Microsoft Graph App and Scope permissions.
August 2021 (Updated April 2024)
Overview
Below are the details of Microsoft Graph permissions including IDs which are required when using Terraform, PowerShell or Azure CLI.
Update April 2024
Thanks to this GitHub issue raised by jan-swiecki, I have updated this article with an example of how to find the ID of the MS Graph permissions using Terraform with the azuread_service_principal resource. This functionality was introduced just after I had written the original article. The below Terraform file demonstrates outputing the IDs via variables and also how to use the permission IDs to create an application.
Thanks again to jan-swiecki for taking the time to share this knowledge.
Original article continues
In my previous article on using Terraform to deploy to Azure AD, I used the required_resource_access argument in the Terraform azuread_application resource to set the Microsoft Graph API permissions for the app being created. One thing that stumped me for a bit was how to get the ID of the permission. This wasn’t available on the Microsoft Graph API permissions documentation at the time of writing.
Searching showed that you can see the current API grants of an application by the Azure CLI by running:
az ad app show --id
This outputs the following section:
"requiredResourceAccess": [
{
"additionalProperties": null,
"resourceAccess": [
{
"additionalProperties": null,
"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
"type": "Role"
}
],
"resourceAppId": "00000003-0000-0000-c000-000000000000"
}
],
The resourceAppId in the above snippet is for the Microsoft Graph. This post has details of the other application IDs for Microsoft resources. The resourceAccess ID is for the role Directory.Read.All and this is what is displayed in the Azure portal. This was a start but I wanted to know other IDs and this method only showed what was already granted to that app. I couldn’t find a way to do this via the Azure CLI or PowerShell.
I ended up finding this comment on a GitHub issue that showed how to retrieve the information from the MS Graph by the following query: https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'&$select=appRoles, oauth2PermissionScopes.
I created a basic python cli script to get this information, format it and output it in a markdown table which is what is below to be used for future reference.
Note: Role permissions display as Application and scope permissions display as Delegated in the Azure portal.
Role permissions
| Role Name | ID | Display Name | Description |
|---|---|---|---|
| APIConnectors.Read.All | b86848a7-d5b1-41eb-a9b4-54a4e6306e97 | Read API connectors for authentication flows | Allows the app to read the API connectors used in user authentication flows, without a signed-in user. |
| APIConnectors.ReadWrite.All | 1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171 | Read and write API connectors for authentication flows | Allows the app to read, create and manage the API connectors used in user authentication flows, without a signed-in user. |
| AccessReview.Read.All | d07a8cc0-3d51-4b77-b3b0-32704d1f69fa | Read all access reviews | Allows the app to read access reviews, reviewers, decisions and settings in the organization, without a signed-in user. |
| AccessReview.ReadWrite.All | ef5f7d5c-338f-44b0-86c3-351f46c8bb5f | Manage all access reviews | Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user. |
| AccessReview.ReadWrite.Membership | 18228521-a591-40f1-b215-5fad4488c117 | Manage access reviews for group and app memberships | Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization for group and app memberships, without a signed-in user. |
| AdministrativeUnit.Read.All | 134fd756-38ce-4afd-ba33-e9623dbe66c2 | Read all administrative units | Allows the app to read administrative units and administrative unit membership without a signed-in user. |
| AdministrativeUnit.ReadWrite.All | 5eb59dd3-1da2-4329-8733-9dabdc435916 | Read and write all administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user. |
| Agreement.Read.All | 2f3e6f8c-093b-4c57-a58b-ba5ce494a169 | Read all terms of use agreements | Allows the app to read terms of use agreements, without a signed in user. |
| Agreement.ReadWrite.All | c9090d00-6101-42f0-a729-c41074260d47 | Read and write all terms of use agreements | Allows the app to read and write terms of use agreements, without a signed in user. |
| AgreementAcceptance.Read.All | d8e4ec18-f6c0-4620-8122-c8b1f2bf400e | Read all terms of use acceptance statuses | Allows the app to read terms of use acceptance statuses, without a signed in user. |
| AppRoleAssignment.ReadWrite.All | 06b708a9-e830-4db3-a914-8e69da51d44f | Manage app permission grants and app role assignments | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. |
| Application.Read.All | 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 | Read all applications | Allows the app to read all applications and service principals without a signed-in user. |
| Application.ReadWrite.All | 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 | Read and write all applications | Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. |
| Application.ReadWrite.OwnedBy | 18a4783c-866b-4cc7-a460-3d5e5662c884 | Manage apps that this app creates or owns | Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of. |
| ApprovalRequest.Read.AdminConsentRequest | 0d9d2e88-e2eb-4ac7-9b1d-9b68ed9f9f4f | Read all admin consent approval requests | Allows the app to read admin consent requests, business flows, and governance policy templates without a signed-in user. |
| ApprovalRequest.Read.CustomerLockbox | 080ce695-a830-4d5c-a45a-375e3ab11b11 | Read all customer lockbox approval requests | Allows the app to read customer lockbox requests, business flows, and governance policy templates without a signed-in user. |
| ApprovalRequest.Read.EntitlementManagement | b2a3adf0-5774-4846-986c-a91c705b0141 | Read all entitlement management approval requests | Allows the app to read entitlement management requests, business flows, and governance policy templates without a signed-in user. |
| ApprovalRequest.Read.PriviligedAccess | 3f410ed8-2d83-4435-b2c4-c776f44e4ae1 | Read all privileged access approval requests | Allows the app to read privileged access requests, business flows, and governance policy templates without a signed-in user. |
| ApprovalRequest.ReadWrite.AdminConsentRequest | afe5c674-a576-4b80-818c-e3d7f6afd299 | Read and write all admin consent approval requests | Allows the app to read and write admin consent requests, business flows, and governance policy templates without a signed-in user. |
| ApprovalRequest.ReadWrite.CustomerLockbox | 5f411d27-abad-4dc3-83c6-b84a46ffa434 | Read and write all customer lockbox approval requests | Allows the app to read and write customer lockbox requests, business flows, and governance policy templates without a signed-in user. |
| ApprovalRequest.ReadWrite.EntitlementManagement | fbfdecc9-4b78-4882-bb98-7decbddcbddf | Read and write all entitlement management approval requests | Allows the app to read and write entitlement management requests, business flows, and governance policy templates without a signed-in user. |
| ApprovalRequest.ReadWrite.PriviligedAccess | 60182ac6-4565-4baa-8b04-9350fe8dbfca | Read and write all privileged access approval requests | Allows the app to read and write privileged access requests, business flows, and governance policy templates without a signed-in user. |
| AuditLog.Read.All | b0afded3-3588-46d8-8b3d-9842eff778da | Read all audit log data | Allows the app to read and query your audit log activities, without a signed-in user. |
| BitlockerKey.Read.All | 57f1cf28-c0c4-4ec3-9a30-19a2eaaf2f6e | Read all BitLocker keys | Allows an app to read BitLocker keys for all devices, without a signed-in user. Allows read of the recovery key. |
| BitlockerKey.ReadBasic.All | f690d423-6b29-4d04-98c6-694c42282419 | Read all BitLocker keys basic information | Allows an app to read basic BitLocker key properties for all devices, without a signed-in user. Does not allow read of the recovery key. |
| Calendars.Read | 798ee544-9d2d-430c-a058-570e29e34338 | Read calendars in all mailboxes | Allows the app to read events of all calendars without a signed-in user. |
| Calendars.ReadWrite | ef54d2bf-783f-4e0f-bca1-3210c0444d99 | Read and write calendars in all mailboxes | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. |
| CallRecord-PstnCalls.Read.All | a2611786-80b3-417e-adaa-707d4261a5f0 | Read PSTN and direct routing call log data | Allows the app to read all PSTN and direct routing call log data without a signed-in user. |
| CallRecords.Read.All | 45bbb07e-7321-4fd7-a8f6-3ff27e6a81c8 | Read all call records | Allows the app to read call records for all calls and online meetings without a signed-in user. |
| Calls.AccessMedia.All | a7a681dc-756e-4909-b988-f160edc6655f | Access media streams in a call as an app | Allows the app to get direct access to media streams in a call, without a signed-in user. |
| Calls.Initiate.All | 284383ee-7f6e-4e40-a2a8-e85dcb029101 | Initiate outgoing 1 to 1 calls from the app | Allows the app to place outbound calls to a single user and transfer calls to users in your organization’s directory, without a signed-in user. |
| Calls.InitiateGroupCall.All | 4c277553-8a09-487b-8023-29ee378d8324 | Initiate outgoing group calls from the app | Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a signed-in user. |
| Calls.JoinGroupCall.All | f6b49018-60ab-4f81-83bd-22caeabfed2d | Join group calls and meetings as an app | Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined with the privileges of a directory user to meetings in your organization. |
| Calls.JoinGroupCallAsGuest.All | fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4 | Join group calls and meetings as a guest | Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined as a guest to meetings in your organization. |
| Channel.Create | f3a65bd4-b703-46df-8f7e-0174fea562aa | Create channels | Create channels in any team, without a signed-in user. |
| Channel.Delete.All | 6a118a39-1227-45d4-af0c-ea7b40d210bc | Delete channels | Delete channels in any team, without a signed-in user. |
| Channel.ReadBasic.All | 59a6b24b-4225-4393-8165-ebaec5f55d7a | Read the names and descriptions of all channels | Read all channel names and channel descriptions, without a signed-in user. |
| ChannelMember.Read.All | 3b55498e-47ec-484f-8136-9013221c06a9 | Read the members of all channels | Read the members of all channels, without a signed-in user. |
| ChannelMember.ReadWrite.All | 35930dcf-aceb-4bd1-b99a-8ffed403c974 | Add and remove members from all channels | Add and remove members from all channels, without a signed-in user. Also allows changing a member’s role, for example from owner to non-owner. |
| ChannelMessage.Read.All | 7b2449af-6ccd-4f4d-9f78-e550c193f0d1 | Read all channel messages | Allows the app to read all channel messages in Microsoft Teams |
| ChannelMessage.UpdatePolicyViolation.All | 4d02b0cc-d90b-441f-8d82-4fb55c34d6bb | Flag channel messages for violating policy | Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. |
| ChannelSettings.Read.All | c97b873f-f59f-49aa-8a0e-52b32d762124 | Read the names, descriptions, and settings of all channels | Read all channel names, channel descriptions, and channel settings, without a signed-in user. |
| ChannelSettings.ReadWrite.All | 243cded2-bd16-4fd6-a953-ff8177894c3d | Read and write the names, descriptions, and settings of all channels | Read and write the names, descriptions, and settings of all channels, without a signed-in user. |
| Chat.Create | d9c48af6-9ad9-47ad-82c3-63757137b9af | Create chats | Allows the app to create chats without a signed-in user. |
| Chat.Read.All | 6b7d71aa-70aa-4810-a8d9-5d9fb2830017 | Read all chat messages | Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams. |
| Chat.ReadBasic.All | b2e060da-3baf-4687-9611-f4ebc0f0cbde | Read names and members of all chat threads | Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user. |
| Chat.ReadWrite.All | 294ce7c9-31ba-490a-ad7d-97a7d075e4ed | Read and write all chat messages | Allows an app to read and write all chat messages in Microsoft Teams, without a signed-in user. |
| Chat.UpdatePolicyViolation.All | 7e847308-e030-4183-9899-5235d7270f58 | Flag chat messages for violating policy | Allows the app to update Microsoft Teams 1-to-1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing. |
| ChatMember.Read.All | a3410be2-8e48-4f32-8454-c29a7465209d | Read the members of all chats | Read the members of all chats, without a signed-in user. |
| ChatMember.ReadWrite.All | 57257249-34ce-4810-a8a2-a03adf0c5693 | Add and remove members from all chats | Add and remove members from all chats, without a signed-in user. |
| ChatMessage.Read.All | b9bb2381-47a4-46cd-aafb-00cb12f68504 | Read all chat messages | Allows the app to read all one-to-one and group chats messages in Microsoft Teams, without a signed-in user. |
| CloudPC.Read.All | a9e09520-8ed4-4cde-838e-4fdea192c227 | Read Cloud PCs | Allows the app to read the properties of Cloud PCs, without a signed-in user. |
| CloudPC.ReadWrite.All | 3b4349e1-8cf5-45a3-95b7-69d1751d3e6a | Read and write Cloud PCs | Allows the app to read and write the properties of Cloud PCs, without a signed-in user. |
| ConsentRequest.Read.All | 1260ad83-98fb-4785-abbb-d6cc1806fd41 | Read all consent requests | Allows the app to read consent requests and approvals without a signed-in user. |
| ConsentRequest.ReadWrite.All | 9f1b81a7-0223-4428-bfa4-0bcb5535f27d | Read and write all consent requests | Allows the app to read app consent requests and approvals, and deny or approve those requests without a signed-in user. |
| Contacts.Read | 089fe4d0-434a-44c5-8827-41ba8a0b17f5 | Read contacts in all mailboxes | Allows the app to read all contacts in all mailboxes without a signed-in user. |
| Contacts.ReadWrite | 6918b873-d17a-4dc1-b314-35f528134491 | Read and write contacts in all mailboxes | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. |
| DelegatedPermissionGrant.ReadWrite.All | 8e8e4742-1d95-4f68-9d56-6ee75648c72a | Manage all delegated permission grants | Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), without a signed-in user. |
| Device.Read.All | 7438b122-aefc-4978-80ed-43db9fcc7715 | Read all devices | Allows the app to read your organization’s devices’ configuration information without a signed-in user. |
| Device.ReadWrite.All | 1138cb37-bd11-4084-a2b7-9f71582aeddb | Read and write devices | Allows the app to read and write all device properties without a signed in user. Does not allow device creation, device deletion or update of device alternative security identifiers. |
| DeviceManagementApps.Read.All | 7a6ee1e7-141e-4cec-ae74-d9db155731ff | Read Microsoft Intune apps | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. |
| DeviceManagementApps.ReadWrite.All | 78145de6-330d-4800-a6ce-494ff2d33d07 | Read and write Microsoft Intune apps | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. |
| DeviceManagementConfiguration.Read.All | dc377aa6-52d8-4e23-b271-2a7ae04cedf3 | Read Microsoft Intune device configuration and policies | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. |
| DeviceManagementConfiguration.ReadWrite.All | 9241abd9-d0e6-425a-bd4f-47ba86e767a4 | Read and write Microsoft Intune device configuration and policies | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. |
| DeviceManagementManagedDevices.PrivilegedOperations.All | 5b07b0dd-2377-4e44-a38d-703f09a0dc3c | Perform user-impacting remote actions on Microsoft Intune devices | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user. |
| DeviceManagementManagedDevices.Read.All | 2f51be20-0bb4-4fed-bf7b-db946066c75e | Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user. |
| DeviceManagementManagedDevices.ReadWrite.All | 243333ab-4d21-40cb-a475-36241daa0842 | Read and write Microsoft Intune devices | Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device’s owner |
| DeviceManagementRBAC.Read.All | 58ca0d9a-1575-47e1-a3cb-007ef2e4583b | Read Microsoft Intune RBAC settings | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. |
| DeviceManagementRBAC.ReadWrite.All | e330c4f0-4170-414e-a55a-2f022ec2b57b | Read and write Microsoft Intune RBAC settings | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. |
| DeviceManagementServiceConfig.Read.All | 06a5fe6d-c49d-46a7-b082-56b1b14103c7 | Read Microsoft Intune configuration | Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. |
| DeviceManagementServiceConfig.ReadWrite.All | 5ac13192-7ace-4fcf-b828-1a26f28068ee | Read and write Microsoft Intune configuration | Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user. |
| Directory.Read.All | 7ab1d382-f21e-4acd-a863-ba3e13f7da61 | Read directory data | Allows the app to read data in your organization’s directory, such as users, groups and apps, without a signed-in user. |
| Directory.ReadWrite.All | 19dbc75e-c2e2-444c-a770-ec69d8559fc7 | Read and write directory data | Allows the app to read and write data in your organization’s directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. |
| Domain.Read.All | dbb9058a-0e50-45d7-ae91-66909b5d4664 | Read domains | Allows the app to read all domain properties without a signed-in user. |
| Domain.ReadWrite.All | 7e05723c-0bb0-42da-be95-ae9f08a6e53c | Read and write domains | Allows the app to read and write all domain properties without a signed in user. Also allows the app to add, verify and remove domains. |
| EduAdministration.Read.All | 7c9db06a-ec2d-4e7b-a592-5a1e30992566 | Read Education app settings | Read the state and settings of all Microsoft education apps. |
| EduAdministration.ReadWrite.All | 9bc431c3-b8bc-4a8d-a219-40f10f92eff6 | Manage education app settings | Manage the state and settings of all Microsoft education apps. |
