Azure Active Directory Graph
Permission | Details |
Application.ReadWrite.All | Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. |
Application.ReadWrite.OwnedBy | Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of. |
Device.ReadWrite.All | Allows the app to read and write all device properties without a signed-in user. Does not allow device creation, device deletion or update of device alternative security identifiers. |
Directory.AccessAsUser.All | Admin consent required: No; Admin consent display name: Access your organization's directory; Admin consent description: Allow the application to access your organization's directory on behalf of the signed-in user. User consent display name. |
Directory.Read.All | Admin consent required: Yes; Admin consent display name: Read directory data; Admin consent description: Allow the application to read data in your organization's directory, such as users, groups and applications; User consent display name: Read directory data; User consent description: Allow the application to read data in your organization's directory, such as users, groups and applications. |
Directory.ReadWrite.All | Admin consent required: Yes; Display Name: Read and write directory data; Description: Allows the app to read and write data in your company or school directory, such as users and groups. Does not allow user or group deletion. |
Azure Batch
Permission | Details |
User_impersonation | Admin consent required: No; Admin consent display name: Access Azure Batch Service; Admin consent description: Allow the application to access the Azure Batch Service API on behalf of the signed-in user; User consent display name: Full access to Azure Batch Service API; User consent description: Allow the application to access all Azure Batch Service functionality on your behalf. |
Azure Service Management
Permission | Details |
User_impersonation | Admin consent required: No; Admin consent display name: Access Azure Service Management as organization users (preview); Admin consent description: Allows the application to access the Azure Management Service API acting as users in the organization; User consent display name: Access Azure Service Management as you (preview); User consent description: Allows the application to access Azure Service Management as you. |
Microsoft Graph
Permission | Details |
Directory.Read.All | Admin consent required: Yes; Display Name: Read directory data; Description: Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. |
Directory.ReadWrite.All | Admin consent required: Yes; Display Name: Read and write directory data; Description: Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. |
Policy.Read.All | Admin consent required: Yes; Display Name: Read your organization's policies; Description: Allows the app to read all your organization's policies without a signed-in user. |
Policy.Read.ConditionalAccess | Admin consent required: Yes; Display Name: Read your organization's conditional access policies; Description: Allows the app to read your organization's conditional access policies, without a signed-in user. |
Policy.Read.PermissionGrant | Admin consent required: Yes; Display Name: Read consent and permission grant policies; Description: Allows the app to read policies related to consent and permission grants for applications, without a signed-in user. |
Policy.ReadWrite.ApplicationConfiguration | Admin consent required: Yes; Display Name: Read and write your organization's application configuration policies; Description: Allows the app to read and write your organization's application configuration policies, without a signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy. |
Policy.ReadWrite.AuthenticationFlows | Admin consent required: Yes; Display Name: Read and write authentication flow policies; Description: Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user. |
Policy.ReadWrite.AuthenticationMethod | Admin consent required: Yes; Display Name: Read and write all authentication method policies; Description: Allows the app to read and write all authentication method policies for the tenant, without a signed-in user. |
Policy.ReadWrite.Authorization | Admin consent required: Yes; Display Name: Read and write your organization's authorization policy; Description: Allows the app to read and write your organization's authorization policy without a signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. |
Policy.ReadWrite.ConditionalAccess | Admin consent required: Yes; Display Name: Read and write your organization's conditional access policies; Description: Allows the app to read and write your organization's conditional access policies, without a signed-in user. |
Policy.ReadWrite.ConsentRequest | Admin consent required: Yes; Display Name: Read and write your organization's consent request policy; Description: Allows the app to read and write your organization's consent requests policy without a signed-in user. |
Policy.ReadWrite.FeatureRollout | Admin consent required: Yes; Display Name: Read and write feature rollout policies; Description: Allows the app to read and write feature rollout policies without a signed-in user. Includes abilities to assign and remove users and groups to the rollout of a specific feature. |
Policy.ReadWrite.PermissionGrant | Admin consent required: Yes; Display Name: Manage consent and permission grant policies; Description: Allows the app to manage policies related to consent and permission grants for applications, without a signed-in user. |
Policy.ReadWrite.TrustFramework | Admin consent required: Yes; Display Name: Read and write your organization's trust framework policies; Description: Allows the app to read and write your organization's trust framework policies without a signed-in user. |
User.Export.All | Admin consent required: Yes; Display Name: Export user's data; Description: Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator). |
User.Invite.All | Admin consent required: Yes; Display Name: Invite guest users to the organization; Description: Allows the app to invite guest users to the organization, without a signed-in user. |
BillingConfiguration.ReadWrite.All | Admin consent required: Yes; Display Name: Read and write application billing configuration; Description: Allows the app to read and write the billing configuration on all applications without a signed-in user. |