I want to turn off the "Read Directory" permission for Azure AD connection - what will happen?

Hi there

We have set up an application registration for our application and ticked the permission “Read directory data” as per the instructions in the doc below:

We now want to set this permission to OFF. We don’t need any extended profiles or security groups or other group info from the directory - we just need the signed in user’s basic details.

What would happen if we turn this off?

Note: I have already seen this topic, but it didn’t really tell me why this permission was needed, so I wanted to ask a further question…

Hi @dean.ashton

Off hand I am not sure what would happen in this scenario. I would suggest testing this in a throwaway tenant.

Hi Mark, thanks for your reply. I was hoping someone would be able to say they did it and the effect was XYZ.

We can turn this OFF in a throwaway tenant and test it as you suggest, to see if it will be an issue, but I was hoping not to do that as we would have to get a customer on board to test it and it can sometimes be hard to get them on board just to test something for us.

Thanks
Dean

Hi Dean,

Understood. Always awkward to have your users involved in the troubleshooting! I’m afraid I can’t offer anything definitive. I do have ADFS hooked up in my dev tenant. Not sure if it will help but I’ll see if I can learn anything there.