| EduAssignments.Read.All | 4c37e1b6-35a1-43bf-926a-6f30f2cdf585 | Read class assignments with grades | Allows the app to read assignments and their grades for all users. |
| EduAssignments.ReadBasic.All | 6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e | Read class assignments without grades | Allows the app to read assignments without grades for all users. |
| EduAssignments.ReadWrite.All | 0d22204b-6cad-4dd0-8362-3e3f2ae699d9 | Read and write class assignments with grades | Allows the app to read and write assignments and their grades for all users. |
| EduAssignments.ReadWriteBasic.All | f431cc63-a2de-48c4-8054-a34bc093af84 | Read and write class assignments without grades | Allows the app to read and write assignments without grades for all users. |
| EduRoster.Read.All | e0ac9e1b-cb65-4fc5-87c5-1a8bc181f648 | Read the organization’s roster | Allows the app to read the structure of schools and classes in the organization’s roster and education-specific information about all users to be read. |
| EduRoster.ReadBasic.All | 0d412a8c-a06c-439f-b3ec-8abcf54d2f96 | Read a limited subset of the organization’s roster | Allows the app to read a limited subset of properties from both the structure of schools and classes in the organization’s roster and education-specific information about all users. Includes name, status, role, email address and photo. |
| EduRoster.ReadWrite.All | d1808e82-ce13-47af-ae0d-f9b254e6d58a | Read and write the organization’s roster | Allows the app to read and write the structure of schools and classes in the organization’s roster and education-specific information about all users to be read and written. |
| EntitlementManagement.Read.All | c74fd47d-ed3c-45c3-9a9e-b8676de685d2 | Read all entitlement management resources | Allows the app to read access packages and related entitlement management resources without a signed-in user. |
| EntitlementManagement.ReadWrite.All | 9acd699f-1e81-4958-b001-93b1d2506e19 | Read and write all entitlement management resources | Allows the app to read and write access packages and related entitlement management resources without a signed-in user. |
| ExternalConnection.ReadWrite.OwnedBy | f431331c-49a6-499f-be1c-62af19c34a9d | Read and write external connections | Allows the app to read and write external connections without a signed-in user. The app can only read and write external connections that it is authorized to, or it can create new external connections. |
| ExternalItem.ReadWrite.All | 38c3d6ee-69ee-422f-b954-e17819665354 | Read and write items in external datasets | Allow the app to read or write items in all external datasets that the app is authorized to access |
| ExternalItem.ReadWrite.OwnedBy | 8116ae0f-55c2-452d-9944-d18420f5b2c8 | Read and write external items | Allows the app to read and write external items without a signed-in user. The app can only read external items of the connection that it is authorized to. |
| Files.Read.All | 01d4889c-1287-42c6-ac1f-5d1e02578ef6 | Read files in all site collections | Allows the app to read all files in all site collections without a signed in user. |
| Files.ReadWrite.All | 75359482-378d-4052-8f01-80520e7db3cd | Read and write files in all site collections | Allows the app to read, create, update and delete all files in all site collections without a signed in user. |
| Group.Create | bf7b1a76-6e77-406b-b258-bf5c7720e98f | Create groups | Allows the app to create groups without a signed-in user. |
| Group.Read.All | 5b567255-7703-4780-807c-7be8301ae99b | Read all groups | Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user. |
| Group.ReadWrite.All | 62a82d76-70ea-41e2-9197-370581804d09 | Read and write all groups | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user. |
| GroupMember.Read.All | 98830695-27a2-44f7-8c18-0c3ebc9698f6 | Read all group memberships | Allows the app to read memberships and basic group properties for all groups without a signed-in user. |
| GroupMember.ReadWrite.All | dbaae8cf-10b5-4b86-a4a1-f871c94c6695 | Read and write all group memberships | Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. |
| IdentityProvider.Read.All | e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0 | Read identity providers | Allows the app to read your organization’s identity (authentication) providers’ properties without a signed in user. |
| IdentityProvider.ReadWrite.All | 90db2b9a-d928-4d33-a4dd-8442ae3d41e4 | Read and write identity providers | Allows the app to read and write your organization’s identity (authentication) providers’ properties without a signed in user. |
| IdentityRiskEvent.Read.All | 6e472fd1-ad78-48da-a0f0-97ab2c6b769e | Read all identity risk event information | Allows the app to read the identity risk event information for your organization without a signed in user. |
| IdentityRiskEvent.ReadWrite.All | db06fb33-1953-4b7b-a2ac-f1e2c854f7ae | Read and write all risk detection information | Allows the app to read and update identity risk detection information for your organization without a signed-in user. Update operations include confirming risk event detections. |
| IdentityRiskyUser.Read.All | dc5007c0-2d7d-4c42-879c-2dab87571379 | Read all identity risky user information | Allows the app to read the identity risky user information for your organization without a signed in user. |
| IdentityRiskyUser.ReadWrite.All | 656f6061-f9fe-4807-9708-6a2e0934df76 | Read and write all risky user information | Allows the app to read and update identity risky user information for your organization without a signed-in user. Update operations include dismissing risky users. |
| IdentityUserFlow.Read.All | 1b0c317f-dd31-4305-9932-259a8b6e8099 | Read all identity user flows | Allows the app to read your organization’s user flows, without a signed-in user. |
| IdentityUserFlow.ReadWrite.All | 65319a09-a2be-469d-8782-f6b07debf789 | Read and write all identity user flows | Allows the app to read or write your organization’s user flows, without a signed-in user. |
| InformationProtectionPolicy.Read.All | 19da66cb-0fb0-4390-b071-ebc76a349482 | Read all published labels and label policies for an organization. | Allows an app to read published sensitivity labels and label policy settings for the entire organization or a specific user, without a signed in user. |
| Mail.Read | 810c84a8-4a9e-49e6-bf7d-12d183f40d01 | Read mail in all mailboxes | Allows the app to read mail in all mailboxes without a signed-in user. |
| Mail.ReadBasic | 6be147d2-ea4f-4b5a-a3fa-3eab6f3c140a | Read basic mail in all mailboxes | Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, previewBody, attachments and any extended properties. |
| Mail.ReadBasic.All | 693c5e45-0940-467d-9b8a-1022fb9d42ef | Read basic mail in all mailboxes | Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, previewBody, attachments and any extended properties. |
| Mail.ReadWrite | e2a3a72e-5f79-4c64-b1b1-878b674786c9 | Read and write mail in all mailboxes | Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. |
| Mail.Send | b633e1c5-b582-4048-a93e-9f11b44c7e96 | Send mail as any user | Allows the app to send mail as any user without a signed-in user. |
| MailboxSettings.Read | 40f97065-369a-49f4-947c-6a255697ae91 | Read all user mailbox settings | Allows the app to read user’s mailbox settings without a signed-in user. Does not include permission to send mail. |
| MailboxSettings.ReadWrite | 6931bccd-447a-43d1-b442-00a195474933 | Read and write all user mailbox settings | Allows the app to create, read, update, and delete user’s mailbox settings without a signed-in user. Does not include permission to send mail. |
| Member.Read.Hidden | 658aa5d8-239f-45c4-aa12-864f4fc7e490 | Read all hidden memberships | Allows the app to read the memberships of hidden groups and administrative units without a signed-in user. |
| Notes.Read.All | 3aeca27b-ee3a-4c2b-8ded-80376e2134a4 | Read all OneNote notebooks | Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. |
| Notes.ReadWrite.All | 0c458cef-11f3-48c2-a568-c66751c238c0 | Read and write all OneNote notebooks | Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. |
| OnPremisesPublishingProfiles.ReadWrite.All | 0b57845e-aa49-4e6f-8109-ce654fffa618 | Manage on-premises published resources | Allows the app to create, view, update and delete on-premises published resources, on-premises agents and agent groups, as part of a hybrid identity configuration, without a signed in user. |
| OnlineMeetings.Read.All | c1684f21-1984-47fa-9d61-2dc8c296bb70 | Read online meeting details | Allows the app to read online meeting details in your organization, without a signed-in user. |
| OnlineMeetings.ReadWrite.All | b8bb2037-6e08-44ac-a4ea-4674e010e2a4 | Read and create online meetings | Allows the app to read and create online meetings as an application in your organization. |
| OrgContact.Read.All | e1a88a34-94c4-4418-be12-c87b00e26bea | Read organizational contacts | Allows the app to read all organizational contacts without a signed-in user. These contacts are managed by the organization and are different from a user’s personal contacts. |
| Organization.Read.All | 498476ce-e0fe-48b0-b801-37ba7e2685c6 | Read organization information | Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information. |
| Organization.ReadWrite.All | 292d869f-3427-49a8-9dab-8c70152b74e9 | Read and write organization information | Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information. |
| People.Read.All | b528084d-ad10-4598-8b93-929746b4d7d6 | Read all users’ relevant people lists | Allows the app to read any user’s scored list of relevant people, without a signed-in user. The list can include local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype). |
| Place.Read.All | 913b9306-0ce1-42b8-9137-6a7df690a760 | Read all company places | Allows the app to read company places (conference rooms and room lists) for calendar events and other applications, without a signed-in user. |
| Policy.Read.All | 246dd0d5-5bd0-4def-940b-0421030a5b68 | Read your organization’s policies | Allows the app to read all your organization’s policies without a signed in user. |
| Policy.Read.ConditionalAccess | 37730810-e9ba-4e46-b07e-8ca78d182097 | Read your organization’s conditional access policies | Allows the app to read your organization’s conditional access policies, without a signed-in user. |
| Policy.Read.PermissionGrant | 9e640839-a198-48fb-8b9a-013fd6f6cbcd | Read consent and permission grant policies | Allows the app to read policies related to consent and permission grants for applications, without a signed-in user. |
| Policy.ReadWrite.ApplicationConfiguration | be74164b-cff1-491c-8741-e671cb536e13 | Read and write your organization’s application configuration policies | Allows the app to read and write your organization’s application configuration policies, without a signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy. |
| Policy.ReadWrite.AuthenticationFlows | 25f85f3c-f66c-4205-8cd5-de92dd7f0cec | Read and write authentication flow policies | Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user. |
| Policy.ReadWrite.AuthenticationMethod | 29c18626-4985-4dcd-85c0-193eef327366 | Read and write all authentication method policies | Allows the app to read and write all authentication method policies for the tenant, without a signed-in user. |
| Policy.ReadWrite.Authorization | fb221be6-99f2-473f-bd32-01c6a0e9ca3b | Read and write your organization’s authorization policy | Allows the app to read and write your organization’s authorization policy without a signed in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. |
| Policy.ReadWrite.ConditionalAccess | 01c0a623-fc9b-48e9-b794-0756f8e8f067 | Read and write your organization’s conditional access policies | Allows the app to read and write your organization’s conditional access policies, without a signed-in user. |
| Policy.ReadWrite.ConsentRequest | 999f8c63-0a38-4f1b-91fd-ed1947bdd1a9 | Read and write your organization’s consent request policy | Allows the app to read and write your organization’s consent requests policy without a signed-in user. |
| Policy.ReadWrite.FeatureRollout | 2044e4f1-e56c-435b-925c-44cd8f6ba89a | Read and write feature rollout policies | Allows the app to read and write feature rollout policies without a signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature. |
| Policy.ReadWrite.PermissionGrant | a402ca1c-2696-4531-972d-6e5ee4aa11ea | Manage consent and permission grant policies | Allows the app to manage policies related to consent and permission grants for applications, without a signed-in user. |
| Policy.ReadWrite.TrustFramework | 79a677f7-b79d-40d0-a36a-3e6f8688dd7a | Read and write your organization’s trust framework policies | Allows the app to read and write your organization’s trust framework policies without a signed in user. |
| Presence.ReadWrite.All | 83cded22-8297-4ff6-a7fa-e97e9545a259 | Read and write presence information for all users | Allows the app to read all presence information and write activity and availability of all users in the directory without a signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, time zone and location. |
| PrintJob.Manage.All | 58a52f47-9e36-4b17-9ebe-ce4ef7f3e6c8 | Perform advanced operations on print jobs | Allows the application to perform advanced operations like redirecting a print job to another printer without a signed-in user. Also allows the application to read and update the metadata of print jobs. |
| PrintJob.Read.All | ac6f956c-edea-44e4-bd06-64b1b4b9aec9 | Read print jobs | Allows the application to read the metadata and document content of print jobs without a signed-in user. |
| PrintJob.ReadBasic.All | fbf67eee-e074-4ef7-b965-ab5ce1c1f689 | Read basic information for print jobs | Allows the application to read the metadata of print jobs without a signed-in user. Does not allow access to print job document content. |
| PrintJob.ReadWrite.All | 5114b07b-2898-4de7-a541-53b0004e2e13 | Read and write print jobs | Allows the application to read and update the metadata and document content of print jobs without a signed-in user. |
| PrintJob.ReadWriteBasic.All | 57878358-37f4-4d3a-8c20-4816e0d457b1 | Read and write basic information for print jobs | Allows the application to read and update the metadata of print jobs without a signed-in user. Does not allow access to print job document content. |
| PrintSettings.Read.All | b5991872-94cf-4652-9765-29535087c6d8 | Read tenant-wide print settings | Allows the application to read tenant-wide print settings without a signed-in user. |
| PrintTaskDefinition.ReadWrite.All | 456b71a7-0ee0-4588-9842-c123fcc8f664 | Read, write and update print task definitions | Allows the application to read and update print task definitions without a signed-in user. |
| Printer.Read.All | 9709bb33-4549-49d4-8ed9-a8f65e45bb0f | Read printers | Allows the application to read printers without a signed-in user. |
| Printer.ReadWrite.All | f5b3f73d-6247-44df-a74c-866173fddab0 | Read and update printers | Allows the application to read and update printers without a signed-in user. Does not allow creating (registering) or deleting (unregistering) printers. |
| PrivilegedAccess.Read.AzureAD | 4cdc2547-9148-4295-8d11-be0db1391d6b | Read privileged access to Azure AD roles | Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user. |
| PrivilegedAccess.Read.AzureADGroup | 01e37dc9-c035-40bd-b438-b2879c4870a6 | Read privileged access to Azure AD groups | Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user. |
| PrivilegedAccess.Read.AzureResources | 5df6fe86-1be0-44eb-b916-7bd443a71236 | Read privileged access to Azure resources | Allows the app to read time-based assignment and just-in-time elevation of user privileges to audit Azure resources in your organization, without a signed-in user. |
| PrivilegedAccess.ReadWrite.AzureAD | 854d9ab1-6657-4ec8-be45-823027bcd009 | Read and write privileged access to Azure AD roles | Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user. |
| PrivilegedAccess.ReadWrite.AzureADGroup | 2f6817f8-7b12-4f0f-bc18-eeaf60705a9e | Read and write privileged access to Azure AD groups | Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user. |
| PrivilegedAccess.ReadWrite.AzureResources | 6f9d5abc-2db6-400b-a267-7de22a40fb87 | Read and write privileged access to Azure resources | Allows the app to request and manage time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) in your organization, without a signed-in user. |
| ProgramControl.Read.All | eedb7fdd-7539-4345-a38b-4839e4a84cbd | Read all programs | Allows the app to read programs and program controls in the organization, without a signed-in user. |
| ProgramControl.ReadWrite.All | 60a901ed-09f7-4aa5-a16e-7dd3d6f9de36 | Manage all programs | Allows the app to read, update, delete and perform actions on programs and program controls in the organization, without a signed-in user. |
| Reports.Read.All | 230c1aed-a721-4c5d-9cb4-a90514e508ef | Read all usage reports | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. |
| RoleManagement.Read.All | c7fbd983-d9aa-4fa7-84b8-17382c103bc4 | Read role management data for all RBAC providers | Allows the app to read role-based access control (RBAC) settings for all RBAC providers without a signed-in user. This includes reading role definitions and role assignments. |
| RoleManagement.Read.Directory | 483bed4a-2ad3-4361-a73b-c83ccdbdc53c | Read all directory RBAC settings | Allows the app to read the role-based access control (RBAC) settings for your company’s directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships. |
| RoleManagement.ReadWrite.Directory | 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 | Read and write all directory RBAC settings | Allows the app to read and manage the role-based access control (RBAC) settings for your company’s directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. |
| Schedule.Read.All | 7b2ebf90-d836-437f-b90d-7b62722c4456 | Read all schedule items | Allows the app to read all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without a signed-in user. |
