# Permissions

## Permissions for Application Policies

- **Read all properties (including privileged properties) on application policies** - `microsoft.directory/applicationPolicies/allProperties/read`
- **Update all properties (including privileged properties) on application policies** - `microsoft.directory/applicationPolicies/allProperties/update`
- **Update standard properties of application policies** - `microsoft.directory/applicationPolicies/basic/update`
- **Create application policies** - `microsoft.directory/applicationPolicies/create`
- **Create application policies, and creator is added as the first owner** - `microsoft.directory/applicationPolicies/createAsOwner`
- **Delete application policies** - `microsoft.directory/applicationPolicies/delete`
- **Read owners on application policies** - `microsoft.directory/applicationPolicies/owners/read`
- **Update the owner property of application policies** - `microsoft.directory/applicationPolicies/owners/update`
- **Read the list of objects that application policies are applied to** - `microsoft.directory/applicationPolicies/policyAppliedTo/read`
- **Read standard properties of application policies** - `microsoft.directory/applicationPolicies/standard/read`

## Permissions for Single-Directory Applications

- **Read all properties (including privileged properties) on single-directory applications** - `microsoft.directory/applications.myOrganization/allProperties/read`
- **Update all properties (including privileged properties) on single-directory applications** - `microsoft.directory/applications.myOrganization/allProperties/update`
- **Update audience on single-directory applications** - `microsoft.directory/applications.myOrganization/audience/update`
- **Update authentication on single-directory applications** - `microsoft.directory/applications.myOrganization/authentication/update`
- **Update basic properties on single-directory applications** - `microsoft.directory/applications.myOrganization/basic/update`
- **Update credentials on single-directory applications** - `microsoft.directory/applications.myOrganization/credentials/update`
- **Delete single-directory applications** - `microsoft.directory/applications.myOrganization/delete`
- **Read owners on single-directory applications** - `microsoft.directory/applications.myOrganization/owners/read`
- **Update owners on single-directory applications** - `microsoft.directory/applications.myOrganization/owners/update`
- **Update exposed permissions and required permissions on single-tenant applications** - `microsoft.directory/applications.myOrganization/permissions/update`
- **Read basic properties on single-directory applications** - `microsoft.directory/applications.myOrganization/standard/read`

## Permissions for All Applications

- **Read all properties (including privileged properties) on all types of applications** - `microsoft.directory/applications/allProperties/read`
- **Update all properties (including privileged properties) on all types of applications** - `microsoft.directory/applications/allProperties/update`
- **Read all application proxy properties** - `microsoft.directory/applications/applicationProxy/read`
- **Update all application proxy properties** - `microsoft.directory/applications/applicationProxy/update`
- **Update authentication on all types of applications** - `microsoft.directory/applications/applicationProxyAuthentication/update`
- **Update SSL certificate settings for application proxy** - `microsoft.directory/applications/applicationProxySslCertificate/update`
- **Update URL settings for application proxy** - `microsoft.directory/applications/applicationProxyUrlSettings/update`
- **Update the appRoles property on all types of applications** - `microsoft.directory/applications/appRoles/update`
- **Update the audience property for applications** - `microsoft.directory/applications/audience/update`
- **Update authentication on all types of applications** - `microsoft.directory/applications/authentication/update`
- **Update basic properties for applications** - `microsoft.directory/applications/basic/update`
- **Create all types of applications** - `microsoft.directory/applications/create`
- **Create all types of applications, and creator is added as the first owner** - `microsoft.directory/applications/createAsOwner`
- **Update application credentials** - `microsoft.directory/applications/credentials/update`
- **Delete all types of applications** - `microsoft.directory/applications/delete`
- **Read owners of applications** - `microsoft.directory/applications/owners/read`
- **Update owners of applications** - `microsoft.directory/applications/owners/update`
- **Update exposed permissions and required permissions on all types of applications** - `microsoft.directory/applications/permissions/update`
- **Read standard properties of applications** - `microsoft.directory/applications/standard/read`
- **Read provisioning settings associated with the application object** - `microsoft.directory/applications/synchronization/standard/read`

## Permissions for Application Templates

- **Instantiate gallery applications from application templates** - `microsoft.directory/applicationTemplates/instantiate`

## Permissions for Audit Logs

- **Read all properties on audit logs, excluding custom security attributes audit logs** - `microsoft.directory/auditLogs/allProperties/read`

## Permissions for BitLocker Keys

- **Read BitLocker metadata and key on devices** - `microsoft.directory/bitlockerKeys/key/read`
- **Read BitLocker key metadata on devices** - `microsoft.directory/bitlockerKeys/metadata/read`

