More precisions about why 2 extrat permissions are needed with Azure AD connection

benoit.tigeot · November 25, 2021, 5:14pm

Hello

On the documentation about Azure AD. There is a part about permissions. I would like to know when two “Permissions” are required?

After reading Microsoft Graph permissions reference this is still no clear why those 2 permissions are required :

Directory.AccessAsUser.All because documentation say Directory.Read.All already returns groups so why is it needed?
Directory.Read.All as Application Permission. Is in case of calling Microsoft Graph API from Actions or Rules?

We implement Azure AD of other client and we have to justifiy about why we request this kind of permissions.

Thanks in advance

benoit.tigeot · November 26, 2021, 9:20am

Ok.

After reading the Microsoft documentation. Directory.Read.All is not enough to get group. user resource do not include groups.

To get groups you need other permissions.
For “Delegated”:

GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All

For “Application”:

GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

Have a nice day.

konrad.sopala · November 26, 2021, 4:37pm

Thanks for sharing that with the rest of community!

Topic		Replies	Views
Why Read Directory permission is absolutely required for Azure AD connection? Help azure-ad	7	6021	April 18, 2020
Azure AD Does Not Require "Directory.Read.All" Access Privileges Knowledge Articles	1	618	January 23, 2024
Is Read Directory permission absolutely required for Azure AD connection? Help azure-ad	2	4327	September 6, 2018
I want to turn off the "Read Directory" permission for Azure AD connection - what will happen? Help azure-ad	4	4162	August 29, 2019
Only Allow Access for Certain Active Directory User Groups Knowledge Articles azure-ad , groups , actions , access-control	1	914	January 25, 2024