| Schedule.ReadWrite.All | b7760610-0545-4e8a-9ec3-cce9e63db01c | Read and write all schedule items | Allows the app to manage all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without a signed-in user. |
| SecurityActions.Read.All | 5e0edab9-c148-49d0-b423-ac253e121825 | Read your organization’s security actions | Allows the app to read security actions, without a signed-in user. |
| SecurityActions.ReadWrite.All | f2bf083f-0179-402a-bedb-b2784de8a49b | Read and update your organization’s security actions | Allows the app to read or update security actions, without a signed-in user. |
| SecurityEvents.Read.All | bf394140-e372-4bf9-a898-299cfc7564e5 | Read your organization’s security events | Allows the app to read your organization’s security events without a signed-in user. |
| SecurityEvents.ReadWrite.All | d903a879-88e0-4c09-b0c9-82f6a1333f84 | Read and update your organization’s security events | Allows the app to read your organization’s security events without a signed-in user. Also allows the app to update editable properties in security events. |
| ServiceHealth.Read.All | 79c261e0-fe76-4144-aad5-bdc68fbe4037 | Read service health | Allows the app to read your tenant’s service health information, without a signed-in user. Health information may include service issues or service health overviews. |
| ServiceMessage.Read.All | 1b620472-6534-4fe6-9df2-4680e8aa28ec | Read service messages | Allows the app to read your tenant’s service announcement messages, without a signed-in user. Messages may include information about new or changed features. |
| ServicePrincipalEndpoint.Read.All | 5256681e-b7f6-40c0-8447-2d9db68797a0 | Read service principal endpoints | Allows the app to read service principal endpoints |
| ServicePrincipalEndpoint.ReadWrite.All | 89c8469c-83ad-45f7-8ff2-6e3d4285709e | Read and update service principal endpoints | Allows the app to update service principal endpoints |
| ShortNotes.Read.All | 0c7d31ec-31ca-4f58-b6ec-9950b6b0de69 | Read all users’ short notes | Allows the app to read all the short notes without a signed-in user. |
| ShortNotes.ReadWrite.All | 842c284c-763d-4a97-838d-79787d129bab | Read, create, edit, and delete all users’ short notes | Allows the app to read, create, edit, and delete all the short notes without a signed-in user. |
| Sites.FullControl.All | a82116e5-55eb-4c41-a434-62fe8a61c773 | Have full control of all site collections | Allows the app to have full control of all site collections without a signed in user. |
| Sites.Manage.All | 0c0bf378-bf22-4481-8f81-9e89a9b4960a | Create, edit, and delete items and lists in all site collections | Allows the app to create or delete document libraries and lists in all site collections without a signed in user. |
| Sites.Read.All | 332a536c-c7ef-4017-ab91-336970924f0d | Read items in all site collections | Allows the app to read documents and list items in all site collections without a signed in user. |
| Sites.ReadWrite.All | 9492366f-7969-46a4-8d15-ed1a20078fff | Read and write items in all site collections | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user. |
| Sites.Selected | 883ea226-0bf2-4a8f-9f9d-92c9162a727d | Access selected site collections | Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online. |
| Team.Create | 23fc2474-f741-46ce-8465-674744c5c361 | Create teams | Allows the app to create teams without a signed-in user. |
| Team.ReadBasic.All | 2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e | Get a list of all teams | Get a list of all teams, without a signed-in user. |
| TeamMember.Read.All | 660b7406-55f1-41ca-a0ed-0b035e182f3e | Read the members of all teams | Read the members of all teams, without a signed-in user. |
| TeamMember.ReadWrite.All | 0121dc95-1b9f-4aed-8bac-58c5ac466691 | Add and remove members from all teams | Add and remove members from all teams, without a signed-in user. Also allows changing a team member’s role, for example from owner to non-owner. |
| TeamMember.ReadWriteNonOwnerRole.All | 4437522e-9a86-4a41-a7da-e380edd4a97d | Add and remove members with non-owner role for all teams | Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role. |
| TeamSettings.Read.All | 242607bd-1d2c-432c-82eb-bdb27baa23ab | Read all teams’ settings | Read all team’s settings, without a signed-in user. |
| TeamSettings.ReadWrite.All | bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f | Read and change all teams’ settings | Read and change all teams’ settings, without a signed-in user. |
| TeamsActivity.Read.All | 70dec828-f620-4914-aa83-a29117306807 | Read all users’ teamwork activity feed | Allows the app to read all users’ teamwork activity feed, without a signed-in user. |
| TeamsActivity.Send | a267235f-af13-44dc-8385-c1dc93023186 | Send a teamwork activity to any user | Allows the app to create new notifications in users’ teamwork activity feeds without a signed in user. These notifications may not be discoverable or be held or governed by compliance policies. |
| TeamsApp.Read.All | afdb422a-4b2a-4e07-a708-8ceed48196bf | Read all users’ installed Teams apps | Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. |
| TeamsApp.ReadWrite.All | eb6b3d76-ed75-4be6-ac36-158d04c0a555 | Manage all users’ Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read or write application-specific settings. |
| TeamsAppInstallation.ReadForChat.All | cc7e7635-2586-41d6-adaa-a8d3bcad5ee5 | Read installed Teams apps for all chats | Allows the app to read the Teams apps that are installed in any chat, without a signed-in user. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadForTeam.All | 1f615aea-6bf9-4b05-84bd-46388e138537 | Read installed Teams apps for all teams | Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadForUser.All | 9ce09611-f4f7-4abd-a629-a05450422a97 | Read installed Teams apps for all users | Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadWriteForChat.All | 9e19bae1-2623-4c4f-ab6e-2664615ff9a0 | Manage Teams apps for all chats | Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadWriteForTeam.All | 5dad17ba-f6cc-4954-a5a2-a0dcc95154f0 | Manage Teams apps for all teams | Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadWriteForUser.All | 74ef0291-ca83-4d02-8c7e-d2391e6a444f | Manage Teams apps for all users | Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadWriteSelfForChat.All | 73a45059-f39c-4baf-9182-4954ac0e55cf | Allow the Teams app to manage itself for all chats | Allows a Teams app to read, install, upgrade, and uninstall itself for any chat, without a signed-in user. |
| TeamsAppInstallation.ReadWriteSelfForTeam.All | 9f67436c-5415-4e7f-8ac1-3014a7132630 | Allow the Teams app to manage itself for all teams | Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user. |
| TeamsAppInstallation.ReadWriteSelfForUser.All | 908de74d-f8b2-4d6b-a9ed-2a17b3b78179 | Allow the app to manage itself for all users | Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user. |
| TeamsTab.Create | 49981c42-fd7b-4530-be03-e77b21aed25e | Create tabs in Microsoft Teams. | Allows the app to create tabs in any team in Microsoft Teams, without a signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. |
| TeamsTab.Read.All | 46890524-499a-4bb2-ad64-1476b4f3e1cf | Read tabs in Microsoft Teams. | Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. |
| TeamsTab.ReadWrite.All | a96d855f-016b-47d7-b51c-1218a98d791c | Read and write tabs in Microsoft Teams. | Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs. |
| TeamsTab.ReadWriteForChat.All | fd9ce730-a250-40dc-bd44-8dc8d20f39ea | Allow the Teams app to manage all tabs for all chats | Allows a Teams app to read, install, upgrade, and uninstall all tabs for any chat, without a signed-in user. |
| TeamsTab.ReadWriteForTeam.All | 6163d4f4-fbf8-43da-a7b4-060fe85ed148 | Allow the Teams app to manage all tabs for all teams | Allows a Teams app to read, install, upgrade, and uninstall all tabs in any team, without a signed-in user. |
| TeamsTab.ReadWriteForUser.All | 425b4b59-d5af-45c8-832f-bb0b7402348a | Allow the app to manage all tabs for all users | Allows a Teams app to read, install, upgrade, and uninstall all tabs for any user, without a signed-in user. |
| Teamwork.Migrate.All | dfb0dd15-61de-45b2-be36-d6a69fba3c79 | Create chat and channel messages with anyone’s identity and with any timestamp | Allows the app to create chat and channel messages, without a signed in user. The app specifies which user appears as the sender, and can backdate the message to appear as if it was sent long ago. The messages can be sent to any chat or channel in the organization. |
| TeamworkTag.Read.All | b74fd6c4-4bde-488e-9695-eeb100e4907f | Read tags in Teams | Allows the app to read tags in Teams without a signed-in user. |
| TeamworkTag.ReadWrite.All | a3371ca5-911d-46d6-901c-42c8c7a937d8 | Read and write tags in Teams | Allows the app to read and write tags in Teams without a signed-in user. |
| TermStore.Read.All | ea047cc2-df29-4f3e-83a3-205de61501ca | Read all term store data | Allows the app to read all term store data, without a signed-in user. This includes all sets, groups and terms in the term store. |
| TermStore.ReadWrite.All | f12eb8d6-28e3-46e6-b2c0-b7e4dc69fc95 | Read and write all term store data | Allows the app to read, edit or write all term store data, without a signed-in user. This includes all sets, groups and terms in the term store. |
| ThreatAssessment.Read.All | f8f035bb-2cce-47fb-8bf5-7baf3ecbee48 | Read threat assessment requests | Allows an app to read your organization’s threat assessment requests, without a signed-in user. |
| ThreatIndicators.Read.All | 197ee4e9-b993-4066-898f-d6aecc55125b | Read all threat indicators | Allows the app to read all the indicators for your organization, without a signed-in user. |
| ThreatIndicators.ReadWrite.OwnedBy | 21792b6c-c986-4ffc-85de-df9da54b52fa | Manage threat indicators this app creates or owns | Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), without a signed-in user. It cannot update any threat indicators it does not own. |
| TrustFrameworkKeySet.Read.All | fff194f1-7dce-4428-8301-1badb5518201 | Read trust framework key sets | Allows the app to read trust framework key set properties without a signed-in user. |
| TrustFrameworkKeySet.ReadWrite.All | 4a771c9a-1cf2-4609-b88e-3d3e02d539cd | Read and write trust framework key sets | Allows the app to read and write trust framework key set properties without a signed-in user. |
| User.Export.All | 405a51b5-8d8d-430b-9842-8be4b0e9f324 | Export user’s data | Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator). |
| User.Invite.All | 09850681-111b-4a89-9bed-3f2cae46d706 | Invite guest users to the organization | Allows the app to invite guest users to the organization, without a signed-in user. |
| User.ManageIdentities.All | c529cfca-c91b-489c-af2b-d92990b66ce6 | Manage all users’ identities | Allows the app to read, update and delete identities that are associated with a user’s account, without a signed in user. This controls the identities users can sign-in with. |
| User.Read.All | df021288-bdef-4463-88db-98f22de89214 | Read all users’ full profiles | Allows the app to read user profiles without a signed in user. |
| User.ReadWrite.All | 741f803b-c850-494e-b5df-cde7c675a1ca | Read and write all users’ full profiles | Allows the app to read and update user profiles without a signed in user. |
| UserAuthenticationMethod.Read.All | 38d9df27-64da-44fd-b7c5-a6fbac20248f | Read all users’ authentication methods | Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. |
| UserAuthenticationMethod.ReadWrite.All | 50483e42-d915-4231-9639-7fdb7fd190e5 | Read and write all users’ authentication methods | Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods |
| UserNotification.ReadWrite.CreatedByApp | 4e774092-a092-48d1-90bd-baad67c7eb47 | Deliver and manage all user’s notifications | Allows the app to send, read, update and delete user’s notifications, without a signed-in user. |
| UserShiftPreferences.Read.All | de023814-96df-4f53-9376-1e2891ef5a18 | Read all user shift preferences | Allows the app to read all users’ shift schedule preferences without a signed-in user. |
| UserShiftPreferences.ReadWrite.All | d1eec298-80f3-49b0-9efb-d90e224798ac | Read and write all user shift preferences | Allows the app to manage all users’ shift schedule preferences without a signed-in user. |
| WindowsUpdates.ReadWrite.All | 7dd1be58-6e76-4401-bf8d-31d1e8180d5b | Read and write all Windows update deployment settings | Allows the app to read and write all Windows update deployment settings for the organization without a signed-in user. |
| WorkforceIntegration.ReadWrite.All | 202bf709-e8e6-478e-bcfd-5d63c50b68e3 | Read and write workforce integrations | Allows the app to manage workforce integrations to synchronize data from Microsoft Teams Shifts, without a signed-in user. |
Scope permissions
| Scope Name | ID | Admin Display Name | Admin Description | User Display Name | User Description |
|---|---|---|---|---|---|
| APIConnectors.Read.All | 1b6ff35f-31df-4332-8571-d31ea5a4893f | Read API connectors for authentication flows | Allows the app to read the API connectors used in user authentication flows, on behalf of the signed-in user. | Read API connectors for authentication flows | Allows the app to read the API connectors used in user authentication flows, on your behalf. |
| APIConnectors.ReadWrite.All | c67b52c5-7c69-48b6-9d48-7b3af3ded914 | Read and write API connectors for authentication flows | Allows the app to read, create and manage the API connectors used in user authentication flows, on behalf of the signed-in user. | Read and write API connectors for authentication flows | Allows the app to read, create and manage the API connectors used in user authentication flows, on your behalf. |
| AccessReview.Read.All | ebfcd32b-babb-40f4-a14b-42706e83bd28 | Read all access reviews that user can access | Allows the app to read access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization. | Read access reviews that you can access | Allows the app to read information on access reviews, reviewers, decisions and settings that you have access to. |
| AccessReview.ReadWrite.All | e4aa47b9-9a69-4109-82ed-36ec70d85ff1 | Manage all access reviews that user can access | Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization. | Manage access reviews that you can access | Allows the app to read, update and perform action on access reviews, reviewers, decisions and settings that you have access to. |
| AccessReview.ReadWrite.Membership | 5af8c3f5-baca-439a-97b0-ea58a435e269 | Manage access reviews for group and app memberships | Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings for group and app memberships that the signed-in user has access to in the organization. | Manage access reviews for group and app memberships | Allows the app to read, update and perform action on access reviews, reviewers, decisions and settings that you have access to. |
| AdministrativeUnit.Read.All | 3361d15d-be43-4de6-b441-3c746d05163d | Read administrative units | Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user. | Read administrative units | Allows the app to read administrative units and administrative unit membership on your behalf. |
| AdministrativeUnit.ReadWrite.All | 7b8a2d34-6b3f-4542-a343-54651608ad81 | Read and write administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. | Read and write administrative units | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on your behalf. |
| Agreement.Read.All | af2819c9-df71-4dd3-ade7-4d7c9dc653b7 | Read all terms of use agreements | Allows the app to read terms of use agreements on behalf of the signed-in user. | Read all terms of use agreements | Allows the app to read terms of use agreements on your behalf. |
| Agreement.ReadWrite.All | ef4b5d93-3104-4664-9053-a5c49ab44218 | Read and write all terms of use agreements | Allows the app to read and write terms of use agreements on behalf of the signed-in user. | Read and write all terms of use agreements | Allows the app to read and write terms of use agreements on your behalf. |
| AgreementAcceptance.Read | 0b7643bb-5336-476f-80b5-18fbfbc91806 | Read user terms of use acceptance statuses | Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. | Read your terms of use acceptance statuses | Allows the app to read your terms of use acceptance statuses. |
| AgreementAcceptance.Read.All | a66a5341-e66e-4897-9d52-c2df58c2bfb9 | Read terms of use acceptance statuses that user can access | Allows the app to read terms of use acceptance statuses on behalf of the signed-in user. | Read all terms of use acceptance statuses | Allows the app to read terms of use acceptance statuses on your behalf. |
| Analytics.Read | e03cf23f-8056-446a-8994-7d93dfc8b50e | Read user activity statistics | Allows the app to read the signed-in user’s activity statistics, such as how much time the user has spent on emails, in meetings, or in chat sessions. | Read your activity statistics | Allows the app to read your activity statistics, such as how much time you’ve spent on emails, in meetings, or in chat sessions. |
| AppCatalog.Read.All | 88e58d74-d3df-44f3-ad47-e89edf4472e4 | Read all app catalogs | Allows the app to read the apps in the app catalogs. | Read all app catalogs | Allows the app to read apps in the app catalogs. |
| AppCatalog.ReadWrite.All | 1ca167d5-1655-44a1-8adf-1414072e1ef9 | Read and write to all app catalogs | Allows the app to create, read, update, and delete apps in the app catalogs. | Read and write to all app catalogs | Allows the app to create, read, update, and delete apps in the app catalogs. |
| AppCatalog.Submit | 3db89e36-7fa6-4012-b281-85f3d9d9fd2e | Submit application packages to the catalog and cancel pending submissions | Allows the app to submit application packages to the catalog and cancel submissions that are pending review on behalf of the signed-in user. | Submit application packages to your organization’s catalog and cancel pending submissions | Allows the app to submit application packages to the catalog and cancel submissions that are pending review on your behalf. |
