Microsoft Graph Permissions overlaps


I'm trying to understand Microsoft Graph Permissions (The ones you add to an App Registration) and have encountered some overlaps and hierarchical relationships among them. However, I'm struggling to find a comprehensive description or hierarchy tree that outlines which permissions are covered by others and the overall structure.

Could anyone point me in the right direction or provide insights into where I can find detailed information regarding these permission overlaps?

Any documentation or references you could share would be greatly appreciated!

Rukmini On

Note that there are multiple Microsoft Graph API permissions which overlap or have a hierarchy.

For example, the Microsoft Graph API permission User.ReadWrite.All overlaps User.Read.All.

  • User.ReadWrite.All allows the application to read and write all user profile properties.
  • User.Read.All allows the application to read all user profile properties.

User.ReadWrite.All includes all the permissions of User.Read.All, and hence if you want to allow the application to read and write all user profile properties, then you can assign only User.ReadWrite.All, not User.Read.All.

I created a Microsoft Entra ID application and granted User.ReadWrite.All API permission:


Generated access token via Postman:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
grant_type:client_credentials
scope:https://graph.microsoft.com/.default


Decoded token:


Hence by using the above token the application can read and write the user profile:

Read User profile:

GET https://graph.microsoft.com/v1.0/users/UserID


Write User profile:

PATCH https://graph.microsoft.com/v1.0/users/UserID

{
  "businessPhones": [
    "xxx"
  ],
  "officeLocation": "18/2111"
}


  • Same with Application.Read.All and Application.ReadWrite.All, Files.Read.All and Files.ReadWrite.All and many more.
  • You can understand the overlap or hierarchy of the Microsoft Graph API permissions by the permission description.

For more detail, refer to the MS Doc below:

Microsoft Graph permissions reference - Microsoft Graph | Microsoft
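A small least-privilege check that follows from the overlap the answer describes, added here as an example and not part of the original answer: given the permissions granted to an app registration, it flags any Read permission that a ReadWrite permission on the same resource and scope already covers. The only rule it assumes is the one the answer gives (ReadWrite includes Read for the same resource and suffix); the sample permission list is constructed.

```python
# Added example: flag Microsoft Graph application permissions that are
# redundant because a broader permission in the same set already covers them.
# Assumption (taken from the answer's examples, not a full Microsoft rule set):
# for the same resource and the same scope suffix, "ReadWrite" includes "Read".
from typing import List, Optional, Tuple


def parse_permission(name: str) -> Optional[Tuple[str, str, str]]:
    """Split 'Resource.Access[.Scope]' into (resource, access, scope).

    Returns None for names that do not follow that shape, so they are
    never treated as covered by anything.
    """
    parts = name.split(".")
    if len(parts) == 2:
        return parts[0], parts[1], ""
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    return None


def covers(broad: str, narrow: str) -> bool:
    """True if granting `broad` already grants everything `narrow` grants."""
    b, n = parse_permission(broad), parse_permission(narrow)
    if b is None or n is None:
        return False
    same_target = b[0] == n[0] and b[2] == n[2]  # same resource, same scope
    return same_target and b[1] == "ReadWrite" and n[1] == "Read"


def redundant_permissions(granted: List[str]) -> List[Tuple[str, str]]:
    """Return (redundant, covered_by) pairs for a granted permission set."""
    result = []
    for narrow in granted:
        for broad in granted:
            if broad != narrow and covers(broad, narrow):
                result.append((narrow, broad))
                break
    return result


if __name__ == "__main__":
    # Constructed sample of what an app registration might have been granted.
    sample = ["User.ReadWrite.All", "User.Read.All", "Files.Read.All",
              "Application.ReadWrite.All", "Application.Read.All", "Mail.Read"]
    for narrow, broad in redundant_permissions(sample):
        print(f"{narrow} is already covered by {broad}")
```

Running it on the sample reports User.Read.All and Application.Read.All as redundant, while Files.Read.All and Mail.Read stay because no matching ReadWrite permission was granted.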