Hello Community,
I’d need to set up an Azure AD connection for a customer but I’m not able to explain why they need to grant Directory.All.Read access to their app.
This question has already been asked but there is no clear answer.
Can someone help me with that ?
Best,
Nicolas
To sum up what we talked about on Twitter:
And the key question is: How could I tell the Connection to not ask for Directory Read permissions?
I think the doc in question is here: Connect Your App to Microsoft Azure Active Directory
Are we on track? 
Thanks for this summary! We’re perfectly on track! 
Hi Nicolas,
I’ve reached out internally for more information regarding this permission requirement and will share what I discover.
Hello Kevin,
Any updates regarding this topic ? My first need would be to be able to explain why the permission is required. Could you help with this ? Sorry to bug you again about this.
We only require User.Read if the extended profile is enabled, and Directory.Read.All if groups are requested.
And yet you’re still being prompted to provide these permissions?
Can you verify that the following options are not enabled on your Azure AD configuration page?
Hi Kevin,
Thanks for your reply. The permissions were not enabled on the configuration pages of both connections.
I just removed the permissions in the Azure AD that I manage and indeed, both permissions are not required, I am able to configure a working connection.
So, I suppose there is a misconfiguration in the permissions of the tenant of my client (that I don’t manage).
Sorry for disturbing you guys about this.
Thanks again for your support!
Best,
Nicolas
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.