| AppRoleAssignment.ReadWrite.All | 84bccea3-f856-4a8a-967b-dbe0a3d53a64 | Manage app permission grants and app role assignments | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | Manage app permission grants and app role assignments | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on your behalf. |
| Application.Read.All | c79f8feb-a9db-4090-85f9-90d820caa0eb | Read applications | Allows the app to read applications and service principals on behalf of the signed-in user. | Read applications | Allows the app to read applications and service principals on your behalf. |
| Application.ReadWrite.All | bdfbf15f-ee85-4955-8675-146e8e5296b5 | Read and write all applications | Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. Does not allow management of consent grants. | Read and write applications | Allows the app to create, read, update and delete applications and service principals on your behalf. Does not allow management of consent grants. |
| Approval.Read.All | 1196552e-b226-4363-b01e-b8901fe10a11 | Read approvals | Allows the app to read approvals on behalf of the signed-in user. | Read approvals | Allows the app to read approvals on your behalf. |
| Approval.ReadWrite.All | 1d3d0bc7-4b3a-427a-ae9f-6de4e1edc95f | Read and write approvals | Allows the app to read and write approvals on behalf of the signed-in user. | Read and write approvals | Allows the app to read and write approvals on your behalf. |
| ApprovalRequest.Read.AdminConsentRequest | fad55eff-94e6-4517-9859-439301f0bad2 | Read admin consent approval requests | Allows the app to read admin consent requests, business flows, and governance policy templates on behalf of the signed-in user. | Read admin consent approval requests | Allows the app to read admin consent requests, business flows, and governance policy templates on your behalf. |
| ApprovalRequest.Read.CustomerLockbox | 8123bef2-defe-4f3a-8d33-02baa9e6fcfc | Read customer lockbox approval requests | Allows the app to read customer lockbox requests, business flows and governance policy templates on behalf of the signed-in user. | Read customer lockbox approval requests | Allows the app to read customer lockbox requests, business flows and governance policy templates on your behalf. |
| ApprovalRequest.Read.EntitlementManagement | 95b85e04-9c5c-4554-a3ad-2e933c8a81cd | Read entitlement management approval requests | Allows the app to read entitlement management requests, business flows, and governance policy templates on behalf of the signed-in user. | Read entitlement management approval requests | Allows the app to read entitlement management requests, business flows, and governance policy templates on your behalf. |
| ApprovalRequest.Read.PriviligedAccess | 31df746c-3cfa-4b19-b243-36a6fb2b6a66 | Read privileged access approval requests | Allows the app to read privileged access requests, business flows, and governance policy templates on behalf of the signed-in user. | Read privileged access approval requests | Allows the app to read privileged access requests, business flows, and governance policy templates on your behalf. |
| ApprovalRequest.ReadWrite.AdminConsentRequest | 0c940179-817f-401c-9a44-277f3fc38e2b | Read and write admin consent approval requests | Allows the app to read and write admin consent requests, business flows, and governance policy templates on behalf of the signed-in user. | Read and write admin consent approval requests | Allows the app to read and write admin consent requests, business flows, and governance policy templates on your behalf. |
| ApprovalRequest.ReadWrite.CustomerLockbox | 115b3477-4404-4685-a45d-4cf6a6092533 | Read and write customer lockbox approval requests | Allows the app to read and write admin consent requests, business flows, and governance policy templates on behalf of the signed-in user. | Read and write customer lockbox approval requests | Allows the app to read and write customer lockbox requests, business flows and governance policy templates on your behalf. |
| ApprovalRequest.ReadWrite.EntitlementManagement | 15dc7bc3-a26c-40b1-8b58-b2a764eb06c1 | Read and write entitlement management approval requests | Allows the app to read and write entitlement management requests, business flows, and governance policy templates on behalf of the signed-in user. | Read and write entitlement management approval requests | Allows the app to read and write entitlement management requests, business flows, and governance policy templates on your behalf. |
| ApprovalRequest.ReadWrite.PriviligedAccess | 51e5d7dc-745e-4986-aa03-63d64036a7a5 | Read and write privileged access approval requests | Allows the app to read and write privileged access requests, business flows, and governance policy templates on behalf of the signed-in user. | Read and write privileged access approval requests | Allows the app to read and write privileged access requests, business flows, and governance policy templates on your behalf. |
| AuditLog.Read.All | e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20 | Read audit log data | Allows the app to read and query your audit log activities, on behalf of the signed-in user. | Read audit log data | Allows the app to read and query your audit log activities, on your behalf. |
| BitlockerKey.Read.All | b27a61ec-b99c-4d6a-b126-c4375d08ae30 | Read BitLocker keys | Allows the app to read BitLocker keys on behalf of the signed-in user, for their owned devices. Allows read of the recovery key. | Read your BitLocker keys | Allows the app to read BitLocker keys for your owned devices. Allows read of the recovery key. |
| BitlockerKey.ReadBasic.All | 5a107bfc-4f00-4e1a-b67e-66451267bc68 | Read BitLocker keys basic information | Allows the app to read basic BitLocker key properties on behalf of the signed-in user, for their owned devices. Does not allow read of the recovery key itself. | Read your BitLocker keys basic information | Allows the app to read basic BitLocker key properties for your owned devices. Does not allow read of the recovery key itself. |
| Bookings.Manage.All | 7f36b48e-542f-4d3b-9bcb-8406f0ab9fdb | Manage bookings information | Allows an app to read, write and manage bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. | Manage bookings information | Allows an app to read, write and manage bookings appointments, businesses, customers, services, and staff on your behalf. |
| Bookings.Read.All | 33b1df99-4b29-4548-9339-7a7b83eaeebc | Read bookings information | Allows an app to read bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. | Read bookings information | Allows an app to read bookings appointments, businesses, customers, services, and staff on your behalf. |
| Bookings.ReadWrite.All | 948eb538-f19d-4ec5-9ccc-f059e1ea4c72 | Read and write bookings information | Allows an app to read and write bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete and publish of booking businesses. | Read and write bookings information | Allows an app to read and write Bookings appointments, businesses, customers, services, and staff on your behalf. Does not allow create, delete and publish of booking businesses. |
| BookingsAppointment.ReadWrite.All | 02a5a114-36a6-46ff-a102-954d89d9ab02 | Read and write booking appointments | Allows an app to read and write bookings appointments and customers, and additionally allows read businesses information, services, and staff on behalf of the signed-in user. | Read and write booking appointments | Allows an app to read and write bookings appointments and customers, and additionally allows read businesses information, services, and staff on your behalf. |
| Calendars.Read | 465a38f9-76ea-45b9-9f34-9e8b0d4b0b42 | Read user calendars | Allows the app to read events in user calendars . | Read your calendars | Allows the app to read events in your calendars. |
| Calendars.Read.Shared | 2b9c4092-424d-4249-948d-b43879977640 | Read user and shared calendars | Allows the app to read events in all calendars that the user can access, including delegate and shared calendars. | Read calendars you can access | Allows the app to read events in all calendars that you can access, including delegate and shared calendars. |
| Calendars.ReadWrite | 1ec239c2-d7c9-4623-a91a-a9775856bb36 | Have full access to user calendars | Allows the app to create, read, update, and delete events in user calendars. | Have full access to your calendars | Allows the app to read, update, create and delete events in your calendars. |
| Calendars.ReadWrite.Shared | 12466101-c9b8-439a-8589-dd09ee67e8e9 | Read and write user and shared calendars | Allows the app to create, read, update and delete events in all calendars in the organization user has permissions to access. This includes delegate and shared calendars. | Read and write to your and shared calendars | Allows the app to read, update, create and delete events in all calendars in your organization you have permissions to access. This includes delegate and shared calendars. |
| Channel.Create | 101147cf-4178-4455-9d58-02b5c164e759 | Create channels | Create channels in any team, on behalf of the signed-in user. | Create channels | Create channels in any team, on your behalf. |
| Channel.Delete.All | cc83893a-e232-4723-b5af-bd0b01bcfe65 | Delete channels | Delete channels in any team, on behalf of the signed-in user. | Delete channels | Delete channels in any team, on your behalf. |
| Channel.ReadBasic.All | 9d8982ae-4365-4f57-95e9-d6032a4c0b87 | Read the names and descriptions of channels | Read channel names and channel descriptions, on behalf of the signed-in user. | Read the names and descriptions of channels | Read channel names and channel descriptions, on your behalf. |
| ChannelMember.Read.All | 2eadaff8-0bce-4198-a6b9-2cfc35a30075 | Read the members of channels | Read the members of channels, on behalf of the signed-in user. | Read the members of teams and channels | Read the members of channels, on your behalf. |
| ChannelMember.ReadWrite.All | 0c3e411a-ce45-4cd1-8f30-f99a3efa7b11 | Add and remove members from channels | Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member’s role, for example from owner to non-owner. | Add and remove members from teams and channels | Add and remove members from channels, on your behalf. Also allows changing a member’s role, for example from owner to non-owner. |
| ChannelMessage.Delete | 32ea53ac-4a89-4cde-bac4-727c6fb9ac29 | Delete user’s channel messages | Allows an app to delete channel messages in Microsoft Teams, on behalf of the signed-in user. | Delete your channel messages | Allows the app to delete channel messages in Microsoft Teams, on your behalf. |
| ChannelMessage.Edit | 2b61aa8a-6d36-4b2f-ac7b-f29867937c53 | Edit user’s channel messages | Allows an app to edit channel messages in Microsoft Teams, on behalf of the signed-in user. | Edit your channel messages | Allows the app to edit channel messages in Microsoft Teams, on your behalf. |
| ChannelMessage.Read.All | 767156cb-16ae-4d10-8f8b-41b657c8c8c8 | Read user channel messages | Allows an app to read a channel’s messages in Microsoft Teams, on behalf of the signed-in user. | Read your channel messages | Allows the app to read a channel’s messages in Microsoft Teams, on your behalf. |
| ChannelMessage.Send | ebf0f66e-9fb1-49e4-a278-222f76911cf4 | Send channel messages | Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user. | Send channel messages | Allows the app to send channel messages in Microsoft Teams, on your behalf. |
| ChannelSettings.Read.All | 233e0cf1-dd62-48bc-b65b-b38fe87fcf8e | Read the names, descriptions, and settings of channels | Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user. | Read the names, descriptions, and settings of channels | Read all channel names, channel descriptions, and channel settings, on your behalf. |
| ChannelSettings.ReadWrite.All | d649fb7c-72b4-4eec-b2b4-b15acf79e378 | Read and write the names, descriptions, and settings of channels | Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user. | Read and write the names, descriptions, and settings of channels | Read and write the names, descriptions, and settings of all channels, on your behalf. |
| Chat.Create | 38826093-1258-4dea-98f0-00003be2b8d0 | Create chats | Allows the app to create chats on behalf of the signed-in user. | Create chats | Allows the app to create chats on your behalf. |
| Chat.Read | f501c180-9344-439a-bca0-6cbf209fd270 | Read user chat messages | Allows an app to read 1 on 1 or group chats threads, on behalf of the signed-in user. | Read your chat messages | Allows an app to read your 1 on 1 or group chat messages in Microsoft Teams, on your behalf. |
| Chat.ReadBasic | 9547fcb5-d03f-419d-9948-5928bbf71b0f | Read names and members of user chat threads | Allows an app to read the members and descriptions of one-to-one and group chat threads, on behalf of the signed-in user. | Read names and members of your chat threads | Allows an app to read the members and descriptions of one-to-one and group chat threads, on your behalf. |
| Chat.ReadWrite | 9ff7295e-131b-4d94-90e1-69fde507ac11 | Read and write user chat messages | Allows an app to read and write 1 on 1 or group chats threads, on behalf of the signed-in user. | Read and write your chat messages | Allows an app to read and write your 1 on 1 or group chat messages in Microsoft Teams, on your behalf. |
| ChatMember.Read | c5a9e2b1-faf6-41d4-8875-d381aa549b24 | Read the members of chats | Read the members of chats, on behalf of the signed-in user. | Read the members of chats | Read the members of chats, on your behalf. |
| ChatMember.ReadWrite | dea13482-7ea6-488f-8b98-eb5bbecf033d | Add and remove members from chats | Add and remove members from chats, on behalf of the signed-in user. | Add and remove members from chats | Add and remove members from chats, on your behalf. |
| ChatMessage.Read | cdcdac3a-fd45-410d-83ef-554db620e5c7 | Read user chat messages | Allows an app to read one-to-one and group chat messages, on behalf of the signed-in user. | Read user chat messages | Allows an app to read one-to-one or group chat messages in Microsoft Teams, on your behalf. |
| ChatMessage.Send | 116b7235-7cc6-461e-b163-8e55691d839e | Send user chat messages | Allows an app to send one-to-one and group chat messages in Microsoft Teams, on behalf of the signed-in user. | Send chat messages | Allows an app to send one-to-one and group chat messages in Microsoft Teams, on your behalf. |
| CloudPC.Read.All | 5252ec4e-fd40-4d92-8c68-89dd1d3c6110 | Read Cloud PCs | Allows the app to read the properties of Cloud PCs on behalf of the signed-in user. | Read Cloud PCs | Allows the app to read the properties of Cloud PCs, on your behalf. |
| CloudPC.ReadWrite.All | 9d77138f-f0e2-47ba-ab33-cd246c8b79d1 | Read and write Cloud PCs | Allows the app to read and write the properties of Cloud PCs on behalf of the signed-in user. | Read and write Cloud PCs | Allows the app to read and write the properties of Cloud PCs, on your behalf. |
| ConsentRequest.Read.All | f3bfad56-966e-4590-a536-82ecf548ac1e | Read consent requests | Allows the app to read consent requests and approvals on behalf of the signed-in user. | Read consent requests | Allows the app to read consent requests and approvals, on your behalf. |
| ConsentRequest.ReadWrite.All | 497d9dfa-3bd1-481a-baab-90895e54568c | Read and write consent requests | Allows the app to read app consent requests and approvals, and deny or approve those requests on behalf of the signed-in user. | Read and write consent requests | Allows the app to read app consent requests for your approval, and deny or approve those request on your behalf. |
| Contacts.Read | ff74d97f-43af-4b68-9f2a-b77ee6968c5d | Read user contacts | Allows the app to read user contacts. | Read your contacts | Allows the app to read contacts in your contact folders. |
| Contacts.Read.Shared | 242b9d9e-ed24-4d09-9a52-f43769beb9d4 | Read user and shared contacts | Allows the app to read contacts a user has permissions to access, including their own and shared contacts. | Read your and shared contacts | Allows the app to read contacts you have permissions to access, including your own and shared contacts. |
| Contacts.ReadWrite | d56682ec-c09e-4743-aaf4-1a3aac4caa21 | Have full access to user contacts | Allows the app to create, read, update, and delete user contacts. | Have full access of your contacts | Allows the app to read, update, create and delete contacts in your contact folders. |
| Contacts.ReadWrite.Shared | afb6c84b-06be-49af-80bb-8f3f77004eab | Read and write user and shared contacts | Allows the app to create, read, update, and delete contacts a user has permissions to, including their own and shared contacts. | Read and write to your and shared contacts | Allows the app to read, update, create, and delete contacts you have permissions to access, including your own and shared contacts. |
| CustomSecAttributeAssignment.ReadWrite.All | ca46335e-8453-47cd-a001-8459884efeae | Read and write custom security attribute assignments | Allows the app to read and write custom security attribute assignments for all principals in the tenant on behalf of a signed in user. | Read and write custom security attribute assignments | Allows the app to read and write custom security attribute assignments for all principals in the tenant on your behalf. |
| CustomSecAttributeDefinition.ReadWrite.All | 8b0160d4-5743-482b-bb27-efc0a485ca4a | Read and write custom security attribute definitions | Allows the app to read and write custom security attribute definitions for the tenant on behalf of a signed in user. | Read and write custom security attribute definitions | Allows the app to read and write custom security attribute definitions for the tenant on your behalf. |