## Permissions for Connector Groups

- **Read all properties of application proxy connector groups** - `microsoft.directory/connectorGroups/allProperties/read`
- **Update all properties of application proxy connector groups** - `microsoft.directory/connectorGroups/allProperties/update`
- **Create application proxy connector groups** - `microsoft.directory/connectorGroups/create`
- **Delete application proxy connector groups** - `microsoft.directory/connectorGroups/delete`

## Permissions for Connectors

- **Read all properties of application proxy connectors** - `microsoft.directory/connectors/allProperties/read`
- **Create application proxy connectors** - `microsoft.directory/connectors/create`

## Permissions for Cross-Tenant Access Policy

- **Update allowed cloud endpoints of cross-tenant access policy** - `microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update`
- **Update basic settings of cross-tenant access policy** - `microsoft.directory/crossTenantAccessPolicy/basic/update`
- **Update Microsoft Entra B2B collaboration settings of the default cross-tenant access policy** - `microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update`
- **Update Microsoft Entra B2B direct connect settings of the default cross-tenant access policy** - `microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update`
- **Update cross-cloud Teams meeting settings of the default cross-tenant access policy** - `microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update`
- **Read basic properties of the default cross-tenant access policy** - `microsoft.directory/crossTenantAccessPolicy/default/standard/read`
- **Update tenant restrictions of the default cross-tenant access policy** - `microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update`
- **Update Microsoft Entra B2B collaboration settings of cross-tenant access policy for partners** - `microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update`
- **Update Microsoft Entra B2B direct connect settings of cross-tenant access policy for partners** - `microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update`
- **Create cross-tenant access policy for partners** - `microsoft.directory/crossTenantAccessPolicy/partners/create`
- **Update cross-cloud Teams meeting settings of cross-tenant access policy for partners** - `microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update`
- **Delete cross-tenant access policy for partners** - `microsoft.directory/crossTenantAccessPolicy/partners/delete`
- **Update basic settings of cross-tenant sync policy** - `microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/basic/update`
- **Create cross-tenant sync policy for partners** - `microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/create`
- **Read basic properties of cross-tenant sync policy** - `microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read`
- **Read basic properties of cross-tenant access policy for partners** - `microsoft.directory/crossTenantAccessPolicy/partners/standard/read`
- **Update tenant restrictions of cross-tenant access policy for partners** - `microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update`
- **Read basic properties of cross-tenant access policy** - `microsoft.directory/crossTenantAccessPolicy/standard/read`

## Permissions for Device Local Credentials

- **Read all properties of the backed-up local administrator account credentials for Microsoft Entra joined devices, including the password** - `microsoft.directory/deviceLocalCredentials/password/read`
- **Read all properties of the backed-up local administrator account credentials for Microsoft Entra joined devices, except the password** - `microsoft.directory/deviceLocalCredentials/standard/read`

## Permissions for Device Management Policies

- **Update basic properties on device management application policies** - `microsoft.directory/deviceManagementPolicies/basic/update`
- **Read standard properties on device management application policies** - `microsoft.directory/deviceManagementPolicies/standard/read`

## Permissions for Device Registration Policy

- **Update basic properties on device registration policies** - `microsoft.directory/deviceRegistrationPolicy/basic/update`
- **Read standard properties on device registration policies** - `microsoft.directory/deviceRegistrationPolicy/standard/read`

## Permissions for Devices

- **Delete devices from Microsoft Entra ID** - `microsoft.directory/devices/delete`
- **Disable devices in Microsoft Entra ID** - `microsoft.directory/devices/disable`
- **Enable devices in Microsoft Entra ID** - `microsoft.directory/devices/enable`
- **Read registered owners of devices** - `microsoft.directory/devices/registeredOwners/read`
- **Update registered owners of devices** - `microsoft.directory/devices/registeredOwners/update`
- **Read registered users of devices** - `microsoft.directory/devices/registeredUsers/read`
- **Update registered users of devices** - `microsoft.directory/devices/registeredUsers/update`
- **Read basic properties on devices** - `microsoft.directory/devices/standard/read`

## Permissions for Security Groups (Assigned Membership Type)

- **Update all properties (including privileged properties) on Security groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.security.assignedMembership/allProperties/update`
- **Update basic properties on Security groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.security.assignedMembership/basic/update`
- **Update the classification property on Security groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.security.assignedMembership/classification/update`
- **Create Security groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.security.assignedMembership/create`
- **Create Security groups of assigned membership type, excluding role-assignable groups. Creator is added as the first owner.** - `microsoft.directory/groups.security.assignedMembership/createAsOwner`
- **Delete Security groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.security.assignedMembership/delete`
- **Update members of Security groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.security.assignedMembership/members/update`
- **Update owners of Security groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.security.assignedMembership/owners/update`
- **Update the visibility property on Security groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.security.assignedMembership/visibility/update`

