Azure AD Does Not Require "Directory.Read.All" Access Privileges

Problem statement

Azure Active Directory (AD) is configured as part of an enterprise federation. The Auth0 documentation states that two levels of delegated permissions are supported:

Given that the application does not make use of directory access at this time, is the permission Directory.Read.All strictly necessary?


The Directory.Read.All permission is not strictly required. The connection should work as expected with only the User.Read permission enabled. In general terms, Auth0 only requires:

  • User.Read if the extended profile is enabled
  • Directory.Read.All if groups are requested

Related References