More details about why two extra permissions are needed with the Azure AD connection

Hello

In the documentation about Azure AD, there is a part about permissions. I would like to know when two “Permissions” are required.

After reading the Microsoft Graph permissions reference, it is still not clear why those 2 permissions are required:

  • Directory.AccessAsUser.All: because the documentation says Directory.Read.All already returns groups, so why is it needed?
  • Directory.Read.All as Application Permission: is it in case of calling the Microsoft Graph API from Actions or Rules?

We implement Azure AD for other clients and we have to justify why we request this kind of permissions.

Thanks in advance

Ok.

After reading the Microsoft documentation: Directory.Read.All is not enough to get groups. The user resource does not include groups.

To get groups you need other permissions.
For “Delegated”:

GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All

For “Application”:

GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All

Have a nice day.

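As an added example (not part of this thread, and not Auth0's or Microsoft's code), the following script takes the permission lists from the post above and reviews an app registration's requested Graph permissions for least privilege: it checks whether group membership can be read at all, picks the narrowest sufficient permission, and flags anything broader than a read (write permissions, or Directory.AccessAsUser.All). The breadth ranking is an assumption made here for the review, and the sample permission sets are constructed for illustration. Note that Directory.AccessAsUser.All is only meaningful as a delegated permission, so the script treats it as unknown in the application context.

```python
"""Least-privilege review of Microsoft Graph permissions requested for reading groups.

Added example for this thread; the permission lists come from the post above,
the breadth ranking (1 = narrowest) is an assumption made for this review.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Delegated permissions that allow reading group memberships, ranked by breadth.
DELEGATED_GROUP_READ: Dict[str, int] = {
    "GroupMember.Read.All": 1,
    "Group.Read.All": 2,
    "Directory.Read.All": 3,
    "Group.ReadWrite.All": 4,
    "Directory.ReadWrite.All": 5,
    "Directory.AccessAsUser.All": 6,
}

# Application permissions: same list minus Directory.AccessAsUser.All, which is
# delegated-only (it acts on behalf of a signed-in user).
APPLICATION_GROUP_READ: Dict[str, int] = {
    name: rank
    for name, rank in DELEGATED_GROUP_READ.items()
    if name != "Directory.AccessAsUser.All"
}

# Permissions that grant strictly more than a read of group membership.
BROADER_THAN_READ = {
    "Group.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Directory.AccessAsUser.All",
}


@dataclass
class Review:
    kind: str                          # "delegated" or "application"
    can_read_groups: bool              # at least one requested permission suffices
    narrowest_sufficient: Optional[str]  # least-privileged requested permission that suffices
    over_privileged: List[str]         # requested permissions broader than a group read
    unknown: List[str]                 # requested permissions not in the group-read table


def review_permissions(kind: str, requested: Iterable[str]) -> Review:
    """Review the requested permissions of one kind against the group-read table."""
    if kind not in ("delegated", "application"):
        raise ValueError(f"unknown permission kind: {kind}")
    table = DELEGATED_GROUP_READ if kind == "delegated" else APPLICATION_GROUP_READ
    requested = set(requested)

    sufficient = [p for p in requested if p in table]
    narrowest = min(sufficient, key=table.__getitem__) if sufficient else None
    over = sorted(p for p in sufficient if p in BROADER_THAN_READ)
    unknown = sorted(p for p in requested if p not in table)
    return Review(kind, bool(sufficient), narrowest, over, unknown)


def recommendation(kind: str, requested: Iterable[str]) -> str:
    """One-line advice: what to keep, what to drop, or what is missing."""
    r = review_permissions(kind, requested)
    if not r.can_read_groups:
        return (f"{kind}: none of {sorted(set(requested))} can read groups; "
                f"GroupMember.Read.All is the narrowest option")
    msg = f"{kind}: keep {r.narrowest_sufficient}"
    if r.over_privileged:
        msg += f"; drop broader-than-read {r.over_privileged}"
    return msg


if __name__ == "__main__":
    # Constructed sample: the two permissions the original poster asked about,
    # plus a basic User.Read, which by itself does not return groups.
    delegated = {"User.Read", "Directory.Read.All", "Directory.AccessAsUser.All"}
    application = {"Directory.Read.All"}
    print(recommendation("delegated", delegated))
    print(recommendation("application", application))
    print(recommendation("application", {"Directory.AccessAsUser.All"}))
```

The useful output for a justification document is `narrowest_sufficient` versus `over_privileged`: if group membership is all the connection needs, the review shows which single read permission covers it and which requested scopes would have to be justified on other grounds.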

Thanks for sharing that with the rest of community!