| DelegatedPermissionGrant.ReadWrite.All | 41ce6ca6-6826-4807-84f1-1c82854f7ee5 | Manage all delegated permission grants | Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on behalf of the signed in user. | Manage all delegated permission grants | Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on your behalf. |
| Device.Command | bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804 | Communicate with user devices | Allows the app to launch another app or communicate with another app on a user’s device on behalf of the signed-in user. | Communicate with your other devices | Allows the app to launch another app or communicate with another app on a device that you own. |
| Device.Read | 11d4cd79-5ba5-460f-803f-e22c8ab85ccd | Read user devices | Allows the app to read a user’s list of devices on behalf of the signed-in user. | View your list of devices | Allows the app to see your list of devices. |
| Device.Read.All | 951183d1-1a61-466f-a6d1-1fde911bfd95 | Read all devices | Allows the app to read your organization’s devices’ configuration information on behalf of the signed-in user. | Read all devices | Allows the app to read devices’ configuration information on your behalf. |
| DeviceManagementApps.Read.All | 4edf5f54-4666-44af-9de9-0144fb4b6e8c | Read Microsoft Intune apps | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | Read Microsoft Intune apps | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. |
| DeviceManagementApps.ReadWrite.All | 7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af | Read and write Microsoft Intune apps | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | Read and write Microsoft Intune apps | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. |
| DeviceManagementConfiguration.Read.All | f1493658-876a-4c87-8fa7-edb559b3476a | Read Microsoft Intune Device Configuration and Policies | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Read Microsoft Intune Device Configuration and Policies | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. |
| DeviceManagementConfiguration.ReadWrite.All | 0883f392-0a7a-443d-8c76-16a6d39c7b63 | Read and write Microsoft Intune Device Configuration and Policies | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Read and write Microsoft Intune Device Configuration and Policies | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. |
| DeviceManagementManagedDevices.PrivilegedOperations.All | 3404d2bf-2b13-457e-a330-c24615765193 | Perform user-impacting remote actions on Microsoft Intune devices | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. | Perform user-impacting remote actions on Microsoft Intune devices | Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. |
| DeviceManagementManagedDevices.Read.All | 314874da-47d6-4978-88dc-cf0d37f0bb82 | Read Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune. | Read devices Microsoft Intune devices | Allows the app to read the properties of devices managed by Microsoft Intune. |
| DeviceManagementManagedDevices.ReadWrite.All | 44642bfe-8385-4adc-8fc6-fe3cb2c375c3 | Read and write Microsoft Intune devices | Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device’s owner. | Read and write Microsoft Intune devices | Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device’s owner. |
| DeviceManagementRBAC.Read.All | 49f0cc30-024c-4dfd-ab3e-82e137ee5431 | Read Microsoft Intune RBAC settings | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | Read Microsoft Intune RBAC settings | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. |
| DeviceManagementRBAC.ReadWrite.All | 0c5e8a55-87a6-4556-93ab-adc52c4d862d | Read and write Microsoft Intune RBAC settings | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | Read and write Microsoft Intune RBAC settings | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. |
| DeviceManagementServiceConfig.Read.All | 8696daa5-bce5-4b2e-83f9-51b6defc4e1e | Read Microsoft Intune configuration | Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration. | Read Microsoft Intune configuration | Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration. |
| DeviceManagementServiceConfig.ReadWrite.All | 662ed50a-ac44-4eef-ad86-62eed9be2a29 | Read and write Microsoft Intune configuration | Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration. | Read and write Microsoft Intune configuration | Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration. |
| Directory.AccessAsUser.All | 0e263e50-5827-48a4-b97c-d940288653c7 | Access directory as the signed in user | Allows the app to have the same access to information in the directory as the signed-in user. | Access the directory as you | Allows the app to have the same access to information in your work or school directory as you do. |
| Directory.Read.All | 06da0dbc-49e2-44d2-8312-53f166ab848a | Read directory data | Allows the app to read data in your organization’s directory, such as users, groups and apps. | Read directory data | Allows the app to read data in your organization’s directory. |
| Directory.ReadWrite.All | c5366453-9fb0-48a5-a156-24f0c49a4b84 | Read and write directory data | Allows the app to read and write data in your organization’s directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords. | Read and write directory data | Allows the app to read and write data in your organization’s directory, such as other users, groups. It does not allow the app to delete users or groups, or reset user passwords. |
| Domain.Read.All | 2f9ee017-59c1-4f1d-9472-bd5529a7b311 | Read domains. | Allows the app to read all domain properties on behalf of the signed-in user. | Read domains. | Allows the app to read all domain properties on your behalf. |
| Domain.ReadWrite.All | 0b5d694c-a244-4bde-86e6-eb5cd07730fe | Read and write domains | Allows the app to read and write all domain properties on behalf of the signed-in user. Also allows the app to add, verify and remove domains. | Read and write domains | Allows the app to read and write all domain properties on your behalf. Also allows the app to add, verify and remove domains. |
| EAS.AccessAsUser.All | ff91d191-45a0-43fd-b837-bd682c4a0b0f | Access mailboxes via Exchange ActiveSync | Allows the app to have the same access to mailboxes as the signed-in user via Exchange ActiveSync. | Access your mailboxes | Allows the app full access to your mailboxes on your behalf. |
| EWS.AccessAsUser.All | 9769c687-087d-48ac-9cb3-c37dde652038 | Access mailboxes as the signed-in user via Exchange Web Services | Allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services. | Access your mailboxes | Allows the app full access to your mailboxes on your behalf. |
| EduAdministration.Read | 8523895c-6081-45bf-8a5d-f062a2f12c9f | Read education app settings | Read the state and settings of all Microsoft education apps on behalf of the user. | View your education app settings | Allows the app to view the state and settings of all Microsoft education apps on your behalf. |
| EduAdministration.ReadWrite | 63589852-04e3-46b4-bae9-15d5b1050748 | Manage education app settings | Manage the state and settings of all Microsoft education apps on behalf of the user. | Manage your education app settings | Allows the app to manage the state and settings of all Microsoft education apps on your behalf. |
| EduAssignments.Read | 091460c9-9c4a-49b2-81ef-1f3d852acce2 | Read users’ class assignments and their grades | Allows the app to read assignments and their grades on behalf of the user. | View your assignments and grades | Allows the app to view your assignments on your behalf including grades. |
| EduAssignments.ReadBasic | c0b0103b-c053-4b2e-9973-9f3a544ec9b8 | Read users’ class assignments without grades | Allows the app to read assignments without grades on behalf of the user. | View your assignments without grades | Allows the app to view your assignments on your behalf without seeing grades. |
| EduAssignments.ReadWrite | 2f233e90-164b-4501-8bce-31af2559a2d3 | Read and write users’ class assignments and their grades | Allows the app to read and write assignments and their grades on behalf of the user. | View and modify your assignments and grades | Allows the app to view and modify your assignments on your behalf including grades. |
| EduAssignments.ReadWriteBasic | 2ef770a1-622a-47c4-93ee-28d6adbed3a0 | Read and write users’ class assignments without grades | Allows the app to read and write assignments without grades on behalf of the user. | View and modify your assignments without grades | Allows the app to view and modify your assignments on your behalf without seeing grades. |
| EduRoster.Read | a4389601-22d9-4096-ac18-36a927199112 | Read users’ view of the roster | Allows the app to read the structure of schools and classes in an organization’s roster and education-specific information about users to be read on behalf of the user. | View your school, class and user information | Allows the app to view information about schools and classes in your organization and education-related information about you and other users on your behalf. |
| EduRoster.ReadBasic | 5d186531-d1bf-4f07-8cea-7c42119e1bd9 | Read a limited subset of users’ view of the roster | Allows the app to read a limited subset of the properties from the structure of schools and classes in an organization’s roster and a limited subset of properties about users to be read on behalf of the user. Includes name, status, education role, email address and photo. | View a limited subset of your school, class and user information | Allows the app to view minimal information about both schools and classes in your organization and education-related information about you and other users on your behalf. |
| EduRoster.ReadWrite | 359e19a6-e3fa-4d7f-bcab-d28ec592b51e | Read and write users’ view of the roster | Allows the app to read and write the structure of schools and classes in an organization’s roster and education-specific information about users to be read and written on behalf of the user. | View and modify your school, class and user information | Allows the app to view and modify information about schools and classes in your organization and education-related information about you and other users on your behalf. |
| EntitlementManagement.Read.All | 5449aa12-1393-4ea2-a7c7-d0e06c1a56b2 | Read all entitlement management resources | Allows the app to read access packages and related entitlement management resources on behalf of the signed-in user. | Read all entitlement management resources | Allows the app to read access packages and related entitlement management resources that you have access to. |
| EntitlementManagement.ReadWrite.All | ae7a573d-81d7-432b-ad44-4ed5c9d89038 | Read and write entitlement management resources | Allows the app to request access to and management of access packages and related entitlement management resources on behalf of the signed-in user. | Read and write entitlement management resources | Allows the app to request access to and management of access packages and related entitlement management resources that you have access to. |
| ExternalItem.Read.All | 922f9392-b1b7-483c-a4be-0089be7704fb | Read items in external datasets | Allow the app to read external datasets and content, on behalf of the signed-in user. | Read items in external datasets | Allows the app to read external datasets and content that you have access to. |
| Family.Read | 3a1e4806-a744-4c70-80fc-223bf8582c46 | Read your family info | Allows the app to read your family information, members and their basic profile. | Read your family info | Allows the app to read your family information, members and their basic profile. |
| Files.Read | 10465720-29dd-4523-a11a-6a75c743c9d9 | Read user files | Allows the app to read the signed-in user’s files. | Read your files | Allows the app to read your files. |
| Files.Read.All | df85f4d6-205c-4ac5-a5ea-6bf408dba283 | Read all files that user can access | Allows the app to read all files the signed-in user can access. | Read all files that you have access to | Allows the app to read all files you can access. |
| Files.Read.Selected | 5447fe39-cb82-4c1a-b977-520e67e724eb | Read files that the user selects (preview) | (Preview) Allows the app to read files that the user selects. The app has access for several hours after the user selects a file. | Read selected files | (Preview) Allows the app to read files that you select. After you select a file, the app has access to the file for several hours. |
| Files.ReadWrite | 5c28f0bf-8a70-41f1-8ab2-9032436ddb65 | Have full access to user files | Allows the app to read, create, update and delete the signed-in user’s files. | Have full access to your files | Allows the app to read, create, update, and delete your files. |
| Files.ReadWrite.All | 863451e7-0667-486c-a5d6-d135439485f0 | Have full access to all files user can access | Allows the app to read, create, update and delete all files the signed-in user can access. | Have full access to all files you have access to | Allows the app to read, create, update and delete all files that you can access. |
| Files.ReadWrite.AppFolder | 8019c312-3263-48e6-825e-2b833497195b | Have full access to the application’s folder (preview) | (Preview) Allows the app to read, create, update and delete files in the application’s folder. | Have full access to the application’s folder | (Preview) Allows the app to read, create, update and delete files in the application’s folder. |
| Files.ReadWrite.Selected | 17dde5bd-8c17-420f-a486-969730c1b827 | Read and write files that the user selects (preview) | (Preview) Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file. | Read and write selected files | (Preview) Allows the app to read and write files that you select. After you select a file, the app has access to the file for several hours. |
| Financials.ReadWrite.All | f534bf13-55d4-45a9-8f3c-c92fe64d6131 | Read and write financials data | Allows the app to read and write financials data on behalf of the signed-in user. | Read and write financials data | Allows the app to read and write financials data on your behalf. |
| Group.Read.All | 5f8c59db-677d-491f-a6b8-5f174b11ec1d | Read all groups | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. | Read all groups | Allows the app to list groups, and to read their properties and all group memberships on your behalf. Also allows the app to read calendar, conversations, files, and other group content for all groups you can access. |
| Group.ReadWrite.All | 4e46008b-f24c-477d-8fff-7bb4ec7aafe0 | Read and write all groups | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. | Read and write all groups | Allows the app to create groups and read all group properties and memberships on your behalf. Additionally allows the app to manage your groups and to update group content for groups you are a member of. |
| GroupMember.Read.All | bc024368-1153-4739-b217-4326f2e966d0 | Read group memberships | Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to. | Read group memberships | Allows the app to list groups, read basic group properties and read membership of all your groups. |
| GroupMember.ReadWrite.All | f81125ac-d3b7-4573-a3b2-7099cc39df9e | Read and write group memberships | Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted. | Read and write group memberships | Allows the app to list groups, read basic properties, read and update the membership of your groups. Group properties and owners cannot be updated and groups cannot be deleted. |
| IMAP.AccessAsUser.All | 652390e4-393a-48de-9484-05f9b1212954 | Read and write access to mailboxes via IMAP. | Allows the app to have the same access to mailboxes as the signed-in user via IMAP protocol. | Read and write access to your mail. | Allows the app to read, update, create and delete email in your mailbox. Does not include permission to send mail. |
| IdentityProvider.Read.All | 43781733-b5a7-4d1b-98f4-e8edff23e1a9 | Read identity providers | Allows the app to read your organization’s identity (authentication) providers’ properties on behalf of the user. | Read identity providers | Allows the app to read your organization’s identity (authentication) providers’ properties on your behalf. |
| IdentityProvider.ReadWrite.All | f13ce604-1677-429f-90bd-8a10b9f01325 | Read and write identity providers | Allows the app to read and write your organization’s identity (authentication) providers’ properties on behalf of the user. | Read and write identity providers | Allows the app to read and write your organization’s identity (authentication) providers’ properties on your behalf. |
| IdentityRiskEvent.Read.All | 8f6a01e7-0391-4ee5-aa22-a3af122cef27 | Read identity risk event information | Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. | Read identity risk event information | Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. |
| IdentityRiskEvent.ReadWrite.All | 9e4862a5-b68f-479e-848a-4e07e25c9916 | Read and write risk event information | Allows the app to read and update identity risk event information for all users in your organization on behalf of the signed-in user. Update operations include confirming risk event detections. | Read and write risk event information | Allows the app to read and update identity risk event information for all users in your organization on your behalf. Update operations include confirming risk event detections. |
| IdentityRiskyUser.Read.All | d04bb851-cb7c-4146-97c7-ca3e71baf56c | Read identity risky user information | Allows the app to read identity risky user information for all users in your organization on behalf of the signed-in user. | Read identity risky user information | Allows the app to read identity risky user information for all users in your organization on behalf of the signed-in user. |
| IdentityRiskyUser.ReadWrite.All | e0a7cdbb-08b0-4697-8264-0069786e9674 | Read and write risky user information | Allows the app to read and update identity risky user information for all users in your organization on behalf of the signed-in user. Update operations include dismissing risky users. | Read and write identity risky user information | Allows the app to read and update identity risky user information for all users in your organization on your behalf. Update operations include dismissing risky users. |