## Permissions for Security Groups (All Types)

- **Update all properties (including privileged properties) on Security groups, excluding role-assignable groups** - `microsoft.directory/groups.security/allProperties/update`
- **Update basic properties on Security groups, excluding role-assignable groups** - `microsoft.directory/groups.security/basic/update`
- **Update the classification property on Security groups, excluding role-assignable groups** - `microsoft.directory/groups.security/classification/update`
- **Create Security groups, excluding role-assignable groups** - `microsoft.directory/groups.security/create`
- **Create Security groups, excluding role-assignable groups. Creator is added as the first owner.** - `microsoft.directory/groups.security/createAsOwner`
- **Delete Security groups, excluding role-assignable groups** - `microsoft.directory/groups.security/delete`
- **Update the dynamic membership rule on Security groups, excluding role-assignable groups** - `microsoft.directory/groups.security/dynamicMembershipRule/update`
- **Update members of Security groups, excluding role-assignable groups** - `microsoft.directory/groups.security/members/update`
- **Update owners of Security groups, excluding role-assignable groups** - `microsoft.directory/groups.security/owners/update`
- **Update the visibility property on Security groups, excluding role-assignable groups** - `microsoft.directory/groups.security/visibility/update`

## Permissions for Microsoft 365 Groups (Assigned Membership Type)

- **Update all properties (including privileged properties) on Microsoft 365 groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.unified.assignedMembership/allProperties/update`
- **Update basic properties on Microsoft 365 groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.unified.assignedMembership/basic/update`
- **Update the classification property on Microsoft 365 groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.unified.assignedMembership/classification/update`
- **Create Microsoft 365 groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.unified.assignedMembership/create`
- **Create Microsoft 365 groups of assigned membership type, excluding role-assignable groups. Creator is added as the first owner.** - `microsoft.directory/groups.unified.assignedMembership/createAsOwner`
- **Delete Microsoft 365 groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.unified.assignedMembership/delete`
- **Update members of Microsoft 365 groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.unified.assignedMembership/members/update`
- **Update owners of Microsoft 365 groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.unified.assignedMembership/owners/update`
- **Update the visibility property on Microsoft 365 groups of assigned membership type, excluding role-assignable groups** - `microsoft.directory/groups.unified.assignedMembership/visibility/update`

## Permissions for Microsoft 365 Groups (All Types)

- **Update all properties (including privileged properties) on Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups.unified/allProperties/update`
- **Update basic properties on Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups.unified/basic/update`
- **Update the classification property on Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups.unified/classification/update`
- **Create Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups.unified/create`
- **Create Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner.** - `microsoft.directory/groups.unified/createAsOwner`
- **Delete Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups.unified/delete`
- **Update the dynamic membership rule on Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups.unified/dynamicMembershipRule/update`
- **Update members of Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups.unified/members/update`
- **Update owners of Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups.unified/owners/update`
- **Update the visibility property on Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups.unified/visibility/update`

## Permissions for All Groups

- **Read all properties (including privileged properties) on Security groups and Microsoft 365 groups, including role-assignable groups** - `microsoft.directory/groups/allProperties/read`
- **Update all properties (including privileged properties) on Security groups and Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups/allProperties/update`
- **Assign product licenses to groups for group-based licensing** - `microsoft.directory/groups/assignLicense`
- **Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups/basic/update`
- **Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups/classification/update`
- **Create Security groups and Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups/create`
- **Create Security groups and Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner.** - `microsoft.directory/groups/createAsOwner`
- **Delete Security groups and Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups/delete`
- **Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups/dynamicMembershipRule/update`
- **Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups/groupType/update`
- **Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups** - `microsoft.directory/groups/memberOf/read`
- **Read members of Security groups and Microsoft 365 groups, including role-assignable groups** - `microsoft.directory/groups/members/read`
- **Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups/members/update`
- **Read owners of Security groups and Microsoft 365 groups, including role-assignable groups** - `microsoft.directory/groups/owners/read`
- **Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups/owners/update`
- **Reprocess license assignments for group-based licensing** - `microsoft.directory/groups/reprocessLicenseAssignment`
- **Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups** - `microsoft.directory/groups/standard/read`
- **Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups** - `microsoft.directory/groups/visibility/update`

## Permissions for Provisioning Logs

- **Read all properties of provisioning logs** - `microsoft.directory/provisioningLogs/allProperties/read`

