Adding a new application in Azure AD using the portal can be done with a few clicks in the ‘App Registration’ blade. Adding API permissions to this application is also not a big deal, but when you are using PowerShell cmdlets like I did in this earlier blogpost, you will need to know App IDs, App Role IDs and Permission Scope IDs.
These also play a critical role when using Terraform to deploy Azure AD applications, where the required_resource_access argument of the Terraform azuread_application resource sets the permissions for the app being created.
While I was writing my earlier post on limiting Azure AD App Permissions to Specific mailboxes, I didn’t know how to get the App ID or the ID of the permissions I wanted to set for the application.
If you would like to see these values, you can look at the manifest of any of your existing Azure AD applications.
Like I said earlier, if you are creating the app via the portal, you may not need all this information but when you are going down the automation route, these values play a vital role in setting up the Azure AD applications properly.
Using the Azure CLI we can get a list of all Azure AD service principals. I used the ImportExcel PowerShell module to export the list of all App IDs,
Install-Module -Name ImportExcel
and this will give the output in a nice Excel sheet with all the AppID values,
$spList = az ad sp list --all
$spListObj = $spList | ConvertFrom-Json
$spListObj | Select appId, appDisplayName | Export-Excel -Path "C:\data\AppIDs.xlsx" -WorksheetName "AppIDs" -AutoSize
Below are some of the common application IDs for Microsoft resources. You can find an extensive list of all the applications in the Excel sheet exported with the above lines in Azure CLI.
Application ID | Resource Name |
cfa8b339-82a2-471a-a3c9-0fc0be7a4093 | Azure Key Vault |
c9a559d2-7aab-4f13-a6ed-e7e9c52aec87 | Microsoft Forms |
00000003-0000-0000-c000-000000000000 | Microsoft Graph |
0000000a-0000-0000-c000-000000000000 | Microsoft Intune |
cc15fd57-2c6c-4117-a88c-83b1d56b4bbe | Microsoft Teams Services |
00000002-0000-0ff1-ce00-000000000000 | Office 365 Exchange Online |
00000003-0000-0ff1-ce00-000000000000 | Office 365 SharePoint Online |
2d4d3d8e-2be3-4bef-9f87-7875a61c29de | OneNote |
00000004-0000-0ff1-ce00-000000000000 | Skype for Business Online |
The az ad sp command is part of the Azure CLI and not a PS cmdlet. You’ll need to have the Azure CLI installed and run az login as well before running this.
# This AppID information can be obtained from the earlier script's output
$appid = Read-Host "Enter the App ID for the resource"
# Get Service Principals
$spList = az ad sp list --all
$spListObj = $spList | ConvertFrom-Json
# Select the service principal that matches the App ID
$SP = $spListObj | Where-Object {$_.appId -eq $appid}
# Azure CLI releases built on Microsoft Graph name the scopes property oauth2PermissionScopes; older ones use oauth2Permissions
$scopes = if ($SP.oauth2PermissionScopes) { $SP.oauth2PermissionScopes } else { $SP.oauth2Permissions }
# List of Application Roles
$SP.appRoles | Select-Object id, value, isEnabled, displayName, description | Export-Excel -Path "C:\Scripts\Get-AppRoles_PermissionScopeIDs\MSPermissions_$appid.xlsx" -WorksheetName "AppRoles" -AutoSize
# List of Application Scopes (admin consent)
$scopes | Where-Object {$_.type -eq 'admin'} | Sort-Object value | Select-Object id, value, isEnabled, type, adminConsentDisplayName, adminConsentDescription | Export-Excel -Path "C:\Scripts\Get-AppRoles_PermissionScopeIDs\MSPermissions_$appid.xlsx" -WorksheetName "ApplicationScopeIDs" -AutoSize
# List of Delegated Scopes (user consent)
$scopes | Where-Object {$_.type -eq 'User'} | Sort-Object value | Select-Object id, value, isEnabled, type, userConsentDisplayName, userConsentDescription | Export-Excel -Path "C:\Scripts\Get-AppRoles_PermissionScopeIDs\MSPermissions_$appid.xlsx" -WorksheetName "DelegatedScopeIDs" -AutoSize
In the Azure AD portal, Role permissions are displayed as Application and scope permissions are displayed as Delegated.
Role permissions are listed in the AppRoles worksheet. Scope permissions are listed in the ApplicationScopeIDs and DelegatedScopeIDs worksheets respectively. The ApplicationScopeIDs worksheet contains the API permissions that need admin consent, indicated by the column type=admin, and the DelegatedScopeIDs worksheet contains the API permissions that need user consent, indicated by the column type=user.
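The same data also works in the other direction, which is useful when reviewing what an existing app has been granted: the requiredResourceAccess section of an application manifest holds only GUIDs, and they can be resolved back to permission names. The following is an added example, not code from the original post. The function name Resolve-RequiredResourceAccess, the Example.Scope entry and the 1111…/2222… GUIDs are hypothetical, and both JSON samples are constructed so that it runs without a tenant.

```powershell
# Added example, not from the original post. All JSON below is constructed sample data.

# One service principal, shaped like an element of `az ad sp list --all` output.
# The two appRoles IDs come from the Microsoft Graph table in this post;
# the scope entry and its GUID are placeholders.
$spJson = @'
[
  {
    "appId": "00000003-0000-0000-c000-000000000000",
    "appDisplayName": "Microsoft Graph",
    "appRoles": [
      { "id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "value": "Mail.Read" },
      { "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "value": "RoleManagement.ReadWrite.Directory" }
    ],
    "oauth2Permissions": [
      { "id": "11111111-1111-1111-1111-111111111111", "value": "Example.Scope", "type": "User" }
    ]
  }
]
'@

# requiredResourceAccess section of an application manifest (constructed).
# The last entry uses a placeholder GUID that no role matches.
$manifestJson = @'
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        { "id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "type": "Role" },
        { "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "type": "Role" },
        { "id": "11111111-1111-1111-1111-111111111111", "type": "Scope" },
        { "id": "22222222-2222-2222-2222-222222222222", "type": "Role" }
      ]
    }
  ]
}
'@

$spListObj = $spJson | ConvertFrom-Json
$manifest  = $manifestJson | ConvertFrom-Json

# Hypothetical helper: turns manifest GUIDs into readable permission names.
function Resolve-RequiredResourceAccess {
    param(
        [Parameter(Mandatory)] $ServicePrincipals,
        [Parameter(Mandatory)] $RequiredResourceAccess
    )
    foreach ($resource in $RequiredResourceAccess) {
        # Find the resource API (for example Microsoft Graph) by its App ID
        $sp = $ServicePrincipals |
            Where-Object { $_.appId -eq $resource.resourceAppId } |
            Select-Object -First 1

        # Microsoft Graph shaped output names the scopes property oauth2PermissionScopes
        $scopes = if ($sp.oauth2PermissionScopes) { $sp.oauth2PermissionScopes } else { $sp.oauth2Permissions }

        foreach ($access in $resource.resourceAccess) {
            # Manifest type "Role" is shown as Application in the portal, "Scope" as Delegated
            $isRole     = $access.type -eq 'Role'
            $candidates = if ($isRole) { $sp.appRoles } else { $scopes }
            $match      = $candidates | Where-Object { $_.id -eq $access.id } | Select-Object -First 1

            [pscustomobject]@{
                Resource   = if ($sp) { $sp.appDisplayName } else { '<unknown resource>' }
                PortalType = if ($isRole) { 'Application' } else { 'Delegated' }
                Permission = if ($match) { $match.value } else { '<unresolved>' }
                Id         = $access.id
            }
        }
    }
}

Resolve-RequiredResourceAccess -ServicePrincipals $spListObj `
    -RequiredResourceAccess $manifest.requiredResourceAccess |
    Format-Table -AutoSize
```

Against a real tenant, replace $spJson with the output of az ad sp list --all and $manifestJson with the manifest of the application under review; an entry that stays unresolved points to an ID that the resource's service principal does not publish.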
I’ve included the output of the script with AppID = 00000003-0000-0000-c000-000000000000 (MS Graph) at the end of this post. It might help you if you are in a hurry and just need the permission ID of a single role or permission scope. I hope this post helped you out in one way or another. 😁
Thank you for stopping by. ✌
Addendum – MS Graph Role Permissions and Permission Scope IDs
Role permissions
Role Name | ID | Admin DisplayName |
AccessReview.Read.All | d07a8cc0-3d51-4b77-b3b0-32704d1f69fa | Read all access reviews |
AccessReview.ReadWrite.All | ef5f7d5c-338f-44b0-86c3-351f46c8bb5f | Manage all access reviews |
AccessReview.ReadWrite.Membership | 18228521-a591-40f1-b215-5fad4488c117 | Manage access reviews for group and app memberships |
AdministrativeUnit.Read.All | 134fd756-38ce-4afd-ba33-e9623dbe66c2 | Read all administrative units |
AdministrativeUnit.ReadWrite.All | 5eb59dd3-1da2-4329-8733-9dabdc435916 | Read and write all administrative units |
Agreement.Read.All | 2f3e6f8c-093b-4c57-a58b-ba5ce494a169 | Read all terms of use agreements |
Agreement.ReadWrite.All | c9090d00-6101-42f0-a729-c41074260d47 | Read and write all terms of use agreements |
AgreementAcceptance.Read.All | d8e4ec18-f6c0-4620-8122-c8b1f2bf400e | Read all terms of use acceptance statuses |
APIConnectors.Read.All | b86848a7-d5b1-41eb-a9b4-54a4e6306e97 | Read API connectors for authentication flows |
APIConnectors.ReadWrite.All | 1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171 | Read and write API connectors for authentication flows |
AppCatalog.Read.All | e12dae10-5a57-4817-b79d-dfbec5348930 | Read all app catalogs |
AppCatalog.ReadWrite.All | dc149144-f292-421e-b185-5953f2e98d7f | Read and write to all app catalogs |
Application.Read.All | 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 | Read all applications |
Application.ReadWrite.All | 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 | Read and write all applications |
Application.ReadWrite.OwnedBy | 18a4783c-866b-4cc7-a460-3d5e5662c884 | Manage apps that this app creates or owns |
AppRoleAssignment.ReadWrite.All | 06b708a9-e830-4db3-a914-8e69da51d44f | Manage app permission grants and app role assignments |
AttackSimulation.Read.All | 93283d0a-6322-4fa8-966b-8c121624760d | Read attack simulation data of an organization |
AuditLog.Read.All | b0afded3-3588-46d8-8b3d-9842eff778da | Read all audit log data |
AuthenticationContext.Read.All | 381f742f-e1f8-4309-b4ab-e3d91ae4c5c1 | Read all authentication context information |
AuthenticationContext.ReadWrite.All | a88eef72-fed0-4bf7-a2a9-f19df33f8b83 | Read and write all authentication context information |
Bookings.Read.All | 6e98f277-b046-4193-a4f2-6bf6a78cd491 | Read all Bookings related resources. |
BookingsAppointment.ReadWrite.All | 9769393e-5a9f-4302-9e3d-7e018ecb64a7 | Read and write all Bookings related resources. |
Calendars.Read | 798ee544-9d2d-430c-a058-570e29e34338 | Read calendars in all mailboxes |
Calendars.ReadWrite | ef54d2bf-783f-4e0f-bca1-3210c0444d99 | Read and write calendars in all mailboxes |
CallRecord-PstnCalls.Read.All | a2611786-80b3-417e-adaa-707d4261a5f0 | Read PSTN and direct routing call log data |
CallRecords.Read.All | 45bbb07e-7321-4fd7-a8f6-3ff27e6a81c8 | Read all call records |
Calls.AccessMedia.All | a7a681dc-756e-4909-b988-f160edc6655f | Access media streams in a call as an app |
Calls.Initiate.All | 284383ee-7f6e-4e40-a2a8-e85dcb029101 | Initiate outgoing 1 to 1 calls from the app |
Calls.InitiateGroupCall.All | 4c277553-8a09-487b-8023-29ee378d8324 | Initiate outgoing group calls from the app |
Calls.JoinGroupCall.All | f6b49018-60ab-4f81-83bd-22caeabfed2d | Join group calls and meetings as an app |
Calls.JoinGroupCallAsGuest.All | fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4 | Join group calls and meetings as a guest |
Channel.Create | f3a65bd4-b703-46df-8f7e-0174fea562aa | Create channels |
Channel.Delete.All | 6a118a39-1227-45d4-af0c-ea7b40d210bc | Delete channels |
Channel.ReadBasic.All | 59a6b24b-4225-4393-8165-ebaec5f55d7a | Read the names and descriptions of all channels |
ChannelMember.Read.All | 3b55498e-47ec-484f-8136-9013221c06a9 | Read the members of all channels |
ChannelMember.ReadWrite.All | 35930dcf-aceb-4bd1-b99a-8ffed403c974 | Add and remove members from all channels |
ChannelMessage.Read.All | 7b2449af-6ccd-4f4d-9f78-e550c193f0d1 | Read all channel messages |
ChannelMessage.UpdatePolicyViolation.All | 4d02b0cc-d90b-441f-8d82-4fb55c34d6bb | Flag channel messages for violating policy |
ChannelSettings.Read.All | c97b873f-f59f-49aa-8a0e-52b32d762124 | Read the names, descriptions, and settings of all channels |
ChannelSettings.ReadWrite.All | 243cded2-bd16-4fd6-a953-ff8177894c3d | Read and write the names, descriptions, and settings of all channels |
Chat.Create | d9c48af6-9ad9-47ad-82c3-63757137b9af | Create chats |
Chat.Read.All | 6b7d71aa-70aa-4810-a8d9-5d9fb2830017 | Read all chat messages |
Chat.Read.WhereInstalled | 1c1b4c8e-3cc7-4c58-8470-9b92c9d5848b | Read all chat messages for chats where the associated Teams application is installed. |
Chat.ReadBasic.All | b2e060da-3baf-4687-9611-f4ebc0f0cbde | Read names and members of all chat threads |
Chat.ReadBasic.WhereInstalled | 818ba5bd-5b3e-4fe0-bbe6-aa4686669073 | Read names and members of all chat threads where the associated Teams application is installed. |
Chat.ReadWrite.All | 294ce7c9-31ba-490a-ad7d-97a7d075e4ed | Read and write all chat messages |
Chat.ReadWrite.WhereInstalled | ad73ce80-f3cd-40ce-b325-df12c33df713 | Read and write all chat messages for chats where the associated Teams application is installed. |
Chat.UpdatePolicyViolation.All | 7e847308-e030-4183-9899-5235d7270f58 | Flag chat messages for violating policy |
ChatMember.Read.All | a3410be2-8e48-4f32-8454-c29a7465209d | Read the members of all chats |
ChatMember.Read.WhereInstalled | 93e7c9e4-54c5-4a41-b796-f2a5adaacda7 | Read the members of all chats where the associated Teams application is installed. |
ChatMember.ReadWrite.All | 57257249-34ce-4810-a8a2-a03adf0c5693 | Add and remove members from all chats |
ChatMember.ReadWrite.WhereInstalled | e32c2cd9-0124-4e44-88fc-772cd98afbdb | Add and remove members from all chats where the associated Teams application is installed. |
ChatMessage.Read.All | b9bb2381-47a4-46cd-aafb-00cb12f68504 | Read all chat messages |
CloudPC.Read.All | a9e09520-8ed4-4cde-838e-4fdea192c227 | Read Cloud PCs |
CloudPC.ReadWrite.All | 3b4349e1-8cf5-45a3-95b7-69d1751d3e6a | Read and write Cloud PCs |
ConsentRequest.Read.All | 1260ad83-98fb-4785-abbb-d6cc1806fd41 | Read all consent requests |
ConsentRequest.ReadWrite.All | 9f1b81a7-0223-4428-bfa4-0bcb5535f27d | Read and write all consent requests |
Contacts.Read | 089fe4d0-434a-44c5-8827-41ba8a0b17f5 | Read contacts in all mailboxes |
Contacts.ReadWrite | 6918b873-d17a-4dc1-b314-35f528134491 | Read and write contacts in all mailboxes |
CrossTenantInformation.ReadBasic.All | cac88765-0581-4025-9725-5ebc13f729ee | Read cross-tenant basic information |
CrossTenantUserProfileSharing.Read.All | 8b919d44-6192-4f3d-8a3b-f86f8069ae3c | Read all shared cross-tenant user profiles and export their data |
CrossTenantUserProfileSharing.ReadWrite.All | 306785c5-c09b-4ba0-a4ee-023f3da165cb | Read all shared cross-tenant user profiles and export or delete their data |
CustomAuthenticationExtension.Read.All | 88bb2658-5d9e-454f-aacd-a3933e079526 | Read all custom authentication extensions |
CustomAuthenticationExtension.ReadWrite.All | c2667967-7050-4e7e-b059-4cbbb3811d03 | Read and write all custom authentication extensions |
CustomAuthenticationExtension.Receive.Payload | 214e810f-fda8-4fd7-a475-29461495eb00 | Receive custom authentication extension HTTP requests |
CustomSecAttributeAssignment.Read.All | 3b37c5a4-1226-493d-bec3-5d6c6b866f3f | Read custom security attribute assignments |
CustomSecAttributeAssignment.ReadWrite.All | de89b5e4-5b8f-48eb-8925-29c2b33bd8bd | Read and write custom security attribute assignments |
CustomSecAttributeDefinition.Read.All | b185aa14-d8d2-42c1-a685-0f5596613624 | Read custom security attribute definitions |
CustomSecAttributeDefinition.ReadWrite.All | 12338004-21f4-4896-bf5e-b75dfaf1016d | Read and write custom security attribute definitions |
DelegatedAdminRelationship.Read.All | f6e9e124-4586-492f-adc0-c6f96e4823fd | Read Delegated Admin relationships with customers |
DelegatedAdminRelationship.ReadWrite.All | cc13eba4-8cd8-44c6-b4d4-f93237adce58 | Manage Delegated Admin relationships with customers |
DelegatedPermissionGrant.ReadWrite.All | 8e8e4742-1d95-4f68-9d56-6ee75648c72a | Manage all delegated permission grants |
Device.Read.All | 7438b122-aefc-4978-80ed-43db9fcc7715 | Read all devices |
Device.ReadWrite.All | 1138cb37-bd11-4084-a2b7-9f71582aeddb | Read and write devices |
DeviceManagementApps.Read.All | 7a6ee1e7-141e-4cec-ae74-d9db155731ff | Read Microsoft Intune apps |
DeviceManagementApps.ReadWrite.All | 78145de6-330d-4800-a6ce-494ff2d33d07 | Read and write Microsoft Intune apps |
DeviceManagementConfiguration.Read.All | dc377aa6-52d8-4e23-b271-2a7ae04cedf3 | Read Microsoft Intune device configuration and policies |
DeviceManagementConfiguration.ReadWrite.All | 9241abd9-d0e6-425a-bd4f-47ba86e767a4 | Read and write Microsoft Intune device configuration and policies |
DeviceManagementManagedDevices.PrivilegedOperations.All | 5b07b0dd-2377-4e44-a38d-703f09a0dc3c | Perform user-impacting remote actions on Microsoft Intune devices |
DeviceManagementManagedDevices.Read.All | 2f51be20-0bb4-4fed-bf7b-db946066c75e | Read Microsoft Intune devices |
DeviceManagementManagedDevices.ReadWrite.All | 243333ab-4d21-40cb-a475-36241daa0842 | Read and write Microsoft Intune devices |
DeviceManagementRBAC.Read.All | 58ca0d9a-1575-47e1-a3cb-007ef2e4583b | Read Microsoft Intune RBAC settings |
DeviceManagementRBAC.ReadWrite.All | e330c4f0-4170-414e-a55a-2f022ec2b57b | Read and write Microsoft Intune RBAC settings |
DeviceManagementServiceConfig.Read.All | 06a5fe6d-c49d-46a7-b082-56b1b14103c7 | Read Microsoft Intune configuration |
DeviceManagementServiceConfig.ReadWrite.All | 5ac13192-7ace-4fcf-b828-1a26f28068ee | Read and write Microsoft Intune configuration |
Directory.Read.All | 7ab1d382-f21e-4acd-a863-ba3e13f7da61 | Read directory data |
Directory.ReadWrite.All | 19dbc75e-c2e2-444c-a770-ec69d8559fc7 | Read and write directory data |
Directory.Write.Restricted | f20584af-9290-4153-9280-ff8bb2c0ea7f | Manage restricted resources in the directory |
DirectoryRecommendations.Read.All | ae73097b-cb2a-4447-b064-5d80f6093921 | Read all Azure AD recommendations |
DirectoryRecommendations.ReadWrite.All | 0e9eea12-4f01-45f6-9b8d-3ea4c8144158 | Read and update all Azure AD recommendations |
Domain.Read.All | dbb9058a-0e50-45d7-ae91-66909b5d4664 | Read domains |
Domain.ReadWrite.All | 7e05723c-0bb0-42da-be95-ae9f08a6e53c | Read and write domains |
eDiscovery.Read.All | 50180013-6191-4d1e-a373-e590ff4e66af | Read all eDiscovery objects |
eDiscovery.ReadWrite.All | b2620db1-3bf7-4c5b-9cb9-576d29eac736 | Read and write all eDiscovery objects |
EduAdministration.Read.All | 7c9db06a-ec2d-4e7b-a592-5a1e30992566 | Read Education app settings |
EduAdministration.ReadWrite.All | 9bc431c3-b8bc-4a8d-a219-40f10f92eff6 | Manage education app settings |
EduAssignments.Read.All | 4c37e1b6-35a1-43bf-926a-6f30f2cdf585 | Read class assignments with grades |
EduAssignments.ReadBasic.All | 6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e | Read class assignments without grades |
EduAssignments.ReadWrite.All | 0d22204b-6cad-4dd0-8362-3e3f2ae699d9 | Read and write class assignments with grades |
EduAssignments.ReadWriteBasic.All | f431cc63-a2de-48c4-8054-a34bc093af84 | Read and write class assignments without grades |
EduRoster.Read.All | e0ac9e1b-cb65-4fc5-87c5-1a8bc181f648 | Read the organization’s roster |
EduRoster.ReadBasic.All | 0d412a8c-a06c-439f-b3ec-8abcf54d2f96 | Read a limited subset of the organization’s roster |
EduRoster.ReadWrite.All | d1808e82-ce13-47af-ae0d-f9b254e6d58a | Read and write the organization’s roster |
EntitlementManagement.Read.All | c74fd47d-ed3c-45c3-9a9e-b8676de685d2 | Read all entitlement management resources |
EntitlementManagement.ReadWrite.All | 9acd699f-1e81-4958-b001-93b1d2506e19 | Read and write all entitlement management resources |
EventListener.Read.All | b7f6385c-6ce6-4639-a480-e23c42ed9784 | Read all authentication event listeners |
EventListener.ReadWrite.All | 0edf5e9e-4ce8-468a-8432-d08631d18c43 | Read and write all authentication event listeners |
ExternalConnection.Read.All | 1914711b-a1cb-4793-b019-c2ce0ed21b8c | Read all external connections |
ExternalConnection.ReadWrite.All | 34c37bc0-2b40-4d5e-85e1-2365cd256d79 | Read and write all external connections |
ExternalConnection.ReadWrite.OwnedBy | f431331c-49a6-499f-be1c-62af19c34a9d | Read and write external connections |
ExternalItem.Read.All | 7a7cffad-37d2-4f48-afa4-c6ab129adcc2 | Read all external items |
ExternalItem.ReadWrite.All | 38c3d6ee-69ee-422f-b954-e17819665354 | Read and write items in external datasets |
ExternalItem.ReadWrite.OwnedBy | 8116ae0f-55c2-452d-9944-d18420f5b2c8 | Read and write external items |
Files.Read.All | 01d4889c-1287-42c6-ac1f-5d1e02578ef6 | Read files in all site collections |
Files.ReadWrite.All | 75359482-378d-4052-8f01-80520e7db3cd | Read and write files in all site collections |
Group.Create | bf7b1a76-6e77-406b-b258-bf5c7720e98f | Create groups |
Group.Read.All | 5b567255-7703-4780-807c-7be8301ae99b | Read all groups |
Group.ReadWrite.All | 62a82d76-70ea-41e2-9197-370581804d09 | Read and write all groups |
GroupMember.Read.All | 98830695-27a2-44f7-8c18-0c3ebc9698f6 | Read all group memberships |
GroupMember.ReadWrite.All | dbaae8cf-10b5-4b86-a4a1-f871c94c6695 | Read and write all group memberships |
IdentityProvider.Read.All | e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0 | Read identity providers |
IdentityProvider.ReadWrite.All | 90db2b9a-d928-4d33-a4dd-8442ae3d41e4 | Read and write identity providers |
IdentityRiskEvent.Read.All | 6e472fd1-ad78-48da-a0f0-97ab2c6b769e | Read all identity risk event information |
IdentityRiskEvent.ReadWrite.All | db06fb33-1953-4b7b-a2ac-f1e2c854f7ae | Read and write all risk detection information |
IdentityRiskyServicePrincipal.Read.All | 607c7344-0eed-41e5-823a-9695ebe1b7b0 | Read all identity risky service principal information |
IdentityRiskyServicePrincipal.ReadWrite.All | cb8d6980-6bcb-4507-afec-ed6de3a2d798 | Read and write all identity risky service principal information |
IdentityRiskyUser.Read.All | dc5007c0-2d7d-4c42-879c-2dab87571379 | Read all identity risky user information |
IdentityRiskyUser.ReadWrite.All | 656f6061-f9fe-4807-9708-6a2e0934df76 | Read and write all risky user information |
IdentityUserFlow.Read.All | 1b0c317f-dd31-4305-9932-259a8b6e8099 | Read all identity user flows |
IdentityUserFlow.ReadWrite.All | 65319a09-a2be-469d-8782-f6b07debf789 | Read and write all identity user flows |
InformationProtectionContent.Sign.All | cbe6c7e4-09aa-4b8d-b3c3-2dbb59af4b54 | Sign digests for data |
InformationProtectionContent.Write.All | 287bd98c-e865-4e8c-bade-1a85523195b9 | Create protected content |
InformationProtectionPolicy.Read.All | 19da66cb-0fb0-4390-b071-ebc76a349482 | Read all published labels and label policies for an organization. |
LearningContent.Read.All | 8740813e-d8aa-4204-860e-2a0f8f84dbc8 | Read all learning content |
LearningContent.ReadWrite.All | 444d6fcb-b738-41e5-b103-ac4f2a2628a3 | Manage all learning content |
LicenseAssignment.ReadWrite.All | 5facf0c1-8979-4e95-abcf-ff3d079771c0 | Manage all license assignments |
LifecycleWorkflows.Read.All | 7c67316a-232a-4b84-be22-cea2c0906404 | Read all lifecycle workflows resources |
LifecycleWorkflows.ReadWrite.All | 5c505cf4-8424-4b8e-aa14-ee06e3bb23e3 | Read and write all lifecycle workflows resources |
Mail.Read | 810c84a8-4a9e-49e6-bf7d-12d183f40d01 | Read mail in all mailboxes |
Mail.ReadBasic | 6be147d2-ea4f-4b5a-a3fa-3eab6f3c140a | Read basic mail in all mailboxes |
Mail.ReadBasic.All | 693c5e45-0940-467d-9b8a-1022fb9d42ef | Read basic mail in all mailboxes |
Mail.ReadWrite | e2a3a72e-5f79-4c64-b1b1-878b674786c9 | Read and write mail in all mailboxes |
Mail.Send | b633e1c5-b582-4048-a93e-9f11b44c7e96 | Send mail as any user |
MailboxSettings.Read | 40f97065-369a-49f4-947c-6a255697ae91 | Read all user mailbox settings |
MailboxSettings.ReadWrite | 6931bccd-447a-43d1-b442-00a195474933 | Read and write all user mailbox settings |
Member.Read.Hidden | 658aa5d8-239f-45c4-aa12-864f4fc7e490 | Read all hidden memberships |
Notes.Read.All | 3aeca27b-ee3a-4c2b-8ded-80376e2134a4 | Read all OneNote notebooks |
Notes.ReadWrite.All | 0c458cef-11f3-48c2-a568-c66751c238c0 | Read and write all OneNote notebooks |
OnlineMeetingArtifact.Read.All | df01ed3b-eb61-4eca-9965-6b3d789751b2 | Read online meeting artifacts |
OnlineMeetingRecording.Read.All | a4a08342-c95d-476b-b943-97e100569c8d | Read all recordings of online meetings. |
OnlineMeetings.Read.All | c1684f21-1984-47fa-9d61-2dc8c296bb70 | Read online meeting details |
OnlineMeetings.ReadWrite.All | b8bb2037-6e08-44ac-a4ea-4674e010e2a4 | Read and create online meetings |
OnlineMeetingTranscript.Read.All | a4a80d8d-d283-4bd8-8504-555ec3870630 | Read all transcripts of online meetings. |
OnPremisesPublishingProfiles.ReadWrite.All | 0b57845e-aa49-4e6f-8109-ce654fffa618 | Manage on-premises published resources |
Organization.Read.All | 498476ce-e0fe-48b0-b801-37ba7e2685c6 | Read organization information |
Organization.ReadWrite.All | 292d869f-3427-49a8-9dab-8c70152b74e9 | Read and write organization information |
OrgContact.Read.All | e1a88a34-94c4-4418-be12-c87b00e26bea | Read organizational contacts |
People.Read.All | b528084d-ad10-4598-8b93-929746b4d7d6 | Read all users’ relevant people lists |
Place.Read.All | 913b9306-0ce1-42b8-9137-6a7df690a760 | Read all company places |
Policy.Read.All | 246dd0d5-5bd0-4def-940b-0421030a5b68 | Read your organization’s policies |
Policy.Read.ConditionalAccess | 37730810-e9ba-4e46-b07e-8ca78d182097 | Read your organization’s conditional access policies |
Policy.Read.PermissionGrant | 9e640839-a198-48fb-8b9a-013fd6f6cbcd | Read consent and permission grant policies |
Policy.ReadWrite.AccessReview | 77c863fd-06c0-47ce-a7eb-49773e89d319 | Read and write your organization’s directory access review default policy |
Policy.ReadWrite.ApplicationConfiguration | be74164b-cff1-491c-8741-e671cb536e13 | Read and write your organization’s application configuration policies |
Policy.ReadWrite.AuthenticationFlows | 25f85f3c-f66c-4205-8cd5-de92dd7f0cec | Read and write authentication flow policies |
Policy.ReadWrite.AuthenticationMethod | 29c18626-4985-4dcd-85c0-193eef327366 | Read and write all authentication method policies |
Policy.ReadWrite.Authorization | fb221be6-99f2-473f-bd32-01c6a0e9ca3b | Read and write your organization’s authorization policy |
Policy.ReadWrite.ConditionalAccess | 01c0a623-fc9b-48e9-b794-0756f8e8f067 | Read and write your organization’s conditional access policies |
Policy.ReadWrite.ConsentRequest | 999f8c63-0a38-4f1b-91fd-ed1947bdd1a9 | Read and write your organization’s consent request policy |
Policy.ReadWrite.CrossTenantAccess | 338163d7-f101-4c92-94ba-ca46fe52447c | Read and write your organization’s cross tenant access policies |
Policy.ReadWrite.FeatureRollout | 2044e4f1-e56c-435b-925c-44cd8f6ba89a | Read and write feature rollout policies |
Policy.ReadWrite.PermissionGrant | a402ca1c-2696-4531-972d-6e5ee4aa11ea | Manage consent and permission grant policies |
Policy.ReadWrite.TrustFramework | 79a677f7-b79d-40d0-a36a-3e6f8688dd7a | Read and write your organization’s trust framework policies |
Presence.ReadWrite.All | 83cded22-8297-4ff6-a7fa-e97e9545a259 | Read and write presence information for all users |
Printer.Read.All | 9709bb33-4549-49d4-8ed9-a8f65e45bb0f | Read printers |
Printer.ReadWrite.All | f5b3f73d-6247-44df-a74c-866173fddab0 | Read and update printers |
PrintJob.Manage.All | 58a52f47-9e36-4b17-9ebe-ce4ef7f3e6c8 | Perform advanced operations on print jobs |
PrintJob.Read.All | ac6f956c-edea-44e4-bd06-64b1b4b9aec9 | Read print jobs |
PrintJob.ReadBasic.All | fbf67eee-e074-4ef7-b965-ab5ce1c1f689 | Read basic information for print jobs |
PrintJob.ReadWrite.All | 5114b07b-2898-4de7-a541-53b0004e2e13 | Read and write print jobs |
PrintJob.ReadWriteBasic.All | 57878358-37f4-4d3a-8c20-4816e0d457b1 | Read and write basic information for print jobs |
PrintSettings.Read.All | b5991872-94cf-4652-9765-29535087c6d8 | Read tenant-wide print settings |
PrintTaskDefinition.ReadWrite.All | 456b71a7-0ee0-4588-9842-c123fcc8f664 | Read, write and update print task definitions |
PrivilegedAccess.Read.AzureAD | 4cdc2547-9148-4295-8d11-be0db1391d6b | Read privileged access to Azure AD roles |
PrivilegedAccess.Read.AzureADGroup | 01e37dc9-c035-40bd-b438-b2879c4870a6 | Read privileged access to Azure AD groups |
PrivilegedAccess.Read.AzureResources | 5df6fe86-1be0-44eb-b916-7bd443a71236 | Read privileged access to Azure resources |
PrivilegedAccess.ReadWrite.AzureAD | 854d9ab1-6657-4ec8-be45-823027bcd009 | Read and write privileged access to Azure AD roles |
PrivilegedAccess.ReadWrite.AzureADGroup | 2f6817f8-7b12-4f0f-bc18-eeaf60705a9e | Read and write privileged access to Azure AD groups |
PrivilegedAccess.ReadWrite.AzureResources | 6f9d5abc-2db6-400b-a267-7de22a40fb87 | Read and write privileged access to Azure resources |
ProgramControl.Read.All | eedb7fdd-7539-4345-a38b-4839e4a84cbd | Read all programs |
ProgramControl.ReadWrite.All | 60a901ed-09f7-4aa5-a16e-7dd3d6f9de36 | Manage all programs |
RecordsManagement.Read.All | ac3a2b8e-03a3-4da9-9ce0-cbe28bf1accd | Read Records Management configuration, labels and policies |
RecordsManagement.ReadWrite.All | eb158f57-df43-4751-8b21-b8932adb3d34 | Read and write Records Management configuration, labels and policies |
Reports.Read.All | 230c1aed-a721-4c5d-9cb4-a90514e508ef | Read all usage reports |
ReportSettings.Read.All | ee353f83-55ef-4b78-82da-555bfa2b4b95 | Read all admin report settings |
ReportSettings.ReadWrite.All | 2a60023f-3219-47ad-baa4-40e17cd02a1d | Read and write all admin report settings |
RoleManagement.Read.All | c7fbd983-d9aa-4fa7-84b8-17382c103bc4 | Read role management data for all RBAC providers |
RoleManagement.Read.CloudPC | 031a549a-bb80-49b6-8032-2068448c6a3c | Read Cloud PC RBAC settings |
RoleManagement.Read.Directory | 483bed4a-2ad3-4361-a73b-c83ccdbdc53c | Read all directory RBAC settings |
RoleManagement.ReadWrite.CloudPC | 274d0592-d1b6-44bd-af1d-26d259bcb43a | Read and write all Cloud PC RBAC settings |
RoleManagement.ReadWrite.Directory | 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 | Read and write all directory RBAC settings |
Schedule.Read.All | 7b2ebf90-d836-437f-b90d-7b62722c4456 | Read all schedule items |
Schedule.ReadWrite.All | b7760610-0545-4e8a-9ec3-cce9e63db01c | Read and write all schedule items |
SearchConfiguration.Read.All | ada977a5-b8b1-493b-9a91-66c206d76ecf | Read your organization’s search configuration |
SearchConfiguration.ReadWrite.All | 0e778b85-fefa-466d-9eec-750569d92122 | Read and write your organization’s search configuration |
SecurityActions.Read.All | 5e0edab9-c148-49d0-b423-ac253e121825 | Read your organization’s security actions |
SecurityActions.ReadWrite.All | f2bf083f-0179-402a-bedb-b2784de8a49b | Read and update your organization’s security actions |
SecurityAlert.Read.All | 472e4a4d-bb4a-4026-98d1-0b0d74cb74a5 | Read all security alerts |
SecurityAlert.ReadWrite.All | ed4fca05-be46-441f-9803-1873825f8fdb | Read and write to all security alerts |
SecurityEvents.Read.All | bf394140-e372-4bf9-a898-299cfc7564e5 | Read your organizations security events |
SecurityEvents.ReadWrite.All | d903a879-88e0-4c09-b0c9-82f6a1333f84 | Read and update your organizations security events |
SecurityIncident.Read.All | 45cc0394-e837-488b-a098-1918f48d186c | Read all security incidents |
SecurityIncident.ReadWrite.All | 34bf0e97-1971-4929-b999-9e2442d941d7 | Read and write to all security incidents |
ServiceHealth.Read.All | 79c261e0-fe76-4144-aad5-bdc68fbe4037 | Read service health |
ServiceMessage.Read.All | 1b620472-6534-4fe6-9df2-4680e8aa28ec | Read service messages |
ServicePrincipalEndpoint.Read.All | 5256681e-b7f6-40c0-8447-2d9db68797a0 | Read service principal endpoints |
ServicePrincipalEndpoint.ReadWrite.All | 89c8469c-83ad-45f7-8ff2-6e3d4285709e | Read and update service principal endpoints |
SharePointTenantSettings.Read.All | 83d4163d-a2d8-4d3b-9695-4ae3ca98f888 | Read SharePoint and OneDrive tenant settings |
SharePointTenantSettings.ReadWrite.All | 19b94e34-907c-4f43-bde9-38b1909ed408 | Read and change SharePoint and OneDrive tenant settings |
ShortNotes.Read.All | 0c7d31ec-31ca-4f58-b6ec-9950b6b0de69 | Read all users’ short notes |
ShortNotes.ReadWrite.All | 842c284c-763d-4a97-838d-79787d129bab | Read, create, edit, and delete all users’ short notes |
Sites.FullControl.All | a82116e5-55eb-4c41-a434-62fe8a61c773 | Have full control of all site collections |
Sites.Manage.All | 0c0bf378-bf22-4481-8f81-9e89a9b4960a | Create, edit, and delete items and lists in all site collections |
Sites.Read.All | 332a536c-c7ef-4017-ab91-336970924f0d | Read items in all site collections |
Sites.ReadWrite.All | 9492366f-7969-46a4-8d15-ed1a20078fff | Read and write items in all site collections |
Sites.Selected | 883ea226-0bf2-4a8f-9f9d-92c9162a727d | Access selected site collections |
SubjectRightsRequest.Read.All | ee1460f0-368b-4153-870a-4e1ca7e72c42 | Read all subject rights requests |
SubjectRightsRequest.ReadWrite.All | 8387eaa4-1a3c-41f5-b261-f888138e6041 | Read and write all subject rights requests |
Tasks.Read.All | f10e1f91-74ed-437f-a6fd-d6ae88e26c1f | Read all users tasks and tasklist |
Tasks.ReadWrite.All | 44e666d1-d276-445b-a5fc-8815eeb81d55 | Read and write all users tasks and tasklists |
Team.Create | 23fc2474-f741-46ce-8465-674744c5c361 | Create teams |
Team.ReadBasic.All | 2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e | Get a list of all teams |
TeamMember.Read.All | 660b7406-55f1-41ca-a0ed-0b035e182f3e | Read the members of all teams |
TeamMember.ReadWrite.All | 0121dc95-1b9f-4aed-8bac-58c5ac466691 | Add and remove members from all teams |
TeamMember.ReadWriteNonOwnerRole.All | 4437522e-9a86-4a41-a7da-e380edd4a97d | Add and remove members with non-owner role for all teams |
TeamsActivity.Read.All | 70dec828-f620-4914-aa83-a29117306807 | Read all users’ teamwork activity feed |
TeamsActivity.Send | a267235f-af13-44dc-8385-c1dc93023186 | Send a teamwork activity to any user |
TeamsAppInstallation.ReadForChat.All | cc7e7635-2586-41d6-adaa-a8d3bcad5ee5 | Read installed Teams apps for all chats |
TeamsAppInstallation.ReadForTeam.All | 1f615aea-6bf9-4b05-84bd-46388e138537 | Read installed Teams apps for all teams |
TeamsAppInstallation.ReadForUser.All | 9ce09611-f4f7-4abd-a629-a05450422a97 | Read installed Teams apps for all users |
TeamsAppInstallation.ReadWriteForChat.All | 9e19bae1-2623-4c4f-ab6e-2664615ff9a0 | Manage Teams apps for all chats |
TeamsAppInstallation.ReadWriteForTeam.All | 5dad17ba-f6cc-4954-a5a2-a0dcc95154f0 | Manage Teams apps for all teams |
TeamsAppInstallation.ReadWriteForUser.All | 74ef0291-ca83-4d02-8c7e-d2391e6a444f | Manage Teams apps for all users |
TeamsAppInstallation.ReadWriteSelfForChat.All | 73a45059-f39c-4baf-9182-4954ac0e55cf | Allow the Teams app to manage itself for all chats |
TeamsAppInstallation.ReadWriteSelfForTeam.All | 9f67436c-5415-4e7f-8ac1-3014a7132630 | Allow the Teams app to manage itself for all teams |
TeamsAppInstallation.ReadWriteSelfForUser.All | 908de74d-f8b2-4d6b-a9ed-2a17b3b78179 | Allow the app to manage itself for all users |
TeamSettings.Read.All | 242607bd-1d2c-432c-82eb-bdb27baa23ab | Read all teams’ settings |
TeamSettings.ReadWrite.All | bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f | Read and change all teams’ settings |
TeamsTab.Create | 49981c42-fd7b-4530-be03-e77b21aed25e | Create tabs in Microsoft Teams. |
TeamsTab.Read.All | 46890524-499a-4bb2-ad64-1476b4f3e1cf | Read tabs in Microsoft Teams. |
TeamsTab.ReadWrite.All | a96d855f-016b-47d7-b51c-1218a98d791c | Read and write tabs in Microsoft Teams. |
TeamsTab.ReadWriteForChat.All | fd9ce730-a250-40dc-bd44-8dc8d20f39ea | Allow the Teams app to manage all tabs for all chats |
TeamsTab.ReadWriteForTeam.All | 6163d4f4-fbf8-43da-a7b4-060fe85ed148 | Allow the Teams app to manage all tabs for all teams |
TeamsTab.ReadWriteForUser.All | 425b4b59-d5af-45c8-832f-bb0b7402348a | Allow the app to manage all tabs for all users |
TeamsTab.ReadWriteSelfForChat.All | 9f62e4a2-a2d6-4350-b28b-d244728c4f86 | Allow the Teams app to manage only its own tabs for all chats |
TeamsTab.ReadWriteSelfForTeam.All | 91c32b81-0ef0-453f-a5c7-4ce2e562f449 | Allow the Teams app to manage only its own tabs for all teams |
TeamsTab.ReadWriteSelfForUser.All | 3c42dec6-49e8-4a0a-b469-36cff0d9da93 | Allow the Teams app to manage only its own tabs for all users |
Teamwork.Migrate.All | dfb0dd15-61de-45b2-be36-d6a69fba3c79 | Create chat and channel messages with anyone’s identity and with any timestamp |
TeamworkAppSettings.Read.All | 475ebe88-f071-4bd7-af2b-642952bd4986 | Read Teams app settings |
TeamworkAppSettings.ReadWrite.All | ab5b445e-8f10-45f4-9c79-dd3f8062cc4e | Read and write Teams app settings |
TeamworkDevice.Read.All | 0591bafd-7c1c-4c30-a2a5-2b9aacb1dfe8 | Read Teams devices |
TeamworkDevice.ReadWrite.All | 79c02f5b-bd4f-4713-bc2c-a8a4a66e127b | Read and write Teams devices |
TeamworkTag.Read.All | b74fd6c4-4bde-488e-9695-eeb100e4907f | Read tags in Teams |
TeamworkTag.ReadWrite.All | a3371ca5-911d-46d6-901c-42c8c7a937d8 | Read and write tags in Teams |
TermStore.Read.All | ea047cc2-df29-4f3e-83a3-205de61501ca | Read all term store data |
TermStore.ReadWrite.All | f12eb8d6-28e3-46e6-b2c0-b7e4dc69fc95 | Read and write all term store data |
ThreatAssessment.Read.All | f8f035bb-2cce-47fb-8bf5-7baf3ecbee48 | Read threat assessment requests |
ThreatHunting.Read.All | dd98c7f5-2d42-42d3-a0e4-633161547251 | Run hunting queries |
ThreatIndicators.Read.All | 197ee4e9-b993-4066-898f-d6aecc55125b | Read all threat indicators |
ThreatIndicators.ReadWrite.OwnedBy | 21792b6c-c986-4ffc-85de-df9da54b52fa | Manage threat indicators this app creates or owns |
ThreatSubmission.Read.All | 86632667-cd15-4845-ad89-48a88e8412e1 | Read all of the organization’s threat submissions |
ThreatSubmission.ReadWrite.All | d72bdbf4-a59b-405c-8b04-5995895819ac | Read and write all of the organization’s threat submissions |
ThreatSubmissionPolicy.ReadWrite.All | 926a6798-b100-4a20-a22f-a4918f13951d | Read and write all of the organization’s threat submission policies |
TrustFrameworkKeySet.Read.All | fff194f1-7dce-4428-8301-1badb5518201 | Read trust framework key sets |
TrustFrameworkKeySet.ReadWrite.All | 4a771c9a-1cf2-4609-b88e-3d3e02d539cd | Read and write trust framework key sets |
User.Export.All | 405a51b5-8d8d-430b-9842-8be4b0e9f324 | Export user’s data |
User.Invite.All | 09850681-111b-4a89-9bed-3f2cae46d706 | Invite guest users to the organization |
User.ManageIdentities.All | c529cfca-c91b-489c-af2b-d92990b66ce6 | Manage all users’ identities |
User.Read.All | df021288-bdef-4463-88db-98f22de89214 | Read all users’ full profiles |
User.ReadWrite.All | 741f803b-c850-494e-b5df-cde7c675a1ca | Read and write all users’ full profiles |
UserAuthenticationMethod.Read.All | 38d9df27-64da-44fd-b7c5-a6fbac20248f | Read all users’ authentication methods |
UserAuthenticationMethod.ReadWrite.All | 50483e42-d915-4231-9639-7fdb7fd190e5 | Read and write all users’ authentication methods |
UserNotification.ReadWrite.CreatedByApp | 4e774092-a092-48d1-90bd-baad67c7eb47 | Deliver and manage all user’s notifications |
UserShiftPreferences.Read.All | de023814-96df-4f53-9376-1e2891ef5a18 | Read all user shift preferences |
UserShiftPreferences.ReadWrite.All | d1eec298-80f3-49b0-9efb-d90e224798ac | Read and write all user shift preferences |
WindowsUpdates.ReadWrite.All | 7dd1be58-6e76-4401-bf8d-31d1e8180d5b | Read and write all Windows update deployment settings |
WorkforceIntegration.ReadWrite.All | 202bf709-e8e6-478e-bcfd-5d63c50b68e3 | Read and write workforce integrations |
Scope permissions
Scope Name | ID | Type | DisplayName |
AccessReview.Read.All | ebfcd32b-babb-40f4-a14b-42706e83bd28 | Admin | Read all access reviews that user can access |
AccessReview.ReadWrite.All | e4aa47b9-9a69-4109-82ed-36ec70d85ff1 | Admin | Manage all access reviews that user can access |
AccessReview.ReadWrite.Membership | 5af8c3f5-baca-439a-97b0-ea58a435e269 | Admin | Manage access reviews for group and app memberships |
AdministrativeUnit.Read.All | 3361d15d-be43-4de6-b441-3c746d05163d | Admin | Read administrative units |
AdministrativeUnit.ReadWrite.All | 7b8a2d34-6b3f-4542-a343-54651608ad81 | Admin | Read and write administrative units |
Agreement.Read.All | af2819c9-df71-4dd3-ade7-4d7c9dc653b7 | Admin | Read all terms of use agreements |
Agreement.ReadWrite.All | ef4b5d93-3104-4664-9053-a5c49ab44218 | Admin | Read and write all terms of use agreements |
AgreementAcceptance.Read | 0b7643bb-5336-476f-80b5-18fbfbc91806 | Admin | Read user terms of use acceptance statuses |
AgreementAcceptance.Read.All | a66a5341-e66e-4897-9d52-c2df58c2bfb9 | Admin | Read terms of use acceptance statuses that user can access |
APIConnectors.Read.All | 1b6ff35f-31df-4332-8571-d31ea5a4893f | Admin | Read API connectors for authentication flows |
APIConnectors.ReadWrite.All | c67b52c5-7c69-48b6-9d48-7b3af3ded914 | Admin | Read and write API connectors for authentication flows |
AppCatalog.ReadWrite.All | 1ca167d5-1655-44a1-8adf-1414072e1ef9 | Admin | Read and write to all app catalogs |
Application.Read.All | c79f8feb-a9db-4090-85f9-90d820caa0eb | Admin | Read applications |
Application.ReadWrite.All | bdfbf15f-ee85-4955-8675-146e8e5296b5 | Admin | Read and write all applications |
AppRoleAssignment.ReadWrite.All | 84bccea3-f856-4a8a-967b-dbe0a3d53a64 | Admin | Manage app permission grants and app role assignments |
Approval.Read.All | 1196552e-b226-4363-b01e-b8901fe10a11 | Admin | Read approvals |
Approval.ReadWrite.All | 1d3d0bc7-4b3a-427a-ae9f-6de4e1edc95f | Admin | Read and write approvals |
AttackSimulation.Read.All | 104a7a4b-ca76-4677-b7e7-2f4bc482f381 | Admin | Read attack simulation data of an organization |
AuditLog.Read.All | e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20 | Admin | Read audit log data |
AuthenticationContext.Read.All | 57b030f1-8c35-469c-b0d9-e4a077debe70 | Admin | Read all authentication context information |
AuthenticationContext.ReadWrite.All | ba6d575a-1344-4516-b777-1404f5593057 | Admin | Read and write all authentication context information |
BitlockerKey.Read.All | b27a61ec-b99c-4d6a-b126-c4375d08ae30 | Admin | Read BitLocker keys |
BitlockerKey.ReadBasic.All | 5a107bfc-4f00-4e1a-b67e-66451267bc68 | Admin | Read BitLocker keys basic information |
Channel.Create | 101147cf-4178-4455-9d58-02b5c164e759 | Admin | Create channels |
Channel.Delete.All | cc83893a-e232-4723-b5af-bd0b01bcfe65 | Admin | Delete channels |
ChannelMember.Read.All | 2eadaff8-0bce-4198-a6b9-2cfc35a30075 | Admin | Read the members of channels |
ChannelMember.ReadWrite.All | 0c3e411a-ce45-4cd1-8f30-f99a3efa7b11 | Admin | Add and remove members from channels |
ChannelMessage.Read.All | 767156cb-16ae-4d10-8f8b-41b657c8c8c8 | Admin | Read user channel messages |
ChannelMessage.ReadWrite | 5922d31f-46c8-4404-9eaf-2117e390a8a4 | Admin | Read and write user channel messages |
ChannelSettings.Read.All | 233e0cf1-dd62-48bc-b65b-b38fe87fcf8e | Admin | Read the names, descriptions, and settings of channels |
ChannelSettings.ReadWrite.All | d649fb7c-72b4-4eec-b2b4-b15acf79e378 | Admin | Read and write the names, descriptions, and settings of channels |
ChatMember.Read | c5a9e2b1-faf6-41d4-8875-d381aa549b24 | Admin | Read the members of chats |
ChatMember.ReadWrite | dea13482-7ea6-488f-8b98-eb5bbecf033d | Admin | Add and remove members from chats |
CloudPC.ReadWrite.All | 9d77138f-f0e2-47ba-ab33-cd246c8b79d1 | Admin | Read and write Cloud PCs |
ConsentRequest.Read.All | f3bfad56-966e-4590-a536-82ecf548ac1e | Admin | Read consent requests |
ConsentRequest.ReadWrite.All | 497d9dfa-3bd1-481a-baab-90895e54568c | Admin | Read and write consent requests |
CrossTenantInformation.ReadBasic.All | 81594d25-e88e-49cf-ac8c-fecbff49f994 | Admin | Read cross-tenant basic information |
CrossTenantUserProfileSharing.Read | cb1ba48f-d22b-4325-a07f-74135a62ee41 | Admin | Read shared cross-tenant user profile and export data |
CrossTenantUserProfileSharing.Read.All | 759dcd16-3c90-463c-937e-abf89f991c18 | Admin | Read all shared cross-tenant user profiles and export their data |
CrossTenantUserProfileSharing.ReadWrite | eed0129d-dc60-4f30-8641-daf337a39ffd | Admin | Read shared cross-tenant user profile and export or delete data |
CrossTenantUserProfileSharing.ReadWrite.All | 64dfa325-cbf8-48e3-938d-51224a0cac01 | Admin | Read all shared cross-tenant user profiles and export or delete their data |
CustomAuthenticationExtension.Read.All | b2052569-c98c-4f36-a5fb-43e5c111e6d0 | Admin | Read your oganization’s custom authentication extensions |
CustomAuthenticationExtension.ReadWrite.All | 8dfcf82f-15d0-43b3-bc78-a958a13a5792 | Admin | Read and write your organization’s custom authentication extensions |
CustomSecAttributeAssignment.Read.All | b46ffa80-fe3d-4822-9a1a-c200932d54d0 | Admin | Read custom security attribute assignments |
CustomSecAttributeAssignment.ReadWrite.All | ca46335e-8453-47cd-a001-8459884efeae | Admin | Read and write custom security attribute assignments |
CustomSecAttributeDefinition.Read.All | ce026878-a0ff-4745-a728-d4fedd086c07 | Admin | Read custom security attribute definitions |
CustomSecAttributeDefinition.ReadWrite.All | 8b0160d4-5743-482b-bb27-efc0a485ca4a | Admin | Read and write custom security attribute definitions |
DelegatedAdminRelationship.Read.All | 0c0064ea-477b-4130-82a5-4c2cc4ff68aa | Admin | Read Delegated Admin relationships with customers |
DelegatedAdminRelationship.ReadWrite.All | 885f682f-a990-4bad-a642-36736a74b0c7 | Admin | Manage Delegated Admin relationships with customers |
DelegatedPermissionGrant.ReadWrite.All | 41ce6ca6-6826-4807-84f1-1c82854f7ee5 | Admin | Manage all delegated permission grants |
Device.Read.All | 951183d1-1a61-466f-a6d1-1fde911bfd95 | Admin | Read all devices |
DeviceManagementApps.Read.All | 4edf5f54-4666-44af-9de9-0144fb4b6e8c | Admin | Read Microsoft Intune apps |
DeviceManagementApps.ReadWrite.All | 7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af | Admin | Read and write Microsoft Intune apps |
DeviceManagementConfiguration.Read.All | f1493658-876a-4c87-8fa7-edb559b3476a | Admin | Read Microsoft Intune Device Configuration and Policies |
DeviceManagementConfiguration.ReadWrite.All | 0883f392-0a7a-443d-8c76-16a6d39c7b63 | Admin | Read and write Microsoft Intune Device Configuration and Policies |
DeviceManagementManagedDevices.PrivilegedOperations.All | 3404d2bf-2b13-457e-a330-c24615765193 | Admin | Perform user-impacting remote actions on Microsoft Intune devices |
DeviceManagementManagedDevices.Read.All | 314874da-47d6-4978-88dc-cf0d37f0bb82 | Admin | Read Microsoft Intune devices |
DeviceManagementManagedDevices.ReadWrite.All | 44642bfe-8385-4adc-8fc6-fe3cb2c375c3 | Admin | Read and write Microsoft Intune devices |
DeviceManagementRBAC.Read.All | 49f0cc30-024c-4dfd-ab3e-82e137ee5431 | Admin | Read Microsoft Intune RBAC settings |
DeviceManagementRBAC.ReadWrite.All | 0c5e8a55-87a6-4556-93ab-adc52c4d862d | Admin | Read and write Microsoft Intune RBAC settings |
DeviceManagementServiceConfig.Read.All | 8696daa5-bce5-4b2e-83f9-51b6defc4e1e | Admin | Read Microsoft Intune configuration |
DeviceManagementServiceConfig.ReadWrite.All | 662ed50a-ac44-4eef-ad86-62eed9be2a29 | Admin | Read and write Microsoft Intune configuration |
Directory.AccessAsUser.All | 0e263e50-5827-48a4-b97c-d940288653c7 | Admin | Access directory as the signed in user |
Directory.Read.All | 06da0dbc-49e2-44d2-8312-53f166ab848a | Admin | Read directory data |
Directory.ReadWrite.All | c5366453-9fb0-48a5-a156-24f0c49a4b84 | Admin | Read and write directory data |
Directory.Write.Restricted | cba5390f-ed6a-4b7f-b657-0efc2210ed20 | Admin | Manage restricted resources in the directory |
DirectoryRecommendations.Read.All | 34d3bd24-f6a6-468c-b67c-0c365c1d6410 | Admin | Read Azure AD recommendations |
DirectoryRecommendations.ReadWrite.All | f37235e8-90a0-4189-93e2-e55b53867ccd | Admin | Read and update Azure AD recommendations |
Domain.Read.All | 2f9ee017-59c1-4f1d-9472-bd5529a7b311 | Admin | Read domains. |
Domain.ReadWrite.All | 0b5d694c-a244-4bde-86e6-eb5cd07730fe | Admin | Read and write domains |
eDiscovery.Read.All | 99201db3-7652-4d5a-809a-bdb94f85fe3c | Admin | Read all eDiscovery objects |
eDiscovery.ReadWrite.All | acb8f680-0834-4146-b69e-4ab1b39745ad | Admin | Read and write all eDiscovery objects |
EduAdministration.Read | 8523895c-6081-45bf-8a5d-f062a2f12c9f | Admin | Read education app settings |
EduAdministration.ReadWrite | 63589852-04e3-46b4-bae9-15d5b1050748 | Admin | Manage education app settings |
EduAssignments.Read | 091460c9-9c4a-49b2-81ef-1f3d852acce2 | Admin | Read users’ class assignments and their grades |
EduAssignments.ReadBasic | c0b0103b-c053-4b2e-9973-9f3a544ec9b8 | Admin | Read users’ class assignments without grades |
EduAssignments.ReadWrite | 2f233e90-164b-4501-8bce-31af2559a2d3 | Admin | Read and write users’ class assignments and their grades |
EduAssignments.ReadWriteBasic | 2ef770a1-622a-47c4-93ee-28d6adbed3a0 | Admin | Read and write users’ class assignments without grades |
EduRoster.Read | a4389601-22d9-4096-ac18-36a927199112 | Admin | Read users’ view of the roster |
EduRoster.ReadBasic | 5d186531-d1bf-4f07-8cea-7c42119e1bd9 | Admin | Read a limited subset of users’ view of the roster |
EduRoster.ReadWrite | 359e19a6-e3fa-4d7f-bcab-d28ec592b51e | Admin | Read and write users’ view of the roster |
EntitlementManagement.Read.All | 5449aa12-1393-4ea2-a7c7-d0e06c1a56b2 | Admin | Read all entitlement management resources |
EntitlementManagement.ReadWrite.All | ae7a573d-81d7-432b-ad44-4ed5c9d89038 | Admin | Read and write entitlement management resources |
EventListener.Read.All | f7dd3bed-5eec-48da-bc73-1c0ef50bc9a1 | Admin | Read your organization’s authentication event listeners |
EventListener.ReadWrite.All | d11625a6-fe21-4fc6-8d3d-063eba5525ad | Admin | Read and write your organization’s authentication event listeners |
ExternalConnection.Read.All | a38267a5-26b6-4d76-9493-935b7599116b | Admin | Read all external connections |
ExternalConnection.ReadWrite.All | bbbbd9b3-3566-4931-ac37-2b2180d9e334 | Admin | Read and write all external connections |
ExternalConnection.ReadWrite.OwnedBy | 4082ad95-c812-4f02-be92-780c4c4f1830 | Admin | Read and write external connections |
ExternalItem.Read.All | 922f9392-b1b7-483c-a4be-0089be7704fb | Admin | Read items in external datasets |
ExternalItem.ReadWrite.All | b02c54f8-eb48-4c50-a9f0-a149e5a2012f | Admin | Read and write all external items |
ExternalItem.ReadWrite.OwnedBy | 4367b9d7-cee7-4995-853c-a0bdfe95c1f9 | Admin | Read and write external items |
Group.Read.All | 5f8c59db-677d-491f-a6b8-5f174b11ec1d | Admin | Read all groups |
Group.ReadWrite.All | 4e46008b-f24c-477d-8fff-7bb4ec7aafe0 | Admin | Read and write all groups |
GroupMember.Read.All | bc024368-1153-4739-b217-4326f2e966d0 | Admin | Read group memberships |
GroupMember.ReadWrite.All | f81125ac-d3b7-4573-a3b2-7099cc39df9e | Admin | Read and write group memberships |
IdentityProvider.Read.All | 43781733-b5a7-4d1b-98f4-e8edff23e1a9 | Admin | Read identity providers |
IdentityProvider.ReadWrite.All | f13ce604-1677-429f-90bd-8a10b9f01325 | Admin | Read and write identity providers |
IdentityRiskEvent.Read.All | 8f6a01e7-0391-4ee5-aa22-a3af122cef27 | Admin | Read identity risk event information |
IdentityRiskEvent.ReadWrite.All | 9e4862a5-b68f-479e-848a-4e07e25c9916 | Admin | Read and write risk event information |
IdentityRiskyServicePrincipal.Read.All | ea5c4ab0-5a73-4f35-8272-5d5337884e5d | Admin | Read all identity risky service principal information |
IdentityRiskyServicePrincipal.ReadWrite.All | bb6f654c-d7fd-4ae3-85c3-fc380934f515 | Admin | Read and write all identity risky service principal information |
IdentityRiskyUser.Read.All | d04bb851-cb7c-4146-97c7-ca3e71baf56c | Admin | Read identity risky user information |
IdentityRiskyUser.ReadWrite.All | e0a7cdbb-08b0-4697-8264-0069786e9674 | Admin | Read and write risky user information |
IdentityUserFlow.Read.All | 2903d63d-4611-4d43-99ce-a33f3f52e343 | Admin | Read all identity user flows |
IdentityUserFlow.ReadWrite.All | 281892cc-4dbf-4e3a-b6cc-b21029bb4e82 | Admin | Read and write all identity user flows |
LearningContent.Read.All | ea4c1fd9-6a9f-4432-8e5d-86e06cc0da77 | Admin | Read learning content |
LearningContent.ReadWrite.All | 53cec1c4-a65f-4981-9dc1-ad75dbf1c077 | Admin | Manage learning content |
LearningProvider.Read | dd8ce36f-9245-45ea-a99e-8ac398c22861 | Admin | Read learning provider |
LearningProvider.ReadWrite | 40c2eb57-abaf-49f5-9331-e90fd01f7130 | Admin | Manage learning provider |
LicenseAssignment.ReadWrite.All | f55016cc-149c-447e-8f21-7cf3ec1d6350 | Admin | Manage all license assignments |
LifecycleWorkflows.Read.All | 9bcb9916-765a-42af-bf77-02282e26b01a | Admin | Read all lifecycle workflows resources |
LifecycleWorkflows.ReadWrite.All | 84b9d731-7db8-4454-8c90-fd9e95350179 | Admin | Read and write all lifecycle workflows resources |
ManagedTenants.Read.All | dc34164e-6c4a-41a0-be89-3ae2fbad7cd3 | Admin | Read all managed tenant information |
ManagedTenants.ReadWrite.All | b31fa710-c9b3-4d9e-8f5e-8036eecddab9 | Admin | Read and write all managed tenant information |
Member.Read.Hidden | f6a3db3e-f7e8-4ed2-a414-557c8c9830be | Admin | Read hidden memberships |
OnlineMeetingRecording.Read.All | 190c2bb6-1fdd-4fec-9aa2-7d571b5e1fe3 | Admin | Read all recordings of online meetings. |
OnlineMeetingTranscript.Read.All | 30b87d18-ebb1-45db-97f8-82ccb1f0190c | Admin | Read all transcripts of online meetings. |
OnPremisesPublishingProfiles.ReadWrite.All | 8c4d5184-71c2-4bf8-bb9d-bc3378c9ad42 | Admin | Manage on-premises published resources |
Organization.Read.All | 4908d5b9-3fb2-4b1e-9336-1888b7937185 | Admin | Read organization information |
Organization.ReadWrite.All | 46ca0847-7e6b-426e-9775-ea810a948356 | Admin | Read and write organization information |
OrgContact.Read.All | 08432d1b-5911-483c-86df-7980af5cdee0 | Admin | Read organizational contacts |
People.Read.All | b89f9189-71a5-4e70-b041-9887f0bc7e4a | Admin | Read all users’ relevant people lists |
Place.Read.All | cb8f45a0-5c2e-4ea1-b803-84b870a7d7ec | Admin | Read all company places |
Place.ReadWrite.All | 4c06a06a-098a-4063-868e-5dfee3827264 | Admin | Read and write organization places |
Policy.Read.All | 572fea84-0151-49b2-9301-11cb16974376 | Admin | Read your organization’s policies |
Policy.Read.PermissionGrant | 414de6ea-2d92-462f-b120-6e2a809a6d01 | Admin | Read consent and permission grant policies |
Policy.ReadWrite.AccessReview | 4f5bc9c8-ea54-4772-973a-9ca119cb0409 | Admin | Read and write your organization’s directory access review default policy |
Policy.ReadWrite.ApplicationConfiguration | b27add92-efb2-4f16-84f5-8108ba77985c | Admin | Read and write your organization’s application configuration policies |
Policy.ReadWrite.AuthenticationFlows | edb72de9-4252-4d03-a925-451deef99db7 | Admin | Read and write authentication flow policies |
Policy.ReadWrite.AuthenticationMethod | 7e823077-d88e-468f-a337-e18f1f0e6c7c | Admin | Read and write authentication method policies |
Policy.ReadWrite.Authorization | edd3c878-b384-41fd-95ad-e7407dd775be | Admin | Read and write your organization’s authorization policy |
Policy.ReadWrite.ConditionalAccess | ad902697-1014-4ef5-81ef-2b4301988e8c | Admin | Read and write your organization’s conditional access policies |
Policy.ReadWrite.ConsentRequest | 4d135e65-66b8-41a8-9f8b-081452c91774 | Admin | Read and write consent request policy |
Policy.ReadWrite.CrossTenantAccess | 014b43d0-6ed4-4fc6-84dc-4b6f7bae7d85 | Admin | Read and write your organization’s cross tenant access policies |
Policy.ReadWrite.DeviceConfiguration | 40b534c3-9552-4550-901b-23879c90bcf9 | Admin | Read and write your organization’s device configuration policies |
Policy.ReadWrite.FeatureRollout | 92a38652-f13b-4875-bc77-6e1dbb63e1b2 | Admin | Read and write your organization’s feature rollout policies |
Policy.ReadWrite.MobilityManagement | a8ead177-1889-4546-9387-f25e658e2a79 | Admin | Read and write your organization’s mobility management policies |
Policy.ReadWrite.PermissionGrant | 2672f8bb-fd5e-42e0-85e1-ec764dd2614e | Admin | Manage consent and permission grant policies |
Policy.ReadWrite.TrustFramework | cefba324-1a70-4a6e-9c1d-fd670b7ae392 | Admin | Read and write your organization’s trust framework policies |
PrintConnector.Read.All | d69c2d6d-4f72-4f99-a6b9-663e32f8cf68 | Admin | Read print connectors |
PrintConnector.ReadWrite.All | 79ef9967-7d59-4213-9c64-4b10687637d8 | Admin | Read and write print connectors |
Printer.Create | 90c30bed-6fd1-4279-bf39-714069619721 | Admin | Register printers |
Printer.FullControl.All | 93dae4bd-43a1-4a23-9a1a-92957e1d9121 | Admin | Register, read, update, and unregister printers |
Printer.Read.All | 3a736c8a-018e-460a-b60c-863b2683e8bf | Admin | Read printers |
Printer.ReadWrite.All | 89f66824-725f-4b8f-928e-e1c5258dc565 | Admin | Read and update printers |
PrinterShare.ReadWrite.All | 06ceea37-85e2-40d7-bec3-91337a46038f | Admin | Read and write printer shares |
PrintJob.Read.All | afdd6933-a0d8-40f7-bd1a-b5d778e8624b | Admin | Read print jobs |
PrintJob.ReadBasic.All | 04ce8d60-72ce-4867-85cf-6d82f36922f3 | Admin | Read basic information of print jobs |
PrintJob.ReadWrite.All | 036b9544-e8c5-46ef-900a-0646cc42b271 | Admin | Read and write print jobs |
PrintJob.ReadWriteBasic.All | 3a0db2f6-0d2a-4c19-971b-49109b19ad3d | Admin | Read and write basic information of print jobs |
PrintSettings.Read.All | 490f32fd-d90f-4dd7-a601-ff6cdc1a3f6c | Admin | Read tenant-wide print settings |
PrintSettings.ReadWrite.All | 9ccc526a-c51c-4e5c-a1fd-74726ef50b8f | Admin | Read and write tenant-wide print settings |
PrivilegedAccess.Read.AzureAD | b3a539c9-59cb-4ad5-825a-041ddbdc2bdb | Admin | Read privileged access to Azure AD |
PrivilegedAccess.Read.AzureADGroup | d329c81c-20ad-4772-abf9-3f6fdb7e5988 | Admin | Read privileged access to Azure AD groups |
PrivilegedAccess.Read.AzureResources | 1d89d70c-dcac-4248-b214-903c457af83a | Admin | Read privileged access to Azure resources |
PrivilegedAccess.ReadWrite.AzureAD | 3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37 | Admin | Read and write privileged access to Azure AD |
PrivilegedAccess.ReadWrite.AzureADGroup | 32531c59-1f32-461f-b8df-6f8a3b89f73b | Admin | Read and write privileged access to Azure AD groups |
PrivilegedAccess.ReadWrite.AzureResources | a84a9652-ffd3-496e-a991-22ba5529156a | Admin | Read and write privileged access to Azure resources |
ProgramControl.Read.All | c492a2e1-2f8f-4caa-b076-99bbf6e40fe4 | Admin | Read all programs that user can access |
ProgramControl.ReadWrite.All | 50fd364f-9d93-4ae1-b170-300e87cccf84 | Admin | Manage all programs that user can access |
RecordsManagement.Read.All | 07f995eb-fc67-4522-ad66-2b8ca8ea3efd | Admin | Read Records Management configuration, labels, and policies |
RecordsManagement.ReadWrite.All | f2833d75-a4e6-40ab-86d4-6dfe73c97605 | Admin | Read and write Records Management configuration, labels, and policies |
Reports.Read.All | 02e97553-ed7b-43d0-ab3c-f8bace0d040c | Admin | Read all usage reports |
ReportSettings.Read.All | 84fac5f4-33a9-4100-aa38-a20c6d29e5e7 | Admin | Read admin report settings |
ReportSettings.ReadWrite.All | b955410e-7715-4a88-a940-dfd551018df3 | Admin | Read and write admin report settings |
RoleAssignmentSchedule.Read.Directory | 344a729c-0285-42c6-9014-f12b9b8d6129 | Admin | Read all active role assignments for your company’s directory |
RoleAssignmentSchedule.ReadWrite.Directory | 8c026be3-8e26-4774-9372-8d5d6f21daff | Admin | Read, update, and delete all active role assignments for your company’s directory |
RoleEligibilitySchedule.Read.Directory | eb0788c2-6d4e-4658-8c9e-c0fb8053f03d | Admin | Read all eligible role assignments for your company’s directory |
RoleEligibilitySchedule.ReadWrite.Directory | 62ade113-f8e0-4bf9-a6ba-5acb31db32fd | Admin | Read, update, and delete all eligible role assignments for your company’s directory |
RoleManagement.Read.All | 48fec646-b2ba-4019-8681-8eb31435aded | Admin | Read role management data for all RBAC providers |
RoleManagement.Read.CloudPC | 9619b88a-8a25-48a7-9571-d23be0337a79 | Admin | Read Cloud PC RBAC settings |
RoleManagement.Read.Directory | 741c54c3-0c1e-44a1-818b-3f97ab4e8c83 | Admin | Read directory RBAC settings |
RoleManagement.ReadWrite.CloudPC | 501d06f8-07b8-4f18-b5c6-c191a4af7a82 | Admin | Read and write Cloud PC RBAC settings |
RoleManagement.ReadWrite.Directory | d01b97e9-cbc0-49fe-810a-750afd5527a3 | Admin | Read and write directory RBAC settings |
RoleManagementPolicy.Read.Directory | 3de2cdbe-0ff5-47d5-bdee-7f45b4749ead | Admin | Read all policies for privileged role assignments of your company’s directory |
RoleManagementPolicy.ReadWrite.Directory | 1ff1be21-34eb-448c-9ac9-ce1f506b2a68 | Admin | Read, update, and delete all policies for privileged role assignments of your company’s directory |
Schedule.Read.All | fccf6dd8-5706-49fa-811f-69e2e1b585d0 | Admin | Read user schedule items |
Schedule.ReadWrite.All | 63f27281-c9d9-4f29-94dd-6942f7f1feb0 | Admin | Read and write user schedule items |
SearchConfiguration.Read.All | 7d307522-aa38-4cd0-bd60-90c6f0ac50bd | Admin | Read your organization’s search configuration |
SearchConfiguration.ReadWrite.All | b1a7d408-cab0-47d2-a2a5-a74a3733600d | Admin | Read and write your organization’s search configuration |
SecurityActions.Read.All | 1638cddf-07a4-4de2-8645-69c96cacad73 | Admin | Read your organization’s security actions |
SecurityActions.ReadWrite.All | dc38509c-b87d-4da0-bd92-6bec988bac4a | Admin | Read and update your organization’s security actions |
SecurityAlert.Read.All | bc257fb8-46b4-4b15-8713-01e91bfbe4ea | Admin | Read all security alerts |
SecurityAlert.ReadWrite.All | 471f2a7f-2a42-4d45-a2bf-594d0838070d | Admin | Read and write to all security alerts |
SecurityEvents.Read.All | 64733abd-851e-478a-bffb-e47a14b18235 | Admin | Read your organizations security events |
SecurityEvents.ReadWrite.All | 6aedf524-7e1c-45a7-bd76-ded8cab8d0fc | Admin | Read and update your organizations security events |
SecurityIncident.Read.All | b9abcc4f-94fc-4457-9141-d20ce80ec952 | Admin | Read incidents |
SecurityIncident.ReadWrite.All | 128ca929-1a19-45e6-a3b8-435ec44a36ba | Admin | Read and write to incidents |
ServiceHealth.Read.All | 55896846-df78-47a7-aa94-8d3d4442ca7f | Admin | Read service health |
ServiceMessage.Read.All | eda39fa6-f8cf-4c3c-a909-432c683e4c9b | Admin | Read service announcement messages |
ServiceMessageViewpoint.Write | 636e1b0b-1cc2-4b1c-9aa9-4eeed9b9761b | Admin | Update user status on service announcement messages |
ServicePrincipalEndpoint.Read.All | 9f9ce928-e038-4e3b-8faf-7b59049a8ddc | Admin | Read service principal endpoints |
ServicePrincipalEndpoint.ReadWrite.All | 7297d82c-9546-4aed-91df-3d4f0a9b3ff0 | Admin | Read and update service principal endpoints |
SharePointTenantSettings.Read.All | 2ef70e10-5bfd-4ede-a5f6-67720500b258 | Admin | Read SharePoint and OneDrive tenant settings |
SharePointTenantSettings.ReadWrite.All | aa07f155-3612-49b8-a147-6c590df35536 | Admin | Read and change SharePoint and OneDrive tenant settings |
Sites.FullControl.All | 5a54b8b3-347c-476d-8f8e-42d5c7424d29 | Admin | Have full control of all site collections |
SubjectRightsRequest.Read.All | 9c3af74c-fd0f-4db4-b17a-71939e2a9d77 | Admin | Read subject rights requests |
SubjectRightsRequest.ReadWrite.All | 2b8fcc74-bce1-4ae3-a0e8-60c53739299d | Admin | Read and write subject rights requests |
Subscription.Read.All | 5f88184c-80bb-4d52-9ff2-757288b2e9b7 | Admin | Read all webhook subscriptions |
TeamMember.Read.All | 2497278c-d82d-46a2-b1ce-39d4cdde5570 | Admin | Read the members of teams |
TeamMember.ReadWrite.All | 4a06efd2-f825-4e34-813e-82a57b03d1ee | Admin | Add and remove members from teams |
TeamMember.ReadWriteNonOwnerRole.All | 2104a4db-3a2f-4ea0-9dba-143d457dc666 | Admin | Add and remove members with non-owner role for all teams |
TeamsAppInstallation.ReadForTeam | 5248dcb1-f83b-4ec3-9f4d-a4428a961a72 | Admin | Read installed Teams apps in teams |
TeamsAppInstallation.ReadWriteForChat | aa85bf13-d771-4d5d-a9e6-bca04ce44edf | Admin | Manage installed Teams apps in chats |
TeamsAppInstallation.ReadWriteForTeam | 2e25a044-2580-450d-8859-42eeb6e996c0 | Admin | Manage installed Teams apps in teams |
TeamsAppInstallation.ReadWriteForUser | 093f8818-d05f-49b8-95bc-9d2a73e9a43c | Admin | Manage user’s installed Teams apps |
TeamsAppInstallation.ReadWriteSelfForChat | 0ce33576-30e8-43b7-99e5-62f8569a4002 | Admin | Allow the Teams app to manage itself in chats |
TeamsAppInstallation.ReadWriteSelfForTeam | 0f4595f7-64b1-4e13-81bc-11a249df07a9 | Admin | Allow the app to manage itself in teams |
TeamSettings.Read.All | 48638b3c-ad68-4383-8ac4-e6880ee6ca57 | Admin | Read teams’ settings |
TeamSettings.ReadWrite.All | 39d65650-9d3e-4223-80db-a335590d027e | Admin | Read and change teams’ settings |
TeamsTab.Create | a9ff19c2-f369-4a95-9a25-ba9d460efc8e | Admin | Create tabs in Microsoft Teams. |
TeamsTab.Read.All | 59dacb05-e88d-4c13-a684-59f1afc8cc98 | Admin | Read tabs in Microsoft Teams. |
TeamsTab.ReadWrite.All | b98bfd41-87c6-45cc-b104-e2de4f0dafb9 | Admin | Read and write tabs in Microsoft Teams. |
TeamsTab.ReadWriteForChat | ee928332-e9c2-4747-b4a0-f8c164b68de6 | Admin | Allow the Teams app to manage all tabs in chats |
TeamsTab.ReadWriteForTeam | c975dd04-a06e-4fbb-9704-62daad77bb49 | Admin | Allow the Teams app to manage all tabs in teams |
TeamsTab.ReadWriteSelfForChat | 0c219d04-3abf-47f7-912d-5cca239e90e6 | Admin | Allow the Teams app to manage only its own tabs in chats |
TeamsTab.ReadWriteSelfForTeam | f266662f-120a-4314-b26a-99b08617c7ef | Admin | Allow the Teams app to manage only its own tabs in teams |
TeamworkDevice.Read.All | b659488b-9d28-4208-b2be-1c6652b3c970 | Admin | Read Teams devices |
TeamworkDevice.ReadWrite.All | ddd97ecb-5c31-43db-a235-0ee20e635c40 | Admin | Read and write Teams devices |
TeamworkTag.Read | 57587d0b-8399-45be-b207-8050cec54575 | Admin | Read tags in Teams |
TeamworkTag.ReadWrite | 539dabd7-b5b6-4117-b164-d60cd15a8671 | Admin | Read and write tags in Teams |
TermStore.Read.All | 297f747b-0005-475b-8fef-c890f5152b38 | Admin | Read term store data |
TermStore.ReadWrite.All | 6c37c71d-f50f-4bff-8fd3-8a41da390140 | Admin | Read and write term store data |
ThreatAssessment.ReadWrite.All | cac97e40-6730-457d-ad8d-4852fddab7ad | Admin | Read and write threat assessment requests |
ThreatHunting.Read.All | b152eca8-ea73-4a48-8c98-1a6742673d99 | Admin | Run hunting queries |
ThreatIndicators.Read.All | 9cc427b4-2004-41c5-aa22-757b755e9796 | Admin | Read all threat indicators |
ThreatIndicators.ReadWrite.OwnedBy | 91e7d36d-022a-490f-a748-f8e011357b42 | Admin | Manage threat indicators this app creates or owns |
ThreatSubmission.Read.All | 7083913a-4966-44b6-9886-c5822a5fd910 | Admin | Read all threat submissions |
ThreatSubmission.ReadWrite.All | 8458e264-4eb9-4922-abe9-768d58f13c7f | Admin | Read and write all threat submissions |
ThreatSubmissionPolicy.ReadWrite.All | 059e5840-5353-4c68-b1da-666a033fc5e8 | Admin | Read and write all threat submission policies |
TrustFrameworkKeySet.Read.All | 7ad34336-f5b1-44ce-8682-31d7dfcd9ab9 | Admin | Read trust framework key sets |
TrustFrameworkKeySet.ReadWrite.All | 39244520-1e7d-4b4a-aee0-57c65826e427 | Admin | Read and write trust framework key sets |
UnifiedGroupMember.Read.AsGuest | 73e75199-7c3e-41bb-9357-167164dbb415 | Admin | Read unified group memberships as guest |
User.Export.All | 405a51b5-8d8d-430b-9842-8be4b0e9f324 | Admin | Export user’s data |
User.Invite.All | 63dd7cd9-b489-4adf-a28c-ac38b9a0f962 | Admin | Invite guest users to the organization |
User.ManageIdentities.All | 637d7bec-b31e-4deb-acc9-24275642a2c9 | Admin | Manage user identities |
User.Read.All | a154be20-db9c-4678-8ab7-66f6cc099a59 | Admin | Read all users’ full profiles |
User.ReadWrite.All | 204e0828-b5ca-4ad8-b9f3-f32a958e7cc4 | Admin | Read and write all users’ full profiles |
UserAuthenticationMethod.Read | 1f6b61c5-2f65-4135-9c9f-31c0f8d32b52 | Admin | Read user authentication methods. |
UserAuthenticationMethod.Read.All | aec28ec7-4d02-4e8c-b864-50163aea77eb | Admin | Read all users’ authentication methods |
UserAuthenticationMethod.ReadWrite | 48971fc1-70d7-4245-af77-0beb29b53ee2 | Admin | Read and write user authentication methods |
UserAuthenticationMethod.ReadWrite.All | b7887744-6746-4312-813d-72daeaee7e2d | Admin | Read and write all users’ authentication methods. |
WindowsUpdates.ReadWrite.All | 11776c0c-6138-4db3-a668-ee621bea2555 | Admin | Read and write all Windows update deployment settings |
WorkforceIntegration.Read.All | f1ccd5a7-6383-466a-8db8-1a656f7d06fa | Admin | Read workforce integrations |
WorkforceIntegration.ReadWrite.All | 08c4b377-0d23-4a8b-be2a-23c1c1d88545 | Admin | Read and write workforce integrations |
Analytics.Read | e03cf23f-8056-446a-8994-7d93dfc8b50e | User | Read your activity statistics |
AppCatalog.Read.All | 88e58d74-d3df-44f3-ad47-e89edf4472e4 | User | Read all app catalogs |
AppCatalog.Submit | 3db89e36-7fa6-4012-b281-85f3d9d9fd2e | User | Submit application packages to your organization’s catalog and cancel pending submissions |
Bookings.Manage.All | 7f36b48e-542f-4d3b-9bcb-8406f0ab9fdb | User | Manage bookings information |
Bookings.Read.All | 33b1df99-4b29-4548-9339-7a7b83eaeebc | User | Read bookings information |
Bookings.ReadWrite.All | 948eb538-f19d-4ec5-9ccc-f059e1ea4c72 | User | Read and write bookings information |
BookingsAppointment.ReadWrite.All | 02a5a114-36a6-46ff-a102-954d89d9ab02 | User | Read and write booking appointments |
Calendars.Read | 465a38f9-76ea-45b9-9f34-9e8b0d4b0b42 | User | Read your calendars |
Calendars.Read.Shared | 2b9c4092-424d-4249-948d-b43879977640 | User | Read calendars you can access |
Calendars.ReadWrite | 1ec239c2-d7c9-4623-a91a-a9775856bb36 | User | Have full access to your calendars |
Calendars.ReadWrite.Shared | 12466101-c9b8-439a-8589-dd09ee67e8e9 | User | Read and write to your and shared calendars |
Channel.ReadBasic.All | 9d8982ae-4365-4f57-95e9-d6032a4c0b87 | User | Read the names and descriptions of channels |
ChannelMessage.Edit | 2b61aa8a-6d36-4b2f-ac7b-f29867937c53 | User | Edit your channel messages |
ChannelMessage.Send | ebf0f66e-9fb1-49e4-a278-222f76911cf4 | User | Send channel messages |
Chat.Create | 38826093-1258-4dea-98f0-00003be2b8d0 | User | Create chats |
Chat.Read | f501c180-9344-439a-bca0-6cbf209fd270 | User | Read your chat messages |
Chat.ReadBasic | 9547fcb5-d03f-419d-9948-5928bbf71b0f | User | Read names and members of your chat threads |
Chat.ReadWrite | 9ff7295e-131b-4d94-90e1-69fde507ac11 | User | Read and write your chat messages |
ChatMessage.Read | cdcdac3a-fd45-410d-83ef-554db620e5c7 | User | Read user chat messages |
ChatMessage.Send | 116b7235-7cc6-461e-b163-8e55691d839e | User | Send chat messages |
CloudPC.Read.All | 5252ec4e-fd40-4d92-8c68-89dd1d3c6110 | User | Read Cloud PCs |
Contacts.Read | ff74d97f-43af-4b68-9f2a-b77ee6968c5d | User | Read your contacts |
Contacts.Read.Shared | 242b9d9e-ed24-4d09-9a52-f43769beb9d4 | User | Read your and shared contacts |
Contacts.ReadWrite | d56682ec-c09e-4743-aaf4-1a3aac4caa21 | User | Have full access of your contacts |
Contacts.ReadWrite.Shared | afb6c84b-06be-49af-80bb-8f3f77004eab | User | Read and write to your and shared contacts |
Device.Command | bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804 | User | Communicate with your other devices |
Device.Read | 11d4cd79-5ba5-460f-803f-e22c8ab85ccd | User | View your list of devices |
EAS.AccessAsUser.All | ff91d191-45a0-43fd-b837-bd682c4a0b0f | User | Access your mailboxes |
email | 64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0 | User | View your email address |
EWS.AccessAsUser.All | 9769c687-087d-48ac-9cb3-c37dde652038 | User | Access your mailboxes |
Family.Read | 3a1e4806-a744-4c70-80fc-223bf8582c46 | User | Read your family info |
Files.Read | 10465720-29dd-4523-a11a-6a75c743c9d9 | User | Read your files |
Files.Read.All | df85f4d6-205c-4ac5-a5ea-6bf408dba283 | User | Read all files that you have access to |
Files.Read.Selected | 5447fe39-cb82-4c1a-b977-520e67e724eb | User | Read selected files |
Files.ReadWrite | 5c28f0bf-8a70-41f1-8ab2-9032436ddb65 | User | Have full access to your files |
Files.ReadWrite.All | 863451e7-0667-486c-a5d6-d135439485f0 | User | Have full access to all files you have access to |
Files.ReadWrite.AppFolder | 8019c312-3263-48e6-825e-2b833497195b | User | Have full access to the application’s folder |
Files.ReadWrite.Selected | 17dde5bd-8c17-420f-a486-969730c1b827 | User | Read and write selected files |
Financials.ReadWrite.All | f534bf13-55d4-45a9-8f3c-c92fe64d6131 | User | Read and write financials data |
IMAP.AccessAsUser.All | 652390e4-393a-48de-9484-05f9b1212954 | User | Read and write access to your mail. |
InformationProtectionPolicy.Read | 4ad84827-5578-4e18-ad7a-86530b12f884 | User | Read user sensitivity labels and label policies. |
Mail.Read | 570282fd-fa5c-430d-a7fd-fc8dc98a9dca | User | Read your mail |
Mail.Read.Shared | 7b9103a5-4610-446b-9670-80643382c1fa | User | Read mail you can access |
Mail.ReadBasic | a4b8392a-d8d1-4954-a029-8e668a39a170 | User | Read user basic mail |
Mail.ReadWrite | 024d486e-b451-40bb-833d-3e66d98c5c73 | User | Read and write access to your mail |
Mail.ReadWrite.Shared | 5df07973-7d5d-46ed-9847-1271055cbd51 | User | Read and write mail you can access |
Mail.Send | e383f46e-2787-4529-855e-0e479a3ffac0 | User | Send mail as you |
Mail.Send.Shared | a367ab51-6b49-43bf-a716-a1fb06d2a174 | User | Send mail on behalf of others or yourself |
MailboxSettings.Read | 87f447af-9fa4-4c32-9dfa-4a57a73d18ce | User | Read your mailbox settings |
MailboxSettings.ReadWrite | 818c620a-27a9-40bd-a6a5-d96f7d610b4b | User | Read and write to your mailbox settings |
Notes.Create | 9d822255-d64d-4b7a-afdb-833b9a97ed02 | User | Create your OneNote notebooks |
Notes.Read | 371361e4-b9e2-4a3f-8315-2a301a3b0a3d | User | Read your OneNote notebooks |
Notes.Read.All | dfabfca6-ee36-4db2-8208-7a28381419b3 | User | Read all OneNote notebooks that you can access |
Notes.ReadWrite | 615e26af-c38a-4150-ae3e-c3b0d4cb1d6a | User | Read and write your OneNote notebooks |
Notes.ReadWrite.All | 64ac0503-b4fa-45d9-b544-71a463f05da0 | User | Read and write all OneNote notebooks that you can access |
Notes.ReadWrite.CreatedByApp | ed68249d-017c-4df5-9113-e684c7f8760b | User | Limited access to your OneNote notebooks for this app (preview) |
Notifications.ReadWrite.CreatedByApp | 89497502-6e42-46a2-8cb2-427fd3df970a | User | Deliver and manage your notifications for this app |
offline_access | 7427e0e9-2fba-42fe-b0c0-848c9e6a8182 | User | Maintain access to data you have given it access to |
OnlineMeetingArtifact.Read.All | 110e5abb-a10c-4b59-8b55-9b4daa4ef743 | User | Read user’s online meeting artifacts |
OnlineMeetings.Read | 9be106e1-f4e3-4df5-bdff-e4bc531cbe43 | User | Read your online meetings |
OnlineMeetings.ReadWrite | a65f2972-a4f8-4f5e-afd7-69ccb046d5dc | User | Read and create your online meetings |
openid | 37f7f235-527c-4136-accd-4a02d197296e | User | Sign in as you |
People.Read | ba47897c-39ec-4d83-8086-ee8256fa737d | User | Read your relevant people list |
Policy.Read.ConditionalAccess | 633e0fce-8c58-4cfb-9495-12bbd5a24f7c | User | Read your organization’s conditional access policies |
POP.AccessAsUser.All | d7b7f2d9-0f45-4ea1-9d42-e50810c06991 | User | Read and write access to your mail. |
Presence.Read | 76bc735e-aecd-4a1d-8b4c-2b915deabb79 | User | Read your presence information |
Presence.Read.All | 9c7a330d-35b3-4aa1-963d-cb2b9f927841 | User | Read presence information of all users in your organization |
Presence.ReadWrite | 8d3c54a7-cf58-4773-bf81-c0cd6ad522bb | User | Read and write your presence information |
PrinterShare.Read.All | ed11134d-2f3f-440d-a2e1-411efada2502 | User | Read printer shares |
PrinterShare.ReadBasic.All | 5fa075e9-b951-4165-947b-c63396ff0a37 | User | Read basic information about printer shares |
PrintJob.Create | 21f0d9c0-9f13-48b3-94e0-b6b231c7d320 | User | Create your print jobs |
PrintJob.Read | 248f5528-65c0-4c88-8326-876c7236df5e | User | Read your print jobs |
PrintJob.ReadBasic | 6a71a747-280f-4670-9ca0-a9cbf882b274 | User | Read basic information of your print jobs |
PrintJob.ReadWrite | b81dd597-8abb-4b3f-a07a-820b0316ed04 | User | Read and update your print jobs |
PrintJob.ReadWriteBasic | 6f2d22f2-1cb6-412c-a17c-3336817eaa82 | User | Read and write basic information of your print jobs |
profile | 14dad69e-099b-42c9-810b-d002981feec1 | User | View your basic profile |
ShortNotes.Read | 50f66e47-eb56-45b7-aaa2-75057d9afe08 | User | Read your short notes |
ShortNotes.ReadWrite | 328438b7-4c01-4c07-a840-e625a749bb89 | User | Read, create, edit, and delete your short notes |
Sites.Manage.All | 65e50fdc-43b7-4915-933e-e8138f11f40a | User | Create, edit, and delete items and lists in all your site collections |
Sites.Read.All | 205e70e5-aba6-4c52-a976-6d2d46c48043 | User | Read items in all site collections |
Sites.ReadWrite.All | 89fe6a52-be36-487e-b7d8-d061c450a026 | User | Edit or delete items in all site collections |
SMTP.Send | 258f6531-6087-4cc4-bb90-092c5fb3ed3f | User | Access to sending emails from your mailbox. |
Tasks.Read | f45671fb-e0fe-4b4b-be20-3d3ce43f1bcb | User | Read your tasks and task lists |
Tasks.Read.Shared | 88d21fd4-8e5a-4c32-b5e2-4a1c95f34f72 | User | Read your and shared tasks |
Tasks.ReadWrite | 2219042f-cab5-40cc-b0d2-16b1540b4c5f | User | Create, read, update, and delete your tasks and task lists |
Tasks.ReadWrite.Shared | c5ddf11b-c114-4886-8558-8a4e557cd52b | User | Read and write to your and shared tasks |
Team.Create | 7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0 | User | Create teams |
Team.ReadBasic.All | 485be79e-c497-4b35-9400-0e3fa7f2a5d4 | User | Read the names and descriptions of teams |
TeamsActivity.Read | 0e755559-83fb-4b44-91d0-4cc721b9323e | User | Read your teamwork activity feed |
TeamsActivity.Send | 7ab1d787-bae7-4d5d-8db6-37ea32df9186 | User | Send a teamwork activity |
TeamsAppInstallation.ReadForChat | bf3fbf03-f35f-4e93-963e-47e4d874c37a | User | Read installed Teams apps in chats |
TeamsAppInstallation.ReadForUser | c395395c-ff9a-4dba-bc1f-8372ba9dca84 | User | Read your installed Teams apps |
TeamsAppInstallation.ReadWriteSelfForUser | 207e0cb1-3ce7-4922-b991-5a760c346ebc | User | Allow the Teams app to manage itself for you |
TeamsTab.ReadWriteForUser | c37c9b61-7762-4bff-a156-afc0005847a0 | User | Allow the Teams app to manage all tabs for you |
TeamsTab.ReadWriteSelfForUser | 395dfec1-a0b9-465f-a783-8250a430cb8c | User | Allow the Teams app to manage only its own tabs for you |
ThreatSubmission.Read | fd5353c6-26dd-449f-a565-c4e16b9fce78 | User | Read threat submissions |
ThreatSubmission.ReadWrite | 68a3156e-46c9-443c-b85c-921397f082b5 | User | Read and write threat submissions |
User.Read | e1fe6dd8-ba31-4d61-89e7-88639da4683d | User | Sign you in and read your profile |
User.ReadBasic.All | b340eb25-3456-403f-be2f-af7a0d370277 | User | Read all users’ basic profiles |
User.ReadWrite | b4e74841-8e56-480b-be8b-910348b18b4c | User | Read and update your profile |
UserActivity.ReadWrite.CreatedByApp | 47607519-5fb1-47d9-99c7-da4b48f369b1 | User | Read and write app activity to your activity feed |
UserNotification.ReadWrite.CreatedByApp | 26e2f3e8-b2a1-47fc-9620-89bb5b042024 | User | Deliver and manage your notifications |
UserTimelineActivity.Write.CreatedByApp | 367492fc-594d-4972-a9b5-0d58c622c91c | User | Write app activity to your timeline |