| IdentityUserFlow.Read.All | 2903d63d-4611-4d43-99ce-a33f3f52e343 | Read all identity user flows | Allows the app to read your organization’s user flows, on behalf of the signed-in user. | Read all identity user flows | Allows the app to read your organization’s user flows, on your behalf. |
| IdentityUserFlow.ReadWrite.All | 281892cc-4dbf-4e3a-b6cc-b21029bb4e82 | Read and write all identity user flows | Allows the app to read or write your organization’s user flows, on behalf of the signed-in user. | Read and write all identity user flows | Allows the app to read or write your organization’s user flows, on your behalf. |
| InformationProtectionPolicy.Read | 4ad84827-5578-4e18-ad7a-86530b12f884 | Read user sensitivity labels and label policies. | Allows an app to read information protection sensitivity labels and label policy settings, on behalf of the signed-in user. | Read user sensitivity labels and label policies. | Allows an app to read information protection sensitivity labels and label policy settings, on behalf of the signed-in user. |
| Mail.Read | 570282fd-fa5c-430d-a7fd-fc8dc98a9dca | Read user mail | Allows the app to read the signed-in user’s mailbox. | Read your mail | Allows the app to read email in your mailbox. |
| Mail.Read.Shared | 7b9103a5-4610-446b-9670-80643382c1fa | Read user and shared mail | Allows the app to read mail a user can access, including their own and shared mail. | Read mail you can access | Allows the app to read mail you can access, including shared mail. |
| Mail.ReadBasic | a4b8392a-d8d1-4954-a029-8e668a39a170 | Read user basic mail | Allows the app to read email in the signed-in user’s mailbox except body, previewBody, attachments and any extended properties. | Read user basic mail | Allows the app to read email in the signed-in user’s mailbox except body, previewBody, attachments and any extended properties. |
| Mail.ReadWrite | 024d486e-b451-40bb-833d-3e66d98c5c73 | Read and write access to user mail | Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. | Read and write access to your mail | Allows the app to read, update, create and delete email in your mailbox. Does not include permission to send mail. |
| Mail.ReadWrite.Shared | 5df07973-7d5d-46ed-9847-1271055cbd51 | Read and write user and shared mail | Allows the app to create, read, update, and delete mail a user has permission to access, including their own and shared mail. Does not include permission to send mail. | Read and write mail you can access | Allows the app to read, update, create, and delete mail you have permission to access, including your own and shared mail. Does not allow the app to send mail on your behalf. |
| Mail.Send | e383f46e-2787-4529-855e-0e479a3ffac0 | Send mail as a user | Allows the app to send mail as users in the organization. | Send mail as you | Allows the app to send mail as you. |
| Mail.Send.Shared | a367ab51-6b49-43bf-a716-a1fb06d2a174 | Send mail on behalf of others | Allows the app to send mail as the signed-in user, including sending on-behalf of others. | Send mail on behalf of others or yourself | Allows the app to send mail as you or on-behalf of someone else. |
| MailboxSettings.Read | 87f447af-9fa4-4c32-9dfa-4a57a73d18ce | Read user mailbox settings | Allows the app to the read user’s mailbox settings. Does not include permission to send mail. | Read your mailbox settings | Allows the app to read your mailbox settings. |
| MailboxSettings.ReadWrite | 818c620a-27a9-40bd-a6a5-d96f7d610b4b | Read and write user mailbox settings | Allows the app to create, read, update, and delete user’s mailbox settings. Does not include permission to send mail. | Read and write to your mailbox settings | Allows the app to read, update, create, and delete your mailbox settings. |
| Member.Read.Hidden | f6a3db3e-f7e8-4ed2-a414-557c8c9830be | Read hidden memberships | Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to. | Read your hidden memberships | Allows the app to read the memberships of hidden groups or administrative units on your behalf, for those hidden groups or adminstrative units that you have access to. |
| Notes.Create | 9d822255-d64d-4b7a-afdb-833b9a97ed02 | Create user OneNote notebooks | Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user. | Create your OneNote notebooks | Allows the app to view the titles of your OneNote notebooks and sections and to create new pages, notebooks, and sections on your behalf. |
| Notes.Read | 371361e4-b9e2-4a3f-8315-2a301a3b0a3d | Read user OneNote notebooks | Allows the app to read OneNote notebooks on behalf of the signed-in user. | Read your OneNote notebooks | Allows the app to read OneNote notebooks on your behalf. |
| Notes.Read.All | dfabfca6-ee36-4db2-8208-7a28381419b3 | Read all OneNote notebooks that user can access | Allows the app to read OneNote notebooks that the signed-in user has access to in the organization. | Read all OneNote notebooks that you can access | Allows the app to read all the OneNote notebooks that you have access to. |
| Notes.ReadWrite | 615e26af-c38a-4150-ae3e-c3b0d4cb1d6a | Read and write user OneNote notebooks | Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user. | Read and write your OneNote notebooks | Allows the app to read, share, and modify OneNote notebooks on your behalf. |
| Notes.ReadWrite.All | 64ac0503-b4fa-45d9-b544-71a463f05da0 | Read and write all OneNote notebooks that user can access | Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization. | Read and write all OneNote notebooks that you can access | Allows the app to read, share, and modify all the OneNote notebooks that you have access to. |
| Notes.ReadWrite.CreatedByApp | ed68249d-017c-4df5-9113-e684c7f8760b | Limited notebook access (deprecated) | This is deprecated! Do not use! This permission no longer has any effect. You can safely consent to it. No additional privileges will be granted to the app. | Limited access to your OneNote notebooks for this app (preview) | This permission no longer has any effect. You can safely consent to it. No additional privileges will be granted to the app. |
| Notifications.ReadWrite.CreatedByApp | 89497502-6e42-46a2-8cb2-427fd3df970a | Deliver and manage user notifications for this app | Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user’s notification items for this app. | Deliver and manage your notifications for this app | Allows the app to deliver its notifications, on your behalf. Also allows the app to read, update, and delete your notification items for this app. |
| OnPremisesPublishingProfiles.ReadWrite.All | 8c4d5184-71c2-4bf8-bb9d-bc3378c9ad42 | Manage on-premises published resources | Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on behalf of the signed-in user. | Manage on-premises published resources | Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on your behalf. |
| OnlineMeetings.Read | 9be106e1-f4e3-4df5-bdff-e4bc531cbe43 | Read user’s online meetings | Allows the app to read online meeting details on behalf of the signed-in user. | Read your online meetings | Allows the app to read online meeting details on your behalf. |
| OnlineMeetings.ReadWrite | a65f2972-a4f8-4f5e-afd7-69ccb046d5dc | Read and create user’s online meetings | Allows the app to read and create online meetings on behalf of the signed-in user. | Read and create your online meetings | Allows the app to read and create online meetings on your behalf. |
| OrgContact.Read.All | 08432d1b-5911-483c-86df-7980af5cdee0 | Read organizational contacts | Allows the app to read all organizational contacts on behalf of the signed-in user. These contacts are managed by the organization and are different from a user’s personal contacts. | Read organizational contacts | Allows the app to read all organizational contacts on your behalf. These contacts are managed by the organization and are different from your personal contacts. |
| Organization.Read.All | 4908d5b9-3fb2-4b1e-9336-1888b7937185 | Read organization information | Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information. | Read organization information | Allows the app to read the organization and related resources, on your behalf. Related resources include things like subscribed skus and tenant branding information. |
| Organization.ReadWrite.All | 46ca0847-7e6b-426e-9775-ea810a948356 | Read and write organization information | Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information. | Read and write organization information | Allows the app to read and write the organization and related resources, on your behalf. Related resources include things like subscribed skus and tenant branding information. |
| POP.AccessAsUser.All | d7b7f2d9-0f45-4ea1-9d42-e50810c06991 | Read and write access to mailboxes via POP. | Allows the app to have the same access to mailboxes as the signed-in user via POP protocol. | Read and write access to your mail. | Allows the app to read, update, create and delete email in your mailbox. Does not include permission to send mail. |
| People.Read | ba47897c-39ec-4d83-8086-ee8256fa737d | Read users’ relevant people lists | Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype). | Read your relevant people list | Allows the app to read a list of people in the order that’s most relevant to you. This includes your local contacts, your contacts from social networking, people listed in your organization’s directory, and people from recent communications. |
| People.Read.All | b89f9189-71a5-4e70-b041-9887f0bc7e4a | Read all users’ relevant people lists | Allows the app to read a scored list of relevant people of the signed-in user or other users in the signed-in user’s organization. The list can include local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype). | Read all users’ relevant people lists | Allows the app to read a list of people in the order that is most relevant to you. Allows the app to read a list of people in the order that is most relevant to another user in your organization. These can include local contacts, contacts from social networking, people listed in your organization’s directory, and people from recent communications. |
| Place.Read | 40f6bacc-b201-40da-90a5-09775cc4a863 | Read user places | Allows the app to read the signed-in user’s personal places. | Read your places | Allows the app to read your personal places. |
| Place.Read.All | cb8f45a0-5c2e-4ea1-b803-84b870a7d7ec | Read all company places | Allows the app to read your company’s places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user. | Read all company places | Allows the app to read your company’s places (conference rooms and room lists) for calendar events and other applications, on your behalf. |
| Place.Read.Shared | 0b3f56bc-fecd-4036-8930-660fc672e342 | Read user places for delegates | Allows the app to read other users’ personal places that the signed-in user has delegate access to. Also allows read of the signed-in user’s personal places. | Read user delegate places | Allows the app to read your personal places and other users’ personal places that you have delegate access to. |
| Place.ReadWrite | 012ba4a5-ca82-4a76-95ba-6c27f44364c3 | Read and write user places | Allows the app to create, read, and update the signed-in user’s personal places. | Read and write your places | Allows the app to create, read, and update personal places on your behalf. |
| Place.ReadWrite.All | 4c06a06a-098a-4063-868e-5dfee3827264 | Read and write organization places | Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user. | Read and write organization places | Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on your behalf. |
| Policy.Read.All | 572fea84-0151-49b2-9301-11cb16974376 | Read your organization’s policies | Allows the app to read your organization’s policies on behalf of the signed-in user. | Read your organization’s policies | Allows the app to read your organization’s policies on your behalf. |
| Policy.Read.ConditionalAccess | 633e0fce-8c58-4cfb-9495-12bbd5a24f7c | Read your organization’s conditional access policies | Allows the app to read your organization’s conditional access policies on behalf of the signed-in user. | Read your organization’s conditional access policies | Allows the app to read your organization’s conditional access policies on your behalf. |
| Policy.Read.PermissionGrant | 414de6ea-2d92-462f-b120-6e2a809a6d01 | Read consent and permission grant policies | Allows the app to read policies related to consent and permission grants for applications, on behalf of the signed-in user. | Read consent and permission grant policies | Allows the app to read policies related to consent and permission grants for applications, on your behalf. |
| Policy.ReadWrite.ApplicationConfiguration | b27add92-efb2-4f16-84f5-8108ba77985c | Read and write your organization’s application configuration policies | Allows the app to read and write your organization’s application configuration policies on behalf of the signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy. | Read and write your organization’s application configuration policies | Allows the app to read and write your organization’s application configuration policies on your behalf. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy. |
| Policy.ReadWrite.AuthenticationFlows | edb72de9-4252-4d03-a925-451deef99db7 | Read and write authentication flow policies | Allows the app to read and write the authentication flow policies, on behalf of the signed-in user. | Read and write your authentication flow policies | Allows the app to read and write the authentication flow policies for your tenant, on your behalf. |
| Policy.ReadWrite.AuthenticationMethod | 7e823077-d88e-468f-a337-e18f1f0e6c7c | Read and write authentication method policies | Allows the app to read and write the authentication method policies, on behalf of the signed-in user. | Read and write your authentication method policies | Allows the app to read and write the authentication method policies for your tenant, on your behalf. |
| Policy.ReadWrite.Authorization | edd3c878-b384-41fd-95ad-e7407dd775be | Read and write your organization’s authorization policy | Allows the app to read and write your organization’s authorization policy on behalf of the signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. | Read and write your organization’s authorization policy | Allows the app to read and write your organization’s authorization policy on your behalf. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. |
| Policy.ReadWrite.ConditionalAccess | ad902697-1014-4ef5-81ef-2b4301988e8c | Read and write your organization’s conditional access policies | Allows the app to read and write your organization’s conditional access policies on behalf of the signed-in user. | Read and write your organization’s conditional access policies | Allows the app to read and write your organization’s conditional access policies on your behalf. |
| Policy.ReadWrite.ConsentRequest | 4d135e65-66b8-41a8-9f8b-081452c91774 | Read and write consent request policy | Allows the app to read and write your organization’s consent requests policy on behalf of the signed-in user. | Read and write consent request policy | Allows the app to read and write your organization’s consent request policy on your behalf. |
| Policy.ReadWrite.DeviceConfiguration | 40b534c3-9552-4550-901b-23879c90bcf9 | Read and write your organization’s device configuration policies | Allows the app to read and write your organization’s device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks. | Read and write your organization’s device configuration policies | Allows the app to read and write your organization’s device configuration policies on your behalf. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks. |
| Policy.ReadWrite.FeatureRollout | 92a38652-f13b-4875-bc77-6e1dbb63e1b2 | Read and write your organization’s feature rollout policies | Allows the app to read and write your organization’s feature rollout policies on behalf of the signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature. | Read and write your organization’s feature rollout policies | Allows the app to read and write your organization’s feature rollout policies on your behalf. Includes abilities to assign and remove users and groups to rollout of a specific feature. |
| Policy.ReadWrite.MobilityManagement | a8ead177-1889-4546-9387-f25e658e2a79 | Read and write your organization’s mobility management policies | Allows the app to read and write your organization’s mobility management policies on behalf of the signed-in user. For example, a mobility management policy can set the enrollment scope for a given mobility management application. | Read and write your organization’s mobility management policies | Allows the app to read and write your organization’s mobility management policies on your behalf. For example, a mobility management policy can set the enrollment scope for a given mobility management application. |
| Policy.ReadWrite.PermissionGrant | 2672f8bb-fd5e-42e0-85e1-ec764dd2614e | Manage consent and permission grant policies | Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user. | Manage consent and permission grant policies | Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user. |
| Policy.ReadWrite.TrustFramework | cefba324-1a70-4a6e-9c1d-fd670b7ae392 | Read and write your organization’s trust framework policies | Allows the app to read and write your organization’s trust framework policies on behalf of the signed-in user. | Read and write trust framework policies | Allows the app to read and write your organization’s trust framework policies on your behalf. |
| Presence.Read | 76bc735e-aecd-4a1d-8b4c-2b915deabb79 | Read user’s presence information | Allows the app to read presence information on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. | Read your presence information | Allows the app to read your presence information on your behalf. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. |
