If you’re working with the Microsoft identity platform, you’re probably familiar with the concept of application Scopes or Roles. Scopes or Roles are used to either expose a permission in your application or to grant a permission (defined in another application) to it, e.g. grant Microsoft Graph permissions to read the user profile.
When you’re granting permissions to an application, you need to understand what type of permission to grant: it can be a delegated (scope) permission or an app-only (role) one. If this part is confusing to you, I’ve found this page quite useful, especially the following paragraph:
> Delegated permissions, also called scopes, allow the application to act on behalf of the signed-in user. Application permissions, also called app roles, allow the app to access data on its own, without a signed-in user.
On top of understanding the differences between scopes and roles, you also need to know the ID of the permission that you are interested in, e.g. you want to grant GroupMember.Read.All to your application so you can fetch the members of a given group.
The issue I found working with these IDs is that I’m not able to find a comprehensive list of those, alongside their name and description, so I decided to list them in this blog post, mostly to simplify my life when working with it.
Actually, while writing this article, I found this page where the same permissions are listed, but I still find the following tables handier since they contain all the data I need.
Besides that, I also wanted to share a tiny az cli command that you can use to fetch all the defined scopes and roles.
```
az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "{roles: appRoles, scopes: oauth2PermissionScopes}"
```
The snippet above displays all the roles and scopes defined for the Microsoft Graph application; 00000003-0000-0000-c000-000000000000 is the globally unique ID of the Microsoft Graph service principal in Azure Active Directory.
Pro tip! If you add -o jsonc at the end of an az cli command, you will get a nice colorized JSON output. You can find all the output modifiers for az cli in the documentation.
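The JSON returned by the command above can be turned into a name-to-ID lookup that builds the `requiredResourceAccess` entry of an app registration and reports which requested permissions need admin consent. This is an added example, not code from the original post: the function names are illustrative, the sample input is constructed (scope IDs copied from the table on this page, the role ID a placeholder), and it assumes each entry carries the `id`, `value`, `type` and `isEnabled` properties.

```python
import json

# Application ID of Microsoft Graph, as given on this page.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample in the shape returned by the az command above:
# {"roles": appRoles, "scopes": oauth2PermissionScopes}.
# Scope IDs come from the table on this page; the role ID is a PLACEHOLDER.
SAMPLE_AZ_OUTPUT = json.dumps({
    "roles": [
        {"id": "11111111-1111-1111-1111-111111111111",  # placeholder, not real
         "value": "GroupMember.Read.All", "isEnabled": True},
    ],
    "scopes": [
        {"id": "bc024368-1153-4739-b217-4326f2e966d0",
         "value": "GroupMember.Read.All", "type": "Admin", "isEnabled": True},
        {"id": "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42",
         "value": "Calendars.Read", "type": "User", "isEnabled": True},
    ],
})


def build_index(az_json):
    """Map (kind, permission name) -> definition; kind is 'Role' or 'Scope'.

    The same name (e.g. GroupMember.Read.All) can exist as both a delegated
    scope and an app role with different IDs, so the kind is part of the key.
    """
    data = json.loads(az_json)
    index = {}
    for kind, key in (("Role", "roles"), ("Scope", "scopes")):
        for entry in data.get(key) or []:
            if entry.get("isEnabled", True):
                index[(kind, entry["value"])] = entry
    return index


def needs_admin_consent(index, name, kind):
    """App roles always need admin consent; scopes say so in their type."""
    entry = index[(kind, name)]
    return kind == "Role" or entry["type"] == "Admin"


def required_resource_access(index, requests):
    """Build the requiredResourceAccess list for (name, kind) requests."""
    access = []
    for name, kind in requests:
        if (kind, name) not in index:
            other = "Role" if kind == "Scope" else "Scope"
            hint = f" (exists as a {other})" if (other, name) in index else ""
            raise KeyError(f"{name} is not a Microsoft Graph {kind}{hint}")
        access.append({"id": index[(kind, name)]["id"], "type": kind})
    return [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": access}]


def review(index, requests):
    """Return (name, kind, id, admin_consent_required) for each request."""
    return [
        (name, kind, index[(kind, name)]["id"],
         needs_admin_consent(index, name, kind))
        for name, kind in requests
    ]


if __name__ == "__main__":
    idx = build_index(SAMPLE_AZ_OUTPUT)
    wanted = [("GroupMember.Read.All", "Scope"), ("Calendars.Read", "Scope")]
    print(json.dumps(required_resource_access(idx, wanted), indent=2))
    for row in review(idx, wanted):
        print(row)
```

To run it against real data, replace `SAMPLE_AZ_OUTPUT` with the saved output of the command above.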
Well-known scopes
Below you can find the list of all the well-known scopes defined by Microsoft Graph.
Description | Id | Type | Value |
---|---|---|---|
Allows the app to read access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization. | ebfcd32b-babb-40f4-a14b-42706e83bd28 | Admin | AccessReview.Read.All |
Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization. | e4aa47b9-9a69-4109-82ed-36ec70d85ff1 | Admin | AccessReview.ReadWrite.All |
Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings for group and app memberships that the signed-in user has access to in the organization. | 5af8c3f5-baca-439a-97b0-ea58a435e269 | Admin | AccessReview.ReadWrite.Membership |
Allows an app to read all acronyms that the signed-in user can access. | 9084c10f-a2d6-4713-8732-348def50fe02 | User | Acronym.Read.All |
Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user. | 3361d15d-be43-4de6-b441-3c746d05163d | Admin | AdministrativeUnit.Read.All |
Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. | 7b8a2d34-6b3f-4542-a343-54651608ad81 | Admin | AdministrativeUnit.ReadWrite.All |
Allows the app to read terms of use agreements on behalf of the signed-in user. | af2819c9-df71-4dd3-ade7-4d7c9dc653b7 | Admin | Agreement.Read.All |
Allows the app to read and write terms of use agreements on behalf of the signed-in user. | ef4b5d93-3104-4664-9053-a5c49ab44218 | Admin | Agreement.ReadWrite.All |
Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. | 0b7643bb-5336-476f-80b5-18fbfbc91806 | Admin | AgreementAcceptance.Read |
Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. | a66a5341-e66e-4897-9d52-c2df58c2bfb9 | Admin | AgreementAcceptance.Read.All |
Allows the app to read the signed-in user’s activity statistics, such as how much time the user has spent on emails, in meetings, or in chat sessions. | e03cf23f-8056-446a-8994-7d93dfc8b50e | User | Analytics.Read |
Allows the app to read the API connectors used in user authentication flows, on behalf of the signed-in user. | 1b6ff35f-31df-4332-8571-d31ea5a4893f | Admin | APIConnectors.Read.All |
Allows the app to read, create and manage the API connectors used in user authentication flows, on behalf of the signed-in user. | c67b52c5-7c69-48b6-9d48-7b3af3ded914 | Admin | APIConnectors.ReadWrite.All |
Allows the app to read the apps in the app catalogs. | 88e58d74-d3df-44f3-ad47-e89edf4472e4 | User | AppCatalog.Read.All |
Allows the app to create, read, update, and delete apps in the app catalogs. | 1ca167d5-1655-44a1-8adf-1414072e1ef9 | Admin | AppCatalog.ReadWrite.All |
Allows the app to submit application packages to the catalog and cancel submissions that are pending review on behalf of the signed-in user. | 3db89e36-7fa6-4012-b281-85f3d9d9fd2e | User | AppCatalog.Submit |
Allows the app to read applications and service principals on behalf of the signed-in user. | c79f8feb-a9db-4090-85f9-90d820caa0eb | Admin | Application.Read.All |
Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. Does not allow management of consent grants. | bdfbf15f-ee85-4955-8675-146e8e5296b5 | Admin | Application.ReadWrite.All |
Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | 84bccea3-f856-4a8a-967b-dbe0a3d53a64 | Admin | AppRoleAssignment.ReadWrite.All |
Allows the app to read attack simulation and training data for an organization for the signed-in user. | 104a7a4b-ca76-4677-b7e7-2f4bc482f381 | Admin | AttackSimulation.Read.All |
Allows the app to read, create, and update attack simulation and training data for an organization for the signed-in user. | 27608d7c-2c66-4cad-a657-951d575f5a60 | User | AttackSimulation.ReadWrite.All |
Allows the app to read and query your audit log activities, on behalf of the signed-in user. | e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20 | Admin | AuditLog.Read.All |
Allows the app to read all authentication context information in your organization on behalf of the signed-in user. | 57b030f1-8c35-469c-b0d9-e4a077debe70 | Admin | AuthenticationContext.Read.All |
Allows the app to read and update all authentication context information in your organization on behalf of the signed-in user. | ba6d575a-1344-4516-b777-1404f5593057 | Admin | AuthenticationContext.ReadWrite.All |
Allows the app to read and write the billing configuration on all applications on behalf of the signed-in user. | 2bf6d319-dfca-4c22-9879-f88dcfaee6be | Admin | BillingConfiguration.ReadWrite.All |
Allows the app to read BitLocker keys on behalf of the signed-in user, for their owned devices. Allows read of the recovery key. | b27a61ec-b99c-4d6a-b126-c4375d08ae30 | Admin | BitlockerKey.Read.All |
Allows the app to read basic BitLocker key properties on behalf of the signed-in user, for their owned devices. Does not allow read of the recovery key itself. | 5a107bfc-4f00-4e1a-b67e-66451267bc68 | Admin | BitlockerKey.ReadBasic.All |
Allows an app to read, write and manage bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. | 7f36b48e-542f-4d3b-9bcb-8406f0ab9fdb | User | Bookings.Manage.All |
Allows an app to read bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. | 33b1df99-4b29-4548-9339-7a7b83eaeebc | User | Bookings.Read.All |
Allows an app to read and write bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete and publish of booking businesses. | 948eb538-f19d-4ec5-9ccc-f059e1ea4c72 | User | Bookings.ReadWrite.All |
Allows an app to read and write bookings appointments and customers, and additionally allows read businesses information, services, and staff on behalf of the signed-in user. | 02a5a114-36a6-46ff-a102-954d89d9ab02 | User | BookingsAppointment.ReadWrite.All |
Allows an app to read all bookmarks that the signed-in user can access. | 98b17b35-f3b1-4849-a85f-9f13733002f0 | User | Bookmark.Read.All |
Allows an app to read the browser site lists configured for your organization, on behalf of the signed-in user. | fb9be2b7-a7fc-4182-aec1-eda4597c43d5 | User | BrowserSiteLists.Read.All |
Allows an app to read and write the browser site lists configured for your organization, on behalf of the signed-in user. | 83b34c85-95bf-497b-a04e-b58eca9d49d0 | User | BrowserSiteLists.ReadWrite.All |
Allows the app to read the configurations of your organization’s business scenarios, on behalf of the signed-in user. | d16480b2-e469-4118-846b-d3d177327bee | Admin | BusinessScenarioConfig.Read.All |
Allows the app to read the configurations of business scenarios it owns, on behalf of the signed-in user. | c47e7b6e-d6f1-4be9-9ffd-1e00f3e32892 | Admin | BusinessScenarioConfig.Read.OwnedBy |
Allows the app to read and write the configurations of your organization’s business scenarios, on behalf of the signed-in user. | 755e785b-b658-446f-bb22-5a46abd029ea | Admin | BusinessScenarioConfig.ReadWrite.All |
Allows the app to create new business scenarios and fully manage the configurations of scenarios it owns, on behalf of the signed-in user. | b3b7fcff-b4d4-4230-bf6f-90bd91285395 | Admin | BusinessScenarioConfig.ReadWrite.OwnedBy |
Allows the app to read all data associated with the business scenarios it owns. Data access will be attributed to the signed-in user. | 25b265c4-5d34-4e44-952d-b567f6d3b96d | Admin | BusinessScenarioData.Read.OwnedBy |
Allows the app to fully manage all data associated with the business scenarios it owns. Data access and changes will be attributed to the signed-in user. | 19932d57-2952-4c60-8634-3655c79fc527 | Admin | BusinessScenarioData.ReadWrite.OwnedBy |
Allows the app to read events in user calendars. | 465a38f9-76ea-45b9-9f34-9e8b0d4b0b42 | User | Calendars.Read |
Allows the app to read events in all calendars that the user can access, including delegate and shared calendars. | 2b9c4092-424d-4249-948d-b43879977640 | User | Calendars.Read.Shared |
Allows the app to read events in user calendars, except for properties such as body, attachments, and extensions. | 662d75ba-a364-42ad-adee-f5f880ea4878 | Admin | Calendars.ReadBasic |
Allows the app to create, read, update, and delete events in user calendars. | 1ec239c2-d7c9-4623-a91a-a9775856bb36 | User | Calendars.ReadWrite |
Allows the app to create, read, update and delete events in all calendars in the organization user has permissions to access. This includes delegate and shared calendars. | 12466101-c9b8-439a-8589-dd09ee67e8e9 | User | Calendars.ReadWrite.Shared |
Create channels in any team, on behalf of the signed-in user. | 101147cf-4178-4455-9d58-02b5c164e759 | Admin | Channel.Create |
Delete channels in any team, on behalf of the signed-in user. | cc83893a-e232-4723-b5af-bd0b01bcfe65 | Admin | Channel.Delete.All |
Read channel names and channel descriptions, on behalf of the signed-in user. | 9d8982ae-4365-4f57-95e9-d6032a4c0b87 | User | Channel.ReadBasic.All |
Read the members of channels, on behalf of the signed-in user. | 2eadaff8-0bce-4198-a6b9-2cfc35a30075 | Admin | ChannelMember.Read.All |
Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member’s role, for example from owner to non-owner. | 0c3e411a-ce45-4cd1-8f30-f99a3efa7b11 | Admin | ChannelMember.ReadWrite.All |
Allows an app to edit channel messages in Microsoft Teams, on behalf of the signed-in user. | 2b61aa8a-6d36-4b2f-ac7b-f29867937c53 | User | ChannelMessage.Edit |
Allows an app to read a channel’s messages in Microsoft Teams, on behalf of the signed-in user. | 767156cb-16ae-4d10-8f8b-41b657c8c8c8 | Admin | ChannelMessage.Read.All |
Allows the app to read and write channel messages, on behalf of the signed-in user. This doesn’t allow the app to edit the policyViolation of a channel message. | 5922d31f-46c8-4404-9eaf-2117e390a8a4 | Admin | ChannelMessage.ReadWrite |
Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user. | ebf0f66e-9fb1-49e4-a278-222f76911cf4 | User | ChannelMessage.Send |
Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user. | 233e0cf1-dd62-48bc-b65b-b38fe87fcf8e | Admin | ChannelSettings.Read.All |
Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user. | d649fb7c-72b4-4eec-b2b4-b15acf79e378 | Admin | ChannelSettings.ReadWrite.All |
Allows the app to create chats on behalf of the signed-in user. | 38826093-1258-4dea-98f0-00003be2b8d0 | User | Chat.Create |
Allows an app to read 1 on 1 or group chats threads, on behalf of the signed-in user. | f501c180-9344-439a-bca0-6cbf209fd270 | User | Chat.Read |
Allows an app to read the members and descriptions of one-to-one and group chat threads, on behalf of the signed-in user. | 9547fcb5-d03f-419d-9948-5928bbf71b0f | User | Chat.ReadBasic |
Allows an app to read and write 1 on 1 or group chats threads, on behalf of the signed-in user. | 9ff7295e-131b-4d94-90e1-69fde507ac11 | User | Chat.ReadWrite |
Read the members of chats, on behalf of the signed-in user. | c5a9e2b1-faf6-41d4-8875-d381aa549b24 | Admin | ChatMember.Read |
Add and remove members from chats, on behalf of the signed-in user. | dea13482-7ea6-488f-8b98-eb5bbecf033d | Admin | ChatMember.ReadWrite |
Allows an app to read one-to-one and group chat messages, on behalf of the signed-in user. | cdcdac3a-fd45-410d-83ef-554db620e5c7 | User | ChatMessage.Read |
Allows an app to send one-to-one and group chat messages in Microsoft Teams, on behalf of the signed-in user. | 116b7235-7cc6-461e-b163-8e55691d839e | User | ChatMessage.Send |
Allows the app to read the properties of Cloud PCs on behalf of the signed-in user. | 5252ec4e-fd40-4d92-8c68-89dd1d3c6110 | User | CloudPC.Read.All |
Allows the app to read and write the properties of Cloud PCs on behalf of the signed-in user. | 9d77138f-f0e2-47ba-ab33-cd246c8b79d1 | Admin | CloudPC.ReadWrite.All |
Allows the app to read consent requests and approvals on behalf of the signed-in user. | f3bfad56-966e-4590-a536-82ecf548ac1e | Admin | ConsentRequest.Read.All |
Allows the app to read app consent requests and approvals, and deny or approve those requests on behalf of the signed-in user. | 497d9dfa-3bd1-481a-baab-90895e54568c | Admin | ConsentRequest.ReadWrite.All |
Allows the app to read user contacts. | ff74d97f-43af-4b68-9f2a-b77ee6968c5d | User | Contacts.Read |
Allows the app to read contacts a user has permissions to access, including their own and shared contacts. | 242b9d9e-ed24-4d09-9a52-f43769beb9d4 | User | Contacts.Read.Shared |
Allows the app to create, read, update, and delete user contacts. | d56682ec-c09e-4743-aaf4-1a3aac4caa21 | User | Contacts.ReadWrite |
Allows the app to create, read, update, and delete contacts a user has permissions to, including their own and shared contacts. | afb6c84b-06be-49af-80bb-8f3f77004eab | User | Contacts.ReadWrite.Shared |
Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem on behalf of the signed-in user. | 81594d25-e88e-49cf-ac8c-fecbff49f994 | Admin | CrossTenantInformation.ReadBasic.All |
Allows the application to list and query user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export external user data (e.g. customer content or system-generated logs), associated with the current tenant on behalf of the signed-in user. | cb1ba48f-d22b-4325-a07f-74135a62ee41 | Admin | CrossTenantUserProfileSharing.Read |
Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user. | 759dcd16-3c90-463c-937e-abf89f991c18 | Admin | CrossTenantUserProfileSharing.Read.All |
Allows the application to list and query user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), associated with the current tenant on behalf of the signed-in user. | eed0129d-dc60-4f30-8641-daf337a39ffd | Admin | CrossTenantUserProfileSharing.ReadWrite |
Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user. | 64dfa325-cbf8-48e3-938d-51224a0cac01 | Admin | CrossTenantUserProfileSharing.ReadWrite.All |
Allows the app to read your organization’s custom authentication extensions on behalf of the signed-in user. | b2052569-c98c-4f36-a5fb-43e5c111e6d0 | Admin | CustomAuthenticationExtension.Read.All |
Allows the app to read or write your organization’s custom authentication extensions on behalf of the signed-in user. | 8dfcf82f-15d0-43b3-bc78-a958a13a5792 | Admin | CustomAuthenticationExtension.ReadWrite.All |
Allows the app to read custom security attribute assignments for all principals in the tenant on behalf of a signed in user. | b46ffa80-fe3d-4822-9a1a-c200932d54d0 | Admin | CustomSecAttributeAssignment.Read.All |
Allows the app to read and write custom security attribute assignments for all principals in the tenant on behalf of a signed in user. | ca46335e-8453-47cd-a001-8459884efeae | Admin | CustomSecAttributeAssignment.ReadWrite.All |
Allows the app to read custom security attribute definitions for the tenant on behalf of a signed in user. | ce026878-a0ff-4745-a728-d4fedd086c07 | Admin | CustomSecAttributeDefinition.Read.All |
Allows the app to read and write custom security attribute definitions for the tenant on behalf of a signed in user. | 8b0160d4-5743-482b-bb27-efc0a485ca4a | Admin | CustomSecAttributeDefinition.ReadWrite.All |
Allow the app to read the data loss prevention policies applicable to the signed-in user for protecting organizational data, on behalf of the signed-in user. | d8e6b9ca-e874-47e3-8f52-222dc683f5ee | Admin | DataLossPrevention.Read |
Allows the app to read details of delegated admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups on behalf of the signed-in user. | 0c0064ea-477b-4130-82a5-4c2cc4ff68aa | Admin | DelegatedAdminRelationship.Read.All |
Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers as well as role assignments to security groups for active Delegated Admin relationships on behalf of the signed-in user. | 885f682f-a990-4bad-a642-36736a74b0c7 | Admin | DelegatedAdminRelationship.ReadWrite.All |
Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on behalf of the signed in user. | 41ce6ca6-6826-4807-84f1-1c82854f7ee5 | Admin | DelegatedPermissionGrant.ReadWrite.All |
Allows the app to launch another app or communicate with another app on a user’s device on behalf of the signed-in user. | bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804 | User | Device.Command |
Allows the app to read a user’s list of devices on behalf of the signed-in user. | 11d4cd79-5ba5-460f-803f-e22c8ab85ccd | User | Device.Read |
Allows the app to read your organization’s devices’ configuration information on behalf of the signed-in user. | 951183d1-1a61-466f-a6d1-1fde911bfd95 | Admin | Device.Read.All |
Allows the app to read device local credential properties including passwords, on behalf of the signed-in user. | 280b3b69-0437-44b1-bc20-3b2fca1ee3e9 | Admin | DeviceLocalCredential.Read.All |
Allows the app to read device local credential properties excluding passwords, on behalf of the signed-in user. | 9917900e-410b-4d15-846e-42a357488545 | Admin | DeviceLocalCredential.ReadBasic.All |
Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | 4edf5f54-4666-44af-9de9-0144fb4b6e8c | Admin | DeviceManagementApps.Read.All |
Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | 7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af | Admin | DeviceManagementApps.ReadWrite.All |
Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | f1493658-876a-4c87-8fa7-edb559b3476a | Admin | DeviceManagementConfiguration.Read.All |
Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | 0883f392-0a7a-443d-8c76-16a6d39c7b63 | Admin | DeviceManagementConfiguration.ReadWrite.All |
Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. | 3404d2bf-2b13-457e-a330-c24615765193 | Admin | DeviceManagementManagedDevices.PrivilegedOperations.All |
Allows the app to read the properties of devices managed by Microsoft Intune. | 314874da-47d6-4978-88dc-cf0d37f0bb82 | Admin | DeviceManagementManagedDevices.Read.All |
Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the devices owner. | 44642bfe-8385-4adc-8fc6-fe3cb2c375c3 | Admin | DeviceManagementManagedDevices.ReadWrite.All |
Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | 49f0cc30-024c-4dfd-ab3e-82e137ee5431 | Admin | DeviceManagementRBAC.Read.All |
Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | 0c5e8a55-87a6-4556-93ab-adc52c4d862d | Admin | DeviceManagementRBAC.ReadWrite.All |
Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration. | 8696daa5-bce5-4b2e-83f9-51b6defc4e1e | Admin | DeviceManagementServiceConfig.Read.All |
Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration. | 662ed50a-ac44-4eef-ad86-62eed9be2a29 | Admin | DeviceManagementServiceConfig.ReadWrite.All |
Allows the app to have the same access to information in the directory as the signed-in user. | 0e263e50-5827-48a4-b97c-d940288653c7 | Admin | Directory.AccessAsUser.All |
Allows the app to read data in your organization’s directory, such as users, groups and apps. | 06da0dbc-49e2-44d2-8312-53f166ab848a | Admin | Directory.Read.All |
Allows the app to read and write data in your organization’s directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords. | c5366453-9fb0-48a5-a156-24f0c49a4b84 | Admin | Directory.ReadWrite.All |
Allows the app to manage restricted resources based on the other permissions granted to the app, on behalf of the signed-in user. | cba5390f-ed6a-4b7f-b657-0efc2210ed20 | Admin | Directory.Write.Restricted |
Allows the app to read Azure AD recommendations, on behalf of the signed-in user. | 34d3bd24-f6a6-468c-b67c-0c365c1d6410 | Admin | DirectoryRecommendations.Read.All |
Allows the app to read and update Azure AD recommendations, on behalf of the signed-in user. | f37235e8-90a0-4189-93e2-e55b53867ccd | Admin | DirectoryRecommendations.ReadWrite.All |
Allows the app to read all domain properties on behalf of the signed-in user. | 2f9ee017-59c1-4f1d-9472-bd5529a7b311 | Admin | Domain.Read.All |
Allows the app to read and write all domain properties on behalf of the signed-in user. Also allows the app to add, verify and remove domains. | 0b5d694c-a244-4bde-86e6-eb5cd07730fe | Admin | Domain.ReadWrite.All |
Allows the app to have the same access to mailboxes as the signed-in user via Exchange ActiveSync. | ff91d191-45a0-43fd-b837-bd682c4a0b0f | User | EAS.AccessAsUser.All |
Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user. | 99201db3-7652-4d5a-809a-bdb94f85fe3c | Admin | eDiscovery.Read.All |
Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user. | acb8f680-0834-4146-b69e-4ab1b39745ad | Admin | eDiscovery.ReadWrite.All |
Read the state and settings of all Microsoft education apps on behalf of the user. | 8523895c-6081-45bf-8a5d-f062a2f12c9f | Admin | EduAdministration.Read |
Manage the state and settings of all Microsoft education apps on behalf of the user. | 63589852-04e3-46b4-bae9-15d5b1050748 | Admin | EduAdministration.ReadWrite |
Allows the app to read assignments and their grades on behalf of the user. | 091460c9-9c4a-49b2-81ef-1f3d852acce2 | Admin | EduAssignments.Read |
Allows the app to read assignments without grades on behalf of the user. | c0b0103b-c053-4b2e-9973-9f3a544ec9b8 | Admin | EduAssignments.ReadBasic |
Allows the app to read and write assignments and their grades on behalf of the user. | 2f233e90-164b-4501-8bce-31af2559a2d3 | Admin | EduAssignments.ReadWrite |
Allows the app to read and write assignments without grades on behalf of the user. | 2ef770a1-622a-47c4-93ee-28d6adbed3a0 | Admin | EduAssignments.ReadWriteBasic |
Allows the app to read the structure of schools and classes in an organization’s roster and education-specific information about users to be read on behalf of the user. | a4389601-22d9-4096-ac18-36a927199112 | Admin | EduRoster.Read |
Allows the app to read a limited subset of the properties from the structure of schools and classes in an organization’s roster and a limited subset of properties about users to be read on behalf of the user. Includes name, status, education role, email address and photo. | 5d186531-d1bf-4f07-8cea-7c42119e1bd9 | Admin | EduRoster.ReadBasic |
Allows the app to read and write the structure of schools and classes in an organization’s roster and education-specific information about users to be read and written on behalf of the user. | 359e19a6-e3fa-4d7f-bcab-d28ec592b51e | Admin | EduRoster.ReadWrite |
Allows the app to read your users’ primary email address | 64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0 | User | |
Allows the app to read access packages and related entitlement management resources on behalf of the signed-in user. | 5449aa12-1393-4ea2-a7c7-d0e06c1a56b2 | Admin | EntitlementManagement.Read.All |
Allows the app to request access to and management of access packages and related entitlement management resources on behalf of the signed-in user. | ae7a573d-81d7-432b-ad44-4ed5c9d89038 | Admin | EntitlementManagement.ReadWrite.All |
Allows the app to manage self-service entitlement management resources on behalf of the signed-in user. This includes operations such as requesting access and approving access of others. | e9fdcbbb-8807-410f-b9ec-8d5468c7c2ac | User | EntitlementMgmt-SubjectAccess.ReadWrite |
Allows the app to read your organization’s authentication event listeners on behalf of the signed-in user. | f7dd3bed-5eec-48da-bc73-1c0ef50bc9a1 | Admin | EventListener.Read.All |
Allows the app to read or write your organization’s authentication event listeners on behalf of the signed-in user. | d11625a6-fe21-4fc6-8d3d-063eba5525ad | Admin | EventListener.ReadWrite.All |
Allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services. | 9769c687-087d-48ac-9cb3-c37dde652038 | User | EWS.AccessAsUser.All |
Allows the app to read all external connections on behalf of a signed-in user. The signed-in user must be an administrator. | a38267a5-26b6-4d76-9493-935b7599116b | Admin | ExternalConnection.Read.All |
Allows the app to read and write all external connections on behalf of a signed-in user. The signed-in user must be an administrator. | bbbbd9b3-3566-4931-ac37-2b2180d9e334 | Admin | ExternalConnection.ReadWrite.All |
Allows the app to read and write settings of external connections on behalf of a signed-in user. The signed-in user must be an administrator. The app can only read and write settings of connections that it is authorized to. | 4082ad95-c812-4f02-be92-780c4c4f1830 | Admin | ExternalConnection.ReadWrite.OwnedBy |
Allow the app to read external datasets and content, on behalf of the signed-in user. | 922f9392-b1b7-483c-a4be-0089be7704fb | Admin | ExternalItem.Read.All |
Allows the app to read and write all external items on behalf of a signed-in user. The signed-in user must be an administrator. | b02c54f8-eb48-4c50-a9f0-a149e5a2012f | Admin | ExternalItem.ReadWrite.All |
Allows the app to read and write external items on behalf of a signed-in user. The signed-in user must be an administrator. The app can only read external items of the connection that it is authorized to. | 4367b9d7-cee7-4995-853c-a0bdfe95c1f9 | Admin | ExternalItem.ReadWrite.OwnedBy |
Allows the app to read your family information, members and their basic profile. | 3a1e4806-a744-4c70-80fc-223bf8582c46 | User | Family.Read |
Allows the app to read the signed-in user’s files. | 10465720-29dd-4523-a11a-6a75c743c9d9 | User | Files.Read |
Allows the app to read all files the signed-in user can access. | df85f4d6-205c-4ac5-a5ea-6bf408dba283 | User | Files.Read.All |
(Preview) Allows the app to read files that the user selects. The app has access for several hours after the user selects a file. | 5447fe39-cb82-4c1a-b977-520e67e724eb | User | Files.Read.Selected |
Allows the app to read, create, update and delete the signed-in user’s files. | 5c28f0bf-8a70-41f1-8ab2-9032436ddb65 | User | Files.ReadWrite |
Allows the app to read, create, update and delete all files the signed-in user can access. | 863451e7-0667-486c-a5d6-d135439485f0 | User | Files.ReadWrite.All |
(Preview) Allows the app to read, create, update and delete files in the application’s folder. | 8019c312-3263-48e6-825e-2b833497195b | User | Files.ReadWrite.AppFolder |
(Preview) Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file. | 17dde5bd-8c17-420f-a486-969730c1b827 | User | Files.ReadWrite.Selected |
Allows the app to read and write financials data on behalf of the signed-in user. | f534bf13-55d4-45a9-8f3c-c92fe64d6131 | User | Financials.ReadWrite.All |
Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. | 5f8c59db-677d-491f-a6b8-5f174b11ec1d | Admin | Group.Read.All |
Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. | 4e46008b-f24c-477d-8fff-7bb4ec7aafe0 | Admin | Group.ReadWrite.All |
Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to. | bc024368-1153-4739-b217-4326f2e966d0 | Admin | GroupMember.Read.All |
Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted. | f81125ac-d3b7-4573-a3b2-7099cc39df9e | Admin | GroupMember.ReadWrite.All |
Allows the app to read your organization’s identity (authentication) provider properties on behalf of the user. | 43781733-b5a7-4d1b-98f4-e8edff23e1a9 | Admin | IdentityProvider.Read.All |
Allows the app to read and write your organization’s identity (authentication) provider properties on behalf of the user. | f13ce604-1677-429f-90bd-8a10b9f01325 | Admin | IdentityProvider.ReadWrite.All |
Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. | 8f6a01e7-0391-4ee5-aa22-a3af122cef27 | Admin | IdentityRiskEvent.Read.All |
Allows the app to read and update identity risk event information for all users in your organization on behalf of the signed-in user. Update operations include confirming risk event detections. | 9e4862a5-b68f-479e-848a-4e07e25c9916 | Admin | IdentityRiskEvent.ReadWrite.All |
Allows the app to read all identity risky service principal information for your organization, on behalf of the signed-in user. | ea5c4ab0-5a73-4f35-8272-5d5337884e5d | Admin | IdentityRiskyServicePrincipal.Read.All |
Allows the app to read and update identity risky service principal information for all service principals in your organization, on behalf of the signed-in user. Update operations include dismissing risky service principals. | bb6f654c-d7fd-4ae3-85c3-fc380934f515 | Admin | IdentityRiskyServicePrincipal.ReadWrite.All |
Allows the app to read identity risky user information for all users in your organization on behalf of the signed-in user. | d04bb851-cb7c-4146-97c7-ca3e71baf56c | Admin | IdentityRiskyUser.Read.All |
Allows the app to read and update identity risky user information for all users in your organization on behalf of the signed-in user. Update operations include dismissing risky users. | e0a7cdbb-08b0-4697-8264-0069786e9674 | Admin | IdentityRiskyUser.ReadWrite.All |
Allows the app to read your organization’s user flows, on behalf of the signed-in user. | 2903d63d-4611-4d43-99ce-a33f3f52e343 | Admin | IdentityUserFlow.Read.All |
Allows the app to read or write your organization’s user flows, on behalf of the signed-in user. | 281892cc-4dbf-4e3a-b6cc-b21029bb4e82 | Admin | IdentityUserFlow.ReadWrite.All |
Allows the app to have the same access to mailboxes as the signed-in user via IMAP protocol. | 652390e4-393a-48de-9484-05f9b1212954 | User | IMAP.AccessAsUser.All |
Allows the app to read data connectors on behalf of the signed-in user. | d19c0de5-7ecb-4aba-b090-da35ebcd5425 | Admin | IndustryData-DataConnector.Read.All |
Allows the app to read and write data connectors on behalf of the signed-in user. | 5ce933ac-3997-4280-aed0-cc072e5c062a | Admin | IndustryData-DataConnector.ReadWrite.All |
Allows the app to upload data files to a data connector on behalf of the signed-in user. | fc47391d-ab2c-410f-9059-5600f7af660d | Admin | IndustryData-DataConnector.Upload |
Allows the app to read inbound data flows on behalf of the signed-in user. | cb0774da-a605-42af-959c-32f438fb38f4 | Admin | IndustryData-InboundFlow.Read.All |
Allows the app to read and write inbound data flows on behalf of the signed-in user. | 97044676-2cec-40ee-bd70-38df444c9e70 | Admin | IndustryData-InboundFlow.ReadWrite.All |
Allows the app to read reference definitions on behalf of the signed-in user. | a3f96ffe-cb84-40a8-ac85-582d7ef97c2a | Admin | IndustryData-ReferenceDefinition.Read.All |
Allows the app to read current and previous IndustryData runs on behalf of the signed-in user. | 92685235-50c4-4702-b2c8-36043db6fa79 | Admin | IndustryData-Run.Read.All |
Allows the app to read source system definitions on behalf of the signed-in user. | 49b7016c-89ae-41e7-bd6f-b7170c5490bf | Admin | IndustryData-SourceSystem.Read.All |
Allows the app to read and write source system definitions on behalf of the signed-in user. | 9599f005-05d6-4ea7-b1b1-4929768af5d0 | Admin | IndustryData-SourceSystem.ReadWrite.All |
Allows the app to read time period definitions on behalf of the signed-in user. | c9d51f28-8ccd-42b2-a836-fd8fe9ebf2ae | Admin | IndustryData-TimePeriod.Read.All |
Allows the app to read and write time period definitions on behalf of the signed-in user. | b6d56528-3032-4f9d-830f-5a24a25e6661 | Admin | IndustryData-TimePeriod.ReadWrite.All |
Allows the app to read basic Industry Data service and resource information on behalf of the signed-in user. | 60382b96-1f5e-46ea-a544-0407e489e588 | User | IndustryData.ReadBasic.All |
Allows the app to read the configurations applicable to the signed-in user for protecting organizational data, on behalf of the signed-in user. | 12f4bffb-b598-413c-984b-db99728f8b54 | Admin | InformationProtectionConfig.Read |
Allows an app to read information protection sensitivity labels and label policy settings, on behalf of the signed-in user. | 4ad84827-5578-4e18-ad7a-86530b12f884 | User | InformationProtectionPolicy.Read |
Allows the app to read learning content in the organization’s directory, on behalf of the signed-in user. | ea4c1fd9-6a9f-4432-8e5d-86e06cc0da77 | Admin | LearningContent.Read.All |
Allows the app to manage learning content in the organization’s directory, on behalf of the signed-in user. | 53cec1c4-a65f-4981-9dc1-ad75dbf1c077 | Admin | LearningContent.ReadWrite.All |
Allows the app to read data for the learning provider in the organization’s directory, on behalf of the signed-in user. | dd8ce36f-9245-45ea-a99e-8ac398c22861 | Admin | LearningProvider.Read |
Allows the app to create, update, read, and delete data for the learning provider in the organization’s directory, on behalf of the signed-in user. | 40c2eb57-abaf-49f5-9331-e90fd01f7130 | Admin | LearningProvider.ReadWrite |
Allows an app to manage license assignments for users and groups, on behalf of the signed-in user. | f55016cc-149c-447e-8f21-7cf3ec1d6350 | Admin | LicenseAssignment.ReadWrite.All |
Allows the app to list and read all workflows, tasks and related lifecycle workflows resources on behalf of the signed-in user. | 9bcb9916-765a-42af-bf77-02282e26b01a | Admin | LifecycleWorkflows.Read.All |
Allows the app to create, update, list, read and delete all workflows, tasks and related lifecycle workflows resources on behalf of the signed-in user. | 84b9d731-7db8-4454-8c90-fd9e95350179 | Admin | LifecycleWorkflows.ReadWrite.All |
Allows the app to read the signed-in user’s mailbox. | 570282fd-fa5c-430d-a7fd-fc8dc98a9dca | User | Mail.Read |
Allows the app to read mail a user can access, including their own and shared mail. | 7b9103a5-4610-446b-9670-80643382c1fa | User | Mail.Read.Shared |
Allows the app to read email in the signed-in user’s mailbox except body, previewBody, attachments and any extended properties. | a4b8392a-d8d1-4954-a029-8e668a39a170 | User | Mail.ReadBasic |
Allows the app to read mail the signed-in user can access, including their own and shared mail, except for body, bodyPreview, uniqueBody, attachments, extensions, and any extended properties. | b11fa0e7-fdb7-4dc9-b1f1-59facd463480 | User | Mail.ReadBasic.Shared |
Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. | 024d486e-b451-40bb-833d-3e66d98c5c73 | User | Mail.ReadWrite |
Allows the app to create, read, update, and delete mail a user has permission to access, including their own and shared mail. Does not include permission to send mail. | 5df07973-7d5d-46ed-9847-1271055cbd51 | User | Mail.ReadWrite.Shared |
Allows the app to send mail as users in the organization. | e383f46e-2787-4529-855e-0e479a3ffac0 | User | Mail.Send |
Allows the app to send mail as the signed-in user, including sending on-behalf of others. | a367ab51-6b49-43bf-a716-a1fb06d2a174 | User | Mail.Send.Shared |
Allows the app to read the user’s mailbox settings. Does not include permission to send mail. | 87f447af-9fa4-4c32-9dfa-4a57a73d18ce | User | MailboxSettings.Read |
Allows the app to create, read, update, and delete the user’s mailbox settings. Does not include permission to send mail. | 818c620a-27a9-40bd-a6a5-d96f7d610b4b | User | MailboxSettings.ReadWrite |
Allows the app to read all managed tenant information on behalf of the signed-in user. | dc34164e-6c4a-41a0-be89-3ae2fbad7cd3 | Admin | ManagedTenants.Read.All |
Allows the app to read and write all managed tenant information on behalf of the signed-in user. | b31fa710-c9b3-4d9e-8f5e-8036eecddab9 | Admin | ManagedTenants.ReadWrite.All |
Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to. | f6a3db3e-f7e8-4ed2-a414-557c8c9830be | Admin | Member.Read.Hidden |
Allows the app to read your organization’s branches for network access on behalf of the signed-in user. | 4051c7fc-b429-4804-8d80-8f1f8c24a6f7 | User | NetworkAccessBranch.Read.All |
Allows the app to read and write your organization’s branches for network access on behalf of the signed-in user. | b8a36cc2-b810-461a-baa4-a7281e50bd5c | Admin | NetworkAccessBranch.ReadWrite.All |
Allows the app to read your organization’s security and routing network access policies on behalf of the signed-in user. | ba22922b-752c-446f-89d7-a2d92398fceb | User | NetworkAccessPolicy.Read.All |
Allows the app to read and write your organization’s security and routing network access policies on behalf of the signed-in user. | b1fbad0f-ef6e-42ed-8676-bca7fa3e7291 | Admin | NetworkAccessPolicy.ReadWrite.All |
Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user. | 9d822255-d64d-4b7a-afdb-833b9a97ed02 | User | Notes.Create |
Allows the app to read OneNote notebooks on behalf of the signed-in user. | 371361e4-b9e2-4a3f-8315-2a301a3b0a3d | User | Notes.Read |
Allows the app to read OneNote notebooks that the signed-in user has access to in the organization. | dfabfca6-ee36-4db2-8208-7a28381419b3 | User | Notes.Read.All |
Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user. | 615e26af-c38a-4150-ae3e-c3b0d4cb1d6a | User | Notes.ReadWrite |
Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization. | 64ac0503-b4fa-45d9-b544-71a463f05da0 | User | Notes.ReadWrite.All |
This is deprecated! Do not use! This permission no longer has any effect. You can safely consent to it. No additional privileges will be granted to the app. | ed68249d-017c-4df5-9113-e684c7f8760b | User | Notes.ReadWrite.CreatedByApp |
Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user’s notification items for this app. | 89497502-6e42-46a2-8cb2-427fd3df970a | User | Notifications.ReadWrite.CreatedByApp |
Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. | 7427e0e9-2fba-42fe-b0c0-848c9e6a8182 | User | offline_access |
Allows the app to read online meeting artifacts on behalf of the signed-in user. | 110e5abb-a10c-4b59-8b55-9b4daa4ef743 | User | OnlineMeetingArtifact.Read.All |
Allows the app to read all recordings of online meetings, on behalf of the signed-in user. | 190c2bb6-1fdd-4fec-9aa2-7d571b5e1fe3 | Admin | OnlineMeetingRecording.Read.All |
Allows the app to read online meeting details on behalf of the signed-in user. | 9be106e1-f4e3-4df5-bdff-e4bc531cbe43 | User | OnlineMeetings.Read |
Allows the app to read and create online meetings on behalf of the signed-in user. | a65f2972-a4f8-4f5e-afd7-69ccb046d5dc | User | OnlineMeetings.ReadWrite |
Allows the app to read all transcripts of online meetings, on behalf of the signed-in user. | 30b87d18-ebb1-45db-97f8-82ccb1f0190c | Admin | OnlineMeetingTranscript.Read.All |
Allows the app to read all on-premises directory synchronization information for the organization, on behalf of the signed-in user. | f6609722-4100-44eb-b747-e6ca0536989d | Admin | OnPremDirectorySynchronization.Read.All |
Allows the app to read and write all on-premises directory synchronization information for the organization, on behalf of the signed-in user. | c2d95988-7604-4ba1-aaed-38a5f82a51c7 | Admin | OnPremDirectorySynchronization.ReadWrite.All |
Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on behalf of the signed-in user. | 8c4d5184-71c2-4bf8-bb9d-bc3378c9ad42 | Admin | OnPremisesPublishingProfiles.ReadWrite.All |
Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. | 37f7f235-527c-4136-accd-4a02d197296e | User | openid |
Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information. | 4908d5b9-3fb2-4b1e-9336-1888b7937185 | Admin | Organization.Read.All |
Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information. | 46ca0847-7e6b-426e-9775-ea810a948356 | Admin | Organization.ReadWrite.All |
Allows the app to read all organizational contacts on behalf of the signed-in user. These contacts are managed by the organization and are different from a user’s personal contacts. | 08432d1b-5911-483c-86df-7980af5cdee0 | Admin | OrgContact.Read.All |
Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype). | ba47897c-39ec-4d83-8086-ee8256fa737d | User | People.Read |
Allows the app to read a scored list of relevant people of the signed-in user or other users in the signed-in user’s organization. The list can include local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype). | b89f9189-71a5-4e70-b041-9887f0bc7e4a | Admin | People.Read.All |
Allows the app to read your company’s places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user. | cb8f45a0-5c2e-4ea1-b803-84b870a7d7ec | Admin | Place.Read.All |
Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user. | 4c06a06a-098a-4063-868e-5dfee3827264 | Admin | Place.ReadWrite.All |
Allows the app to read your organization’s policies on behalf of the signed-in user. | 572fea84-0151-49b2-9301-11cb16974376 | Admin | Policy.Read.All |
Allows the app to read your organization’s conditional access policies on behalf of the signed-in user. | 633e0fce-8c58-4cfb-9495-12bbd5a24f7c | User | Policy.Read.ConditionalAccess |
Allows the app to read policies related to consent and permission grants for applications, on behalf of the signed-in user. | 414de6ea-2d92-462f-b120-6e2a809a6d01 | Admin | Policy.Read.PermissionGrant |
Allows the app to read and write your organization’s directory access review default policy on behalf of the signed-in user. | 4f5bc9c8-ea54-4772-973a-9ca119cb0409 | Admin | Policy.ReadWrite.AccessReview |
Allows the app to read and write your organization’s application configuration policies on behalf of the signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy. | b27add92-efb2-4f16-84f5-8108ba77985c | Admin | Policy.ReadWrite.ApplicationConfiguration |
Allows the app to read and write the authentication flow policies, on behalf of the signed-in user. | edb72de9-4252-4d03-a925-451deef99db7 | Admin | Policy.ReadWrite.AuthenticationFlows |
Allows the app to read and write the authentication method policies, on behalf of the signed-in user. | 7e823077-d88e-468f-a337-e18f1f0e6c7c | Admin | Policy.ReadWrite.AuthenticationMethod |
Allows the app to read and write your organization’s authorization policy on behalf of the signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. | edd3c878-b384-41fd-95ad-e7407dd775be | Admin | Policy.ReadWrite.Authorization |
Allows the app to read and write your organization’s conditional access policies on behalf of the signed-in user. | ad902697-1014-4ef5-81ef-2b4301988e8c | Admin | Policy.ReadWrite.ConditionalAccess |
Allows the app to read and write your organization’s consent requests policy on behalf of the signed-in user. | 4d135e65-66b8-41a8-9f8b-081452c91774 | Admin | Policy.ReadWrite.ConsentRequest |
Allows the app to read and write your organization’s cross tenant access policies on behalf of the signed-in user. | 014b43d0-6ed4-4fc6-84dc-4b6f7bae7d85 | Admin | Policy.ReadWrite.CrossTenantAccess |
Allows the app to read and write your organization’s device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks. | 40b534c3-9552-4550-901b-23879c90bcf9 | Admin | Policy.ReadWrite.DeviceConfiguration |
Allows the application to read and update the organization’s external identities policy on behalf of the signed-in user. For example, external identities policy controls if users invited to access resources in your organization via B2B collaboration or B2B direct connect are allowed to self-service leave. | b5219784-1215-45b5-b3f1-88fe1081f9c0 | Admin | Policy.ReadWrite.ExternalIdentities |
Allows the app to read and write your organization’s feature rollout policies on behalf of the signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature. | 92a38652-f13b-4875-bc77-6e1dbb63e1b2 | Admin | Policy.ReadWrite.FeatureRollout |
Allows the app to read and write your organization’s mobility management policies on behalf of the signed-in user. For example, a mobility management policy can set the enrollment scope for a given mobility management application. | a8ead177-1889-4546-9387-f25e658e2a79 | Admin | Policy.ReadWrite.MobilityManagement |
Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user. | 2672f8bb-fd5e-42e0-85e1-ec764dd2614e | Admin | Policy.ReadWrite.PermissionGrant |
Allows the app to read and write your organization’s security defaults policy on behalf of the signed-in user. | 0b2a744c-2abf-4f1e-ad7e-17a087e2be99 | Admin | Policy.ReadWrite.SecurityDefaults |
Allows the app to read and write your organization’s trust framework policies on behalf of the signed-in user. | cefba324-1a70-4a6e-9c1d-fd670b7ae392 | Admin | Policy.ReadWrite.TrustFramework |
Allows the app to have the same access to mailboxes as the signed-in user via POP protocol. | d7b7f2d9-0f45-4ea1-9d42-e50810c06991 | User | POP.AccessAsUser.All |
Allows the app to read presence information on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. | 76bc735e-aecd-4a1d-8b4c-2b915deabb79 | User | Presence.Read |
Allows the app to read presence information of all users in the directory on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. | 9c7a330d-35b3-4aa1-963d-cb2b9f927841 | User | Presence.Read.All |
Allows the app to read the presence information and write activity and availability on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. | 8d3c54a7-cf58-4773-bf81-c0cd6ad522bb | User | Presence.ReadWrite |
Allows the application to read print connectors on behalf of the signed-in user. | d69c2d6d-4f72-4f99-a6b9-663e32f8cf68 | Admin | PrintConnector.Read.All |
Allows the application to read and write print connectors on behalf of the signed-in user. | 79ef9967-7d59-4213-9c64-4b10687637d8 | Admin | PrintConnector.ReadWrite.All |
Allows the application to create (register) printers on behalf of the signed-in user. | 90c30bed-6fd1-4279-bf39-714069619721 | Admin | Printer.Create |
Allows the application to create (register), read, update, and delete (unregister) printers on behalf of the signed-in user. | 93dae4bd-43a1-4a23-9a1a-92957e1d9121 | Admin | Printer.FullControl.All |
Allows the application to read printers on behalf of the signed-in user. | 3a736c8a-018e-460a-b60c-863b2683e8bf | Admin | Printer.Read.All |
Allows the application to read and update printers on behalf of the signed-in user. Does not allow creating (registering) or deleting (unregistering) printers. | 89f66824-725f-4b8f-928e-e1c5258dc565 | Admin | Printer.ReadWrite.All |
Allows the application to read printer shares on behalf of the signed-in user. | ed11134d-2f3f-440d-a2e1-411efada2502 | User | PrinterShare.Read.All |
Allows the application to read basic information about printer shares on behalf of the signed-in user. Does not allow reading access control information. | 5fa075e9-b951-4165-947b-c63396ff0a37 | User | PrinterShare.ReadBasic.All |
Allows the application to read and update printer shares on behalf of the signed-in user. | 06ceea37-85e2-40d7-bec3-91337a46038f | Admin | PrinterShare.ReadWrite.All |
Allows the application to create print jobs on behalf of the signed-in user and upload document content to print jobs that the signed-in user created. | 21f0d9c0-9f13-48b3-94e0-b6b231c7d320 | User | PrintJob.Create |
Allows the application to read the metadata and document content of print jobs that the signed-in user created. | 248f5528-65c0-4c88-8326-876c7236df5e | User | PrintJob.Read |
Allows the application to read the metadata and document content of print jobs on behalf of the signed-in user. | afdd6933-a0d8-40f7-bd1a-b5d778e8624b | Admin | PrintJob.Read.All |
Allows the application to read the metadata of print jobs that the signed-in user created. Does not allow access to print job document content. | 6a71a747-280f-4670-9ca0-a9cbf882b274 | User | PrintJob.ReadBasic |
Allows the application to read the metadata of print jobs on behalf of the signed-in user. Does not allow access to print job document content. | 04ce8d60-72ce-4867-85cf-6d82f36922f3 | Admin | PrintJob.ReadBasic.All |
Allows the application to read and update the metadata and document content of print jobs that the signed-in user created. | b81dd597-8abb-4b3f-a07a-820b0316ed04 | User | PrintJob.ReadWrite |
Allows the application to read and update the metadata and document content of print jobs on behalf of the signed-in user. | 036b9544-e8c5-46ef-900a-0646cc42b271 | Admin | PrintJob.ReadWrite.All |
Allows the application to read and update the metadata of print jobs that the signed-in user created. Does not allow access to print job document content. | 6f2d22f2-1cb6-412c-a17c-3336817eaa82 | User | PrintJob.ReadWriteBasic |
Allows the application to read and update the metadata of print jobs on behalf of the signed-in user. Does not allow access to print job document content. | 3a0db2f6-0d2a-4c19-971b-49109b19ad3d | Admin | PrintJob.ReadWriteBasic.All |
Allows the application to read tenant-wide print settings on behalf of the signed-in user. | 490f32fd-d90f-4dd7-a601-ff6cdc1a3f6c | Admin | PrintSettings.Read.All |
Allows the application to read and write tenant-wide print settings on behalf of the signed-in user. | 9ccc526a-c51c-4e5c-a1fd-74726ef50b8f | Admin | PrintSettings.ReadWrite.All |
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on behalf of the signed-in user. | b3a539c9-59cb-4ad5-825a-041ddbdc2bdb | Admin | PrivilegedAccess.Read.AzureAD |
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user. | d329c81c-20ad-4772-abf9-3f6fdb7e5988 | Admin | PrivilegedAccess.Read.AzureADGroup |
Allows the app to read time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) on behalf of the signed-in user. | 1d89d70c-dcac-4248-b214-903c457af83a | Admin | PrivilegedAccess.Read.AzureResources |
Allows the app to request and manage just-in-time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on behalf of signed-in users. | 3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37 | Admin | PrivilegedAccess.ReadWrite.AzureAD |
Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user. | 32531c59-1f32-461f-b8df-6f8a3b89f73b | Admin | PrivilegedAccess.ReadWrite.AzureADGroup |
Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage Azure resources (like subscriptions, resource groups, storage, compute) on behalf of the signed-in users. | a84a9652-ffd3-496e-a991-22ba5529156a | Admin | PrivilegedAccess.ReadWrite.AzureResources |
Allows the app to see your users’ basic profile (e.g., name, picture, user name, email address) | 14dad69e-099b-42c9-810b-d002981feec1 | User | profile |
Allows the app to read programs and program controls that the signed-in user has access to in the organization. | c492a2e1-2f8f-4caa-b076-99bbf6e40fe4 | Admin | ProgramControl.Read.All |
Allows the app to read, update, delete and perform actions on programs and program controls that the signed-in user has access to in the organization. | 50fd364f-9d93-4ae1-b170-300e87cccf84 | Admin | ProgramControl.ReadWrite.All |
Allows an app to read all question and answer sets that the signed-in user can access. | f73fa04f-b9a5-4df9-8843-993ce928925e | User | QnA.Read.All |
Allows the application to read any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user. | 07f995eb-fc67-4522-ad66-2b8ca8ea3efd | Admin | RecordsManagement.Read.All |
Allows the application to create, update and delete any data from Records Management, such as configuration, labels, and policies on behalf of the signed-in user. | f2833d75-a4e6-40ab-86d4-6dfe73c97605 | Admin | RecordsManagement.ReadWrite.All |
Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. | 02e97553-ed7b-43d0-ab3c-f8bace0d040c | Admin | Reports.Read.All |
Allows the app to read admin report settings, such as whether to display concealed information in reports, on behalf of the signed-in user. | 84fac5f4-33a9-4100-aa38-a20c6d29e5e7 | Admin | ReportSettings.Read.All |
Allows the app to read and update admin report settings, such as whether to display concealed information in reports, on behalf of the signed-in user. | b955410e-7715-4a88-a940-dfd551018df3 | Admin | ReportSettings.ReadWrite.All |
Allows the app to read the active role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles. | 344a729c-0285-42c6-9014-f12b9b8d6129 | Admin | RoleAssignmentSchedule.Read.Directory |
Allows the app to read and manage the active role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships. | 8c026be3-8e26-4774-9372-8d5d6f21daff | Admin | RoleAssignmentSchedule.ReadWrite.Directory |
Allows the app to read the eligible role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles. | eb0788c2-6d4e-4658-8c9e-c0fb8053f03d | Admin | RoleEligibilitySchedule.Read.Directory |
Allows the app to read and manage the eligible role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships. | 62ade113-f8e0-4bf9-a6ba-5acb31db32fd | Admin | RoleEligibilitySchedule.ReadWrite.Directory |
Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on behalf of the signed-in user. This includes reading role definitions and role assignments. | 48fec646-b2ba-4019-8681-8eb31435aded | Admin | RoleManagement.Read.All |
Allows the app to read the Cloud PC role-based access control (RBAC) settings, on behalf of the signed-in user. This includes reading Cloud PC role definitions and role assignments. | 9619b88a-8a25-48a7-9571-d23be0337a79 | Admin | RoleManagement.Read.CloudPC |
Allows the app to read the role-based access control (RBAC) settings for your company’s directory, on behalf of the signed-in user. This includes reading directory role templates, directory roles and memberships. | 741c54c3-0c1e-44a1-818b-3f97ab4e8c83 | Admin | RoleManagement.Read.Directory |
Allows the app to read and manage the Cloud PC role-based access control (RBAC) settings, on behalf of the signed-in user. This includes reading and managing Cloud PC role definitions and role assignments. | 501d06f8-07b8-4f18-b5c6-c191a4af7a82 | Admin | RoleManagement.ReadWrite.CloudPC |
Allows the app to read and manage the role-based access control (RBAC) settings for your company’s directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | d01b97e9-cbc0-49fe-810a-750afd5527a3 | Admin | RoleManagement.ReadWrite.Directory |
Allows the app to read the role-based access control (RBAC) alerts for your company’s directory, on behalf of the signed-in user. This includes reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert. | cce71173-f76d-446e-97ff-efb2d82e11b1 | Admin | RoleManagementAlert.Read.Directory |
Allows the app to read and manage the role-based access control (RBAC) alerts for your company’s directory, on behalf of the signed-in user. This includes managing alert settings, initiating alert scans, dismissing alerts, remediating alert incidents, and reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert. | 435644c6-a5b1-40bf-8f52-fe8e5b53e19c | Admin | RoleManagementAlert.ReadWrite.Directory |
Allows the app to read policies for privileged role-based access control (RBAC) assignments of your company’s directory, on behalf of the signed-in user. | 3de2cdbe-0ff5-47d5-bdee-7f45b4749ead | Admin | RoleManagementPolicy.Read.Directory |
Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company’s directory, on behalf of the signed-in user. | 1ff1be21-34eb-448c-9ac9-ce1f506b2a68 | Admin | RoleManagementPolicy.ReadWrite.Directory |
Allows the app to read schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on behalf of the signed-in user. | fccf6dd8-5706-49fa-811f-69e2e1b585d0 | Admin | Schedule.Read.All |
Allows the app to manage schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on behalf of the signed-in user. | 63f27281-c9d9-4f29-94dd-6942f7f1feb0 | Admin | Schedule.ReadWrite.All |
Allows the app to read search configuration, on behalf of the signed-in user. | 7d307522-aa38-4cd0-bd60-90c6f0ac50bd | Admin | SearchConfiguration.Read.All |
Allows the app to read and write search configuration, on behalf of the signed-in user. | b1a7d408-cab0-47d2-a2a5-a74a3733600d | Admin | SearchConfiguration.ReadWrite.All |
Allows the app to read security actions, on behalf of the signed-in user. | 1638cddf-07a4-4de2-8645-69c96cacad73 | Admin | SecurityActions.Read.All |
Allows the app to read or update security actions, on behalf of the signed-in user. | dc38509c-b87d-4da0-bd92-6bec988bac4a | Admin | SecurityActions.ReadWrite.All |
Allows the app to read all security alerts, on behalf of the signed-in user. | bc257fb8-46b4-4b15-8713-01e91bfbe4ea | Admin | SecurityAlert.Read.All |
Allows the app to read and write to all security alerts, on behalf of the signed-in user. | 471f2a7f-2a42-4d45-a2bf-594d0838070d | Admin | SecurityAlert.ReadWrite.All |
Read email metadata and security detection details on behalf of the signed in user. | 53e6783e-b127-4a35-ab3a-6a52d80a9077 | Admin | SecurityAnalyzedMessage.Read.All |
Read email metadata, security detection details, and execute remediation actions like deleting an email, on behalf of the signed in user. | 48eb8c83-6e58-46e7-a6d3-8805822f5940 | Admin | SecurityAnalyzedMessage.ReadWrite.All |
Allows the app to read your organization’s security events on behalf of the signed-in user. | 64733abd-851e-478a-bffb-e47a14b18235 | Admin | SecurityEvents.Read.All |
Allows the app to read your organization’s security events on behalf of the signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in user. | 6aedf524-7e1c-45a7-bd76-ded8cab8d0fc | Admin | SecurityEvents.ReadWrite.All |
Allows the app to read security incidents, on behalf of the signed-in user. | b9abcc4f-94fc-4457-9141-d20ce80ec952 | Admin | SecurityIncident.Read.All |
Allows the app to read and write security incidents, on behalf of the signed-in user. | 128ca929-1a19-45e6-a3b8-435ec44a36ba | Admin | SecurityIncident.ReadWrite.All |
Allows the app to read your tenant’s service health information on behalf of the signed-in user. Health information may include service issues or service health overviews. | 55896846-df78-47a7-aa94-8d3d4442ca7f | Admin | ServiceHealth.Read.All |
Allows the app to read your tenant’s service announcement messages on behalf of the signed-in user. Messages may include information about new or changed features. | eda39fa6-f8cf-4c3c-a909-432c683e4c9b | Admin | ServiceMessage.Read.All |
Allows the app to update service announcement messages’ user status on behalf of the signed-in user. The message status can be marked as read, archive, or favorite. | 636e1b0b-1cc2-4b1c-9aa9-4eeed9b9761b | Admin | ServiceMessageViewpoint.Write |
Allows the app to read service principal endpoints | 9f9ce928-e038-4e3b-8faf-7b59049a8ddc | Admin | ServicePrincipalEndpoint.Read.All |
Allows the app to update service principal endpoints | 7297d82c-9546-4aed-91df-3d4f0a9b3ff0 | Admin | ServicePrincipalEndpoint.ReadWrite.All |
Allows the application to read the tenant-level settings in SharePoint and OneDrive on behalf of the signed-in user. | 2ef70e10-5bfd-4ede-a5f6-67720500b258 | Admin | SharePointTenantSettings.Read.All |
Allows the application to read and change the tenant-level settings of SharePoint and OneDrive on behalf of the signed-in user. | aa07f155-3612-49b8-a147-6c590df35536 | Admin | SharePointTenantSettings.ReadWrite.All |
Allows the app to read all the short notes a signed-in user has access to. | 50f66e47-eb56-45b7-aaa2-75057d9afe08 | User | ShortNotes.Read |
Allows the app to read, create, edit, and delete short notes of a signed-in user. | 328438b7-4c01-4c07-a840-e625a749bb89 | User | ShortNotes.ReadWrite |
Allows the application to have full control of all site collections on behalf of the signed-in user. | 5a54b8b3-347c-476d-8f8e-42d5c7424d29 | Admin | Sites.FullControl.All |
Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user. | 65e50fdc-43b7-4915-933e-e8138f11f40a | User | Sites.Manage.All |
Allows the application to read documents and list items in all site collections on behalf of the signed-in user | 205e70e5-aba6-4c52-a976-6d2d46c48043 | User | Sites.Read.All |
Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user. | 89fe6a52-be36-487e-b7d8-d061c450a026 | User | Sites.ReadWrite.All |
Allows the app to send emails from the user’s mailbox using the SMTP AUTH client submission protocol. | 258f6531-6087-4cc4-bb90-092c5fb3ed3f | User | SMTP.Send |
Allows the app to read subject rights requests on behalf of the signed-in user | 9c3af74c-fd0f-4db4-b17a-71939e2a9d77 | Admin | SubjectRightsRequest.Read.All |
Allows the app to read and write subject rights requests on behalf of the signed-in user | 2b8fcc74-bce1-4ae3-a0e8-60c53739299d | Admin | SubjectRightsRequest.ReadWrite.All |
Allows the app to read all webhook subscriptions on behalf of the signed-in user. | 5f88184c-80bb-4d52-9ff2-757288b2e9b7 | Admin | Subscription.Read.All |
Allows the app to read Azure AD synchronization information, on behalf of the signed-in user. | 7aa02aeb-824f-4fbe-a3f7-611f751f5b55 | Admin | Synchronization.Read.All |
Allows the app to configure the Azure AD synchronization service, on behalf of the signed-in user. | 7bb27fa3-ea8f-4d67-a916-87715b6188bd | Admin | Synchronization.ReadWrite.All |
Allows the app to read the signed-in user’s tasks and task lists, including any shared with the user. Doesn’t include permission to create, delete, or update anything. | f45671fb-e0fe-4b4b-be20-3d3ce43f1bcb | User | Tasks.Read |
Allows the app to read tasks a user has permissions to access, including their own and shared tasks. | 88d21fd4-8e5a-4c32-b5e2-4a1c95f34f72 | User | Tasks.Read.Shared |
Allows the app to create, read, update, and delete the signed-in user’s tasks and task lists, including any shared with the user. | 2219042f-cab5-40cc-b0d2-16b1540b4c5f | User | Tasks.ReadWrite |
Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks. | c5ddf11b-c114-4886-8558-8a4e557cd52b | User | Tasks.ReadWrite.Shared |
Allows the app to create teams on behalf of the signed-in user. | 7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0 | User | Team.Create |
Read the names and descriptions of teams, on behalf of the signed-in user. | 485be79e-c497-4b35-9400-0e3fa7f2a5d4 | User | Team.ReadBasic.All |
Read the members of teams, on behalf of the signed-in user. | 2497278c-d82d-46a2-b1ce-39d4cdde5570 | Admin | TeamMember.Read.All |
Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member’s role, for example from owner to non-owner. | 4a06efd2-f825-4e34-813e-82a57b03d1ee | Admin | TeamMember.ReadWrite.All |
Add and remove members from all teams, on behalf of the signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role. | 2104a4db-3a2f-4ea0-9dba-143d457dc666 | Admin | TeamMember.ReadWriteNonOwnerRole.All |
Allows the app to read the signed-in user’s teamwork activity feed. | 0e755559-83fb-4b44-91d0-4cc721b9323e | User | TeamsActivity.Read |
Allows the app to create new notifications in users’ teamwork activity feeds on behalf of the signed in user. These notifications may not be discoverable or be held or governed by compliance policies. | 7ab1d787-bae7-4d5d-8db6-37ea32df9186 | User | TeamsActivity.Send |
Allows the app to read the Teams apps that are installed in chats the signed-in user can access. Does not give the ability to read application-specific settings. | bf3fbf03-f35f-4e93-963e-47e4d874c37a | User | TeamsAppInstallation.ReadForChat |
Allows the app to read the Teams apps that are installed in teams the signed-in user can access. Does not give the ability to read application-specific settings. | 5248dcb1-f83b-4ec3-9f4d-a4428a961a72 | Admin | TeamsAppInstallation.ReadForTeam |
Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings. | c395395c-ff9a-4dba-bc1f-8372ba9dca84 | User | TeamsAppInstallation.ReadForUser |
Allows the app to read, install, upgrade, and uninstall Teams apps in chats the signed-in user can access. Gives the ability to manage permission grants for accessing those specific chats’ data. | e1408a66-8f82-451b-a2f3-3c3e38f7413f | Admin | TeamsAppInstallation.ReadWriteAndConsentForChat |
Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Gives the ability to manage permission grants for accessing those specific teams’ data. | 946349d5-2a9d-4535-abc0-7beeacaedd1d | Admin | TeamsAppInstallation.ReadWriteAndConsentForTeam |
Allows a Teams app to read, install, upgrade, and uninstall itself in chats the signed-in user can access, and manage its permission grants for accessing those specific chats’ data. | a0e0e18b-8fb2-458f-8130-da2d7cab9c75 | Admin | TeamsAppInstallation.ReadWriteAndConsentSelfForChat |
Allows a Teams app to read, install, upgrade, and uninstall itself in teams the signed-in user can access, and manage its permission grants for accessing those specific teams’ data. | 4a6bbf29-a0e1-4a4d-a7d1-cef17f772975 | Admin | TeamsAppInstallation.ReadWriteAndConsentSelfForTeam |
Allows the app to read, install, upgrade, and uninstall Teams apps in chats the signed-in user can access. Does not give the ability to read application-specific settings. | aa85bf13-d771-4d5d-a9e6-bca04ce44edf | Admin | TeamsAppInstallation.ReadWriteForChat |
Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Does not give the ability to read application-specific settings. | 2e25a044-2580-450d-8859-42eeb6e996c0 | Admin | TeamsAppInstallation.ReadWriteForTeam |
Allows the app to read, install, upgrade, and uninstall Teams apps installed for the signed-in user. Does not give the ability to read application-specific settings. | 093f8818-d05f-49b8-95bc-9d2a73e9a43c | Admin | TeamsAppInstallation.ReadWriteForUser |
Allows a Teams app to read, install, upgrade, and uninstall itself in chats the signed-in user can access. | 0ce33576-30e8-43b7-99e5-62f8569a4002 | Admin | TeamsAppInstallation.ReadWriteSelfForChat |
Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | 0f4595f7-64b1-4e13-81bc-11a249df07a9 | Admin | TeamsAppInstallation.ReadWriteSelfForTeam |
Allows a Teams app to read, install, upgrade, and uninstall itself for the signed-in user. | 207e0cb1-3ce7-4922-b991-5a760c346ebc | User | TeamsAppInstallation.ReadWriteSelfForUser |
Read all teams’ settings, on behalf of the signed-in user. | 48638b3c-ad68-4383-8ac4-e6880ee6ca57 | Admin | TeamSettings.Read.All |
Read and change all teams’ settings, on behalf of the signed-in user. | 39d65650-9d3e-4223-80db-a335590d027e | Admin | TeamSettings.ReadWrite.All |
Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. | a9ff19c2-f369-4a95-9a25-ba9d460efc8e | Admin | TeamsTab.Create |
Read the names and settings of tabs inside any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs. | 59dacb05-e88d-4c13-a684-59f1afc8cc98 | Admin | TeamsTab.Read.All |
Read and write tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs. | b98bfd41-87c6-45cc-b104-e2de4f0dafb9 | Admin | TeamsTab.ReadWrite.All |
Allows a Teams app to read, install, upgrade, and uninstall all tabs in chats the signed-in user can access. | ee928332-e9c2-4747-b4a0-f8c164b68de6 | Admin | TeamsTab.ReadWriteForChat |
Allows a Teams app to read, install, upgrade, and uninstall all tabs to teams the signed-in user can access. | c975dd04-a06e-4fbb-9704-62daad77bb49 | Admin | TeamsTab.ReadWriteForTeam |
Allows a Teams app to read, install, upgrade, and uninstall all tabs for the signed-in user. | c37c9b61-7762-4bff-a156-afc0005847a0 | User | TeamsTab.ReadWriteForUser |
Allows a Teams app to read, install, upgrade, and uninstall its own tabs in chats the signed-in user can access. | 0c219d04-3abf-47f7-912d-5cca239e90e6 | Admin | TeamsTab.ReadWriteSelfForChat |
Allows a Teams app to read, install, upgrade, and uninstall its own tabs to teams the signed-in user can access. | f266662f-120a-4314-b26a-99b08617c7ef | Admin | TeamsTab.ReadWriteSelfForTeam |
Allows a Teams app to read, install, upgrade, and uninstall its own tabs for the signed-in user. | 395dfec1-a0b9-465f-a783-8250a430cb8c | User | TeamsTab.ReadWriteSelfForUser |
Allows the app to read the available Teams templates, on behalf of the signed-in user. | cd87405c-5792-4f15-92f7-debc0db6d1d6 | User | TeamTemplates.Read |
Allows the app to read the Teams app settings on behalf of the signed-in user. | 44e060c4-bbdc-4256-a0b9-dcc0396db368 | User | TeamworkAppSettings.Read.All |
Allows the app to read and write the Teams app settings on behalf of the signed-in user. | 87c556f0-2bd9-4eed-bd74-5dd8af6eaf7e | Admin | TeamworkAppSettings.ReadWrite.All |
Allows the app to read the management data for Teams devices on behalf of the signed-in user. | b659488b-9d28-4208-b2be-1c6652b3c970 | Admin | TeamworkDevice.Read.All |
Allows the app to read and write the management data for Teams devices on behalf of the signed-in user. | ddd97ecb-5c31-43db-a235-0ee20e635c40 | Admin | TeamworkDevice.ReadWrite.All |
Allows the app to read tags in Teams, on behalf of the signed-in user. | 57587d0b-8399-45be-b207-8050cec54575 | Admin | TeamworkTag.Read |
Allows the app to read and write tags in Teams, on behalf of the signed-in user. | 539dabd7-b5b6-4117-b164-d60cd15a8671 | Admin | TeamworkTag.ReadWrite |
Allows the app to read the term store data that the signed-in user has access to. This includes all sets, groups and terms in the term store. | 297f747b-0005-475b-8fef-c890f5152b38 | Admin | TermStore.Read.All |
Allows the app to read or modify data that the signed-in user has access to. This includes all sets, groups and terms in the term store. | 6c37c71d-f50f-4bff-8fd3-8a41da390140 | Admin | TermStore.ReadWrite.All |
Allows an app to read your organization’s threat assessment requests on behalf of the signed-in user. Also allows the app to create new requests to assess threats received by your organization on behalf of the signed-in user. | cac97e40-6730-457d-ad8d-4852fddab7ad | Admin | ThreatAssessment.ReadWrite.All |
Allows the app to run hunting queries, on behalf of the signed-in user. | b152eca8-ea73-4a48-8c98-1a6742673d99 | Admin | ThreatHunting.Read.All |
Allows the app to read all the indicators for your organization, on behalf of the signed-in user. | 9cc427b4-2004-41c5-aa22-757b755e9796 | Admin | ThreatIndicators.Read.All |
Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), on behalf of the signed-in user. It cannot update any threat indicators it does not own. | 91e7d36d-022a-490f-a748-f8e011357b42 | Admin | ThreatIndicators.ReadWrite.OwnedBy |
Allows the app to read the threat submissions and threat submission policies owned by the signed-in user. | fd5353c6-26dd-449f-a565-c4e16b9fce78 | User | ThreatSubmission.Read |
Allows the app to read your organization’s threat submissions and threat submission policies on behalf of the signed-in user. | 7083913a-4966-44b6-9886-c5822a5fd910 | Admin | ThreatSubmission.Read.All |
Allows the app to read the threat submissions and threat submission policies owned by the signed-in user. Also allows the app to create new threat submissions on behalf of the signed-in user. | 68a3156e-46c9-443c-b85c-921397f082b5 | User | ThreatSubmission.ReadWrite |
Allows the app to read your organization’s threat submissions and threat submission policies on behalf of the signed-in user. Also allows the app to create new threat submissions on behalf of the signed-in user. | 8458e264-4eb9-4922-abe9-768d58f13c7f | Admin | ThreatSubmission.ReadWrite.All |
Allows the app to read your organization’s threat submission policies on behalf of the signed-in user. Also allows the app to create new threat submission policies on behalf of the signed-in user. | 059e5840-5353-4c68-b1da-666a033fc5e8 | Admin | ThreatSubmissionPolicy.ReadWrite.All |
Allows the app to read trust framework key set properties on behalf of the signed-in user. | 7ad34336-f5b1-44ce-8682-31d7dfcd9ab9 | Admin | TrustFrameworkKeySet.Read.All |
Allows the app to read and write trust framework key set properties on behalf of the signed-in user. | 39244520-1e7d-4b4a-aee0-57c65826e427 | Admin | TrustFrameworkKeySet.ReadWrite.All |
Allows the app to read basic unified group properties, memberships and owners of the group the signed-in guest is a member of. | 73e75199-7c3e-41bb-9357-167164dbb415 | Admin | UnifiedGroupMember.Read.AsGuest |
Allows the app to read the lifecycle information like employeeLeaveDateTime of users in your organization, on behalf of the signed-in user. | ed8d2a04-0374-41f1-aefe-da8ac87ccc87 | Admin | User-LifeCycleInfo.Read.All |
Allows the app to read and write the lifecycle information like employeeLeaveDateTime of users in your organization, on behalf of the signed-in user. | 7ee7473e-bd4b-4c9f-987c-bd58481f5fa2 | Admin | User-LifeCycleInfo.ReadWrite.All |
Allows the app to enable and disable users’ accounts, on behalf of the signed-in user. | f92e74e7-2563-467f-9dd0-902688cb5863 | Admin | User.EnableDisableAccount.All |
Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator). | 405a51b5-8d8d-430b-9842-8be4b0e9f324 | Admin | User.Export.All |
Allows the app to invite guest users to the organization, on behalf of the signed-in user. | 63dd7cd9-b489-4adf-a28c-ac38b9a0f962 | Admin | User.Invite.All |
Allows the app to read, update and delete identities that are associated with a user’s account that the signed-in user has access to. This controls the identities users can sign-in with. | 637d7bec-b31e-4deb-acc9-24275642a2c9 | Admin | User.ManageIdentities.All |
Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | e1fe6dd8-ba31-4d61-89e7-88639da4683d | User | User.Read |
Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | a154be20-db9c-4678-8ab7-66f6cc099a59 | Admin | User.Read.All |
Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo. | b340eb25-3456-403f-be2f-af7a0d370277 | User | User.ReadBasic.All |
Allows the app to read your profile. It also allows the app to update your profile information on your behalf. | b4e74841-8e56-480b-be8b-910348b18b4c | User | User.ReadWrite |
Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | 204e0828-b5ca-4ad8-b9f3-f32a958e7cc4 | Admin | User.ReadWrite.All |
Allows the app to read and report the signed-in user’s activity in the app. | 47607519-5fb1-47d9-99c7-da4b48f369b1 | User | UserActivity.ReadWrite.CreatedByApp |
Allows the app to read the signed-in user’s authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user’s passwords, or to sign-in or otherwise use the signed-in user’s authentication methods. | 1f6b61c5-2f65-4135-9c9f-31c0f8d32b52 | Admin | UserAuthenticationMethod.Read |
Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | aec28ec7-4d02-4e8c-b864-50163aea77eb | Admin | UserAuthenticationMethod.Read.All |
Allows the app to read and write the signed-in user’s authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user’s passwords, or to sign-in or otherwise use the signed-in user’s authentication methods. | 48971fc1-70d7-4245-af77-0beb29b53ee2 | Admin | UserAuthenticationMethod.ReadWrite |
Allows the app to read and write authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | b7887744-6746-4312-813d-72daeaee7e2d | Admin | UserAuthenticationMethod.ReadWrite.All |
Allows the app to send, read, update and delete users notifications. | 26e2f3e8-b2a1-47fc-9620-89bb5b042024 | User | UserNotification.ReadWrite.CreatedByApp |
Allows the app to report the signed-in user’s app activity information to Microsoft Timeline. | 367492fc-594d-4972-a9b5-0d58c622c91c | User | UserTimelineActivity.Write.CreatedByApp |
Allows an application to read virtual appointments for the signed-in user. Only an organizer or participant user can read their virtual appointments. | 27470298-d3b8-4b9c-aad4-6334312a3eac | Admin | VirtualAppointment.Read |
Allows an application to read and write virtual appointments for the signed-in user. Only an organizer or participant user can read and write their virtual appointments. | 2ccc2926-a528-4b17-b8bb-860eed29d64c | Admin | VirtualAppointment.ReadWrite |
Allows the app to read and write all Windows update deployment settings for the organization on behalf of the signed-in user. | 11776c0c-6138-4db3-a668-ee621bea2555 | Admin | WindowsUpdates.ReadWrite.All |
Allows the app to read workforce integrations, to synchronize data from Microsoft Teams Shifts, on behalf of the signed-in user. | f1ccd5a7-6383-466a-8db8-1a656f7d06fa | Admin | WorkforceIntegration.Read.All |
Allows the app to manage workforce integrations, to synchronize data from Microsoft Teams Shifts, on behalf of the signed-in user. | 08c4b377-0d23-4a8b-be2a-23c1c1d88545 | Admin | WorkforceIntegration.ReadWrite.All |
Well-known roles
Below is the list of all the well-known roles defined by Microsoft Graph:
Description | Id | Allowed Member Types | Value |
---|---|---|---|
Allows the app to read access reviews, reviewers, decisions and settings in the organization, without a signed-in user. | d07a8cc0-3d51-4b77-b3b0-32704d1f69fa | Application | AccessReview.Read.All |
Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user. | ef5f7d5c-338f-44b0-86c3-351f46c8bb5f | Application | AccessReview.ReadWrite.All |
Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization for group and app memberships, without a signed-in user. | 18228521-a591-40f1-b215-5fad4488c117 | Application | AccessReview.ReadWrite.Membership |
Allows an app to read all acronyms without a signed-in user. | 8c0aed2c-0c61-433d-b63c-6370ddc73248 | Application | Acronym.Read.All |
Allows the app to read administrative units and administrative unit membership without a signed-in user. | 134fd756-38ce-4afd-ba33-e9623dbe66c2 | Application | AdministrativeUnit.Read.All |
Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user. | 5eb59dd3-1da2-4329-8733-9dabdc435916 | Application | AdministrativeUnit.ReadWrite.All |
Allows the app to read terms of use agreements, without a signed in user. | 2f3e6f8c-093b-4c57-a58b-ba5ce494a169 | Application | Agreement.Read.All |
Allows the app to read and write terms of use agreements, without a signed in user. | c9090d00-6101-42f0-a729-c41074260d47 | Application | Agreement.ReadWrite.All |
Allows the app to read terms of use acceptance statuses, without a signed in user. | d8e4ec18-f6c0-4620-8122-c8b1f2bf400e | Application | AgreementAcceptance.Read.All |
Allows the app to read the API connectors used in user authentication flows, without a signed-in user. | b86848a7-d5b1-41eb-a9b4-54a4e6306e97 | Application | APIConnectors.Read.All |
Allows the app to read, create and manage the API connectors used in user authentication flows, without a signed-in user. | 1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171 | Application | APIConnectors.ReadWrite.All |
Allows the app to read apps in the app catalogs without a signed-in user. | e12dae10-5a57-4817-b79d-dfbec5348930 | Application | AppCatalog.Read.All |
Allows the app to create, read, update, and delete apps in the app catalogs without a signed-in user. | dc149144-f292-421e-b185-5953f2e98d7f | Application | AppCatalog.ReadWrite.All |
Allows the app to read all applications and service principals without a signed-in user. | 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 | Application | Application.Read.All |
Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. | 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 | Application | Application.ReadWrite.All |
Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of. | 18a4783c-866b-4cc7-a460-3d5e5662c884 | Application | Application.ReadWrite.OwnedBy |
Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | 06b708a9-e830-4db3-a914-8e69da51d44f | Application | AppRoleAssignment.ReadWrite.All |
Allows the app to read attack simulation and training data for an organization without a signed-in user. | 93283d0a-6322-4fa8-966b-8c121624760d | Application | AttackSimulation.Read.All |
Allows the app to read, create, and update attack simulation and training data for an organization without a signed-in user. | e125258e-8c8a-42a8-8f55-ab502afa52f3 | Application | AttackSimulation.ReadWrite.All |
Allows the app to read and query your audit log activities, without a signed-in user. | b0afded3-3588-46d8-8b3d-9842eff778da | Application | AuditLog.Read.All |
Allows the app to read the authentication context information in your organization without a signed-in user. | 381f742f-e1f8-4309-b4ab-e3d91ae4c5c1 | Application | AuthenticationContext.Read.All |
Allows the app to read and update the authentication context information in your organization without a signed-in user. | a88eef72-fed0-4bf7-a2a9-f19df33f8b83 | Application | AuthenticationContext.ReadWrite.All |
Allows the app to read and write the billing configuration on all applications without a signed-in user. | 9e8be751-7eee-4c09-bcfd-d64f6b087fd8 | Application | BillingConfiguration.ReadWrite.All |
Allows an app to read Bookings appointments, businesses, customers, services, and staff without a signed-in user. | 6e98f277-b046-4193-a4f2-6bf6a78cd491 | Application | Bookings.Read.All |
Allows an app to read and write Bookings appointments and customers, and additionally allows reading businesses, services, and staff without a signed-in user. | 9769393e-5a9f-4302-9e3d-7e018ecb64a7 | Application | BookingsAppointment.ReadWrite.All |
Allows an app to read all bookmarks without a signed-in user. | be95e614-8ef3-49eb-8464-1c9503433b86 | Application | Bookmark.Read.All |
Allows an app to read all browser site lists configured for your organization, without a signed-in user. | c5ee1f21-fc7f-4937-9af0-c91648ff9597 | Application | BrowserSiteLists.Read.All |
Allows an app to read and write all browser site lists configured for your organization, without a signed-in user. | 8349ca94-3061-44d5-9bfb-33774ea5e4f9 | Application | BrowserSiteLists.ReadWrite.All |
Allows the app to read the configurations of business scenarios it owns, without a signed-in user. | acc0fc4d-2cd6-4194-8700-1768d8423d86 | Application | BusinessScenarioConfig.Read.OwnedBy |
Allows the app to create new business scenarios and fully manage the configurations of scenarios it owns, without a signed-in user. | bbea195a-4c47-4a4f-bff2-cba399e11698 | Application | BusinessScenarioConfig.ReadWrite.OwnedBy |
Allows the app to read the data associated with the business scenarios it owns, without a signed-in user. | 6c0257fd-cffe-415b-8239-2d0d70fdaa9c | Application | BusinessScenarioData.Read.OwnedBy |
Allows the app to fully manage the data associated with the business scenarios it owns, without a signed-in user. | f2d21f22-5d80-499e-91cc-0a8a4ce16f54 | Application | BusinessScenarioData.ReadWrite.OwnedBy |
Allows the app to read events of all calendars without a signed-in user. | 798ee544-9d2d-430c-a058-570e29e34338 | Application | Calendars.Read |
Allows the app to read events of all calendars, except for properties such as body, attachments, and extensions, without a signed-in user. | 8ba4a692-bc31-4128-9094-475872af8a53 | Application | Calendars.ReadBasic.All |
Allows the app to create, read, update, and delete events of all calendars without a signed-in user. | ef54d2bf-783f-4e0f-bca1-3210c0444d99 | Application | Calendars.ReadWrite |
Allows the app to read all PSTN and direct routing call log data without a signed-in user. | a2611786-80b3-417e-adaa-707d4261a5f0 | Application | CallRecord-PstnCalls.Read.All |
Allows the app to read call records for all calls and online meetings without a signed-in user. | 45bbb07e-7321-4fd7-a8f6-3ff27e6a81c8 | Application | CallRecords.Read.All |
Allows the app to get direct access to media streams in a call, without a signed-in user. | a7a681dc-756e-4909-b988-f160edc6655f | Application | Calls.AccessMedia.All |
Allows the app to place outbound calls to a single user and transfer calls to users in your organization’s directory, without a signed-in user. | 284383ee-7f6e-4e40-a2a8-e85dcb029101 | Application | Calls.Initiate.All |
Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a signed-in user. | 4c277553-8a09-487b-8023-29ee378d8324 | Application | Calls.InitiateGroupCall.All |
Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined with the privileges of a directory user to meetings in your organization. | f6b49018-60ab-4f81-83bd-22caeabfed2d | Application | Calls.JoinGroupCall.All |
Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined as a guest to meetings in your organization. | fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4 | Application | Calls.JoinGroupCallAsGuest.All |
Create channels in any team, without a signed-in user. | f3a65bd4-b703-46df-8f7e-0174fea562aa | Application | Channel.Create |
Delete channels in any team, without a signed-in user. | 6a118a39-1227-45d4-af0c-ea7b40d210bc | Application | Channel.Delete.All |
Read all channel names and channel descriptions, without a signed-in user. | 59a6b24b-4225-4393-8165-ebaec5f55d7a | Application | Channel.ReadBasic.All |
Read the members of all channels, without a signed-in user. | 3b55498e-47ec-484f-8136-9013221c06a9 | Application | ChannelMember.Read.All |
Add and remove members from all channels, without a signed-in user. Also allows changing a member’s role, for example from owner to non-owner. | 35930dcf-aceb-4bd1-b99a-8ffed403c974 | Application | ChannelMember.ReadWrite.All |
Allows the app to read all channel messages in Microsoft Teams | 7b2449af-6ccd-4f4d-9f78-e550c193f0d1 | Application | ChannelMessage.Read.All |
Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. | 4d02b0cc-d90b-441f-8d82-4fb55c34d6bb | Application | ChannelMessage.UpdatePolicyViolation.All |
Read all channel names, channel descriptions, and channel settings, without a signed-in user. | c97b873f-f59f-49aa-8a0e-52b32d762124 | Application | ChannelSettings.Read.All |
Read and write the names, descriptions, and settings of all channels, without a signed-in user. | 243cded2-bd16-4fd6-a953-ff8177894c3d | Application | ChannelSettings.ReadWrite.All |
Allows the app to create chats without a signed-in user. | d9c48af6-9ad9-47ad-82c3-63757137b9af | Application | Chat.Create |
Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams. | 6b7d71aa-70aa-4810-a8d9-5d9fb2830017 | Application | Chat.Read.All |
Allows the app to read all one-to-one or group chat messages in Microsoft Teams for chats where the associated Teams application is installed, without a signed-in user. | 1c1b4c8e-3cc7-4c58-8470-9b92c9d5848b | Application | Chat.Read.WhereInstalled |
Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user. | b2e060da-3baf-4687-9611-f4ebc0f0cbde | Application | Chat.ReadBasic.All |
Allows the app to read names and members of all one-to-one and group chats in Microsoft Teams where the associated Teams application is installed, without a signed-in user. | 818ba5bd-5b3e-4fe0-bbe6-aa4686669073 | Application | Chat.ReadBasic.WhereInstalled |
Allows an app to read and write all chat messages in Microsoft Teams, without a signed-in user. | 294ce7c9-31ba-490a-ad7d-97a7d075e4ed | Application | Chat.ReadWrite.All |
Allows the app to read and write all chat messages in Microsoft Teams for chats where the associated Teams application is installed, without a signed-in user. | ad73ce80-f3cd-40ce-b325-df12c33df713 | Application | Chat.ReadWrite.WhereInstalled |
Allows the app to update Microsoft Teams 1-to-1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. | 7e847308-e030-4183-9899-5235d7270f58 | Application | Chat.UpdatePolicyViolation.All |
Read the members of all chats, without a signed-in user. | a3410be2-8e48-4f32-8454-c29a7465209d | Application | ChatMember.Read.All |
Allows the app to read the members of all chats where the associated Teams application is installed, without a signed-in user. | 93e7c9e4-54c5-4a41-b796-f2a5adaacda7 | Application | ChatMember.Read.WhereInstalled |
Add and remove members from all chats, without a signed-in user. | 57257249-34ce-4810-a8a2-a03adf0c5693 | Application | ChatMember.ReadWrite.All |
Allows the app to add and remove members from all chats where the associated Teams application is installed, without a signed-in user. | e32c2cd9-0124-4e44-88fc-772cd98afbdb | Application | ChatMember.ReadWrite.WhereInstalled |
Allows the app to read all one-to-one and group chats messages in Microsoft Teams, without a signed-in user. | b9bb2381-47a4-46cd-aafb-00cb12f68504 | Application | ChatMessage.Read.All |
Allows the app to read the properties of Cloud PCs, without a signed-in user. | a9e09520-8ed4-4cde-838e-4fdea192c227 | Application | CloudPC.Read.All |
Allows the app to read and write the properties of Cloud PCs, without a signed-in user. | 3b4349e1-8cf5-45a3-95b7-69d1751d3e6a | Application | CloudPC.ReadWrite.All |
Allows the app to read consent requests and approvals without a signed-in user. | 1260ad83-98fb-4785-abbb-d6cc1806fd41 | Application | ConsentRequest.Read.All |
Allows the app to read app consent requests and approvals, and deny or approve those requests without a signed-in user. | 9f1b81a7-0223-4428-bfa4-0bcb5535f27d | Application | ConsentRequest.ReadWrite.All |
Allows the app to read all contacts in all mailboxes without a signed-in user. | 089fe4d0-434a-44c5-8827-41ba8a0b17f5 | Application | Contacts.Read |
Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. | 6918b873-d17a-4dc1-b314-35f528134491 | Application | Contacts.ReadWrite |
Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem without a signed-in user. | cac88765-0581-4025-9725-5ebc13f729ee | Application | CrossTenantInformation.ReadBasic.All |
Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user. It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant without a signed-in user. | 8b919d44-6192-4f3d-8a3b-f86f8069ae3c | Application | CrossTenantUserProfileSharing.Read.All |
Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant without a signed-in user. | 306785c5-c09b-4ba0-a4ee-023f3da165cb | Application | CrossTenantUserProfileSharing.ReadWrite.All |
Allows the app to read your organization’s custom authentication extensions without a signed-in user. | 88bb2658-5d9e-454f-aacd-a3933e079526 | Application | CustomAuthenticationExtension.Read.All |
Allows the app to read or write your organization’s custom authentication extensions without a signed-in user. | c2667967-7050-4e7e-b059-4cbbb3811d03 | Application | CustomAuthenticationExtension.ReadWrite.All |
Allows custom authentication extensions associated with the app to receive HTTP requests triggered by an authentication event. The request can include information about a user, client and resource service principals, and other information about the authentication. | 214e810f-fda8-4fd7-a475-29461495eb00 | Application | CustomAuthenticationExtension.Receive.Payload |
Allows the app to read custom security attribute assignments for all principals in the tenant without a signed in user. | 3b37c5a4-1226-493d-bec3-5d6c6b866f3f | Application | CustomSecAttributeAssignment.Read.All |
Allows the app to read and write custom security attribute assignments for all principals in the tenant without a signed in user. | de89b5e4-5b8f-48eb-8925-29c2b33bd8bd | Application | CustomSecAttributeAssignment.ReadWrite.All |
Allows the app to read custom security attribute definitions for the tenant without a signed in user. | b185aa14-d8d2-42c1-a685-0f5596613624 | Application | CustomSecAttributeDefinition.Read.All |
Allows the app to read and write custom security attribute definitions for the tenant without a signed in user. | 12338004-21f4-4896-bf5e-b75dfaf1016d | Application | CustomSecAttributeDefinition.ReadWrite.All |
Allows the app to read all data loss prevention policies applicable to users for protecting organizational data, without a signed-in user. | aee50e06-5c4f-4494-ab8d-2e65636a2949 | Application | DataLossPrevention.Read.All |
Allows the app to read details of delegated admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups without a signed-in user. | f6e9e124-4586-492f-adc0-c6f96e4823fd | Application | DelegatedAdminRelationship.Read.All |
Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships without a signed-in user. | cc13eba4-8cd8-44c6-b4d4-f93237adce58 | Application | DelegatedAdminRelationship.ReadWrite.All |
Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), without a signed-in user. | 8e8e4742-1d95-4f68-9d56-6ee75648c72a | Application | DelegatedPermissionGrant.ReadWrite.All |
Allows the app to read your organization’s devices’ configuration information without a signed-in user. | 7438b122-aefc-4978-80ed-43db9fcc7715 | Application | Device.Read.All |
Allows the app to read and write all device properties without a signed in user. Does not allow device creation, device deletion or update of device alternative security identifiers. | 1138cb37-bd11-4084-a2b7-9f71582aeddb | Application | Device.ReadWrite.All |
Allows the app to read device local credential properties including passwords, without a signed-in user. | 884b599e-4d48-43a5-ba94-15c414d00588 | Application | DeviceLocalCredential.Read.All |
Allows the app to read device local credential properties excluding passwords, without a signed-in user. | db51be59-e728-414b-b800-e0f010df1a79 | Application | DeviceLocalCredential.ReadBasic.All |
Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | 7a6ee1e7-141e-4cec-ae74-d9db155731ff | Application | DeviceManagementApps.Read.All |
Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | 78145de6-330d-4800-a6ce-494ff2d33d07 | Application | DeviceManagementApps.ReadWrite.All |
Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. | dc377aa6-52d8-4e23-b271-2a7ae04cedf3 | Application | DeviceManagementConfiguration.Read.All |
Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. | 9241abd9-d0e6-425a-bd4f-47ba86e767a4 | Application | DeviceManagementConfiguration.ReadWrite.All |
Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user. | 5b07b0dd-2377-4e44-a38d-703f09a0dc3c | Application | DeviceManagementManagedDevices.PrivilegedOperations.All |
Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user. | 2f51be20-0bb4-4fed-bf7b-db946066c75e | Application | DeviceManagementManagedDevices.Read.All |
Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device’s owner. | 243333ab-4d21-40cb-a475-36241daa0842 | Application | DeviceManagementManagedDevices.ReadWrite.All |
Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. | 58ca0d9a-1575-47e1-a3cb-007ef2e4583b | Application | DeviceManagementRBAC.Read.All |
Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. | e330c4f0-4170-414e-a55a-2f022ec2b57b | Application | DeviceManagementRBAC.ReadWrite.All |
Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. | 06a5fe6d-c49d-46a7-b082-56b1b14103c7 | Application | DeviceManagementServiceConfig.Read.All |
Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. | 5ac13192-7ace-4fcf-b828-1a26f28068ee | Application | DeviceManagementServiceConfig.ReadWrite.All |
Allows the app to read data in your organization’s directory, such as users, groups and apps, without a signed-in user. | 7ab1d382-f21e-4acd-a863-ba3e13f7da61 | Application | Directory.Read.All |
Allows the app to read and write data in your organization’s directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. | 19dbc75e-c2e2-444c-a770-ec69d8559fc7 | Application | Directory.ReadWrite.All |
Allows the app to manage restricted resources based on the other permissions granted to the app, without a signed-in user. | f20584af-9290-4153-9280-ff8bb2c0ea7f | Application | Directory.Write.Restricted |
Allows the app to read all Azure AD recommendations, without a signed-in user. | ae73097b-cb2a-4447-b064-5d80f6093921 | Application | DirectoryRecommendations.Read.All |
Allows the app to read and update all Azure AD recommendations, without a signed-in user. | 0e9eea12-4f01-45f6-9b8d-3ea4c8144158 | Application | DirectoryRecommendations.ReadWrite.All |
Allows the app to read all domain properties without a signed-in user. | dbb9058a-0e50-45d7-ae91-66909b5d4664 | Application | Domain.Read.All |
Allows the app to read and write all domain properties without a signed in user. Also allows the app to add, verify and remove domains. | 7e05723c-0bb0-42da-be95-ae9f08a6e53c | Application | Domain.ReadWrite.All |
Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects without a signed-in user. | 50180013-6191-4d1e-a373-e590ff4e66af | Application | eDiscovery.Read.All |
Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects without a signed-in user. | b2620db1-3bf7-4c5b-9cb9-576d29eac736 | Application | eDiscovery.ReadWrite.All |
Read the state and settings of all Microsoft education apps. | 7c9db06a-ec2d-4e7b-a592-5a1e30992566 | Application | EduAdministration.Read.All |
Manage the state and settings of all Microsoft education apps. | 9bc431c3-b8bc-4a8d-a219-40f10f92eff6 | Application | EduAdministration.ReadWrite.All |
Allows the app to read all class assignments with grades for all users without a signed-in user. | 4c37e1b6-35a1-43bf-926a-6f30f2cdf585 | Application | EduAssignments.Read.All |
Allows the app to read all class assignments without grades for all users without a signed-in user. | 6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e | Application | EduAssignments.ReadBasic.All |
Allows the app to create, read, update and delete all class assignments with grades for all users without a signed-in user. | 0d22204b-6cad-4dd0-8362-3e3f2ae699d9 | Application | EduAssignments.ReadWrite.All |
Allows the app to create, read, update and delete all class assignments without grades for all users without a signed-in user. | f431cc63-a2de-48c4-8054-a34bc093af84 | Application | EduAssignments.ReadWriteBasic.All |
Allows the app to read the structure of schools and classes in the organization’s roster and education-specific information about all users to be read. | e0ac9e1b-cb65-4fc5-87c5-1a8bc181f648 | Application | EduRoster.Read.All |
Allows the app to read a limited subset of properties from both the structure of schools and classes in the organization’s roster and education-specific information about all users. Includes name, status, role, email address and photo. | 0d412a8c-a06c-439f-b3ec-8abcf54d2f96 | Application | EduRoster.ReadBasic.All |
Allows the app to read and write the structure of schools and classes in the organization’s roster and education-specific information about all users to be read and written. | d1808e82-ce13-47af-ae0d-f9b254e6d58a | Application | EduRoster.ReadWrite.All |
Allows the app to read access packages and related entitlement management resources without a signed-in user. | c74fd47d-ed3c-45c3-9a9e-b8676de685d2 | Application | EntitlementManagement.Read.All |
Allows the app to read and write access packages and related entitlement management resources without a signed-in user. | 9acd699f-1e81-4958-b001-93b1d2506e19 | Application | EntitlementManagement.ReadWrite.All |
Allows the app to read your organization’s authentication event listeners without a signed-in user. | b7f6385c-6ce6-4639-a480-e23c42ed9784 | Application | EventListener.Read.All |
Allows the app to read or write your organization’s authentication event listeners without a signed-in user. | 0edf5e9e-4ce8-468a-8432-d08631d18c43 | Application | EventListener.ReadWrite.All |
Allows the app to read all external connections without a signed-in user. | 1914711b-a1cb-4793-b019-c2ce0ed21b8c | Application | ExternalConnection.Read.All |
Allows the app to read and write all external connections without a signed-in user. | 34c37bc0-2b40-4d5e-85e1-2365cd256d79 | Application | ExternalConnection.ReadWrite.All |
Allows the app to read and write external connections without a signed-in user. The app can only read and write external connections that it is authorized to, or it can create new external connections. | f431331c-49a6-499f-be1c-62af19c34a9d | Application | ExternalConnection.ReadWrite.OwnedBy |
Allows the app to read all external items without a signed-in user. | 7a7cffad-37d2-4f48-afa4-c6ab129adcc2 | Application | ExternalItem.Read.All |
Allows the app to read or write items in all external datasets that the app is authorized to access. | 38c3d6ee-69ee-422f-b954-e17819665354 | Application | ExternalItem.ReadWrite.All |
Allows the app to read and write external items without a signed-in user. The app can only read external items of the connection that it is authorized to. | 8116ae0f-55c2-452d-9944-d18420f5b2c8 | Application | ExternalItem.ReadWrite.OwnedBy |
Allows the app to read all files in all site collections without a signed in user. | 01d4889c-1287-42c6-ac1f-5d1e02578ef6 | Application | Files.Read.All |
Allows the app to read, create, update and delete all files in all site collections without a signed in user. | 75359482-378d-4052-8f01-80520e7db3cd | Application | Files.ReadWrite.All |
Allows the app to create groups without a signed-in user. | bf7b1a76-6e77-406b-b258-bf5c7720e98f | Application | Group.Create |
Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. | 5b567255-7703-4780-807c-7be8301ae99b | Application | Group.Read.All |
Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. | 62a82d76-70ea-41e2-9197-370581804d09 | Application | Group.ReadWrite.All |
Allows the app to read memberships and basic group properties for all groups without a signed-in user. | 98830695-27a2-44f7-8c18-0c3ebc9698f6 | Application | GroupMember.Read.All |
Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. | dbaae8cf-10b5-4b86-a4a1-f871c94c6695 | Application | GroupMember.ReadWrite.All |
Allows the app to read your organization’s identity (authentication) providers’ properties without a signed in user. | e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0 | Application | IdentityProvider.Read.All |
Allows the app to read and write your organization’s identity (authentication) providers’ properties without a signed in user. | 90db2b9a-d928-4d33-a4dd-8442ae3d41e4 | Application | IdentityProvider.ReadWrite.All |
Allows the app to read the identity risk event information for your organization without a signed in user. | 6e472fd1-ad78-48da-a0f0-97ab2c6b769e | Application | IdentityRiskEvent.Read.All |
Allows the app to read and update identity risk detection information for your organization without a signed-in user. Update operations include confirming risk event detections. | db06fb33-1953-4b7b-a2ac-f1e2c854f7ae | Application | IdentityRiskEvent.ReadWrite.All |
Allows the app to read all risky service principal information for your organization, without a signed-in user. | 607c7344-0eed-41e5-823a-9695ebe1b7b0 | Application | IdentityRiskyServicePrincipal.Read.All |
Allows the app to read and update identity risky service principal for your organization, without a signed-in user. | cb8d6980-6bcb-4507-afec-ed6de3a2d798 | Application | IdentityRiskyServicePrincipal.ReadWrite.All |
Allows the app to read the identity risky user information for your organization without a signed in user. | dc5007c0-2d7d-4c42-879c-2dab87571379 | Application | IdentityRiskyUser.Read.All |
Allows the app to read and update identity risky user information for your organization without a signed-in user. Update operations include dismissing risky users. | 656f6061-f9fe-4807-9708-6a2e0934df76 | Application | IdentityRiskyUser.ReadWrite.All |
Allows the app to read your organization’s user flows, without a signed-in user. | 1b0c317f-dd31-4305-9932-259a8b6e8099 | Application | IdentityUserFlow.Read.All |
Allows the app to read or write your organization’s user flows, without a signed-in user. | 65319a09-a2be-469d-8782-f6b07debf789 | Application | IdentityUserFlow.ReadWrite.All |
Allows the app to read data connectors without a signed-in user. | 7ab52c2f-a2ee-4d98-9ebc-725e3934aae2 | Application | IndustryData-DataConnector.Read.All |
Allows the app to read and write data connectors without a signed-in user. | eda0971c-482e-4345-b28f-69c309cb8a34 | Application | IndustryData-DataConnector.ReadWrite.All |
Allows the app to upload data files to a data connector without a signed-in user. | 9334c44b-a7c6-4350-8036-6bf8e02b4c1f | Application | IndustryData-DataConnector.Upload |
Allows the app to read inbound data flows without a signed-in user. | 305f6ba2-049a-4b1b-88bb-fe7e08758a00 | Application | IndustryData-InboundFlow.Read.All |
Allows the app to read and write inbound data flows without a signed-in user. | e688c61f-d4c6-4d64-a197-3bcf6ba1d6ad | Application | IndustryData-InboundFlow.ReadWrite.All |
Allows the app to read reference definitions without a signed-in user. | 6ee891c3-74a4-4148-8463-0c834375dfaf | Application | IndustryData-ReferenceDefinition.Read.All |
Allows the app to read current and previous IndustryData runs without a signed-in user. | f6f5d10b-3024-4d1d-b674-aae4df4a1a73 | Application | IndustryData-Run.Read.All |
Allows the app to read source system definitions without a signed-in user. | bc167a60-39fe-4865-8b44-78400fc6ed03 | Application | IndustryData-SourceSystem.Read.All |
Allows the app to read and write source system definitions without a signed-in user. | 7d866958-e06e-4dd6-91c6-a086b3f5cfeb | Application | IndustryData-SourceSystem.ReadWrite.All |
Allows the app to read time period definitions without a signed-in user. | 7c55c952-b095-4c23-a522-022bce4cc1e3 | Application | IndustryData-TimePeriod.Read.All |
Allows the app to read and write time period definitions without a signed-in user. | 7afa7744-a782-4a32-b8c2-e3db637e8de7 | Application | IndustryData-TimePeriod.ReadWrite.All |
Allows the app to read basic service and resource information without a signed-in user. | 4f5ac95f-62fd-472c-b60f-125d24ca0bc5 | Application | IndustryData.ReadBasic.All |
Allows the app to read all configurations applicable to users for protecting organizational data, without a signed-in user. | 14f49b9f-4bf2-4d24-b80e-b27ec58409bd | Application | InformationProtectionConfig.Read.All |
Allows an app to sign digests for data without a signed-in user. | cbe6c7e4-09aa-4b8d-b3c3-2dbb59af4b54 | Application | InformationProtectionContent.Sign.All |
Allows the app to create protected content without a signed-in user. | 287bd98c-e865-4e8c-bade-1a85523195b9 | Application | InformationProtectionContent.Write.All |
Allows an app to read published sensitivity labels and label policy settings for the entire organization or a specific user, without a signed in user. | 19da66cb-0fb0-4390-b071-ebc76a349482 | Application | InformationProtectionPolicy.Read.All |
Allows the app to read all learning content in the organization’s directory, without a signed-in user. | 8740813e-d8aa-4204-860e-2a0f8f84dbc8 | Application | LearningContent.Read.All |
Allows the app to manage all learning content in the organization’s directory, without a signed-in user. | 444d6fcb-b738-41e5-b103-ac4f2a2628a3 | Application | LearningContent.ReadWrite.All |
Allows an app to manage license assignments for users and groups, without a signed-in user. | 5facf0c1-8979-4e95-abcf-ff3d079771c0 | Application | LicenseAssignment.ReadWrite.All |
Allows the app to list and read all workflows, tasks and related lifecycle workflows resources without a signed-in user. | 7c67316a-232a-4b84-be22-cea2c0906404 | Application | LifecycleWorkflows.Read.All |
Allows the app to create, update, list, read and delete all workflows, tasks and related lifecycle workflows resources without a signed-in user. | 5c505cf4-8424-4b8e-aa14-ee06e3bb23e3 | Application | LifecycleWorkflows.ReadWrite.All |
Allows the app to read mail in all mailboxes without a signed-in user. | 810c84a8-4a9e-49e6-bf7d-12d183f40d01 | Application | Mail.Read |
Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, previewBody, attachments and any extended properties. | 6be147d2-ea4f-4b5a-a3fa-3eab6f3c140a | Application | Mail.ReadBasic |
Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, previewBody, attachments and any extended properties. | 693c5e45-0940-467d-9b8a-1022fb9d42ef | Application | Mail.ReadBasic.All |
Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. | e2a3a72e-5f79-4c64-b1b1-878b674786c9 | Application | Mail.ReadWrite |
Allows the app to send mail as any user without a signed-in user. | b633e1c5-b582-4048-a93e-9f11b44c7e96 | Application | Mail.Send |
Allows the app to read user’s mailbox settings without a signed-in user. Does not include permission to send mail. | 40f97065-369a-49f4-947c-6a255697ae91 | Application | MailboxSettings.Read |
Allows the app to create, read, update, and delete user’s mailbox settings without a signed-in user. Does not include permission to send mail. | 6931bccd-447a-43d1-b442-00a195474933 | Application | MailboxSettings.ReadWrite |
Allows the app to read the memberships of hidden groups and administrative units without a signed-in user. | 658aa5d8-239f-45c4-aa12-864f4fc7e490 | Application | Member.Read.Hidden |
Allows the app to read your organization’s network access branches, without a signed-in user. | 39ae4a24-1ef0-49e8-9d63-2a66f5c39edd | Application | NetworkAccessBranch.Read.All |
Allows the app to read and write your organization’s network access branches, without a signed-in user. | 8137102d-ec16-4191-aaf8-7aeda8026183 | Application | NetworkAccessBranch.ReadWrite.All |
Allows the app to read your organization’s network access policies, without a signed-in user. | 8a3d36bf-cb46-4bcc-bec9-8d92829dab84 | Application | NetworkAccessPolicy.Read.All |
Allows the app to read and write your organization’s network access policies, without a signed-in user. | f0c341be-8348-4989-8e43-660324294538 | Application | NetworkAccessPolicy.ReadWrite.All |
Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. | 3aeca27b-ee3a-4c2b-8ded-80376e2134a4 | Application | Notes.Read.All |
Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. | 0c458cef-11f3-48c2-a568-c66751c238c0 | Application | Notes.ReadWrite.All |
Allows the app to read online meeting artifacts in your organization, without a signed-in user. | df01ed3b-eb61-4eca-9965-6b3d789751b2 | Application | OnlineMeetingArtifact.Read.All |
Allows the app to read all recordings of all online meetings, without a signed-in user. | a4a08342-c95d-476b-b943-97e100569c8d | Application | OnlineMeetingRecording.Read.All |
Allows the app to read online meeting details in your organization, without a signed-in user. | c1684f21-1984-47fa-9d61-2dc8c296bb70 | Application | OnlineMeetings.Read.All |
Allows the app to read and create online meetings as an application in your organization. | b8bb2037-6e08-44ac-a4ea-4674e010e2a4 | Application | OnlineMeetings.ReadWrite.All |
Allows the app to read all transcripts of all online meetings, without a signed-in user. | a4a80d8d-d283-4bd8-8504-555ec3870630 | Application | OnlineMeetingTranscript.Read.All |
Allows the app to create, view, update and delete on-premises published resources, on-premises agents and agent groups, as part of a hybrid identity configuration, without a signed in user. | 0b57845e-aa49-4e6f-8109-ce654fffa618 | Application | OnPremisesPublishingProfiles.ReadWrite.All |
Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information. | 498476ce-e0fe-48b0-b801-37ba7e2685c6 | Application | Organization.Read.All |
Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information. | 292d869f-3427-49a8-9dab-8c70152b74e9 | Application | Organization.ReadWrite.All |
Allows the app to read all organizational contacts without a signed-in user. These contacts are managed by the organization and are different from a user’s personal contacts. | e1a88a34-94c4-4418-be12-c87b00e26bea | Application | OrgContact.Read.All |
Allows the app to read any user’s scored list of relevant people, without a signed-in user. The list can include local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype). | b528084d-ad10-4598-8b93-929746b4d7d6 | Application | People.Read.All |
Allows the app to read company places (conference rooms and room lists) for calendar events and other applications, without a signed-in user. | 913b9306-0ce1-42b8-9137-6a7df690a760 | Application | Place.Read.All |
Allows the app to read all your organization’s policies without a signed in user. | 246dd0d5-5bd0-4def-940b-0421030a5b68 | Application | Policy.Read.All |
Allows the app to read your organization’s conditional access policies, without a signed-in user. | 37730810-e9ba-4e46-b07e-8ca78d182097 | Application | Policy.Read.ConditionalAccess |
Allows the app to read policies related to consent and permission grants for applications, without a signed-in user. | 9e640839-a198-48fb-8b9a-013fd6f6cbcd | Application | Policy.Read.PermissionGrant |
Allows the app to read and write your organization’s directory access review default policy without a signed-in user. | 77c863fd-06c0-47ce-a7eb-49773e89d319 | Application | Policy.ReadWrite.AccessReview |
Allows the app to read and write your organization’s application configuration policies, without a signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy. | be74164b-cff1-491c-8741-e671cb536e13 | Application | Policy.ReadWrite.ApplicationConfiguration |
Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user. | 25f85f3c-f66c-4205-8cd5-de92dd7f0cec | Application | Policy.ReadWrite.AuthenticationFlows |
Allows the app to read and write all authentication method policies for the tenant, without a signed-in user. | 29c18626-4985-4dcd-85c0-193eef327366 | Application | Policy.ReadWrite.AuthenticationMethod |
Allows the app to read and write your organization’s authorization policy without a signed in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. | fb221be6-99f2-473f-bd32-01c6a0e9ca3b | Application | Policy.ReadWrite.Authorization |
Allows the app to read and write your organization’s conditional access policies, without a signed-in user. | 01c0a623-fc9b-48e9-b794-0756f8e8f067 | Application | Policy.ReadWrite.ConditionalAccess |
Allows the app to read and write your organization’s consent requests policy without a signed-in user. | 999f8c63-0a38-4f1b-91fd-ed1947bdd1a9 | Application | Policy.ReadWrite.ConsentRequest |
Allows the app to read and write your organization’s cross tenant access policies without a signed-in user. | 338163d7-f101-4c92-94ba-ca46fe52447c | Application | Policy.ReadWrite.CrossTenantAccess |
Allows the application to read and update the organization’s external identities policy without a signed-in user. For example, external identities policy controls if users invited to access resources in your organization via B2B collaboration or B2B direct connect are allowed to self-service leave. | 03cc4f92-788e-4ede-b93f-199424d144a5 | Application | Policy.ReadWrite.ExternalIdentities |
Allows the app to read and write feature rollout policies without a signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature. | 2044e4f1-e56c-435b-925c-44cd8f6ba89a | Application | Policy.ReadWrite.FeatureRollout |
Allows the app to manage policies related to consent and permission grants for applications, without a signed-in user. | a402ca1c-2696-4531-972d-6e5ee4aa11ea | Application | Policy.ReadWrite.PermissionGrant |
Allows the app to read and write your organization’s security defaults policy, without a signed-in user. | 1c6e93a6-28e2-4cbb-9f64-1a46a821124d | Application | Policy.ReadWrite.SecurityDefaults |
Allows the app to read and write your organization’s trust framework policies without a signed in user. | 79a677f7-b79d-40d0-a36a-3e6f8688dd7a | Application | Policy.ReadWrite.TrustFramework |
Allows the app to read all presence information and write activity and availability of all users in the directory without a signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, time zone and location. | 83cded22-8297-4ff6-a7fa-e97e9545a259 | Application | Presence.ReadWrite.All |
Allows the application to read printers without a signed-in user. | 9709bb33-4549-49d4-8ed9-a8f65e45bb0f | Application | Printer.Read.All |
Allows the application to read and update printers without a signed-in user. Does not allow creating (registering) or deleting (unregistering) printers. | f5b3f73d-6247-44df-a74c-866173fddab0 | Application | Printer.ReadWrite.All |
Allows the application to perform advanced operations like redirecting a print job to another printer without a signed-in user. Also allows the application to read and update the metadata of print jobs. | 58a52f47-9e36-4b17-9ebe-ce4ef7f3e6c8 | Application | PrintJob.Manage.All |
Allows the application to read the metadata and document content of print jobs without a signed-in user. | ac6f956c-edea-44e4-bd06-64b1b4b9aec9 | Application | PrintJob.Read.All |
Allows the application to read the metadata of print jobs without a signed-in user. Does not allow access to print job document content. | fbf67eee-e074-4ef7-b965-ab5ce1c1f689 | Application | PrintJob.ReadBasic.All |
Allows the application to read and update the metadata and document content of print jobs without a signed-in user. | 5114b07b-2898-4de7-a541-53b0004e2e13 | Application | PrintJob.ReadWrite.All |
Allows the application to read and update the metadata of print jobs without a signed-in user. Does not allow access to print job document content. | 57878358-37f4-4d3a-8c20-4816e0d457b1 | Application | PrintJob.ReadWriteBasic.All |
Allows the application to read tenant-wide print settings without a signed-in user. | b5991872-94cf-4652-9765-29535087c6d8 | Application | PrintSettings.Read.All |
Allows the application to read and update print task definitions without a signed-in user. | 456b71a7-0ee0-4588-9842-c123fcc8f664 | Application | PrintTaskDefinition.ReadWrite.All |
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user. | 4cdc2547-9148-4295-8d11-be0db1391d6b | Application | PrivilegedAccess.Read.AzureAD |
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user. | 01e37dc9-c035-40bd-b438-b2879c4870a6 | Application | PrivilegedAccess.Read.AzureADGroup |
Allows the app to read time-based assignment and just-in-time elevation of user privileges to audit Azure resources in your organization, without a signed-in user. | 5df6fe86-1be0-44eb-b916-7bd443a71236 | Application | PrivilegedAccess.Read.AzureResources |
Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user. | 854d9ab1-6657-4ec8-be45-823027bcd009 | Application | PrivilegedAccess.ReadWrite.AzureAD |
Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user. | 2f6817f8-7b12-4f0f-bc18-eeaf60705a9e | Application | PrivilegedAccess.ReadWrite.AzureADGroup |
Allows the app to request and manage time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) in your organization, without a signed-in user. | 6f9d5abc-2db6-400b-a267-7de22a40fb87 | Application | PrivilegedAccess.ReadWrite.AzureResources |
Allows the app to read programs and program controls in the organization, without a signed-in user. | eedb7fdd-7539-4345-a38b-4839e4a84cbd | Application | ProgramControl.Read.All |
Allows the app to read, update, delete and perform actions on programs and program controls in the organization, without a signed-in user. | 60a901ed-09f7-4aa5-a16e-7dd3d6f9de36 | Application | ProgramControl.ReadWrite.All |
Allows an app to read all question and answers, without a signed-in user. | ee49e170-1dd1-4030-b44c-61ad6e98f743 | Application | QnA.Read.All |
Allows the application to read any data from Records Management, such as configuration, labels, and policies without the signed in user. | ac3a2b8e-03a3-4da9-9ce0-cbe28bf1accd | Application | RecordsManagement.Read.All |
Allows the application to create, update and delete any data from Records Management, such as configuration, labels, and policies without the signed in user. | eb158f57-df43-4751-8b21-b8932adb3d34 | Application | RecordsManagement.ReadWrite.All |
Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. | 230c1aed-a721-4c5d-9cb4-a90514e508ef | Application | Reports.Read.All |
Allows the app to read all admin report settings, such as whether to display concealed information in reports, without a signed-in user. | ee353f83-55ef-4b78-82da-555bfa2b4b95 | Application | ReportSettings.Read.All |
Allows the app to read and update all admin report settings, such as whether to display concealed information in reports, without a signed-in user. | 2a60023f-3219-47ad-baa4-40e17cd02a1d | Application | ReportSettings.ReadWrite.All |
Allows the app to read role-based access control (RBAC) settings for all RBAC providers without a signed-in user. This includes reading role definitions and role assignments. | c7fbd983-d9aa-4fa7-84b8-17382c103bc4 | Application | RoleManagement.Read.All |
Allows the app to read the Cloud PC role-based access control (RBAC) settings, without a signed-in user. | 031a549a-bb80-49b6-8032-2068448c6a3c | Application | RoleManagement.Read.CloudPC |
Allows the app to read the role-based access control (RBAC) settings for your company’s directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships. | 483bed4a-2ad3-4361-a73b-c83ccdbdc53c | Application | RoleManagement.Read.Directory |
Allows the app to read and manage the Cloud PC role-based access control (RBAC) settings, without a signed-in user. This includes reading and managing Cloud PC role definitions and memberships. | 274d0592-d1b6-44bd-af1d-26d259bcb43a | Application | RoleManagement.ReadWrite.CloudPC |
Allows the app to read and manage the role-based access control (RBAC) settings for your company’s directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 | Application | RoleManagement.ReadWrite.Directory |
Allows the app to read all role-based access control (RBAC) alerts for your company’s directory, without a signed-in user. This includes reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert. | ef31918f-2d50-4755-8943-b8638c0a077e | Application | RoleManagementAlert.Read.Directory |
Allows the app to read and manage all role-based access control (RBAC) alerts for your company’s directory, without a signed-in user. This includes managing alert settings, initiating alert scans, dismissing alerts, remediating alert incidents, and reading alert statuses, alert definitions, alert configurations and incidents that lead to an alert. | 11059518-d6a6-4851-98ed-509268489c4a | Application | RoleManagementAlert.ReadWrite.Directory |
Allows the app to read all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without a signed-in user. | 7b2ebf90-d836-437f-b90d-7b62722c4456 | Application | Schedule.Read.All |
Allows the app to manage all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without a signed-in user. | b7760610-0545-4e8a-9ec3-cce9e63db01c | Application | Schedule.ReadWrite.All |
Allows the app to read search configurations, without a signed-in user. | ada977a5-b8b1-493b-9a91-66c206d76ecf | Application | SearchConfiguration.Read.All |
Allows the app to read and write search configurations, without a signed-in user. | 0e778b85-fefa-466d-9eec-750569d92122 | Application | SearchConfiguration.ReadWrite.All |
Allows the app to read security actions, without a signed-in user. | 5e0edab9-c148-49d0-b423-ac253e121825 | Application | SecurityActions.Read.All |
Allows the app to read or update security actions, without a signed-in user. | f2bf083f-0179-402a-bedb-b2784de8a49b | Application | SecurityActions.ReadWrite.All |
Allows the app to read all security alerts, without a signed-in user. | 472e4a4d-bb4a-4026-98d1-0b0d74cb74a5 | Application | SecurityAlert.Read.All |
Allows the app to read and write to all security alerts, without a signed-in user. | ed4fca05-be46-441f-9803-1873825f8fdb | Application | SecurityAlert.ReadWrite.All |
Read email metadata and security detection details, without a signed-in user. | b48f7ac2-044d-4281-b02f-75db744d6f5f | Application | SecurityAnalyzedMessage.Read.All |
Read email metadata and security detection details, and execute remediation actions like deleting an email, without a signed-in user. | 04c55753-2244-4c25-87fc-704ab82a4f69 | Application | SecurityAnalyzedMessage.ReadWrite.All |
Allows the app to read your organization’s security events without a signed-in user. | bf394140-e372-4bf9-a898-299cfc7564e5 | Application | SecurityEvents.Read.All |
Allows the app to read your organization’s security events without a signed-in user. Also allows the app to update editable properties in security events. | d903a879-88e0-4c09-b0c9-82f6a1333f84 | Application | SecurityEvents.ReadWrite.All |
Allows the app to read all security incidents, without a signed-in user. | 45cc0394-e837-488b-a098-1918f48d186c | Application | SecurityIncident.Read.All |
Allows the app to read and write to all security incidents, without a signed-in user. | 34bf0e97-1971-4929-b999-9e2442d941d7 | Application | SecurityIncident.ReadWrite.All |
Allows the app to read your tenant’s service health information, without a signed-in user. Health information may include service issues or service health overviews. | 79c261e0-fe76-4144-aad5-bdc68fbe4037 | Application | ServiceHealth.Read.All |
Allows the app to read your tenant’s service announcement messages, without a signed-in user. Messages may include information about new or changed features. | 1b620472-6534-4fe6-9df2-4680e8aa28ec | Application | ServiceMessage.Read.All |
Allows the app to read service principal endpoints | 5256681e-b7f6-40c0-8447-2d9db68797a0 | Application | ServicePrincipalEndpoint.Read.All |
Allows the app to update service principal endpoints | 89c8469c-83ad-45f7-8ff2-6e3d4285709e | Application | ServicePrincipalEndpoint.ReadWrite.All |
Allows the application to read the tenant-level settings of SharePoint and OneDrive, without a signed-in user. | 83d4163d-a2d8-4d3b-9695-4ae3ca98f888 | Application | SharePointTenantSettings.Read.All |
Allows the application to read and change the tenant-level settings of SharePoint and OneDrive, without a signed-in user. | 19b94e34-907c-4f43-bde9-38b1909ed408 | Application | SharePointTenantSettings.ReadWrite.All |
Allows the app to read all the short notes without a signed-in user. | 0c7d31ec-31ca-4f58-b6ec-9950b6b0de69 | Application | ShortNotes.Read.All |
Allows the app to read, create, edit, and delete all the short notes without a signed-in user. | 842c284c-763d-4a97-838d-79787d129bab | Application | ShortNotes.ReadWrite.All |
Allows the app to have full control of all site collections without a signed in user. | a82116e5-55eb-4c41-a434-62fe8a61c773 | Application | Sites.FullControl.All |
Allows the app to create or delete document libraries and lists in all site collections without a signed in user. | 0c0bf378-bf22-4481-8f81-9e89a9b4960a | Application | Sites.Manage.All |
Allows the app to read documents and list items in all site collections without a signed in user. | 332a536c-c7ef-4017-ab91-336970924f0d | Application | Sites.Read.All |
Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user. | 9492366f-7969-46a4-8d15-ed1a20078fff | Application | Sites.ReadWrite.All |
Allows the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online. | 883ea226-0bf2-4a8f-9f9d-92c9162a727d | Application | Sites.Selected |
Allows the app to read subject rights requests without a signed-in user. | ee1460f0-368b-4153-870a-4e1ca7e72c42 | Application | SubjectRightsRequest.Read.All |
Allows the app to read and write subject rights requests without a signed in user. | 8387eaa4-1a3c-41f5-b261-f888138e6041 | Application | SubjectRightsRequest.ReadWrite.All |
Allows the application to read Azure AD synchronization information, without a signed-in user. | 5ba43d2f-fa88-4db2-bd1c-a67c5f0fb1ce | Application | Synchronization.Read.All |
Allows the application to configure the Azure AD synchronization service, without a signed-in user. | 9b50c33d-700f-43b1-b2eb-87e89b703581 | Application | Synchronization.ReadWrite.All |
Allows the app to read all users’ tasks and task lists in your organization, without a signed-in user. | f10e1f91-74ed-437f-a6fd-d6ae88e26c1f | Application | Tasks.Read.All |
Allows the app to create, read, update and delete all users’ tasks and task lists in your organization, without a signed-in user. | 44e666d1-d276-445b-a5fc-8815eeb81d55 | Application | Tasks.ReadWrite.All |
Allows the app to create teams without a signed-in user. | 23fc2474-f741-46ce-8465-674744c5c361 | Application | Team.Create |
Get a list of all teams, without a signed-in user. | 2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e | Application | Team.ReadBasic.All |
Read the members of all teams, without a signed-in user. | 660b7406-55f1-41ca-a0ed-0b035e182f3e | Application | TeamMember.Read.All |
Add and remove members from all teams, without a signed-in user. Also allows changing a team member’s role, for example from owner to non-owner. | 0121dc95-1b9f-4aed-8bac-58c5ac466691 | Application | TeamMember.ReadWrite.All |
Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role. | 4437522e-9a86-4a41-a7da-e380edd4a97d | Application | TeamMember.ReadWriteNonOwnerRole.All |
Allows the app to read all users’ teamwork activity feed, without a signed-in user. | 70dec828-f620-4914-aa83-a29117306807 | Application | TeamsActivity.Read.All |
Allows the app to create new notifications in users’ teamwork activity feeds without a signed in user. These notifications may not be discoverable or be held or governed by compliance policies. | a267235f-af13-44dc-8385-c1dc93023186 | Application | TeamsActivity.Send |
Allows the app to read the Teams apps that are installed in any chat, without a signed-in user. Does not give the ability to read application-specific settings. | cc7e7635-2586-41d6-adaa-a8d3bcad5ee5 | Application | TeamsAppInstallation.ReadForChat.All |
Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings. | 1f615aea-6bf9-4b05-84bd-46388e138537 | Application | TeamsAppInstallation.ReadForTeam.All |
Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. | 9ce09611-f4f7-4abd-a629-a05450422a97 | Application | TeamsAppInstallation.ReadForUser.All |
Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Gives the ability to manage permission grants for accessing those specific chats’ data. | 6e74eff9-4a21-45d6-bc03-3a20f61f8281 | Application | TeamsAppInstallation.ReadWriteAndConsentForChat.All |
Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Gives the ability to manage permission grants for accessing those specific teams’ data. | b0c13be0-8e20-4bc5-8c55-963c23a39ce9 | Application | TeamsAppInstallation.ReadWriteAndConsentForTeam.All |
Allows a Teams app to read, install, upgrade, and uninstall itself for any chat, without a signed-in user, and manage its permission grants for accessing those specific chats’ data. | ba1ba90b-2d8f-487e-9f16-80728d85bb5c | Application | TeamsAppInstallation.ReadWriteAndConsentSelfForChat.All |
Allows a Teams app to read, install, upgrade, and uninstall itself for any team, without a signed-in user, and manage its permission grants for accessing those specific teams’ data. | 1e4be56c-312e-42b8-a2c9-009600d732c0 | Application | TeamsAppInstallation.ReadWriteAndConsentSelfForTeam.All |
Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Does not give the ability to read application-specific settings. | 9e19bae1-2623-4c4f-ab6e-2664615ff9a0 | Application | TeamsAppInstallation.ReadWriteForChat.All |
Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. | 5dad17ba-f6cc-4954-a5a2-a0dcc95154f0 | Application | TeamsAppInstallation.ReadWriteForTeam.All |
Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. | 74ef0291-ca83-4d02-8c7e-d2391e6a444f | Application | TeamsAppInstallation.ReadWriteForUser.All |
Allows a Teams app to read, install, upgrade, and uninstall itself for any chat, without a signed-in user. | 73a45059-f39c-4baf-9182-4954ac0e55cf | Application | TeamsAppInstallation.ReadWriteSelfForChat.All |
Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user. | 9f67436c-5415-4e7f-8ac1-3014a7132630 | Application | TeamsAppInstallation.ReadWriteSelfForTeam.All |
Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user. | 908de74d-f8b2-4d6b-a9ed-2a17b3b78179 | Application | TeamsAppInstallation.ReadWriteSelfForUser.All |
Read all teams’ settings, without a signed-in user. | 242607bd-1d2c-432c-82eb-bdb27baa23ab | Application | TeamSettings.Read.All |
Read and change all teams’ settings, without a signed-in user. | bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f | Application | TeamSettings.ReadWrite.All |
Allows the app to create tabs in any team in Microsoft Teams, without a signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. | 49981c42-fd7b-4530-be03-e77b21aed25e | Application | TeamsTab.Create |
Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. | 46890524-499a-4bb2-ad64-1476b4f3e1cf | Application | TeamsTab.Read.All |
Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. | a96d855f-016b-47d7-b51c-1218a98d791c | Application | TeamsTab.ReadWrite.All |
Allows a Teams app to read, install, upgrade, and uninstall all tabs for any chat, without a signed-in user. | fd9ce730-a250-40dc-bd44-8dc8d20f39ea | Application | TeamsTab.ReadWriteForChat.All |
Allows a Teams app to read, install, upgrade, and uninstall all tabs in any team, without a signed-in user. | 6163d4f4-fbf8-43da-a7b4-060fe85ed148 | Application | TeamsTab.ReadWriteForTeam.All |
Allows a Teams app to read, install, upgrade, and uninstall all tabs for any user, without a signed-in user. | 425b4b59-d5af-45c8-832f-bb0b7402348a | Application | TeamsTab.ReadWriteForUser.All |
Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any chat, without a signed-in user. | 9f62e4a2-a2d6-4350-b28b-d244728c4f86 | Application | TeamsTab.ReadWriteSelfForChat.All |
Allows a Teams app to read, install, upgrade, and uninstall its own tabs in any team, without a signed-in user. | 91c32b81-0ef0-453f-a5c7-4ce2e562f449 | Application | TeamsTab.ReadWriteSelfForTeam.All |
Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any user, without a signed-in user. | 3c42dec6-49e8-4a0a-b469-36cff0d9da93 | Application | TeamsTab.ReadWriteSelfForUser.All |
Allows the app to read all available Teams Templates, without a signed-in user. | 6323133e-1f6e-46d4-9372-ac33a0870636 | Application | TeamTemplates.Read.All |
Allows the app to create chat and channel messages, without a signed in user. The app specifies which user appears as the sender, and can backdate the message to appear as if it was sent long ago. The messages can be sent to any chat or channel in the organization. | dfb0dd15-61de-45b2-be36-d6a69fba3c79 | Application | Teamwork.Migrate.All |
Allows the app to read the Teams app settings without a signed-in user. | 475ebe88-f071-4bd7-af2b-642952bd4986 | Application | TeamworkAppSettings.Read.All |
Allows the app to read and write the Teams app settings without a signed-in user. | ab5b445e-8f10-45f4-9c79-dd3f8062cc4e | Application | TeamworkAppSettings.ReadWrite.All |
Allows the app to read the management data for Teams devices, without a signed-in user. | 0591bafd-7c1c-4c30-a2a5-2b9aacb1dfe8 | Application | TeamworkDevice.Read.All |
Allows the app to read and write the management data for Teams devices, without a signed-in user. | 79c02f5b-bd4f-4713-bc2c-a8a4a66e127b | Application | TeamworkDevice.ReadWrite.All |
Allows the app to read tags in Teams without a signed-in user. | b74fd6c4-4bde-488e-9695-eeb100e4907f | Application | TeamworkTag.Read.All |
Allows the app to read and write tags in Teams without a signed-in user. | a3371ca5-911d-46d6-901c-42c8c7a937d8 | Application | TeamworkTag.ReadWrite.All |
Allows the app to read all term store data, without a signed-in user. This includes all sets, groups and terms in the term store. | ea047cc2-df29-4f3e-83a3-205de61501ca | Application | TermStore.Read.All |
Allows the app to read, edit or write all term store data, without a signed-in user. This includes all sets, groups and terms in the term store. | f12eb8d6-28e3-46e6-b2c0-b7e4dc69fc95 | Application | TermStore.ReadWrite.All |
Allows an app to read your organization’s threat assessment requests, without a signed-in user. | f8f035bb-2cce-47fb-8bf5-7baf3ecbee48 | Application | ThreatAssessment.Read.All |
Allows the app to run hunting queries, without a signed-in user. | dd98c7f5-2d42-42d3-a0e4-633161547251 | Application | ThreatHunting.Read.All |
Allows the app to read all the indicators for your organization, without a signed-in user. | 197ee4e9-b993-4066-898f-d6aecc55125b | Application | ThreatIndicators.Read.All |
Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), without a signed-in user. It cannot update any threat indicators it does not own. | 21792b6c-c986-4ffc-85de-df9da54b52fa | Application | ThreatIndicators.ReadWrite.OwnedBy |
Allows the app to read your organization’s threat submissions and to view threat submission policies without a signed-in user. | 86632667-cd15-4845-ad89-48a88e8412e1 | Application | ThreatSubmission.Read.All |
Allows the app to read your organization’s threat submissions and threat submission policies without a signed-in user. Also allows the app to create new threat submissions without a signed-in user. | d72bdbf4-a59b-405c-8b04-5995895819ac | Application | ThreatSubmission.ReadWrite.All |
Allows the app to read your organization’s threat submission policies without a signed-in user. Also allows the app to create new threat submission policies without a signed-in user. | 926a6798-b100-4a20-a22f-a4918f13951d | Application | ThreatSubmissionPolicy.ReadWrite.All |
Allows the app to read trust framework key set properties without a signed-in user. | fff194f1-7dce-4428-8301-1badb5518201 | Application | TrustFrameworkKeySet.Read.All |
Allows the app to read and write trust framework key set properties without a signed-in user. | 4a771c9a-1cf2-4609-b88e-3d3e02d539cd | Application | TrustFrameworkKeySet.ReadWrite.All |
Allows the app to read the lifecycle information like employeeLeaveDateTime of users in your organization, without a signed-in user. | 8556a004-db57-4d7a-8b82-97a13428e96f | Application | User-LifeCycleInfo.Read.All |
Allows the app to read and write the lifecycle information like employeeLeaveDateTime of users in your organization, without a signed-in user. | 925f1248-0f97-47b9-8ec8-538c54e01325 | Application | User-LifeCycleInfo.ReadWrite.All |
Allows the app to enable and disable users’ accounts, without a signed-in user. | 3011c876-62b7-4ada-afa2-506cbbecc68c | Application | User.EnableDisableAccount.All |
Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator). | 405a51b5-8d8d-430b-9842-8be4b0e9f324 | Application | User.Export.All |
Allows the app to invite guest users to the organization, without a signed-in user. | 09850681-111b-4a89-9bed-3f2cae46d706 | Application | User.Invite.All |
Allows the app to read, update and delete identities that are associated with a user’s account, without a signed in user. This controls the identities users can sign-in with. | c529cfca-c91b-489c-af2b-d92990b66ce6 | Application | User.ManageIdentities.All |
Allows the app to read user profiles without a signed in user. | df021288-bdef-4463-88db-98f22de89214 | Application | User.Read.All |
Allows the app to read a basic set of profile properties of other users in your organization without a signed-in user. Includes display name, first and last name, email address, open extensions, and photo. | 97235f07-e226-4f63-ace3-39588e11d3a1 | Application | User.ReadBasic.All |
Allows the app to read and update user profiles without a signed in user. | 741f803b-c850-494e-b5df-cde7c675a1ca | Application | User.ReadWrite.All |
Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | 38d9df27-64da-44fd-b7c5-a6fbac20248f | Application | UserAuthenticationMethod.Read.All |
Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | 50483e42-d915-4231-9639-7fdb7fd190e5 | Application | UserAuthenticationMethod.ReadWrite.All |
Allows the app to send, read, update and delete users’ notifications, without a signed-in user. | 4e774092-a092-48d1-90bd-baad67c7eb47 | Application | UserNotification.ReadWrite.CreatedByApp |
Allows the app to read all users’ shift schedule preferences without a signed-in user. | de023814-96df-4f53-9376-1e2891ef5a18 | Application | UserShiftPreferences.Read.All |
Allows the app to manage all users’ shift schedule preferences without a signed-in user. | d1eec298-80f3-49b0-9efb-d90e224798ac | Application | UserShiftPreferences.ReadWrite.All |
Allows the application to read virtual appointments for all users, without a signed-in user. The app must also be authorized to access an individual user’s data by the online meetings application access policy. | d4f67ec2-59b5-4bdc-b4af-d78f6f9c1954 | Application | VirtualAppointment.Read.All |
Allows the application to read and write virtual appointments for all users, without a signed-in user. The app must also be authorized to access an individual user’s data by the online meetings application access policy. | bf46a256-f47d-448f-ab78-f226fff08d40 | Application | VirtualAppointment.ReadWrite.All |
Allows the app to read and write all Windows update deployment settings for the organization without a signed-in user. | 7dd1be58-6e76-4401-bf8d-31d1e8180d5b | Application | WindowsUpdates.ReadWrite.All |
Allows the app to manage workforce integrations to synchronize data from Microsoft Teams Shifts, without a signed-in user. | 202bf709-e8e6-478e-bcfd-5d63c50b68e3 | Application | WorkforceIntegration.ReadWrite.All |
Till the next time!