## Permissions for Service Principals

- **Read all properties (including privileged properties) on service principals** - `microsoft.directory/servicePrincipals/allProperties/read`
- **Update all properties (including privileged properties) on service principals** - `microsoft.directory/servicePrincipals/allProperties/update`
- **Read service principal role assignments** - `microsoft.directory/servicePrincipals/appRoleAssignedTo/read`
- **Update service principal role assignments** - `microsoft.directory/servicePrincipals/appRoleAssignedTo/update`
- **Read role assignments assigned to service principals** - `microsoft.directory/servicePrincipals/appRoleAssignments/read`
- **Update audience properties on service principals** - `microsoft.directory/servicePrincipals/audience/update`
- **Update authentication properties on service principals** - `microsoft.directory/servicePrincipals/authentication/update`
- **Update basic properties on service principals** - `microsoft.directory/servicePrincipals/basic/update`
- **Create service principals** - `microsoft.directory/servicePrincipals/create`
- **Create service principals, with creator as the first owner** - `microsoft.directory/servicePrincipals/createAsOwner`
- **Update credentials of service principals** - `microsoft.directory/servicePrincipals/credentials/update`
- **Delete service principals** - `microsoft.directory/servicePrincipals/delete`
- **Disable service principals** - `microsoft.directory/servicePrincipals/disable`
- **Enable service principals** - `microsoft.directory/servicePrincipals/enable`
- **Read password single sign-on credentials on service principals** - `microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials`
- **Manage password single sign-on credentials on service principals** - `microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials`
- **Read delegated permission grants on service principals** - `microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read`
- **Read owners of service principals** - `microsoft.directory/servicePrincipals/owners/read`
- **Update owners of service principals** - `microsoft.directory/servicePrincipals/owners/update`
- **Update permissions of service principals** - `microsoft.directory/servicePrincipals/permissions/update`
- **Read policies of service principals** - `microsoft.directory/servicePrincipals/policies/read`
- **Update policies of service principals** - `microsoft.directory/servicePrincipals/policies/update`
- **Read basic properties of service principals** - `microsoft.directory/servicePrincipals/standard/read`
- **Read provisioning settings associated with your service principal** - `microsoft.directory/servicePrincipals/synchronization/standard/read`
- **Manage application provisioning secrets and credentials** - `microsoft.directory/servicePrincipals/synchronizationCredentials/manage`
- **Start, restart, and pause application provisioning synchronization jobs** - `microsoft.directory/servicePrincipals/synchronizationJobs/manage`
- **Create and manage application provisioning synchronization jobs and schema** - `microsoft.directory/servicePrincipals/synchronizationSchema/manage`
- **Update the tag property for service principals** - `microsoft.directory/servicePrincipals/tag/update`

## Permissions for Sign-In Reports

- **Read all properties on sign-in reports, including privileged properties** - `microsoft.directory/signInReports/allProperties/read`

## Permissions for Tenant Relationships

- **Read standard tenant relationship information** - `microsoft.directory/tenantRelationships/standard/read`

## Permissions for User Properties

- **Read application role assignments for users** - `microsoft.directory/users/appRoleAssignments/read`
- **Manage user licenses** - `microsoft.directory/users/assignLicense`
- **Update basic properties on users** - `microsoft.directory/users/basic/update`
- **Update contact properties on users** - `microsoft.directory/users/contactInfo/update`
- **Read deviceForResourceAccount of users** - `microsoft.directory/users/deviceForResourceAccount/read`
- **Read the direct reports for users** - `microsoft.directory/users/directReports/read`
- **Update extension properties of users** - `microsoft.directory/users/extensionProperties/update`
- **Read identities of users** - `microsoft.directory/users/identities/read`
- **Update job information of users** - `microsoft.directory/users/jobInfo/update`
- **Read license details of users** - `microsoft.directory/users/licenseDetails/read`
- **Read manager of users** - `microsoft.directory/users/manager/read`
- **Update manager for users** - `microsoft.directory/users/manager/update`
- **Read the group memberships of users** - `microsoft.directory/users/memberOf/read`
- **Read owned devices of users** - `microsoft.directory/users/ownedDevices/read`
- **Update parental controls of users** - `microsoft.directory/users/parentalControls/update`
- **Update password policies of users** - `microsoft.directory/users/passwordPolicies/update`
- **Read registered devices of users** - `microsoft.directory/users/registeredDevices/read`
- **Reprocess license assignments for users** - `microsoft.directory/users/reprocessLicenseAssignment`
- **Read a user's membership of a Microsoft Entra role that is scoped to an administrative unit** - `microsoft.directory/users/scopedRoleMemberOf/read`
- **Read sponsors of users** - `microsoft.directory/users/sponsors/read`
- **Update sponsors of users** - `microsoft.directory/users/sponsors/update`
- **Read basic properties on users** - `microsoft.directory/users/standard/read`
- **Update usage location of users** - `microsoft.directory/users/usageLocation/update`