Why Read Directory permission is absolutely required for Azure AD connection?

Hello Community,

I’d need to set up an Azure AD connection for a customer but I’m not able to explain why they need to grant Directory.All.Read access to their app.

This question has already been asked but there is no clear answer.

Can someone help me with that ?


To sum up what we talked about on Twitter:

  • It’s only required if you choose to get more user details (groups, extended properties, etc.)
  • …but you just opted in for the basic user data & Azure AD is still telling you the apps need more permissions (that only an admin can grant).
  • Sign in and read user profile permissions are normal for apps authenticating using OpenID Connect (https://docs.microsoft.com/en-us/graph/permissions-reference#directory-permissions)
  • You manage the Azure AD of the working connection and set the correct permissions as described in the Auth0 doc.

And the key question is: How could I tell the Connection to not ask for Directory Read permissions?

I think the doc in question is here: https://auth0.com/docs/connections/enterprise/azure-active-directory/v2#add-permissions

Are we on track? :smile:


Thanks for this summary! We’re perfectly on track! :grinning:

1 Like

Hi Nicolas,

I’ve reached out internally for more information regarding this permission requirement and will share what I discover.


Hello Kevin,

Any updates regarding this topic ? My first need would be to be able to explain why the permission is required. Could you help with this ? Sorry to bug you again about this.

We only require User.Read if the extended profile is enabled, and Directory.Read.All if groups are requested.

And yet you’re still being prompted to provide these permissions?

Can you verify that the following options are not enabled on your Azure AD configuration page?


Hi Kevin,

Thanks for your reply. The permissions were not enabled on the configuration pages of both connections.
I just removed the permissions in the Azure AD that I manage and indeed, both permissions are not required, I am able to configure a working connection.
So, I suppose there is a misconfiguration in the permissions of the tenant of my client (that I don’t manage).

Sorry for disturbing you guys about this.

Thanks again for your support!


1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.