| Presence.Read.All | 9c7a330d-35b3-4aa1-963d-cb2b9f927841 | Read presence information of all users in your organization | Allows the app to read presence information of all users in the directory on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. | Read presence information of all users in your organization | Allows the app to read presence information of all users in the directory on your behalf. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location. |
| PrintConnector.Read.All | d69c2d6d-4f72-4f99-a6b9-663e32f8cf68 | Read print connectors | Allows the application to read print connectors on behalf of the signed-in user. | Read print connectors | Allows the application to read print connectors on your behalf. |
| PrintConnector.ReadWrite.All | 79ef9967-7d59-4213-9c64-4b10687637d8 | Read and write print connectors | Allows the application to read and write print connectors on behalf of the signed-in user. | Read and write print connectors | Allows the application to read and write print connectors on your behalf. |
| PrintJob.Create | 21f0d9c0-9f13-48b3-94e0-b6b231c7d320 | Create print jobs | Allows the application to create print jobs on behalf of the signed-in user and upload document content to print jobs that the signed-in user created. | Create your print jobs | Allows the application to create print jobs on your behalf and upload document content to print jobs that you created. |
| PrintJob.Read | 248f5528-65c0-4c88-8326-876c7236df5e | Read user’s print jobs | Allows the application to read the metadata and document content of print jobs that the signed-in user created. | Read your print jobs | Allows the application to read the metadata and document content of print jobs that you created. |
| PrintJob.Read.All | afdd6933-a0d8-40f7-bd1a-b5d778e8624b | Read print jobs | Allows the application to read the metadata and document content of print jobs on behalf of the signed-in user. | Read print jobs | Allows the application to read the metadata and document content of print jobs on your behalf. |
| PrintJob.ReadBasic | 6a71a747-280f-4670-9ca0-a9cbf882b274 | Read basic information of user’s print jobs | Allows the application to read the metadata of print jobs that the signed-in user created. Does not allow access to print job document content. | Read basic information of your print jobs | Allows the application to read the metadata of print jobs that you created. Does not allow access to print job document content. |
| PrintJob.ReadBasic.All | 04ce8d60-72ce-4867-85cf-6d82f36922f3 | Read basic information of print jobs | Allows the application to read the metadata of print jobs on behalf of the signed-in user. Does not allow access to print job document content. | Read basic information of print jobs | Allows the application to read the metadata of print jobs on your behalf. Does not allow access to print job document content. |
| PrintJob.ReadWrite | b81dd597-8abb-4b3f-a07a-820b0316ed04 | Read and write user’s print jobs | Allows the application to read and update the metadata and document content of print jobs that the signed-in user created. | Read and update your print jobs | Allows the application to read and update the metadata and document content of print jobs that you created. |
| PrintJob.ReadWrite.All | 036b9544-e8c5-46ef-900a-0646cc42b271 | Read and write print jobs | Allows the application to read and update the metadata and document content of print jobs on behalf of the signed-in user. | Read and update print jobs | Allows the application to read and update the metadata and document content of print jobs on your behalf. |
| PrintJob.ReadWriteBasic | 6f2d22f2-1cb6-412c-a17c-3336817eaa82 | Read and write basic information of user’s print jobs | Allows the application to read and update the metadata of print jobs that the signed-in user created. Does not allow access to print job document content. | Read and write basic information of your print jobs | Allows the application to read and update the metadata of print jobs that you created. Does not allow access to print job document content. |
| PrintJob.ReadWriteBasic.All | 3a0db2f6-0d2a-4c19-971b-49109b19ad3d | Read and write basic information of print jobs | Allows the application to read and update the metadata of print jobs on behalf of the signed-in user. Does not allow access to print job document content. | Read and write basic information of print jobs | Allows the application to read and update the metadata of print jobs on your behalf. Does not allow access to print job document content. |
| PrintSettings.Read.All | 490f32fd-d90f-4dd7-a601-ff6cdc1a3f6c | Read tenant-wide print settings | Allows the application to read tenant-wide print settings on behalf of the signed-in user. | Read tenant-wide print settings | Allows the application to read tenant-wide print settings on your behalf. |
| PrintSettings.ReadWrite.All | 9ccc526a-c51c-4e5c-a1fd-74726ef50b8f | Read and write tenant-wide print settings | Allows the application to read and write tenant-wide print settings on behalf of the signed-in user. | Read and write tenant-wide print settings | Allows the application to read and write tenant-wide print settings on your behalf. |
| Printer.Create | 90c30bed-6fd1-4279-bf39-714069619721 | Register printers | Allows the application to create (register) printers on behalf of the signed-in user. | Register printers | Allows the application to create (register) printers on your behalf. |
| Printer.FullControl.All | 93dae4bd-43a1-4a23-9a1a-92957e1d9121 | Register, read, update, and unregister printers | Allows the application to create (register), read, update, and delete (unregister) printers on behalf of the signed-in user. | Register, read, update, and unregister printers | Allows the application to create (register), read, update, and delete (unregister) printers on your behalf. |
| Printer.Read.All | 3a736c8a-018e-460a-b60c-863b2683e8bf | Read printers | Allows the application to read printers on behalf of the signed-in user. | Read printers | Allows the application to read printers on your behalf. |
| Printer.ReadWrite.All | 89f66824-725f-4b8f-928e-e1c5258dc565 | Read and update printers | Allows the application to read and update printers on behalf of the signed-in user. Does not allow creating (registering) or deleting (unregistering) printers. | Read and update printers | Allows the application to read and update printers on your behalf. Does not allow creating (registering) or deleting (unregistering) printers. |
| PrinterShare.Read.All | ed11134d-2f3f-440d-a2e1-411efada2502 | Read printer shares | Allows the application to read printer shares on behalf of the signed-in user. | Read printer shares | Allows the application to read printer shares on your behalf. |
| PrinterShare.ReadBasic.All | 5fa075e9-b951-4165-947b-c63396ff0a37 | Read basic information about printer shares | Allows the application to read basic information about printer shares on behalf of the signed-in user. Does not allow reading access control information. | Read basic information about printer shares | Allows the application to read basic information about printer shares on your behalf. |
| PrinterShare.ReadWrite.All | 06ceea37-85e2-40d7-bec3-91337a46038f | Read and write printer shares | Allows the application to read and update printer shares on behalf of the signed-in user. | Read and update printer shares | Allows the application to read and update printer shares on your behalf. |
| PrivilegedAccess.Read.AzureAD | b3a539c9-59cb-4ad5-825a-041ddbdc2bdb | Read privileged access to Azure AD | Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on behalf of the signed-in user. | Read privileged access to Azure AD | Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on your behalf. |
| PrivilegedAccess.Read.AzureADGroup | d329c81c-20ad-4772-abf9-3f6fdb7e5988 | Read privileged access to Azure AD groups | Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user. | Read privileged access to Azure AD groups | Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on your behalf. |
| PrivilegedAccess.Read.AzureResources | 1d89d70c-dcac-4248-b214-903c457af83a | Read privileged access to Azure resources | Allows the app to read time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) on behalf of the signed-in user. | Read privileged access to your Azure resources | Allows the app to read time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) on your behalf. |
| PrivilegedAccess.ReadWrite.AzureAD | 3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37 | Read and write privileged access to Azure AD | Allows the app to request and manage just in time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on behalf of signed-in users. | Read and write privileged access to Azure AD | Allows the app to request and manage just in time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on your behalf. |
| PrivilegedAccess.ReadWrite.AzureADGroup | 32531c59-1f32-461f-b8df-6f8a3b89f73b | Read and write privileged access to Azure AD groups | Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user. | Read and write privileged access to Azure AD groups | Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on your behalf. |
| PrivilegedAccess.ReadWrite.AzureResources | a84a9652-ffd3-496e-a991-22ba5529156a | Read and write privileged access to Azure resources | Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage Azure resources (like subscriptions, resource groups, storage, compute) on behalf of the signed-in users. | Read and write privileged access to Azure resources | Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage your Azure resources (like your subscriptions, resource groups, storage, compute) on your behalf. |
| ProgramControl.Read.All | c492a2e1-2f8f-4caa-b076-99bbf6e40fe4 | Read all programs that user can access | Allows the app to read programs and program controls that the signed-in user has access to in the organization. | Read programs that you can access | Allows the app to read information on programs and program controls that you have access to. |
| ProgramControl.ReadWrite.All | 50fd364f-9d93-4ae1-b170-300e87cccf84 | Manage all programs that user can access | Allows the app to read, update, delete and perform actions on programs and program controls that the signed-in user has access to in the organization. | Manage programs that you can access | Allows the app to read, update and perform action on programs and program controls that you have access to. |
| Reports.Read.All | 02e97553-ed7b-43d0-ab3c-f8bace0d040c | Read all usage reports | Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. | Read all usage reports | Allows an app to read all service usage reports on your behalf. Services that provide usage reports include Office 365 and Azure Active Directory. |
| RoleAssignmentSchedule.Read.Directory | 344a729c-0285-42c6-9014-f12b9b8d6129 | Read all active role assignments for your company’s directory | Allows the app to read the active role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles. | Read all active role assignments for your company’s directory | Allows the app to read the active role-based access control (RBAC) assignments for your company’s directory, on your behalf. This includes reading directory role templates, and directory roles. |
| RoleAssignmentSchedule.ReadWrite.Directory | 8c026be3-8e26-4774-9372-8d5d6f21daff | Read, update, and delete all active role assignments for your company’s directory | Allows the app to read and manage the active role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships. | Read, update, and delete all active role assignments for your company’s directory | Allows the app to read and manage the active role-based access control (RBAC) assignments for your company’s directory, on your behalf. This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships. |
| RoleEligibilitySchedule.Read.Directory | eb0788c2-6d4e-4658-8c9e-c0fb8053f03d | Read all eligible role assignments for your company’s directory | Allows the app to read the eligible role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles. | Read all eligible role assignments for your company’s directory | Allows the app to read the eligible role-based access control (RBAC) assignments for your company’s directory, on your behalf. This includes reading directory role templates, and directory roles. |
| RoleEligibilitySchedule.ReadWrite.Directory | 62ade113-f8e0-4bf9-a6ba-5acb31db32fd | Read, update, and delete all eligible role assignments for your company’s directory | Allows the app to read and manage the eligible role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships. | Read, update, and delete all eligible role assignments for your company’s directory | Allows the app to read and manage the eligible role-based access control (RBAC) assignments for your company’s directory, on your behalf. This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships. |
| RoleManagement.Read.All | 48fec646-b2ba-4019-8681-8eb31435aded | Read role management data for all RBAC providers | Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on behalf of the signed-in user. This includes reading role definitions and role assignments. | Read role management data for all RBAC providers | Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on your behalf. This includes reading role definitions and role assignments. |
| RoleManagement.Read.Directory | 741c54c3-0c1e-44a1-818b-3f97ab4e8c83 | Read directory RBAC settings | Allows the app to read the role-based access control (RBAC) settings for your company’s directory, on behalf of the signed-in user. This includes reading directory role templates, directory roles and memberships. | Read directory RBAC settings | Allows the app to read the role-based access control (RBAC) settings for your company’s directory, on your behalf. This includes reading directory role templates, directory roles and memberships. |
| RoleManagement.ReadWrite.Directory | d01b97e9-cbc0-49fe-810a-750afd5527a3 | Read and write directory RBAC settings | Allows the app to read and manage the role-based access control (RBAC) settings for your company’s directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Read and write directory RBAC settings | Allows the app to read and manage the role-based access control (RBAC) settings for your company’s directory, on your behalf. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. |
| RoleManagementPolicy.Read.Directory | 3de2cdbe-0ff5-47d5-bdee-7f45b4749ead | Read all policies for privileged role assignments of your company’s directory | Allows the app to read policies for privileged role-based access control (RBAC) assignments of your company’s directory, on behalf of the signed-in user. | Read all policies for privileged role assignments of your company’s directory | Allows the app to read policies for privileged role-based access control (RBAC) assignments of your company’s directory, on your behalf. |
| RoleManagementPolicy.ReadWrite.Directory | 1ff1be21-34eb-448c-9ac9-ce1f506b2a68 | Read, update, and delete all policies for privileged role assignments of your company’s directory | Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company’s directory, on behalf of the signed-in user. | Read, update, and delete all policies for privileged role assignments of your company’s directory | Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company’s directory, on your behalf. |
| SMTP.Send | 258f6531-6087-4cc4-bb90-092c5fb3ed3f | Send emails from mailboxes using SMTP AUTH. | Allows the app to be able to send emails from the user’s mailbox using the SMTP AUTH client submission protocol. | Access to sending emails from your mailbox. | Allows the app to send emails on your behalf from your mailbox. |
| Schedule.Read.All | fccf6dd8-5706-49fa-811f-69e2e1b585d0 | Read user schedule items | Allows the app to read schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on behalf of the signed-in user. | Read your schedule items | Allows the app to read schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on your behalf. |
| Schedule.ReadWrite.All | 63f27281-c9d9-4f29-94dd-6942f7f1feb0 | Read and write user schedule items | Allows the app to manage schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on behalf of the signed-in user. | Read and write your schedule items | Allows the app to manage schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on your behalf. |
| SecurityActions.Read.All | 1638cddf-07a4-4de2-8645-69c96cacad73 | Read your organization’s security actions | Allows the app to read security actions, on behalf of the signed-in user. | Read your organization’s security actions | Allows the app to read security actions, on your behalf. |
| SecurityActions.ReadWrite.All | dc38509c-b87d-4da0-bd92-6bec988bac4a | Read and update your organization’s security actions | Allows the app to read or update security actions, on behalf of the signed-in user. | Read and update your organization’s security actions | Allows the app to read and update security actions, on your behalf. |
| SecurityEvents.Read.All | 64733abd-851e-478a-bffb-e47a14b18235 | Read your organization’s security events | Allows the app to read your organization’s security events on behalf of the signed-in user. | Read your organization’s security events | Allows the app to read your organization’s security events on your behalf. |
| SecurityEvents.ReadWrite.All | 6aedf524-7e1c-45a7-bd76-ded8cab8d0fc | Read and update your organization’s security events | Allows the app to read your organization’s security events on behalf of the signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in user. | Read and update your organization’s security events | Allows the app to read your organization’s security events on your behalf. Also allows you to update editable properties in security events. |
