca0d9a-1575-47e1-a3cb-007ef2e4583b | Read Microsoft Intune RBAC settings
DeviceManagementRBAC.ReadWrite.All | e330c4f0-4170-414e-a55a-2f022ec2b57b | Read and write Microsoft Intune RBAC settings
DeviceManagementServiceConfig.Read.All | 06a5fe6d-c49d-46a7-b082-56b1b14103c7 | Read Microsoft Intune configuration
DeviceManagementServiceConfig.ReadWrite.All | 5ac13192-7ace-4fcf-b828-1a26f28068ee | Read and write Microsoft Intune configuration
Directory.Read.All | 7ab1d382-f21e-4acd-a863-ba3e13f7da61 | Read directory data
Directory.ReadWrite.All | 19dbc75e-c2e2-444c-a770-ec69d8559fc7 | Read and write directory data
Directory.Write.Restricted | f20584af-9290-4153-9280-ff8bb2c0ea7f | Manage restricted resources in the directory
DirectoryRecommendations.Read.All | ae73097b-cb2a-4447-b064-5d80f6093921 | Read all Azure AD recommendations
DirectoryRecommendations.ReadWrite.All | 0e9eea12-4f01-45f6-9b8d-3ea4c8144158 | Read and update all Azure AD recommendations
Domain.Read.All | dbb9058a-0e50-45d7-ae91-66909b5d4664 | Read domains
Domain.ReadWrite.All | 7e05723c-0bb0-42da-be95-ae9f08a6e53c | Read and write domains
eDiscovery.Read.All | 50180013-6191-4d1e-a373-e590ff4e66af | Read all eDiscovery objects
eDiscovery.ReadWrite.All | b2620db1-3bf7-4c5b-9cb9-576d29eac736 | Read and write all eDiscovery objects
EduAdministration.Read.All | 7c9db06a-ec2d-4e7b-a592-5a1e30992566 | Read Education app settings
EduAdministration.ReadWrite.All | 9bc431c3-b8bc-4a8d-a219-40f10f92eff6 | Manage education app settings
EduAssignments.Read.All | 4c37e1b6-35a1-43bf-926a-6f30f2cdf585 | Read class assignments with grades
EduAssignments.ReadBasic.All | 6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e | Read class assignments without grades
EduAssignments.ReadWrite.All | 0d22204b-6cad-4dd0-8362-3e3f2ae699d9 | Read and write class assignments with grades
EduAssignments.ReadWriteBasic.All | f431cc63-a2de-48c4-8054-a34bc093af84 | Read and write class assignments without grades
EduRoster.Read.All | e0ac9e1b-cb65-4fc5-87c5-1a8bc181f648 | Read the organization’s roster
EduRoster.ReadBasic.All | 0d412a8c-a06c-439f-b3ec-8abcf54d2f96 | Read a limited subset of the organization’s roster
EduRoster.ReadWrite.All | d1808e82-ce13-47af-ae0d-f9b254e6d58a | Read and write the organization’s roster
EntitlementManagement.Read.All | c74fd47d-ed3c-45c3-9a9e-b8676de685d2 | Read all entitlement management resources
EntitlementManagement.ReadWrite.All | 9acd699f-1e81-4958-b001-93b1d2506e19 | Read and write all entitlement management resources
EventListener.Read.All | b7f6385c-6ce6-4639-a480-e23c42ed9784 | Read all authentication event listeners
EventListener.ReadWrite.All | 0edf5e9e-4ce8-468a-8432-d08631d18c43 | Read and write all authentication event listeners
ExternalConnection.Read.All | 1914711b-a1cb-4793-b019-c2ce0ed21b8c | Read all external connections
ExternalConnection.ReadWrite.All | 34c37bc0-2b40-4d5e-85e1-2365cd256d79 | Read and write all external connections
ExternalConnection.ReadWrite.OwnedBy | f431331c-49a6-499f-be1c-62af19c34a9d | Read and write external connections
ExternalItem.Read.All | 7a7cffad-37d2-4f48-afa4-c6ab129adcc2 | Read all external items
ExternalItem.ReadWrite.All | 38c3d6ee-69ee-422f-b954-e17819665354 | Read and write items in external datasets
ExternalItem.ReadWrite.OwnedBy | 8116ae0f-55c2-452d-9944-d18420f5b2c8 | Read and write external items
Files.Read.All | 01d4889c-1287-42c6-ac1f-5d1e02578ef6 | Read files in all site collections
Files.ReadWrite.All | 75359482-378d-4052-8f01-80520e7db3cd | Read and write files in all site collections
Group.Create | bf7b1a76-6e77-406b-b258-bf5c7720e98f | Create groups
Group.Read.All | 5b567255-7703-4780-807c-7be8301ae99b | Read all groups
Group.ReadWrite.All | 62a82d76-70ea-41e2-9197-370581804d09 | Read and write all groups
GroupMember.Read.All | 98830695-27a2-44f7-8c18-0c3ebc9698f6 | Read all group memberships
GroupMember.ReadWrite.All | dbaae8cf-10b5-4b86-a4a1-f871c94c6695 | Read and write all group memberships
IdentityProvider.Read.All | e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0 | Read identity providers
IdentityProvider.ReadWrite.All | 90db2b9a-d928-4d33-a4dd-8442ae3d41e4 | Read and write identity providers
IdentityRiskEvent.Read.All | 6e472fd1-ad78-48da-a0f0-97ab2c6b769e | Read all identity risk event information
IdentityRiskEvent.ReadWrite.All | db06fb33-1953-4b7b-a2ac-f1e2c854f7ae | Read and write all risk detection information
IdentityRiskyServicePrincipal.Read.All | 607c7344-0eed-41e5-823a-9695ebe1b7b0 | Read all identity risky service principal information
IdentityRiskyServicePrincipal.ReadWrite.All | cb8d6980-6bcb-4507-afec-ed6de3a2d798 | Read and write all identity risky service principal information
IdentityRiskyUser.Read.All | dc5007c0-2d7d-4c42-879c-2dab87571379 | Read all identity risky user information
IdentityRiskyUser.ReadWrite.All | 656f6061-f9fe-4807-9708-6a2e0934df76 | Read and write all risky user information
IdentityUserFlow.Read.All | 1b0c317f-dd31-4305-9932-259a8b6e8099 | Read all identity user flows
IdentityUserFlow.ReadWrite.All | 65319a09-a2be-469d-8782-f6b07debf789 | Read and write all identity user flows
InformationProtectionContent.Sign.All | cbe6c7e4-09aa-4b8d-b3c3-2dbb59af4b54 | Sign digests for data
InformationProtectionContent.Write.All | 287bd98c-e865-4e8c-bade-1a85523195b9 | Create protected content
InformationProtectionPolicy.Read.All | 19da66cb-0fb0-4390-b071-ebc76a349482 | Read all published labels and label policies for an organization.
LearningContent.Read.All | 8740813e-d8aa-4204-860e-2a0f8f84dbc8 | Read all learning content
LearningContent.ReadWrite.All | 444d6fcb-b738-41e5-b103-ac4f2a2628a3 | Manage all learning content
LicenseAssignment.ReadWrite.All | 5facf0c1-8979-4e95-abcf-ff3d079771c0 | Manage all license assignments
LifecycleWorkflows.Read.All | 7c67316a-232a-4b84-be22-cea2c0906404 | Read all lifecycle workflows resources
LifecycleWorkflows.ReadWrite.All | 5c505cf4-8424-4b8e-aa14-ee06e3bb23e3 | Read and write all lifecycle workflows resources
Mail.Read | 810c84a8-4a9e-49e6-bf7d-12d183f40d01 | Read mail in all mailboxes
Mail.ReadBasic | 6be147d2-ea4f-4b5a-a3fa-3eab6f3c140a | Read basic mail in all mailboxes
Mail.ReadBasic.All | 693c5e45-0940-467d-9b8a-1022fb9d42ef | Read basic mail in all mailboxes
Mail.ReadWrite | e2a3a72e-5f79-4c64-b1b1-878b674786c9 | Read and write mail in all mailboxes
Mail.Send | b633e1c5-b582-4048-a93e-9f11b44c7e96 | Send mail as any user
MailboxSettings.Read | 40f97065-369a-49f4-947c-6a255697ae91 | Read all user mailbox settings
MailboxSettings.ReadWrite | 6931bccd-447a-43d1-b442-00a195474933 | Read and write all user mailbox settings
Member.Read.Hidden | 658aa5d8-239f-45c4-aa12-864f4fc7e490 | Read all hidden memberships
Notes.Read.All | 3aeca27b-ee3a-4c2b-8ded-80376e2134a4 | Read all OneNote notebooks
Notes.ReadWrite.All | 0c458cef-11f3-48c2-a568-c66751c238c0 | Read and write all OneNote notebooks
OnlineMeetingArtifact.Read.All | df01ed3b-eb61-4eca-9965-6b3d789751b2 | Read online meeting artifacts
OnlineMeetingRecording.Read.All | a4a08342-c95d-476b-b943-97e100569c8d | Read all recordings of online meetings.
OnlineMeetings.Read.All | c1684f21-1984-47fa-9d61-2dc8c296bb70 | Read online meeting details
OnlineMeetings.ReadWrite.All | b8bb2037-6e08-44ac-a4ea-4674e010e2a4 | Read and create online meetings
OnlineMeetingTranscript.Read.All | a4a80d8d-d283-4bd8-8504-555ec3870630 | Read all transcripts of online meetings.
OnPremisesPublishingProfiles.ReadWrite.All | 0b57845e-aa49-4e6f-8109-ce654fffa618 | Manage on-premises published resources
Organization.Read.All | 498476ce-e0fe-48b0-b801-37ba7e2685c6 | Read organization information
Organization.ReadWrite.All | 292d869f-3427-49a8-9dab-8c70152b74e9 | Read and write organization information
OrgContact.Read.All | e1a88a34-94c4-4418-be12-c87b00e26bea | Read organizational contacts
People.Read.All | b528084d-ad10-4598-8b93-929746b4d7d6 | Read all users’ relevant people lists
Place.Read.All | 913b9306-0ce1-42b8-9137-6a7df690a760 | Read all company places
Policy.Read.All | 246dd0d5-5bd0-4def-940b-0421030a5b68 | Read your organization’s policies
Policy.Read.ConditionalAccess | 37730810-e9ba-4e46-b07e-8ca78d182097 | Read your organization’s conditional access policies
Policy.Read.PermissionGrant | 9e640839-a198-48fb-8b9a-013fd6f6cbcd | Read consent and permission grant policies
Policy.ReadWrite.AccessReview | 77c863fd-06c0-47ce-a7eb-49773e89d319 | Read and write your organization’s directory access review default policy
Policy.ReadWrite.ApplicationConfiguration | be74164b-cff1-491c-8741-e671cb536e13 | Read and write your organization’s application configuration policies
Policy.ReadWrite.AuthenticationFlows | 25f85f3c-f66c-4205-8cd5-de92dd7f0cec | Read and write authentication flow policies
Policy.ReadWrite.AuthenticationMethod | 29c18626-4985-4dcd-85c0-193eef327366 | Read and write all authentication method policies
Policy.ReadWrite.Authorization | fb221be6-99f2-473f-bd32-01c6a0e9ca3b | Read and write your organization’s authorization policy
Policy.ReadWrite.ConditionalAccess | 01c0a623-fc9b-48e9-b794-0756f8e8f067 | Read and write your organization’s conditional access policies
Policy.ReadWrite.ConsentRequest | 999f8c63-0a38-4f1b-91fd-ed1947bdd1a9 | Read and write your organization’s consent request policy
Policy.ReadWrite.CrossTenantAccess | 338163d7-f101-4c92-94ba-ca46fe52447c | Read and write your organization’s cross tenant access policies
Policy.ReadWrite.FeatureRollout | 2044e4f1-e56c-435b-925c-44cd8f6ba89a | Read and write feature rollout policies
Policy.ReadWrite.PermissionGrant | a402ca1c-2696-4531-972d-6e5ee4aa11ea | Manage consent and permission grant policies
Policy.ReadWrite.TrustFramework | 79a677f7-b79d-40d0-a36a-3e6f8688dd7a | Read and write your organization’s trust framework policies
Presence.ReadWrite.All | 83cded22-8297-4ff6-a7fa-e97e9545a259 | Read and write presence information for all users
Printer.Read.All | 9709bb33-4549-49d4-8ed9-a8f65e45bb0f | Read printers
Printer.ReadWrite.All | f5b3f73d-6247-44df-a74c-866173fddab0 | Read and update printers
PrintJob.Manage.All | 58a52f47-9e36-4b17-9ebe-ce4ef7f3e6c8 | Perform advanced operations on print jobs
PrintJob.Read.All | ac6f956c-edea-44e4-bd06-64b1b4b9aec9 | Read print jobs
PrintJob.ReadBasic.All | fbf67eee-e074-4ef7-b965-ab5ce1c1f689 | Read basic information for print jobs
PrintJob.ReadWrite.All | 5114b07b-2898-4de7-a541-53b0004e2e13 | Read and write print jobs
PrintJob.ReadWriteBasic.All | 57878358-37f4-4d3a-8c20-4816e0d457b1 | Read and write basic information for print jobs
PrintSettings.Read.All | b5991872-94cf-4652-9765-29535087c6d8 | Read tenant-wide print settings
PrintTaskDefinition.ReadWrite.All | 456b71a7-0ee0-4588-9842-c123fcc8f664 | Read, write and update print task definitions
PrivilegedAccess.Read.AzureAD | 4cdc2547-9148-4295-8d11-be0db1391d6b | Read privileged access to Azure AD roles
PrivilegedAccess.Read.AzureADGroup | 01e37dc9-c035-40bd-b438-b2879c4870a6 | Read privileged access to Azure AD groups
PrivilegedAccess.Read.AzureResources | 5df6fe86-1be0-44eb-b916-7bd443a71236 | Read privileged access to Azure resources
PrivilegedAccess.ReadWrite.AzureAD | 854d9ab1-6657-4ec8-be45-823027bcd009 | Read and write privileged access to Azure AD roles
PrivilegedAccess.ReadWrite.AzureADGroup | 2f6817f8-7b12-4f0f-bc18-eeaf60705a9e | Read and write privileged access to Azure AD groups
PrivilegedAccess.ReadWrite.AzureResources | 6f9d5abc-2db6-400b-a267-7de22a40fb87 | Read and write privileged access to Azure resources
ProgramControl.Read.All | eedb7fdd-7539-4345-a38b-4839e4a84cbd | Read all programs
ProgramControl.ReadWrite.All | 60a901ed-09f7-4aa5-a16e-7dd3d6f9de36 | Manage all programs
RecordsManagement.Read.All | ac3a2b8e-03a3-4da9-9ce0-cbe28bf1accd | Read Records Management configuration, labels and policies
RecordsManagement.ReadWrite.All | eb158f57-df43-4751-8b21-b8932adb3d34 | Read and write Records Management configuration, labels and policies
Reports.Read.All | 230c1aed-a721-4c5d-9cb4-a90514e508ef | Read all usage reports
ReportSettings.Read.All | ee353f83-55ef-4b78-82da-555bfa2b4b95 | Read all admin report settings
ReportSettings.ReadWrite.All | 2a60023f-3219-47ad-baa4-40e17cd02a1d | Read and write all admin report settings
RoleManagement.Read.All | c7fbd983-d9aa-4fa7-84b8-17382c103bc4 | Read role management data for all RBAC providers
RoleManagement.Read.CloudPC | 031a549a-bb80-49b6-8032-2068448c6a3c | Read Cloud PC RBAC settings
RoleManagement.Read.Directory | 483bed4a-2ad3-4361-a73b-c83ccdbdc53c | Read all directory RBAC settings
RoleManagement.ReadWrite.CloudPC | 274d0592-d1b6-44bd-af1d-26d259bcb43a | Read and write all Cloud PC RBAC settings
RoleManagement.ReadWrite.Directory | 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 | Read and write all directory RBAC settings
Schedule.Read.All | 7b2ebf90-d836-437f-b90d-7b62722c4456 | Read all schedule items
Schedule.ReadWrite.All | b7760610-0545-4e8a-9ec3-cce9e63db01c | Read and write all schedule items
SearchConfiguration.Read.All | ada977a5-b8b1-493b-9a91-66c206d76ecf | Read your organization’s search configuration
SearchConfiguration.ReadWrite.All | 0e778b85-fefa-466d-9eec-750569d92122 | Read and write your organization’s search configuration
SecurityActions.Read.All | 5e0edab9-c148-49d0-b423-ac253e121825 | Read your organization’s security actions
SecurityActions.ReadWrite.All | f2bf083f-0179-402a-bedb-b2784de8a49b | Read and update your organization’s security actions
SecurityAlert.Read.All | 472e4a4d-bb4a-4026-98d1-0b0d74cb74a5 | Read all security alerts
SecurityAlert.ReadWrite.All | ed4fca05-be46-441f-9803-1873825f8fdb | Read and write to all security alerts
SecurityEvents.Read.All | bf394140-e372-4bf9-a898-299cfc7564e5 | Read your organization’s security events
SecurityEvents.ReadWrite.All | d903a879-88e0-4c09-b0c9-82f6a1333f84 | Read and update your organization’s security events
SecurityIncident.Read.All | 45cc0394-e837-488b-a098-1918f48d186c | Read all security incidents
SecurityIncident.ReadWrite.All | 34bf0e97-1971-4929-b999-9e2442d941d7 | Read and write to all security incidents
ServiceHealth.Read.All | 79c261e0-fe76-4144-aad5-bdc68fbe4037 | Read service health
ServiceMessage.Read.All | 1b620472-6534-4fe6-9df2-4680e8aa28ec | Read service messages
ServicePrincipalEndpoint.Read.All | 5256681e-b7f6-40c0-8447-2d9db68797a0 | Read service principal endpoints
ServicePrincipalEndpoint.ReadWrite.All | 89c8469c-83ad-45f7-8ff2-6e3d4285709e | Read and update service principal endpoints
SharePointTenantSettings.Read.All | 83d4163d-a2d8-4d3b-9695-4ae3ca98f888 | Read SharePoint and OneDrive tenant settings
SharePointTenantSettings.ReadWrite.All | 19b94e34-907c-4f43-bde9-38b1909ed408 | Read and change SharePoint and OneDrive tenant settings
ShortNotes.Read.All | 0c7d31ec-31ca-4f58-b6ec-9950b6b0de69 | Read all users’ short notes
ShortNotes.ReadWrite.All | 842c284c-763d-4a97-838d-79787d129bab | Read, create, edit, and delete all users’ short notes
Sites.FullControl.All | a82116e5-55eb-4c41-a434-62fe8a61c773 | Have full control of all site collections
Sites.Manage.All | 0c0bf378-bf22-4481-8f81-9e89a9b4960a | Create, edit, and delete items and lists in all site collections
Sites.Read.All | 332a536c-c7ef-4017-ab91-336970924f0d | Read items in all site collections
Sites.ReadWrite.All | 9492366f-7969-46a4-8d15-ed1a20078fff | Read and write items in all site collections
Sites.Selected | 883ea226-0bf2-4a8f-9f9d-92c9162a727d | Access selected site collections
SubjectRightsRequest.Read.All | ee1460f0-368b-4153-870a-4e1ca7e72c42 | Read all subject rights requests
SubjectRightsRequest.ReadWrite.All | 8387eaa4-1a3c-41f5-b261-f888138e6041 | Read and write all subject rights requests
Tasks.Read.All | f10e1f91-74ed-437f-a6fd-d6ae88e26c1f | Read all users’ tasks and tasklists
Tasks.ReadWrite.All | 44e666d1-d276-445b-a5fc-8815eeb81d55 | Read and write all users’ tasks and tasklists
Team.Create | 23fc2474-f741-46ce-8465-674744c5c361 | Create teams
Team.ReadBasic.All | 2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e | Get a list of all teams
TeamMember.Read.All | 660b7406-55f1-41ca-a0ed-0b035e182f3e | Read the members of all teams
TeamMember.ReadWrite.All | 0121dc95-1b9f-4aed-8bac-58c5ac466691 | Add and remove members from all teams
TeamMember.ReadWriteNonOwnerRole.All | 4437522e-9a86-4a41-a7da-e380edd4a97d | Add and remove members with non-owner role for all teams
TeamsActivity.Read.All | 70dec828-f620-4914-aa83-a29117306807 | Read all users’ teamwork activity feed
TeamsActivity.Send | a267235f-af13-44dc-8385-c1dc93023186 | Send a teamwork activity to any user
TeamsAppInstallation.ReadForChat.All | cc7e7635-2586-41d6-adaa-a8d3bcad5ee5 | Read installed Teams apps for all chats
TeamsAppInstallation.ReadForTeam.All | 1f615aea-6bf9-4b05-84bd-46388e138537 | Read installed Teams apps for all teams
TeamsAppInstallation.ReadForUser.All | 9ce09611-f4f7-4abd-a629-a05450422a97 | Read installed Teams apps for all users
TeamsAppInstallation.ReadWriteForChat.All | 9e19bae1-2623-4c4f-ab6e-2664615ff9a0 | Manage Teams apps for all chats
TeamsAppInstallation.ReadWriteForTeam.All | 5dad17ba-f6cc-4954-a5a2-a0dcc95154f0 | Manage Teams apps for all teams
TeamsAppInstallation.ReadWriteForUser.All | 74ef0291-ca83-4d02-8c7e-d2391e6a444f | Manage Teams apps for all users
TeamsAppInstallation.ReadWriteSelfForChat.All | 73a45059-f39c-4baf-9182-4954ac0e55cf | Allow the Teams app to manage itself for all chats
TeamsAppInstallation.ReadWriteSelfForTeam.All | 9f67436c-5415-4e7f-8ac1-3014a7132630 | Allow the Teams app to manage itself for all teams
TeamsAppInstallation.ReadWriteSelfForUser.All | 908de74d-f8b2-4d6b-a9ed-2a17b3b78179 | Allow the app to manage itself for all users
TeamSettings.Read.All | 242607bd-1d2c-432c-82eb-bdb27baa23ab | Read all teams’ settings
TeamSettings.ReadWrite.All | bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f | Read and change all teams’ settings
TeamsTab.Create | 49981c42-fd7b-4530-be03-e77b21aed25e | Create tabs in Microsoft Teams.
TeamsTab.Read.All | 46890524-499a-4bb2-ad64-1476b4f3e1cf | Read tabs in Microsoft Teams.
TeamsTab.ReadWrite.All | a96d855f-016b-47d7-b51c-1218a98d791c | Read and write tabs in Microsoft Teams.
TeamsTab.ReadWriteForChat.All | fd9ce730-a250-40dc-bd44-8dc8d20f39ea | Allow the Teams app to manage all tabs for all chats
TeamsTab.ReadWriteForTeam.All | 6163d4f4-fbf8-43da-a7b4-060fe85ed148 | Allow the Teams app to manage all tabs for all teams
TeamsTab.ReadWriteForUser.All | 425b4b59-d5af-45c8-832f-bb0b7402348a | Allow the app to manage all tabs for all users
TeamsTab.ReadWriteSelfForChat.All | 9f62e4a2-a2d6-4350-b28b-d244728c4f86 | Allow the Teams app to manage only its own tabs for all chats
TeamsTab.ReadWriteSelfForTeam.All | 91c32b81-0ef0-453f-a5c7-4ce2e562f449 | Allow the Teams app to manage only its own tabs for all teams
TeamsTab.ReadWriteSelfForUser.All | 3c42dec6-49e8-4a0a-b469-36cff0d9da93 | Allow the Teams app to manage only its own tabs for all users
Teamwork.Migrate.All | dfb0dd15-61de-45b2-be36-d6a69fba3c79 | Create chat and channel messages with anyone’s identity and with any timestamp
TeamworkAppSettings.Read.All | 475ebe88-f071-4bd7-af2b-642952bd4986 | Read Teams app settings
TeamworkAppSettings.ReadWrite.All | ab5b445e-8f10-45f4-9c79-dd3f8062cc4e | Read and write Teams app settings
TeamworkDevice.Read.All | 0591bafd-7c1c-4c30-a2a5-2b9aacb1dfe8 | Read Teams devices
TeamworkDevice.ReadWrite.All | 79c02f5b-bd4f-4713-bc2c-a8a4a66e127b | Read and write Teams devices
TeamworkTag.Read.All | b74fd6c4-4bde-488e-9695-eeb100e4907f | Read tags in Teams
TeamworkTag.ReadWrite.All | a3371ca5-911d-46d6-901c-42c8c7a937d8 | Read and write tags in Teams
TermStore.Read.All | ea047cc2-df29-4f3e-83a3-205de61501ca | Read all term store data
TermStore.ReadWrite.All | f12eb8d6-28e3-46e6-b2c0-b7e4dc69fc95 | Read and write all term store data
ThreatAssessment.Read.All | f8f035bb-2cce-47fb-8bf5-7baf3ecbee48 | Read threat assessment requests
ThreatHunting.Read.All | dd98c7f5-2d42-42d3-a0e4-633161547251 | Run hunting queries
ThreatIndicators.Read.All | 197ee4e9-b993-4066-898f-d6aecc55125b | Read all threat indicators
ThreatIndicators.ReadWrite.OwnedBy | 21792b6c-c986-4ffc-85de-df9da54b52fa | Manage threat indicators this app creates or owns
ThreatSubmission.Read.All | 86632667-cd15-4845-ad89-48a88e8412e1 | Read all of the organization’s threat submissions
ThreatSubmission.ReadWrite.All | d72bdbf4-a59b-405c-8b04-5995895819ac | Read and write all of the organization’s threat submissions
ThreatSubmissionPolicy.ReadWrite.All | 926a6798-b100-4a20-a22f-a4918f13951d | Read and write all of the organization’s threat submission policies
TrustFrameworkKeySet.Read.All | fff194f1-7dce-4428-8301-1badb5518201 | Read trust framework key sets
TrustFrameworkKeySet.ReadWrite.All | 4a771c9a-1cf2-4609-b88e-3d3e02d539cd | Read and write trust framework key sets
User.Export.All | 405a51b5-8d8d-430b-9842-8be4b0e9f324 | Export user’s data
User.Invite.All | 09850681-111b-4a89-9bed-3f2cae46d706 | Invite guest users to the organization
User.ManageIdentities.All | c529cfca-c91b-489c-af2b-d92990b66ce6 | Manage all users’ identities
User.Read.All | df021288-bdef-4463-88db-98f22de89214 | Read all users’ full profiles
User.ReadWrite.All | 741f803b-c850-494e-b5df-cde7c675a1ca | Read and write all users’ full profiles
UserAuthenticationMethod.Read.All | 38d9df27-64da-44fd-b7c5-a6fbac20248f | Read all users’ authentication methods
UserAuthenticationMethod.ReadWrite.All | 50483e42-d915-4231-9639-7fdb7fd190e5 | Read and write all users’ authentication methods
UserNotification.ReadWrite.CreatedByApp | 4e774092-a092-48d1-90bd-baad67c7eb47 | Deliver and manage all user’s notifications
UserShiftPreferences.Read.All | de023814-96df-4f53-9376-1e2891ef5a18 | Read all user shift preferences
UserShiftPreferences.ReadWrite.All | d1eec298-80f3-49b0-9efb-d90e224798ac | Read and write all user shift preferences
WindowsUpdates.ReadWrite.All | 7dd1be58-6e76-4401-bf8d-31d1e8180d5b | Read and write all Windows update deployment settings
WorkforceIntegration.ReadWrite.All202bf709-e8e6-478e-bcfd-5d63c50b68e3Read and write workforce integrations

Scope permissions

| Scope Name | ID | Type | Display Name |
|---|---|---|---|
| AccessReview.Read.All | ebfcd32b-babb-40f4-a14b-42706e83bd28 | Admin | Read all access reviews that user can access |
| AccessReview.ReadWrite.All | e4aa47b9-9a69-4109-82ed-36ec70d85ff1 | Admin | Manage all access reviews that user can access |
| AccessReview.ReadWrite.Membership | 5af8c3f5-baca-439a-97b0-ea58a435e269 | Admin | Manage access reviews for group and app memberships |
| AdministrativeUnit.Read.All | 3361d15d-be43-4de6-b441-3c746d05163d | Admin | Read administrative units |
| AdministrativeUnit.ReadWrite.All | 7b8a2d34-6b3f-4542-a343-54651608ad81 | Admin | Read and write administrative units |
| Agreement.Read.All | af2819c9-df71-4dd3-ade7-4d7c9dc653b7 | Admin | Read all terms of use agreements |
| Agreement.ReadWrite.All | ef4b5d93-3104-4664-9053-a5c49ab44218 | Admin | Read and write all terms of use agreements |
| AgreementAcceptance.Read | 0b7643bb-5336-476f-80b5-18fbfbc91806 | Admin | Read user terms of use acceptance statuses |
| AgreementAcceptance.Read.All | a66a5341-e66e-4897-9d52-c2df58c2bfb9 | Admin | Read terms of use acceptance statuses that user can access |
| APIConnectors.Read.All | 1b6ff35f-31df-4332-8571-d31ea5a4893f | Admin | Read API connectors for authentication flows |
| APIConnectors.ReadWrite.All | c67b52c5-7c69-48b6-9d48-7b3af3ded914 | Admin | Read and write API connectors for authentication flows |
| AppCatalog.ReadWrite.All | 1ca167d5-1655-44a1-8adf-1414072e1ef9 | Admin | Read and write to all app catalogs |
| Application.Read.All | c79f8feb-a9db-4090-85f9-90d820caa0eb | Admin | Read applications |
| Application.ReadWrite.All | bdfbf15f-ee85-4955-8675-146e8e5296b5 | Admin | Read and write all applications |
| AppRoleAssignment.ReadWrite.All | 84bccea3-f856-4a8a-967b-dbe0a3d53a64 | Admin | Manage app permission grants and app role assignments |
| Approval.Read.All | 1196552e-b226-4363-b01e-b8901fe10a11 | Admin | Read approvals |
| Approval.ReadWrite.All | 1d3d0bc7-4b3a-427a-ae9f-6de4e1edc95f | Admin | Read and write approvals |
| AttackSimulation.Read.All | 104a7a4b-ca76-4677-b7e7-2f4bc482f381 | Admin | Read attack simulation data of an organization |
| AuditLog.Read.All | e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20 | Admin | Read audit log data |
| AuthenticationContext.Read.All | 57b030f1-8c35-469c-b0d9-e4a077debe70 | Admin | Read all authentication context information |
| AuthenticationContext.ReadWrite.All | ba6d575a-1344-4516-b777-1404f5593057 | Admin | Read and write all authentication context information |
| BitlockerKey.Read.All | b27a61ec-b99c-4d6a-b126-c4375d08ae30 | Admin | Read BitLocker keys |
| BitlockerKey.ReadBasic.All | 5a107bfc-4f00-4e1a-b67e-66451267bc68 | Admin | Read BitLocker keys basic information |
| Channel.Create | 101147cf-4178-4455-9d58-02b5c164e759 | Admin | Create channels |
| Channel.Delete.All | cc83893a-e232-4723-b5af-bd0b01bcfe65 | Admin | Delete channels |
| ChannelMember.Read.All | 2eadaff8-0bce-4198-a6b9-2cfc35a30075 | Admin | Read the members of channels |
| ChannelMember.ReadWrite.All | 0c3e411a-ce45-4cd1-8f30-f99a3efa7b11 | Admin | Add and remove members from channels |
| ChannelMessage.Read.All | 767156cb-16ae-4d10-8f8b-41b657c8c8c8 | Admin | Read user channel messages |
| ChannelMessage.ReadWrite | 5922d31f-46c8-4404-9eaf-2117e390a8a4 | Admin | Read and write user channel messages |
| ChannelSettings.Read.All | 233e0cf1-dd62-48bc-b65b-b38fe87fcf8e | Admin | Read the names, descriptions, and settings of channels |
| ChannelSettings.ReadWrite.All | d649fb7c-72b4-4eec-b2b4-b15acf79e378 | Admin | Read and write the names, descriptions, and settings of channels |
| ChatMember.Read | c5a9e2b1-faf6-41d4-8875-d381aa549b24 | Admin | Read the members of chats |
| ChatMember.ReadWrite | dea13482-7ea6-488f-8b98-eb5bbecf033d | Admin | Add and remove members from chats |
| CloudPC.ReadWrite.All | 9d77138f-f0e2-47ba-ab33-cd246c8b79d1 | Admin | Read and write Cloud PCs |
| ConsentRequest.Read.All | f3bfad56-966e-4590-a536-82ecf548ac1e | Admin | Read consent requests |
| ConsentRequest.ReadWrite.All | 497d9dfa-3bd1-481a-baab-90895e54568c | Admin | Read and write consent requests |
| CrossTenantInformation.ReadBasic.All | 81594d25-e88e-49cf-ac8c-fecbff49f994 | Admin | Read cross-tenant basic information |
| CrossTenantUserProfileSharing.Read | cb1ba48f-d22b-4325-a07f-74135a62ee41 | Admin | Read shared cross-tenant user profile and export data |
| CrossTenantUserProfileSharing.Read.All | 759dcd16-3c90-463c-937e-abf89f991c18 | Admin | Read all shared cross-tenant user profiles and export their data |
| CrossTenantUserProfileSharing.ReadWrite | eed0129d-dc60-4f30-8641-daf337a39ffd | Admin | Read shared cross-tenant user profile and export or delete data |
| CrossTenantUserProfileSharing.ReadWrite.All | 64dfa325-cbf8-48e3-938d-51224a0cac01 | Admin | Read all shared cross-tenant user profiles and export or delete their data |
| CustomAuthenticationExtension.Read.All | b2052569-c98c-4f36-a5fb-43e5c111e6d0 | Admin | Read your organization’s custom authentication extensions |
| CustomAuthenticationExtension.ReadWrite.All | 8dfcf82f-15d0-43b3-bc78-a958a13a5792 | Admin | Read and write your organization’s custom authentication extensions |
| CustomSecAttributeAssignment.Read.All | b46ffa80-fe3d-4822-9a1a-c200932d54d0 | Admin | Read custom security attribute assignments |
| CustomSecAttributeAssignment.ReadWrite.All | ca46335e-8453-47cd-a001-8459884efeae | Admin | Read and write custom security attribute assignments |
| CustomSecAttributeDefinition.Read.All | ce026878-a0ff-4745-a728-d4fedd086c07 | Admin | Read custom security attribute definitions |
| CustomSecAttributeDefinition.ReadWrite.All | 8b0160d4-5743-482b-bb27-efc0a485ca4a | Admin | Read and write custom security attribute definitions |
| DelegatedAdminRelationship.Read.All | 0c0064ea-477b-4130-82a5-4c2cc4ff68aa | Admin | Read Delegated Admin relationships with customers |
| DelegatedAdminRelationship.ReadWrite.All | 885f682f-a990-4bad-a642-36736a74b0c7 | Admin | Manage Delegated Admin relationships with customers |
| DelegatedPermissionGrant.ReadWrite.All | 41ce6ca6-6826-4807-84f1-1c82854f7ee5 | Admin | Manage all delegated permission grants |
| Device.Read.All | 951183d1-1a61-466f-a6d1-1fde911bfd95 | Admin | Read all devices |
| DeviceManagementApps.Read.All | 4edf5f54-4666-44af-9de9-0144fb4b6e8c | Admin | Read Microsoft Intune apps |
| DeviceManagementApps.ReadWrite.All | 7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af | Admin | Read and write Microsoft Intune apps |
| DeviceManagementConfiguration.Read.All | f1493658-876a-4c87-8fa7-edb559b3476a | Admin | Read Microsoft Intune Device Configuration and Policies |
| DeviceManagementConfiguration.ReadWrite.All | 0883f392-0a7a-443d-8c76-16a6d39c7b63 | Admin | Read and write Microsoft Intune Device Configuration and Policies |
| DeviceManagementManagedDevices.PrivilegedOperations.All | 3404d2bf-2b13-457e-a330-c24615765193 | Admin | Perform user-impacting remote actions on Microsoft Intune devices |
| DeviceManagementManagedDevices.Read.All | 314874da-47d6-4978-88dc-cf0d37f0bb82 | Admin | Read Microsoft Intune devices |
| DeviceManagementManagedDevices.ReadWrite.All | 44642bfe-8385-4adc-8fc6-fe3cb2c375c3 | Admin | Read and write Microsoft Intune devices |
| DeviceManagementRBAC.Read.All | 49f0cc30-024c-4dfd-ab3e-82e137ee5431 | Admin | Read Microsoft Intune RBAC settings |
| DeviceManagementRBAC.ReadWrite.All | 0c5e8a55-87a6-4556-93ab-adc52c4d862d | Admin | Read and write Microsoft Intune RBAC settings |
| DeviceManagementServiceConfig.Read.All | 8696daa5-bce5-4b2e-83f9-51b6defc4e1e | Admin | Read Microsoft Intune configuration |
| DeviceManagementServiceConfig.ReadWrite.All | 662ed50a-ac44-4eef-ad86-62eed9be2a29 | Admin | Read and write Microsoft Intune configuration |
| Directory.AccessAsUser.All | 0e263e50-5827-48a4-b97c-d940288653c7 | Admin | Access directory as the signed in user |
| Directory.Read.All | 06da0dbc-49e2-44d2-8312-53f166ab848a | Admin | Read directory data |
| Directory.ReadWrite.All | c5366453-9fb0-48a5-a156-24f0c49a4b84 | Admin | Read and write directory data |
| Directory.Write.Restricted | cba5390f-ed6a-4b7f-b657-0efc2210ed20 | Admin | Manage restricted resources in the directory |
| DirectoryRecommendations.Read.All | 34d3bd24-f6a6-468c-b67c-0c365c1d6410 | Admin | Read Azure AD recommendations |
| DirectoryRecommendations.ReadWrite.All | f37235e8-90a0-4189-93e2-e55b53867ccd | Admin | Read and update Azure AD recommendations |
| Domain.Read.All | 2f9ee017-59c1-4f1d-9472-bd5529a7b311 | Admin | Read domains. |
| Domain.ReadWrite.All | 0b5d694c-a244-4bde-86e6-eb5cd07730fe | Admin | Read and write domains |
| eDiscovery.Read.All | 99201db3-7652-4d5a-809a-bdb94f85fe3c | Admin | Read all eDiscovery objects |
| eDiscovery.ReadWrite.All | acb8f680-0834-4146-b69e-4ab1b39745ad | Admin | Read and write all eDiscovery objects |
| EduAdministration.Read | 8523895c-6081-45bf-8a5d-f062a2f12c9f | Admin | Read education app settings |
| EduAdministration.ReadWrite | 63589852-04e3-46b4-bae9-15d5b1050748 | Admin | Manage education app settings |
| EduAssignments.Read | 091460c9-9c4a-49b2-81ef-1f3d852acce2 | Admin | Read users’ class assignments and their grades |
| EduAssignments.ReadBasic | c0b0103b-c053-4b2e-9973-9f3a544ec9b8 | Admin | Read users’ class assignments without grades |
| EduAssignments.ReadWrite | 2f233e90-164b-4501-8bce-31af2559a2d3 | Admin | Read and write users’ class assignments and their grades |
| EduAssignments.ReadWriteBasic | 2ef770a1-622a-47c4-93ee-28d6adbed3a0 | Admin | Read and write users’ class assignments without grades |
| EduRoster.Read | a4389601-22d9-4096-ac18-36a927199112 | Admin | Read users’ view of the roster |
| EduRoster.ReadBasic | 5d186531-d1bf-4f07-8cea-7c42119e1bd9 | Admin | Read a limited subset of users’ view of the roster |
| EduRoster.ReadWrite | 359e19a6-e3fa-4d7f-bcab-d28ec592b51e | Admin | Read and write users’ view of the roster |
| EntitlementManagement.Read.All | 5449aa12-1393-4ea2-a7c7-d0e06c1a56b2 | Admin | Read all entitlement management resources |
| EntitlementManagement.ReadWrite.All | ae7a573d-81d7-432b-ad44-4ed5c9d89038 | Admin | Read and write entitlement management resources |
| EventListener.Read.All | f7dd3bed-5eec-48da-bc73-1c0ef50bc9a1 | Admin | Read your organization’s authentication event listeners |
| EventListener.ReadWrite.All | d11625a6-fe21-4fc6-8d3d-063eba5525ad | Admin | Read and write your organization’s authentication event listeners |
| ExternalConnection.Read.All | a38267a5-26b6-4d76-9493-935b7599116b | Admin | Read all external connections |
| ExternalConnection.ReadWrite.All | bbbbd9b3-3566-4931-ac37-2b2180d9e334 | Admin | Read and write all external connections |
| ExternalConnection.ReadWrite.OwnedBy | 4082ad95-c812-4f02-be92-780c4c4f1830 | Admin | Read and write external connections |
| ExternalItem.Read.All | 922f9392-b1b7-483c-a4be-0089be7704fb | Admin | Read items in external datasets |
| ExternalItem.ReadWrite.All | b02c54f8-eb48-4c50-a9f0-a149e5a2012f | Admin | Read and write all external items |
| ExternalItem.ReadWrite.OwnedBy | 4367b9d7-cee7-4995-853c-a0bdfe95c1f9 | Admin | Read and write external items |
| Group.Read.All | 5f8c59db-677d-491f-a6b8-5f174b11ec1d | Admin | Read all groups |
| Group.ReadWrite.All | 4e46008b-f24c-477d-8fff-7bb4ec7aafe0 | Admin | Read and write all groups |
| GroupMember.Read.All | bc024368-1153-4739-b217-4326f2e966d0 | Admin | Read group memberships |
| GroupMember.ReadWrite.All | f81125ac-d3b7-4573-a3b2-7099cc39df9e | Admin | Read and write group memberships |
| IdentityProvider.Read.All | 43781733-b5a7-4d1b-98f4-e8edff23e1a9 | Admin | Read identity providers |
| IdentityProvider.ReadWrite.All | f13ce604-1677-429f-90bd-8a10b9f01325 | Admin | Read and write identity providers |
| IdentityRiskEvent.Read.All | 8f6a01e7-0391-4ee5-aa22-a3af122cef27 | Admin | Read identity risk event information |
| IdentityRiskEvent.ReadWrite.All | 9e4862a5-b68f-479e-848a-4e07e25c9916 | Admin | Read and write risk event information |
| IdentityRiskyServicePrincipal.Read.All | ea5c4ab0-5a73-4f35-8272-5d5337884e5d | Admin | Read all identity risky service principal information |
| IdentityRiskyServicePrincipal.ReadWrite.All | bb6f654c-d7fd-4ae3-85c3-fc380934f515 | Admin | Read and write all identity risky service principal information |
| IdentityRiskyUser.Read.All | d04bb851-cb7c-4146-97c7-ca3e71baf56c | Admin | Read identity risky user information |
| IdentityRiskyUser.ReadWrite.All | e0a7cdbb-08b0-4697-8264-0069786e9674 | Admin | Read and write risky user information |
| IdentityUserFlow.Read.All | 2903d63d-4611-4d43-99ce-a33f3f52e343 | Admin | Read all identity user flows |
| IdentityUserFlow.ReadWrite.All | 281892cc-4dbf-4e3a-b6cc-b21029bb4e82 | Admin | Read and write all identity user flows |
| LearningContent.Read.All | ea4c1fd9-6a9f-4432-8e5d-86e06cc0da77 | Admin | Read learning content |
| LearningContent.ReadWrite.All | 53cec1c4-a65f-4981-9dc1-ad75dbf1c077 | Admin | Manage learning content |
| LearningProvider.Read | dd8ce36f-9245-45ea-a99e-8ac398c22861 | Admin | Read learning provider |
| LearningProvider.ReadWrite | 40c2eb57-abaf-49f5-9331-e90fd01f7130 | Admin | Manage learning provider |
| LicenseAssignment.ReadWrite.All | f55016cc-149c-447e-8f21-7cf3ec1d6350 | Admin | Manage all license assignments |
| LifecycleWorkflows.Read.All | 9bcb9916-765a-42af-bf77-02282e26b01a | Admin | Read all lifecycle workflows resources |
| LifecycleWorkflows.ReadWrite.All | 84b9d731-7db8-4454-8c90-fd9e95350179 | Admin | Read and write all lifecycle workflows resources |
| ManagedTenants.Read.All | dc34164e-6c4a-41a0-be89-3ae2fbad7cd3 | Admin | Read all managed tenant information |
| ManagedTenants.ReadWrite.All | b31fa710-c9b3-4d9e-8f5e-8036eecddab9 | Admin | Read and write all managed tenant information |
| Member.Read.Hidden | f6a3db3e-f7e8-4ed2-a414-557c8c9830be | Admin | Read hidden memberships |
| OnlineMeetingRecording.Read.All | 190c2bb6-1fdd-4fec-9aa2-7d571b5e1fe3 | Admin | Read all recordings of online meetings. |
| OnlineMeetingTranscript.Read.All | 30b87d18-ebb1-45db-97f8-82ccb1f0190c | Admin | Read all transcripts of online meetings. |
| OnPremisesPublishingProfiles.ReadWrite.All | 8c4d5184-71c2-4bf8-bb9d-bc3378c9ad42 | Admin | Manage on-premises published resources |
| Organization.Read.All | 4908d5b9-3fb2-4b1e-9336-1888b7937185 | Admin | Read organization information |
| Organization.ReadWrite.All | 46ca0847-7e6b-426e-9775-ea810a948356 | Admin | Read and write organization information |
| OrgContact.Read.All | 08432d1b-5911-483c-86df-7980af5cdee0 | Admin | Read organizational contacts |
| People.Read.All | b89f9189-71a5-4e70-b041-9887f0bc7e4a | Admin | Read all users’ relevant people lists |
| Place.Read.All | cb8f45a0-5c2e-4ea1-b803-84b870a7d7ec | Admin | Read all company places |
| Place.ReadWrite.All | 4c06a06a-098a-4063-868e-5dfee3827264 | Admin | Read and write organization places |
| Policy.Read.All | 572fea84-0151-49b2-9301-11cb16974376 | Admin | Read your organization’s policies |
| Policy.Read.PermissionGrant | 414de6ea-2d92-462f-b120-6e2a809a6d01 | Admin | Read consent and permission grant policies |
| Policy.ReadWrite.AccessReview | 4f5bc9c8-ea54-4772-973a-9ca119cb0409 | Admin | Read and write your organization’s directory access review default policy |
| Policy.ReadWrite.ApplicationConfiguration | b27add92-efb2-4f16-84f5-8108ba77985c | Admin | Read and write your organization’s application configuration policies |
| Policy.ReadWrite.AuthenticationFlows | edb72de9-4252-4d03-a925-451deef99db7 | Admin | Read and write authentication flow policies |
| Policy.ReadWrite.AuthenticationMethod | 7e823077-d88e-468f-a337-e18f1f0e6c7c | Admin | Read and write authentication method policies |
| Policy.ReadWrite.Authorization | edd3c878-b384-41fd-95ad-e7407dd775be | Admin | Read and write your organization’s authorization policy |
| Policy.ReadWrite.ConditionalAccess | ad902697-1014-4ef5-81ef-2b4301988e8c | Admin | Read and write your organization’s conditional access policies |
| Policy.ReadWrite.ConsentRequest | 4d135e65-66b8-41a8-9f8b-081452c91774 | Admin | Read and write consent request policy |
| Policy.ReadWrite.CrossTenantAccess | 014b43d0-6ed4-4fc6-84dc-4b6f7bae7d85 | Admin | Read and write your organization’s cross tenant access policies |
| Policy.ReadWrite.DeviceConfiguration | 40b534c3-9552-4550-901b-23879c90bcf9 | Admin | Read and write your organization’s device configuration policies |
| Policy.ReadWrite.FeatureRollout | 92a38652-f13b-4875-bc77-6e1dbb63e1b2 | Admin | Read and write your organization’s feature rollout policies |
| Policy.ReadWrite.MobilityManagement | a8ead177-1889-4546-9387-f25e658e2a79 | Admin | Read and write your organization’s mobility management policies |
| Policy.ReadWrite.PermissionGrant | 2672f8bb-fd5e-42e0-85e1-ec764dd2614e | Admin | Manage consent and permission grant policies |
| Policy.ReadWrite.TrustFramework | cefba324-1a70-4a6e-9c1d-fd670b7ae392 | Admin | Read and write your organization’s trust framework policies |
| PrintConnector.Read.All | d69c2d6d-4f72-4f99-a6b9-663e32f8cf68 | Admin | Read print connectors |
| PrintConnector.ReadWrite.All | 79ef9967-7d59-4213-9c64-4b10687637d8 | Admin | Read and write print connectors |
| Printer.Create | 90c30bed-6fd1-4279-bf39-714069619721 | Admin | Register printers |
| Printer.FullControl.All | 93dae4bd-43a1-4a23-9a1a-92957e1d9121 | Admin | Register, read, update, and unregister printers |
| Printer.Read.All | 3a736c8a-018e-460a-b60c-863b2683e8bf | Admin | Read printers |
| Printer.ReadWrite.All | 89f66824-725f-4b8f-928e-e1c5258dc565 | Admin | Read and update printers |
| PrinterShare.ReadWrite.All | 06ceea37-85e2-40d7-bec3-91337a46038f | Admin | Read and write printer shares |
| PrintJob.Read.All | afdd6933-a0d8-40f7-bd1a-b5d778e8624b | Admin | Read print jobs |
| PrintJob.ReadBasic.All | 04ce8d60-72ce-4867-85cf-6d82f36922f3 | Admin | Read basic information of print jobs |
| PrintJob.ReadWrite.All | 036b9544-e8c5-46ef-900a-0646cc42b271 | Admin | Read and write print jobs |
| PrintJob.ReadWriteBasic.All | 3a0db2f6-0d2a-4c19-971b-49109b19ad3d | Admin | Read and write basic information of print jobs |
| PrintSettings.Read.All | 490f32fd-d90f-4dd7-a601-ff6cdc1a3f6c | Admin | Read tenant-wide print settings |
| PrintSettings.ReadWrite.All | 9ccc526a-c51c-4e5c-a1fd-74726ef50b8f | Admin | Read and write tenant-wide print settings |
| PrivilegedAccess.Read.AzureAD | b3a539c9-59cb-4ad5-825a-041ddbdc2bdb | Admin | Read privileged access to Azure AD |
| PrivilegedAccess.Read.AzureADGroup | d329c81c-20ad-4772-abf9-3f6fdb7e5988 | Admin | Read privileged access to Azure AD groups |
| PrivilegedAccess.Read.AzureResources | 1d89d70c-dcac-4248-b214-903c457af83a | Admin | Read privileged access to Azure resources |
| PrivilegedAccess.ReadWrite.AzureAD | 3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37 | Admin | Read and write privileged access to Azure AD |
| PrivilegedAccess.ReadWrite.AzureADGroup | 32531c59-1f32-461f-b8df-6f8a3b89f73b | Admin | Read and write privileged access to Azure AD groups |
| PrivilegedAccess.ReadWrite.AzureResources | a84a9652-ffd3-496e-a991-22ba5529156a | Admin | Read and write privileged access to Azure resources |
| ProgramControl.Read.All | c492a2e1-2f8f-4caa-b076-99bbf6e40fe4 | Admin | Read all programs that user can access |
| ProgramControl.ReadWrite.All | 50fd364f-9d93-4ae1-b170-300e87cccf84 | Admin | Manage all programs that user can access |
| RecordsManagement.Read.All | 07f995eb-fc67-4522-ad66-2b8ca8ea3efd | Admin | Read Records Management configuration, labels, and policies |
| RecordsManagement.ReadWrite.All | f2833d75-a4e6-40ab-86d4-6dfe73c97605 | Admin | Read and write Records Management configuration, labels, and policies |
| Reports.Read.All | 02e97553-ed7b-43d0-ab3c-f8bace0d040c | Admin | Read all usage reports |
| ReportSettings.Read.All | 84fac5f4-33a9-4100-aa38-a20c6d29e5e7 | Admin | Read admin report settings |
| ReportSettings.ReadWrite.All | b955410e-7715-4a88-a940-dfd551018df3 | Admin | Read and write admin report settings |
| RoleAssignmentSchedule.Read.Directory | 344a729c-0285-42c6-9014-f12b9b8d6129 | Admin | Read all active role assignments for your company’s directory |
| RoleAssignmentSchedule.ReadWrite.Directory | 8c026be3-8e26-4774-9372-8d5d6f21daff | Admin | Read, update, and delete all active role assignments for your company’s directory |
| RoleEligibilitySchedule.Read.Directory | eb0788c2-6d4e-4658-8c9e-c0fb8053f03d | Admin | Read all eligible role assignments for your company’s directory |
| RoleEligibilitySchedule.ReadWrite.Directory | 62ade113-f8e0-4bf9-a6ba-5acb31db32fd | Admin | Read, update, and delete all eligible role assignments for your company’s directory |
| RoleManagement.Read.All | 48fec646-b2ba-4019-8681-8eb31435aded | Admin | Read role management data for all RBAC providers |
| RoleManagement.Read.CloudPC | 9619b88a-8a25-48a7-9571-d23be0337a79 | Admin | Read Cloud PC RBAC settings |
| RoleManagement.Read.Directory | 741c54c3-0c1e-44a1-818b-3f97ab4e8c83 | Admin | Read directory RBAC settings |
| RoleManagement.ReadWrite.CloudPC | 501d06f8-07b8-4f18-b5c6-c191a4af7a82 | Admin | Read and write Cloud PC RBAC settings |
| RoleManagement.ReadWrite.Directory | d01b97e9-cbc0-49fe-810a-750afd5527a3 | Admin | Read and write directory RBAC settings |
| RoleManagementPolicy.Read.Directory | 3de2cdbe-0ff5-47d5-bdee-7f45b4749ead | Admin | Read all policies for privileged role assignments of your company’s directory |
| RoleManagementPolicy.ReadWrite.Directory | 1ff1be21-34eb-448c-9ac9-ce1f506b2a68 | Admin | Read, update, and delete all policies for privileged role assignments of your company’s directory |
| Schedule.Read.All | fccf6dd8-5706-49fa-811f-69e2e1b585d0 | Admin | Read user schedule items |
| Schedule.ReadWrite.All | 63f27281-c9d9-4f29-94dd-6942f7f1feb0 | Admin | Read and write user schedule items |
| SearchConfiguration.Read.All | 7d307522-aa38-4cd0-bd60-90c6f0ac50bd | Admin | Read your organization’s search configuration |
| SearchConfiguration.ReadWrite.All | b1a7d408-cab0-47d2-a2a5-a74a3733600d | Admin | Read and write your organization’s search configuration |
| SecurityActions.Read.All | 1638cddf-07a4-4de2-8645-69c96cacad73 | Admin | Read your organization’s security actions |
| SecurityActions.ReadWrite.All | dc38509c-b87d-4da0-bd92-6bec988bac4a | Admin | Read and update your organization’s security actions |
| SecurityAlert.Read.All | bc257fb8-46b4-4b15-8713-01e91bfbe4ea | Admin | Read all security alerts |
| SecurityAlert.ReadWrite.All | 471f2a7f-2a42-4d45-a2bf-594d0838070d | Admin | Read and write to all security alerts |
| SecurityEvents.Read.All | 64733abd-851e-478a-bffb-e47a14b18235 | Admin | Read your organization’s security events |
| SecurityEvents.ReadWrite.All | 6aedf524-7e1c-45a7-bd76-ded8cab8d0fc | Admin | Read and update your organization’s security events |
| SecurityIncident.Read.All | b9abcc4f-94fc-4457-9141-d20ce80ec952 | Admin | Read incidents |
| SecurityIncident.ReadWrite.All | 128ca929-1a19-45e6-a3b8-435ec44a36ba | Admin | Read and write to incidents |
| ServiceHealth.Read.All | 55896846-df78-47a7-aa94-8d3d4442ca7f | Admin | Read service health |
| ServiceMessage.Read.All | eda39fa6-f8cf-4c3c-a909-432c683e4c9b | Admin | Read service announcement messages |
| ServiceMessageViewpoint.Write | 636e1b0b-1cc2-4b1c-9aa9-4eeed9b9761b | Admin | Update user status on service announcement messages |
| ServicePrincipalEndpoint.Read.All | 9f9ce928-e038-4e3b-8faf-7b59049a8ddc | Admin | Read service principal endpoints |
| ServicePrincipalEndpoint.ReadWrite.All | 7297d82c-9546-4aed-91df-3d4f0a9b3ff0 | Admin | Read and update service principal endpoints |
| SharePointTenantSettings.Read.All | 2ef70e10-5bfd-4ede-a5f6-67720500b258 | Admin | Read SharePoint and OneDrive tenant settings |
| SharePointTenantSettings.ReadWrite.All | aa07f155-3612-49b8-a147-6c590df35536 | Admin | Read and change SharePoint and OneDrive tenant settings |
| Sites.FullControl.All | 5a54b8b3-347c-476d-8f8e-42d5c7424d29 | Admin | Have full control of all site collections |
| SubjectRightsRequest.Read.All | 9c3af74c-fd0f-4db4-b17a-71939e2a9d77 | Admin | Read subject rights requests |
| SubjectRightsRequest.ReadWrite.All | 2b8fcc74-bce1-4ae3-a0e8-60c53739299d | Admin | Read and write subject rights requests |
| Subscription.Read.All | 5f88184c-80bb-4d52-9ff2-757288b2e9b7 | Admin | Read all webhook subscriptions |
| TeamMember.Read.All | 2497278c-d82d-46a2-b1ce-39d4cdde5570 | Admin | Read the members of teams |
| TeamMember.ReadWrite.All | 4a06efd2-f825-4e34-813e-82a57b03d1ee | Admin | Add and remove members from teams |
| TeamMember.ReadWriteNonOwnerRole.All | 2104a4db-3a2f-4ea0-9dba-143d457dc666 | Admin | Add and remove members with non-owner role for all teams |
| TeamsAppInstallation.ReadForTeam | 5248dcb1-f83b-4ec3-9f4d-a4428a961a72 | Admin | Read installed Teams apps in teams |
| TeamsAppInstallation.ReadWriteForChat | aa85bf13-d771-4d5d-a9e6-bca04ce44edf | Admin | Manage installed Teams apps in chats |
| TeamsAppInstallation.ReadWriteForTeam | 2e25a044-2580-450d-8859-42eeb6e996c0 | Admin | Manage installed Teams apps in teams |
| TeamsAppInstallation.ReadWriteForUser | 093f8818-d05f-49b8-95bc-9d2a73e9a43c | Admin | Manage user’s installed Teams apps |
| TeamsAppInstallation.ReadWriteSelfForChat | 0ce33576-30e8-43b7-99e5-62f8569a4002 | Admin | Allow the Teams app to manage itself in chats |
| TeamsAppInstallation.ReadWriteSelfForTeam | 0f4595f7-64b1-4e13-81bc-11a249df07a9 | Admin | Allow the app to manage itself in teams |
| TeamSettings.Read.All | 48638b3c-ad68-4383-8ac4-e6880ee6ca57 | Admin | Read teams’ settings |
| TeamSettings.ReadWrite.All | 39d65650-9d3e-4223-80db-a335590d027e | Admin | Read and change teams’ settings |
| TeamsTab.Create | a9ff19c2-f369-4a95-9a25-ba9d460efc8e | Admin | Create tabs in Microsoft Teams. |
| TeamsTab.Read.All | 59dacb05-e88d-4c13-a684-59f1afc8cc98 | Admin | Read tabs in Microsoft Teams. |
| TeamsTab.ReadWrite.All | b98bfd41-87c6-45cc-b104-e2de4f0dafb9 | Admin | Read and write tabs in Microsoft Teams. |
| TeamsTab.ReadWriteForChat | ee928332-e9c2-4747-b4a0-f8c164b68de6 | Admin | Allow the Teams app to manage all tabs in chats |
| TeamsTab.ReadWriteForTeam | c975dd04-a06e-4fbb-9704-62daad77bb49 | Admin | Allow the Teams app to manage all tabs in teams |
| TeamsTab.ReadWriteSelfForChat | 0c219d04-3abf-47f7-912d-5cca239e90e6 | Admin | Allow the Teams app to manage only its own tabs in chats |
| TeamsTab.ReadWriteSelfForTeam | f266662f-120a-4314-b26a-99b08617c7ef | Admin | Allow the Teams app to manage only its own tabs in teams |
| TeamworkDevice.Read.All | b659488b-9d28-4208-b2be-1c6652b3c970 | Admin | Read Teams devices |
| TeamworkDevice.ReadWrite.All | ddd97ecb-5c31-43db-a235-0ee20e635c40 | Admin | Read and write Teams devices |
| TeamworkTag.Read | 57587d0b-8399-45be-b207-8050cec54575 | Admin | Read tags in Teams |
| TeamworkTag.ReadWrite | 539dabd7-b5b6-4117-b164-d60cd15a8671 | Admin | Read and write tags in Teams |
| TermStore.Read.All | 297f747b-0005-475b-8fef-c890f5152b38 | Admin | Read term store data |
| TermStore.ReadWrite.All | 6c37c71d-f50f-4bff-8fd3-8a41da390140 | Admin | Read and write term store data |
| ThreatAssessment.ReadWrite.All | cac97e40-6730-457d-ad8d-4852fddab7ad | Admin | Read and write threat assessment requests |
| ThreatHunting.Read.All | b152eca8-ea73-4a48-8c98-1a6742673d99 | Admin | Run hunting queries |
| ThreatIndicators.Read.All | 9cc427b4-2004-41c5-aa22-757b755e9796 | Admin | Read all threat indicators |
| ThreatIndicators.ReadWrite.OwnedBy | 91e7d36d-022a-490f-a748-f8e011357b42 | Admin | Manage threat indicators this app creates or owns |
| ThreatSubmission.Read.All | 7083913a-4966-44b6-9886-c5822a5fd910 | Admin | Read all threat submissions |
| ThreatSubmission.ReadWrite.All | 8458e264-4eb9-4922-abe9-768d58f13c7f | Admin | Read and write all threat submissions |
| ThreatSubmissionPolicy.ReadWrite.All | 059e5840-5353-4c68-b1da-666a033fc5e8 | Admin | Read and write all threat submission policies |
| TrustFrameworkKeySet.Read.All | 7ad34336-f5b1-44ce-8682-31d7dfcd9ab9 | Admin | Read trust framework key sets |
| TrustFrameworkKeySet.ReadWrite.All | 39244520-1e7d-4b4a-aee0-57c65826e427 | Admin | Read and write trust framework key sets |
| UnifiedGroupMember.Read.AsGuest | 73e75199-7c3e-41bb-9357-167164dbb415 | Admin | Read unified group memberships as guest |
| User.Export.All | 405a51b5-8d8d-430b-9842-8be4b0e9f324 | Admin | Export user’s data |
| User.Invite.All | 63dd7cd9-b489-4adf-a28c-ac38b9a0f962 | Admin | Invite guest users to the organization |
| User.ManageIdentities.All | 637d7bec-b31e-4deb-acc9-24275642a2c9 | Admin | Manage user identities |
| User.Read.All | a154be20-db9c-4678-8ab7-66f6cc099a59 | Admin | Read all users’ full profiles |
| User.ReadWrite.All | 204e0828-b5ca-4ad8-b9f3-f32a958e7cc4 | Admin | Read and write all users’ full profiles |
| UserAuthenticationMethod.Read | 1f6b61c5-2f65-4135-9c9f-31c0f8d32b52 | Admin | Read user authentication methods. |
| UserAuthenticationMethod.Read.All | aec28ec7-4d02-4e8c-b864-50163aea77eb | Admin | Read all users’ authentication methods |
| UserAuthenticationMethod.ReadWrite | 48971fc1-70d7-4245-af77-0beb29b53ee2 | Admin | Read and write user authentication methods |
| UserAuthenticationMethod.ReadWrite.All | b7887744-6746-4312-813d-72daeaee7e2d | Admin | Read and write all users’ authentication methods. |
| WindowsUpdates.ReadWrite.All | 11776c0c-6138-4db3-a668-ee621bea2555 | Admin | Read and write all Windows update deployment settings |
| WorkforceIntegration.Read.All | f1ccd5a7-6383-466a-8db8-1a656f7d06fa | Admin | Read workforce integrations |
| WorkforceIntegration.ReadWrite.All | 08c4b377-0d23-4a8b-be2a-23c1c1d88545 | Admin | Read and write workforce integrations |
| Analytics.Read | e03cf23f-8056-446a-8994-7d93dfc8b50e | User | Read your activity statistics |
| AppCatalog.Read.All | 88e58d74-d3df-44f3-ad47-e89edf4472e4 | User | Read all app catalogs |
| AppCatalog.Submit | 3db89e36-7fa6-4012-b281-85f3d9d9fd2e | User | Submit application packages to your organization’s catalog and cancel pending submissions |
| Bookings.Manage.All | 7f36b48e-542f-4d3b-9bcb-8406f0ab9fdb | User | Manage bookings information |
| Bookings.Read.All | 33b1df99-4b29-4548-9339-7a7b83eaeebc | User | Read bookings information |
| Bookings.ReadWrite.All | 948eb538-f19d-4ec5-9ccc-f059e1ea4c72 | User | Read and write bookings information |
| BookingsAppointment.ReadWrite.All | 02a5a114-36a6-46ff-a102-954d89d9ab02 | User | Read and write booking appointments |
| Calendars.Read | 465a38f9-76ea-45b9-9f34-9e8b0d4b0b42 | User | Read your calendars |
| Calendars.Read.Shared | 2b9c4092-424d-4249-948d-b43879977640 | User | Read calendars you can access |
| Calendars.ReadWrite | 1ec239c2-d7c9-4623-a91a-a9775856bb36 | User | Have full access to your calendars |
| Calendars.ReadWrite.Shared | 12466101-c9b8-439a-8589-dd09ee67e8e9 | User | Read and write to your and shared calendars |
| Channel.ReadBasic.All | 9d8982ae-4365-4f57-95e9-d6032a4c0b87 | User | Read the names and descriptions of channels |
| ChannelMessage.Edit | 2b61aa8a-6d36-4b2f-ac7b-f29867937c53 | User | Edit your channel messages |
| ChannelMessage.Send | ebf0f66e-9fb1-49e4-a278-222f76911cf4 | User | Send channel messages |
| Chat.Create | 38826093-1258-4dea-98f0-00003be2b8d0 | User | Create chats |
| Chat.Read | f501c180-9344-439a-bca0-6cbf209fd270 | User | Read your chat messages |
| Chat.ReadBasic | 9547fcb5-d03f-419d-9948-5928bbf71b0f | User | Read names and members of your chat threads |
| Chat.ReadWrite | 9ff7295e-131b-4d94-90e1-69fde507ac11 | User | Read and write your chat messages |
| ChatMessage.Read | cdcdac3a-fd45-410d-83ef-554db620e5c7 | User | Read user chat messages |
| ChatMessage.Send | 116b7235-7cc6-461e-b163-8e55691d839e | User | Send chat messages |
| CloudPC.Read.All | 5252ec4e-fd40-4d92-8c68-89dd1d3c6110 | User | Read Cloud PCs |
| Contacts.Read | ff74d97f-43af-4b68-9f2a-b77ee6968c5d | User | Read your contacts |
| Contacts.Read.Shared | 242b9d9e-ed24-4d09-9a52-f43769beb9d4 | User | Read your and shared contacts |
| Contacts.ReadWrite | d56682ec-c09e-4743-aaf4-1a3aac4caa21 | User | Have full access of your contacts |
| Contacts.ReadWrite.Shared | afb6c84b-06be-49af-80bb-8f3f77004eab | User | Read and write to your and shared contacts |
| Device.Command | bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804 | User | Communicate with your other devices |
| Device.Read | 11d4cd79-5ba5-460f-803f-e22c8ab85ccd | User | View your list of devices |
| EAS.AccessAsUser.All | ff91d191-45a0-43fd-b837-bd682c4a0b0f | User | Access your mailboxes |
| email | 64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0 | User | View your email address |
| EWS.AccessAsUser.All | 9769c687-087d-48ac-9cb3-c37dde652038 | User | Access your mailboxes |
| Family.Read | 3a1e4806-a744-4c70-80fc-223bf8582c46 | User | Read your family info |
| Files.Read | 10465720-29dd-4523-a11a-6a75c743c9d9 | User | Read your files |
| Files.Read.All | df85f4d6-205c-4ac5-a5ea-6bf408dba283 | User | Read all files that you have access to |
| Files.Read.Selected | 5447fe39-cb82-4c1a-b977-520e67e724eb | User | Read selected files |
| Files.ReadWrite | 5c28f0bf-8a70-41f1-8ab2-9032436ddb65 | User | Have full access to your files |
| Files.ReadWrite.All | 863451e7-0667-486c-a5d6-d135439485f0 | User | Have full access to all files you have access to |
| Files.ReadWrite.AppFolder | 8019c312-3263-48e6-825e-2b833497195b | User | Have full access to the application’s folder |
| Files.ReadWrite.Selected | 17dde5bd-8c17-420f-a486-969730c1b827 | User | Read and write selected files |
| Financials.ReadWrite.All | f534bf13-55d4-45a9-8f3c-c92fe64d6131 | User | Read and write financials data |
| IMAP.AccessAsUser.All | 652390e4-393a-48de-9484-05f9b1212954 | User | Read and write access to your mail. |
| InformationProtectionPolicy.Read | 4ad84827-5578-4e18-ad7a-86530b12f884 | User | Read user sensitivity labels and label policies. |
| Mail.Read | 570282fd-fa5c-430d-a7fd-fc8dc98a9dca | User | Read your mail |
| Mail.Read.Shared | 7b9103a5-4610-446b-9670-80643382c1fa | User | Read mail you can access |
| Mail.ReadBasic | a4b8392a-d8d1-4954-a029-8e668a39a170 | User | Read user basic mail |
| Mail.ReadWrite | 024d486e-b451-40bb-833d-3e66d98c5c73 | User | Read and write access to your mail |
| Mail.ReadWrite.Shared | 5df07973-7d5d-46ed-9847-1271055cbd51 | User | Read and write mail you can access |
| Mail.Send | e383f46e-2787-4529-855e-0e479a3ffac0 | User | Send mail as you |
| Mail.Send.Shared | a367ab51-6b49-43bf-a716-a1fb06d2a174 | User | Send mail on behalf of others or yourself |
| MailboxSettings.Read | 87f447af-9fa4-4c32-9dfa-4a57a73d18ce | User | Read your mailbox settings |
| MailboxSettings.ReadWrite | 818c620a-27a9-40bd-a6a5-d96f7d610b4b | User | Read and write to your mailbox settings |
| Notes.Create | 9d822255-d64d-4b7a-afdb-833b9a97ed02 | User | Create your OneNote notebooks |
| Notes.Read | 371361e4-b9e2-4a3f-8315-2a301a3b0a3d | User | Read your OneNote notebooks |
| Notes.Read.All | dfabfca6-ee36-4db2-8208-7a28381419b3 | User | Read all OneNote notebooks that you can access |
| Notes.ReadWrite | 615e26af-c38a-4150-ae3e-c3b0d4cb1d6a | User | Read and write your OneNote notebooks |
| Notes.ReadWrite.All | 64ac0503-b4fa-45d9-b544-71a463f05da0 | User | Read and write all OneNote notebooks that you can access |
| Notes.ReadWrite.CreatedByApp | ed68249d-017c-4df5-9113-e684c7f8760b | User | Limited access to your OneNote notebooks for this app (preview) |
| Notifications.ReadWrite.CreatedByApp | 89497502-6e42-46a2-8cb2-427fd3df970a | User | Deliver and manage your notifications for this app |
offline_access7427e0e9-2fba-42fe-b0c0-848c9e6a8182UserMaintain access to data you have given it access to
OnlineMeetingArtifact.Read.All110e5abb-a10c-4b59-8b55-9b4daa4ef743UserRead user’s online meeting artifacts
OnlineMeetings.Read9be106e1-f4e3-4df5-bdff-e4bc531cbe43UserRead your online meetings
OnlineMeetings.ReadWritea65f2972-a4f8-4f5e-afd7-69ccb046d5dcUserRead and create your online meetings
openid37f7f235-527c-4136-accd-4a02d197296eUserSign in as you
People.Readba47897c-39ec-4d83-8086-ee8256fa737dUserRead your relevant people list
Policy.Read.ConditionalAccess633e0fce-8c58-4cfb-9495-12bbd5a24f7cUserRead your organization’s conditional access policies
POP.AccessAsUser.Alld7b7f2d9-0f45-4ea1-9d42-e50810c06991UserRead and write access to your mail.
Presence.Read76bc735e-aecd-4a1d-8b4c-2b915deabb79UserRead your presence information
Presence.Read.All9c7a330d-35b3-4aa1-963d-cb2b9f927841UserRead presence information of all users in your organization
Presence.ReadWrite8d3c54a7-cf58-4773-bf81-c0cd6ad522bbUserRead and write your presence information
PrinterShare.Read.Alled11134d-2f3f-440d-a2e1-411efada2502UserRead printer shares
PrinterShare.ReadBasic.All5fa075e9-b951-4165-947b-c63396ff0a37UserRead basic information about printer shares
PrintJob.Create21f0d9c0-9f13-48b3-94e0-b6b231c7d320UserCreate your print jobs
PrintJob.Read248f5528-65c0-4c88-8326-876c7236df5eUserRead your print jobs
PrintJob.ReadBasic6a71a747-280f-4670-9ca0-a9cbf882b274UserRead basic information of your print jobs
PrintJob.ReadWriteb81dd597-8abb-4b3f-a07a-820b0316ed04UserRead and update your print jobs
PrintJob.ReadWriteBasic6f2d22f2-1cb6-412c-a17c-3336817eaa82UserRead and write basic information of your print jobs
profile14dad69e-099b-42c9-810b-d002981feec1UserView your basic profile
ShortNotes.Read50f66e47-eb56-45b7-aaa2-75057d9afe08UserRead your short notes
ShortNotes.ReadWrite328438b7-4c01-4c07-a840-e625a749bb89UserRead, create, edit, and delete your short notes
Sites.Manage.All65e50fdc-43b7-4915-933e-e8138f11f40aUserCreate, edit, and delete items and lists in all your site collections
Sites.Read.All205e70e5-aba6-4c52-a976-6d2d46c48043UserRead items in all site collections
Sites.ReadWrite.All89fe6a52-be36-487e-b7d8-d061c450a026UserEdit or delete items in all site collections
SMTP.Send258f6531-6087-4cc4-bb90-092c5fb3ed3fUserAccess to sending emails from your mailbox.
Tasks.Readf45671fb-e0fe-4b4b-be20-3d3ce43f1bcbUserRead your tasks and task lists
Tasks.Read.Shared88d21fd4-8e5a-4c32-b5e2-4a1c95f34f72UserRead your and shared tasks
Tasks.ReadWrite2219042f-cab5-40cc-b0d2-16b1540b4c5fUserCreate, read, update, and delete your tasks and task lists
Tasks.ReadWrite.Sharedc5ddf11b-c114-4886-8558-8a4e557cd52bUserRead and write to your and shared tasks
Team.Create7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0UserCreate teams
Team.ReadBasic.All485be79e-c497-4b35-9400-0e3fa7f2a5d4UserRead the names and descriptions of teams
TeamsActivity.Read0e755559-83fb-4b44-91d0-4cc721b9323eUserRead your teamwork activity feed
TeamsActivity.Send7ab1d787-bae7-4d5d-8db6-37ea32df9186UserSend a teamwork activity
TeamsAppInstallation.ReadForChatbf3fbf03-f35f-4e93-963e-47e4d874c37aUserRead installed Teams apps in chats
TeamsAppInstallation.ReadForUserc395395c-ff9a-4dba-bc1f-8372ba9dca84UserRead your installed Teams apps
TeamsAppInstallation.ReadWriteSelfForUser207e0cb1-3ce7-4922-b991-5a760c346ebcUserAllow the Teams app to manage itself for you
TeamsTab.ReadWriteForUserc37c9b61-7762-4bff-a156-afc0005847a0UserAllow the Teams app to manage all tabs for you
TeamsTab.ReadWriteSelfForUser395dfec1-a0b9-465f-a783-8250a430cb8cUserAllow the Teams app to manage only its own tabs for you
ThreatSubmission.Readfd5353c6-26dd-449f-a565-c4e16b9fce78UserRead threat submissions
ThreatSubmission.ReadWrite68a3156e-46c9-443c-b85c-921397f082b5UserRead and write threat submissions
User.Reade1fe6dd8-ba31-4d61-89e7-88639da4683dUserSign you in and read your profile
User.ReadBasic.Allb340eb25-3456-403f-be2f-af7a0d370277UserRead all users’ basic profiles
User.ReadWriteb4e74841-8e56-480b-be8b-910348b18b4cUserRead and update your profile
UserActivity.ReadWrite.CreatedByApp47607519-5fb1-47d9-99c7-da4b48f369b1UserRead and write app activity to your activity feed
UserNotification.ReadWrite.CreatedByApp26e2f3e8-b2a1-47fc-9620-89bb5b042024UserDeliver and manage your notifications
UserTimelineActivity.Write.CreatedByApp367492fc-594d-4972-a9b5-0d58c622c91cUserWrite app activity to your timeline
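A static table like the one above is a snapshot of one resource's manifest; the same IDs can be resolved live from the resource's service principal in your own tenant, which is what Add-AzADAppPermission and Terraform's required_resource_access ultimately need. The function below is an added example, not code from the original post. It assumes the AzureAD module with an active Connect-AzureAD session; the function name Resolve-AzureADPermissionId is my own. It separates application permissions (found in appRoles, passed as -Type Role, always admin consent) from delegated permissions (found in oauth2Permissions, passed as -Type Scope, whose Type field says whether a user may consent alone, which is what the consent-type column above records):

```powershell
# Added example (not from the original post): resolve a resource's permission name
# to the ApiId / PermissionId pair used by Add-AzADAppPermission and Terraform.
# Assumes the AzureAD module and a Connect-AzureAD session.
function Resolve-AzureADPermissionId {
    [CmdletBinding()]
    param(
        # Application (client) ID of the *resource* API, e.g. Microsoft Graph
        [Parameter(Mandatory)] [string] $ResourceAppId,
        # Permission name as shown in the portal, e.g. Mail.Read
        [Parameter(Mandatory)] [string] $PermissionName,
        # Role = application permission (appRoles), Scope = delegated (oauth2Permissions)
        [Parameter(Mandatory)] [ValidateSet('Role', 'Scope')] [string] $Type
    )

    # Every resource API a tenant can grant permissions on has a service principal there
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $sp) { throw "No service principal for app ID $ResourceAppId in this tenant" }

    if ($Type -eq 'Role') {
        # Application permissions: only entries whose allowed member type includes Application
        $match = $sp.AppRoles |
            Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application' }
        $consent = 'Admin'      # app roles always require tenant-wide admin consent
    }
    else {
        # Delegated permissions: Type is 'User' (user may consent) or 'Admin' (admin consent required)
        $match = $sp.Oauth2Permissions | Where-Object { $_.Value -eq $PermissionName }
        $consent = $match.Type
    }
    if (-not $match) { throw "$Type '$PermissionName' not found on $($sp.DisplayName)" }

    [pscustomobject]@{
        Resource     = $sp.DisplayName
        ApiId        = $sp.AppId          # -ApiId / Terraform resource_app_id
        Permission   = $match.Value
        PermissionId = $match.Id          # -PermissionId / Terraform resource_access.id
        Type         = $Type              # -Type / Terraform resource_access.type
        ConsentType  = $consent
    }
}

# Usage: Microsoft Graph's delegated Mail.Read and its application-permission
# namesake are different objects with different IDs; the scope should resolve to
# 570282fd-fa5c-430d-a7fd-fc8dc98a9dca, the value listed in the table above.
$graph = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph resource app ID
Resolve-AzureADPermissionId -ResourceAppId $graph -PermissionName 'Mail.Read' -Type Scope
Resolve-AzureADPermissionId -ResourceAppId $graph -PermissionName 'Mail.Read' -Type Role
```

The AzureAD module is deprecated in favour of Microsoft Graph PowerShell; if you port this, Get-MgServicePrincipal exposes the same data as the AppRoles and Oauth2PermissionScopes properties. The ConsentType field is worth surfacing in automation, because a delegated permission with Type 'Admin' or any application permission will sit ungranted until an administrator consents, and a pipeline that only creates the app will silently ship a non-working registration.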

O365 – Limit App Only Permissions to Specific mailboxes

I was recently tasked with giving a SaaS Business Spend Management (BSM) application access to specific mailboxes in an O365 tenant. That led me to read up on how this can be achieved, and I’ve detailed it in this post.

Before we go further, it is important to understand the difference between the two kinds of permissions supported by the Microsoft identity platform, delegated permissions and application permissions:

  • Delegated permissions let an Azure AD application act on behalf of the signed-in user. The user (or an administrator, on behalf of all users) consents to the permissions the app requests, and when the app calls the target resource it can never do more than the signed-in user could do.
  • Application permissions let an Azure AD application run as a background service or daemon with no signed-in user present. Only an administrator can consent to them, and they are not bounded by any user’s rights: the app gets the permission’s full scope across the whole tenant.

This SaaS application needed to read email from a shared mailbox in the tenant, the one to which invoices and bills are sent.

That calls for application permissions. Applications like this authenticate with the OAuth 2.0 client credentials grant flow, presenting a client secret or certificate instead of a user. So, creating an Azure AD application and granting it the Mail.Read application permission should solve what we are trying to achieve... right? But wait, there is more. Granting the Mail.Read application permission gives this app the ability to read mail in every mailbox in the organization’s Exchange Online, and because the resulting access token is not tied to any user, none of the usual mailbox permissions apply to it.

‘Ability to read mail in all mailboxes’ should make any mail administrator scream. That is the problem statement, and what we have to solve here.

OAuth 2.0 Client credentials grant flow

In this scenario, I have to limit an Azure AD app to specific mailboxes rather than all mailboxes in the tenant. The diagram below gives a high-level overview of how I’m planning to implement this.

For the sake of explanation, I have a mailbox named ‘U.S – Marketing’ and have to grant the SaaS BSM application Mail.Read on it. I’ll create a new Azure AD application and add the Mail.Read application permission. Next, I’ll create a mail-enabled security group named ‘US.Marketing.Mailbox.Access’, add ‘U.S – Marketing’ to it, and then apply an application access policy that restricts the app to the members of that group.

The first step is to create a new Azure AD application, add the Mail.Read API permission and grant admin consent. Yes, we can do this in the Azure AD portal in the App registrations blade, but where is the fun in that? If you are in a hurry, the portal is the quicker route, as the Add-AzADAppPermission cmdlet needs the resource’s app ID and the permission’s ID, which you have to look up first. Note that the ApiId used below is the Office 365 Exchange Online API; if the SaaS application talks to Microsoft Graph instead, grant Microsoft Graph’s Mail.Read application permission, which lives under Graph’s own resource app ID (00000003-0000-0000-c000-000000000000).

Before proceeding further, make sure you are connected to Azure AD PowerShell (Connect-AzureAD) with an account that can create applications and grant tenant-wide admin consent; I used a global admin account. The application access policy cmdlets in the second step are Exchange Online PowerShell cmdlets, so you will also need Connect-ExchangeOnline for those.

You can use the lines below in PowerShell to achieve this. az ad app is part of the Azure CLI, not a PowerShell cmdlet, so you’ll need the Azure CLI installed and an az login as well before running this; Add-AzADAppPermission comes from the Az.Resources module and needs a Connect-AzAccount session.

# Needs the AzureAD module (Connect-AzureAD), Az.Resources (Connect-AzAccount) and the Azure CLI (az login)
$appname = Read-Host "Enter your Azure AD Application's Display Name"
$ObjID = New-AzureADApplication -DisplayName $appname | Select ObjectId
# ApiId = Office 365 Exchange Online API; PermissionId = its Mail.Read app role; -Type Role = application permission
Add-AzADAppPermission -ObjectId $ObjID.ObjectId -ApiId 00000002-0000-0ff1-ce00-000000000000 -PermissionId 810c84a8-4a9e-49e6-bf7d-12d183f40d01 -Type Role
# Give the directory a moment to replicate the new app and its requested permission before consenting
Start-Sleep -Seconds 60
# Tenant-wide admin consent; this is the step that requires a privileged role
az ad app permission admin-consent --id $ObjID.ObjectId

How I determined the ApiId and PermissionId for the Add-AzADAppPermission cmdlet above is covered in a different blog post here.

Checking the result in the Azure AD portal, App registrations blade:

The second step is to create an ApplicationAccessPolicy whose scope is the mail-enabled security group. AccessRight RestrictAccess means the app may reach only the mailboxes of the group’s members; the other option, DenyAccess, blocks the group’s members and leaves every other mailbox reachable, which is the opposite of what we want here.

# Exchange Online PowerShell (Connect-ExchangeOnline) is required for New-ApplicationAccessPolicy
$appname = Read-Host "Enter your Azure AD Application's Display Name"
$mailbox = Read-Host "Enter mail-enabled security group's address"
$Desc = Read-Host "Enter Description"
$id = Get-AzureADApplication -Filter "DisplayName eq '$appname'"
# The policy is keyed on the application (client) ID, not the object ID; RestrictAccess limits the app to the group's member mailboxes
New-ApplicationAccessPolicy -AppId $id.AppId -PolicyScopeGroupId $mailbox -AccessRight RestrictAccess -Description $Desc

To view all application access policies in the tenant, use the Get-ApplicationAccessPolicy cmdlet:

Get-ApplicationAccessPolicy | Format-Table -Auto ScopeName, AccessRight, IsValid, Description

What we’ve done so far is grant an application permission that reads all email, then confine it to specific mailboxes. Because the policy scope is a mail-enabled security group, the mailboxes the app can reach are exactly that group’s members: the ‘U.S – Marketing’ mailbox goes into the group, and anyone who can change the group’s membership can widen or narrow the app’s reach, so treat the group as part of the app’s security boundary and keep its ownership tight. To test an application’s access right to a specific mailbox or user, use the Test-ApplicationAccessPolicy cmdlet:

# Exchange Online PowerShell; -Identity is the mailbox or user whose access is being tested
$appname = Read-Host "Enter your Azure AD Application's Display Name"
$mailbox = Read-Host "Enter email address to test access"
$id = Get-AzureADApplication -Filter "DisplayName eq '$appname'"
# AccessCheckResult is Granted for members of the policy's scope group and Denied for everyone else
Test-ApplicationAccessPolicy -AppId $id.AppId -Identity $mailbox

In the examples with screenshots below, the ‘U.S – Marketing’ mailbox is a member of the mail-enabled security group ‘US.Marketing.Mailbox.Access’, whereas the ‘teams-admin’ mailbox is not; you can see the difference in the AccessCheckResult output.
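Test-ApplicationAccessPolicy checks the policy from the Exchange side. The check a practitioner also wants is the client’s view: the client credentials grant described in the ‘OAuth 2.0 Client credentials grant flow’ section, exercised against one in-scope and one out-of-scope mailbox. The script below is an added example, not the post’s code. It assumes the app has a client secret and holds Microsoft Graph’s Mail.Read application permission (this test calls Graph, whereas the Add-AzADAppPermission line above targets the Exchange Online API); the tenant ID, client ID, secret and the two mailbox addresses are placeholders you supply, and the function name Test-MailboxRead is my own:

```powershell
# Added example (not part of the original post): obtain an app-only token with the
# client credentials grant, then read one message from an in-scope and an
# out-of-scope mailbox to confirm the application access policy is enforced.
# Assumed inputs: tenant ID, app (client) ID, a client secret on the app
# registration, and two mailbox addresses (placeholders below).
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [string] $AllowedMailbox = 'us-marketing@contoso.com',   # member of US.Marketing.Mailbox.Access
    [string] $DeniedMailbox  = 'teams-admin@contoso.com'     # not a member
)

# 1. Client credentials grant: no user is involved, so the token carries the app's
#    granted application permissions in a "roles" claim, not a delegated "scp" claim.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'   # every app permission granted on Graph
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Decode the JWT payload (base64url, middle segment) to show the roles claim.
$payload = $tokenResponse.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
"App-only token, roles = $($claims.roles -join ', ')"   # expect Mail.Read and no scp claim

# 3. Read the newest message subject from a mailbox. Azure AD has already issued the
#    token; the access policy is applied by Exchange Online when Graph serves the call.
function Test-MailboxRead {
    param([Parameter(Mandatory)] [string] $Mailbox)
    $uri = "https://graph.microsoft.com/v1.0/users/$Mailbox/messages?`$top=1&`$select=subject"
    try {
        $r = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        [pscustomobject]@{ Mailbox = $Mailbox; Result = 'Allowed'; Subject = $r.value[0].subject }
    }
    catch {
        # A mailbox outside the policy scope comes back as HTTP 403 (error code ErrorAccessDenied),
        # even though the token itself is valid and carries Mail.Read.
        $status = [int]$_.Exception.Response.StatusCode
        [pscustomobject]@{ Mailbox = $Mailbox; Result = "Denied (HTTP $status)"; Subject = $null }
    }
}

Test-MailboxRead -Mailbox $AllowedMailbox   # expected: Allowed, with a subject line
Test-MailboxRead -Mailbox $DeniedMailbox    # expected: Denied (HTTP 403)
```

Two things this shows that the cmdlet alone does not: the token is issued regardless of the policy, so a 403 on the second call is Exchange Online enforcing the scope rather than Azure AD refusing the app, and the same token succeeds against the in-scope mailbox, so the policy is the only thing standing between this app and every other mailbox in the tenant. Treat the client secret used here as you would any credential that can read mail: keep it out of the script file and rotate it when the test is done.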

While experimenting with application access policies, I noticed that changes can take some time to take effect (the documentation puts this at up to 30 minutes). So, if you are following the steps and it still doesn’t work, give it some time before assuming the policy is wrong.

Hope this helped you limit application permissions to specific mailboxes in your tenant.

Thank you for stopping by. ✌