Minimum required permissions in Entra to be able to use Microsoft Azure AD Enterprise Connection?

In the Auth0 documentation it states that in order to set up an Enterprise Application in Entra for Auth0, one of the required Microsoft Graph permissions is “Directory.All.Read”.

This permission has very broad access and grants more than is probably required by Auth0, not to mention that Microsoft have stated that it may be deprecated in the future. So I’m wondering if it’s possible to use more specific permissions, such as GroupMember.All.Read?

Essentially I’m asking, what is the minimum working set of permissions that we can grant?

Thanks.

Hi @jp1

Welcome to the Auth0 Community!

As mentioned in this knowledge article, the Directory.All.Read permission is not strictly necessary and the connection should work only with the User.Read permission.

If you have any other questions, feel free to leave a reply!

Kind Regards,
Nik

Hi @nik.baleca

Thanks for the response - I had failed to find that KB article. However it still suggests that in order to be able to read users’ group memberships the Directory.All.Read permission is required. Or am I misunderstanding?

Regards,
JP

Hi again @jp1

Indeed, the Directory.All.Read would be required if you wish to read users' group info.
You can try to provide access to only the GroupMember.All.Read permission to see if it does the trick; however, I am not 100% sure.

If you are unable to accomplish your implementation, then it means the Directory.All.Read permission is a must for Auth0 to be able to access the information you need.

Hope this helps!

Kind Regards,
Nik

Thanks @nik.baleca, we’ll run some testing and report back here in case it helps anyone else.

JP
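A practical follow-up to the thread: an audit script that checks which delegated Microsoft Graph scopes have actually been consented to for the Auth0 enterprise app and flags the over-broad one. This is an added example, not Auth0's or Microsoft's code. Two things it assumes: first, the Graph permission names are spelled `Directory.Read.All` and `GroupMember.Read.All` (the thread writes the segments in reverse order); second, following the reply above, that `GroupMember.Read.All` is enough to read group membership, which the thread itself says is untested. The JSON payload is constructed to match the shape of a `GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq '{servicePrincipalId}'` response, with placeholder object IDs; the subsumption table `IMPLIES` is a simplified assumption, not Microsoft's authoritative scope hierarchy.

```python
"""Audit delegated Graph scopes granted to an app against a least-privilege baseline.

Added example: not part of the original thread. Sample data is constructed.
"""
import json

# Constructed sample mimicking /oauth2PermissionGrants for one client app.
# The two grants are for the same client: one tenant-wide admin consent
# ("AllPrincipals") and one per-user consent ("Principal"). IDs are placeholders.
SAMPLE_GRANTS = json.dumps({
    "value": [
        {
            "id": "grant-1",
            "clientId": "00000000-0000-0000-0000-000000000a01",
            "consentType": "AllPrincipals",
            "principalId": None,
            "resourceId": "11111111-1111-1111-1111-111111111111",
            "scope": "openid profile email User.Read Directory.Read.All",
        },
        {
            "id": "grant-2",
            "clientId": "00000000-0000-0000-0000-000000000a01",
            "consentType": "Principal",
            "principalId": "22222222-2222-2222-2222-222222222222",
            "resourceId": "11111111-1111-1111-1111-111111111111",
            "scope": "User.Read",
        },
    ]
})

# Least-privilege baseline assumed by this audit (hypothetical, not Auth0's list):
# sign-in alone needs User.Read; reading group membership needs GroupMember.Read.All.
BASELINE = {
    "login": {"User.Read"},
    "groups": {"GroupMember.Read.All"},
}

# Simplified subsumption: a broad scope also grants what the narrower ones grant.
# Assumption of this script; Directory.Read.All reads every directory object.
IMPLIES = {
    "Directory.Read.All": {"User.Read.All", "User.Read", "Group.Read.All", "GroupMember.Read.All"},
    "Group.Read.All": {"GroupMember.Read.All"},
    "User.Read.All": {"User.Read"},
}

# Standard OIDC scopes are not Graph data permissions; ignore them in findings.
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}


def parse_scopes(grants_json):
    """Return {clientId: set(scopes)} by merging every grant's space-separated scope."""
    out = {}
    for grant in json.loads(grants_json)["value"]:
        out.setdefault(grant["clientId"], set()).update(grant["scope"].split())
    return out


def audit(granted, needs_groups):
    """Compare granted scopes with the baseline.

    Returns required scopes, scopes still missing (after subsumption), and a
    list of (scope, advice) findings for grants that exceed the baseline.
    """
    required = set(BASELINE["login"]) | (BASELINE["groups"] if needs_groups else set())
    effective = set(granted)
    for scope in granted:
        effective |= IMPLIES.get(scope, set())
    missing = required - effective

    findings = []
    for scope in sorted(granted - OIDC_SCOPES):
        if scope in required:
            continue
        # Narrower required scopes that this broad scope is standing in for
        narrower = (IMPLIES.get(scope, set()) & required) - granted
        if narrower:
            findings.append((scope, "over-broad; replace with " + " ".join(sorted(narrower))))
        else:
            findings.append((scope, "not needed; remove"))
    return {"required": required, "missing": missing, "findings": findings}


if __name__ == "__main__":
    for client, scopes in parse_scopes(SAMPLE_GRANTS).items():
        for needs_groups in (False, True):
            print(client, "groups" if needs_groups else "login-only", audit(scopes, needs_groups))
```

Run it against the real payload by replacing `SAMPLE_GRANTS` with the response body from the Graph endpoint named above. If the thread's untested assumption turns out to be wrong and `GroupMember.Read.All` does not let Auth0 read memberships, change `BASELINE["groups"]` accordingly; the subsumption logic still reports `Directory.Read.All` as over-broad only when a narrower required scope exists.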