Azure AD Does Not Require "Directory.Read.All" Access Privileges

Problem statement

Azure Active Directory (AD) is configured as part of an enterprise federation. The Auth0 documentation states that two levels of delegated permissions are supported:

Given that the application does not make use of directory access at this time, is the permission Directory.Read.All strictly necessary?

Solution

The Directory.Read.All permission is not strictly required. The connection should work as expected with only the User.Read permission enabled. In general terms, Auth0 only requires:

  • User.Read when the extended profile is enabled
  • Directory.Read.All only when group membership is requested from the directory

Related References