| ServiceHealth.Read.All | 55896846-df78-47a7-aa94-8d3d4442ca7f | Read service health | Allows the app to read your tenant’s service health information on behalf of the signed-in user. Health information may include service issues or service health overviews. | Read service health | Allows the app to read your tenant’s service health information on your behalf.Health information may include service issues or service health overviews. |
| ServiceMessage.Read.All | eda39fa6-f8cf-4c3c-a909-432c683e4c9b | Read service announcement messages | Allows the app to read your tenant’s service announcement messages on behalf of the signed-in user. Messages may include information about new or changed features. | Read service messages | Allows the app to read your tenant’s service announcement messages on your behalf. Messages may include information about new or changed features. |
| ServicePrincipalEndpoint.Read.All | 9f9ce928-e038-4e3b-8faf-7b59049a8ddc | Read service principal endpoints | Allows the app to read service principal endpoints | Read service principal endpoints | Allows the app to read service principal endpoints |
| ServicePrincipalEndpoint.ReadWrite.All | 7297d82c-9546-4aed-91df-3d4f0a9b3ff0 | Read and update service principal endpoints | Allows the app to update service principal endpoints | Read and update service principal endpoints | Allows the app to update service principal endpoints |
| ShortNotes.Read | 50f66e47-eb56-45b7-aaa2-75057d9afe08 | Read short notes of the signed-in user | Allows the app to read all the short notes a sign-in user has access to. | Read your short notes | Allows the app to read your short notes. |
| ShortNotes.ReadWrite | 328438b7-4c01-4c07-a840-e625a749bb89 | Read, create, edit, and delete short notes of the signed-in user | Allows the app to read, create, edit, and delete short notes of a signed-in user. | Read, create, edit, and delete your short notes | Allows the app to read, create, edit, and delete your short notes. |
| Sites.FullControl.All | 5a54b8b3-347c-476d-8f8e-42d5c7424d29 | Have full control of all site collections | Allows the application to have full control of all site collections on behalf of the signed-in user. | Have full control of all your site collections | Allow the application to have full control of all site collections on your behalf. |
| Sites.Manage.All | 65e50fdc-43b7-4915-933e-e8138f11f40a | Create, edit, and delete items and lists in all site collections | Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user. | Create, edit, and delete items and lists in all your site collections | Allow the application to create or delete document libraries and lists in all site collections on your behalf. |
| Sites.Read.All | 205e70e5-aba6-4c52-a976-6d2d46c48043 | Read items in all site collections | Allows the application to read documents and list items in all site collections on behalf of the signed-in user | Read items in all site collections | Allow the application to read documents and list items in all site collections on your behalf |
| Sites.ReadWrite.All | 89fe6a52-be36-487e-b7d8-d061c450a026 | Edit or delete items in all site collections | Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user. | Edit or delete items in all site collections | Allow the application to edit or delete documents and list items in all site collections on your behalf. |
| Subscription.Read.All | 5f88184c-80bb-4d52-9ff2-757288b2e9b7 | Read all webhook subscriptions | Allows the app to read all webhook subscriptions on behalf of the signed-in user. | Read all webhook subscriptions | Allows the app to read all webhook subscriptions on your behalf. |
| Tasks.Read | f45671fb-e0fe-4b4b-be20-3d3ce43f1bcb | Read user’s tasks and task lists | Allows the app to read the signed-in user’s tasks and task lists, including any shared with the user. Doesn’t include permission to create, delete, or update anything. | Read your tasks and task lists | Allows the app to read your tasks and task lists, including any shared with you. Doesn’t include permission to create, delete, or update anything. |
| Tasks.Read.Shared | 88d21fd4-8e5a-4c32-b5e2-4a1c95f34f72 | Read user and shared tasks | Allows the app to read tasks a user has permissions to access, including their own and shared tasks. | Read your and shared tasks | Allows the app to read tasks you have permissions to access, including your own and shared tasks. |
| Tasks.ReadWrite | 2219042f-cab5-40cc-b0d2-16b1540b4c5f | Create, read, update, and delete user’s tasks and task lists | Allows the app to create, read, update, and delete the signed-in user’s tasks and task lists, including any shared with the user. | Create, read, update, and delete your tasks and task lists | Allows the app to create, read, update, and delete your tasks and task lists, including any shared with you. |
| Tasks.ReadWrite.Shared | c5ddf11b-c114-4886-8558-8a4e557cd52b | Read and write user and shared tasks | Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks. | Read and write to your and shared tasks | Allows the app to read, update, create, and delete tasks you have permissions to access, including your own and shared tasks. |
| Team.Create | 7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0 | Create teams | Allows the app to create teams on behalf of the signed-in user. | Create teams | Allows the app to create teams on your behalf. |
| Team.ReadBasic.All | 485be79e-c497-4b35-9400-0e3fa7f2a5d4 | Read the names and descriptions of teams | Read the names and descriptions of teams, on behalf of the signed-in user. | Read the names and descriptions of teams | Read the names and descriptions of teams, on your behalf. |
| TeamMember.Read.All | 2497278c-d82d-46a2-b1ce-39d4cdde5570 | Read the members of teams | Read the members of teams, on behalf of the signed-in user. | Read the members of teams | Read the members of teams, on your behalf. |
| TeamMember.ReadWrite.All | 4a06efd2-f825-4e34-813e-82a57b03d1ee | Add and remove members from teams | Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member’s role, for example from owner to non-owner. | Add and remove members from teams and channels | Add and remove members from teams, on your behalf. Also allows changing a member’s role, for example from owner to non-owner. |
| TeamMember.ReadWriteNonOwnerRole.All | 2104a4db-3a2f-4ea0-9dba-143d457dc666 | Add and remove members with non-owner role for all teams | Add and remove members from all teams, on behalf of the signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role. | Add and remove members with non-owner role for all teams | Add and remove members from all teams, on your behalf. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role. |
| TeamSettings.Read.All | 48638b3c-ad68-4383-8ac4-e6880ee6ca57 | Read teams’ settings | Read all teams’ settings, on behalf of the signed-in user. | Read teams’ settings | Read all teams’ settings, on your behalf. |
| TeamSettings.ReadWrite.All | 39d65650-9d3e-4223-80db-a335590d027e | Read and change teams’ settings | Read and change all teams’ settings, on behalf of the signed-in user. | Read and change teams’ settings | Read and change all teams’ settings, on your behalf. |
| TeamsActivity.Read | 0e755559-83fb-4b44-91d0-4cc721b9323e | Read user’s teamwork activity feed | Allows the app to read the signed-in user’s teamwork activity feed. | Read your teamwork activity feed | Allows the app to read your teamwork activity feed. |
| TeamsActivity.Send | 7ab1d787-bae7-4d5d-8db6-37ea32df9186 | Send a teamwork activity as the user | Allows the app to create new notifications in users’ teamwork activity feeds on behalf of the signed in user. These notifications may not be discoverable or be held or governed by compliance policies. | Send a teamwork activity | Allows the app to create new activities in your teamwork activity feed, and send new activities to other users’ activity feed, on your behalf. |
| TeamsApp.Read | daef10fc-047a-48b0-b1a5-da4b5e72fabc | Read user’s installed Teams apps | Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings. | Read your installed Teams apps | Allows the app to read the Teams apps that are installed for you. Does not give the ability to read application-specific settings. |
| TeamsApp.Read.All | 9127ba42-f79f-43b1-be80-f23ecd42377e | Read all installed Teams apps | Allows the app to read the Teams apps that are installed for the signed-in user, and in all teams the user is a member of. Does not give the ability to read application-specific settings. | Read all installed Teams apps | Allows the app to read the Teams apps that are installed for you, and in teams you are a member of. Does not give the ability to read application-specific settings. |
| TeamsApp.ReadWrite | 2a5addc2-4d9e-4d7d-8527-5215aec410f3 | Manage user’s Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user. Does not give the ability to read or write application-specific settings. | Manage your Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps, on your behalf. Does not give the ability to read or write application-specific settings. |
| TeamsApp.ReadWrite.All | d3f0af02-b22d-4778-a433-14f7e3f2e1e2 | Manage all Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user and also for teams the user is a member of. Does not give the ability to read or write application-specific settings. | Manage all Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps, on your behalf. Does not give the ability to read or write application-specific settings. |
| TeamsAppInstallation.ReadForChat | bf3fbf03-f35f-4e93-963e-47e4d874c37a | Read installed Teams apps in chats | Allows the app to read the Teams apps that are installed in chats the signed-in user can access. Does not give the ability to read application-specific settings. | Read installed Teams apps in chats | Allows the app to read the Teams apps that are installed in chats that you can access. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadForTeam | 5248dcb1-f83b-4ec3-9f4d-a4428a961a72 | Read installed Teams apps in teams | Allows the app to read the Teams apps that are installed in teams the signed-in user can access. Does not give the ability to read application-specific settings. | Read installed Teams apps in teams | Allows the app to read the Teams apps that are installed in teams that you can access. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadForUser | c395395c-ff9a-4dba-bc1f-8372ba9dca84 | Read user’s installed Teams apps | Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings. | Read your installed Teams apps | Allows the app to read the Teams apps that are installed for you. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadWriteForChat | aa85bf13-d771-4d5d-a9e6-bca04ce44edf | Manage installed Teams apps in chats | Allows the app to read, install, upgrade, and uninstall Teams apps in chats the signed-in user can access. Does not give the ability to read application-specific settings. | Manage installed Teams apps in chats | Allows the app to read, install, upgrade, and uninstall Teams apps in chats you can access. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadWriteForTeam | 2e25a044-2580-450d-8859-42eeb6e996c0 | Manage installed Teams apps in teams | Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Does not give the ability to read application-specific settings. | Manage installed Teams apps in teams | Allows the app to read, install, upgrade, and uninstall Teams apps in teams you can access. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadWriteForUser | 093f8818-d05f-49b8-95bc-9d2a73e9a43c | Manage user’s installed Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps installed for the signed-in user. Does not give the ability to read application-specific settings. | Manage your installed Teams apps | Allows the app to read, install, upgrade, and uninstall Teams apps installed for you. Does not give the ability to read application-specific settings. |
| TeamsAppInstallation.ReadWriteSelfForChat | 0ce33576-30e8-43b7-99e5-62f8569a4002 | Allow the Teams app to manage itself in chats | Allows a Teams app to read, install, upgrade, and uninstall itself in chats the signed-in user can access. | Allow the Teams app to manage itself in chats | Allows a Teams app to read, install, upgrade, and uninstall itself in chats you can access. |
| TeamsAppInstallation.ReadWriteSelfForTeam | 0f4595f7-64b1-4e13-81bc-11a249df07a9 | Allow the app to manage itself in teams | Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access. | Allow the app to manage itself in teams | Allows a Teams app to read, install, upgrade, and uninstall itself to teams you can access. |
| TeamsAppInstallation.ReadWriteSelfForUser | 207e0cb1-3ce7-4922-b991-5a760c346ebc | Allow the Teams app to manage itself for a user | Allows a Teams app to read, install, upgrade, and uninstall itself for the signed-in user. | Allow the Teams app to manage itself for you | Allows a Teams app to read, install, upgrade, and uninstall itself for you. |
| TeamsTab.Create | a9ff19c2-f369-4a95-9a25-ba9d460efc8e | Create tabs in Microsoft Teams. | Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. | Create tabs in Microsoft Teams. | Allows the app to create tabs in any team in Microsoft Teams, on your behalf. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs. |
| TeamsTab.Read.All | 59dacb05-e88d-4c13-a684-59f1afc8cc98 | Read tabs in Microsoft Teams. | Read the names and settings of tabs inside any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs. | Read tabs in Microsoft Teams. | Read the names and settings of tabs inside any team in Microsoft Teams, on your behalf. This does not give access to the content inside the tabs. |
| TeamsTab.ReadWrite.All | b98bfd41-87c6-45cc-b104-e2de4f0dafb9 | Read and write tabs in Microsoft Teams. | Read and write tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs. | Read and write tabs in Microsoft Teams. | Read and write tabs in any team in Microsoft Teams, on your behalf. This does not give access to the content inside the tabs. |
| TeamsTab.ReadWriteForChat | ee928332-e9c2-4747-b4a0-f8c164b68de6 | Allow the Teams app to manage all tabs in chats | Allows a Teams app to read, install, upgrade, and uninstall all tabs in chats the signed-in user can access. | Allow the Teams app to manage all tabs in chats | Allows a Teams app to read, install, upgrade, and uninstall all tabs in chats you can access. |
| TeamsTab.ReadWriteForTeam | c975dd04-a06e-4fbb-9704-62daad77bb49 | Allow the Teams app to manage all tabs in teams | Allows a Teams app to read, install, upgrade, and uninstall all tabs to teams the signed-in user can access. | Allow the app to manage all tabs in teams | Allows a Teams app to read, install, upgrade, and uninstall all tabs to teams you can access. |
| TeamsTab.ReadWriteForUser | c37c9b61-7762-4bff-a156-afc0005847a0 | Allow the Teams app to manage all tabs for a user | Allows a Teams app to read, install, upgrade, and uninstall all tabs for the signed-in user. | Allow the Teams app to manage all tabs for you | Allows a Teams app to read, install, upgrade, and uninstall all tabs for you. |
| TermStore.Read.All | 297f747b-0005-475b-8fef-c890f5152b38 | Read term store data | Allows the app to read the term store data that the signed-in user has access to. This includes all sets, groups and terms in the term store. | Read term store data | Allows the app to read the term store data that you have access to. This includes all sets, groups and terms in the term store. |
| TermStore.ReadWrite.All | 6c37c71d-f50f-4bff-8fd3-8a41da390140 | Read and write term store data | Allows the app to read or modify data that the signed-in user has access to. This includes all sets, groups and terms in the term store. | Read and write term store data | Allows the app to read or modify data that you have access to. This includes all sets, groups and terms in the term store. |
| ThreatAssessment.ReadWrite.All | cac97e40-6730-457d-ad8d-4852fddab7ad | Read and write threat assessment requests | Allows an app to read your organization’s threat assessment requests on behalf of the signed-in user. Also allows the app to create new requests to assess threats received by your organization on behalf of the signed-in user. | Read and write threat assessment requests | Allows an app to read your organization’s threat assessment requests on your behalf. Also allows the app to create new requests to assess threats received by your organization on your behalf. |
| ThreatIndicators.Read.All | 9cc427b4-2004-41c5-aa22-757b755e9796 | Read all threat indicators | Allows the app to read all the indicators for your organization, on behalf of the signed-in user. | Read all threat indicators | Allows the app to read all the indicators for your organization, on your behalf. |
| ThreatIndicators.ReadWrite.OwnedBy | 91e7d36d-022a-490f-a748-f8e011357b42 | Manage threat indicators this app creates or owns | Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), on behalf of the signed-in user. It cannot update any threat indicators it does not own. | Manage threat indicators this app creates or owns | Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), on your behalf. It cannot update any threat indicators that it is not an owner of. |
| TrustFrameworkKeySet.Read.All | 7ad34336-f5b1-44ce-8682-31d7dfcd9ab9 | Read trust framework key sets | Allows the app to read trust framework key set properties on behalf of the signed-in user. | Read trust framework key sets | Allows the app to read trust framework key sets, on your behalf. |
| TrustFrameworkKeySet.ReadWrite.All | 39244520-1e7d-4b4a-aee0-57c65826e427 | Read and write trust framework key sets | Allows the app to read and write trust framework key set properties on behalf of the signed-in user. | Read and write trust framework key sets | Allows the app to read or write trust framework key sets, on your behalf. |
| UnifiedGroupMember.Read.AsGuest | 73e75199-7c3e-41bb-9357-167164dbb415 | Read unified group memberships as guest | Allows the app to read basic unified group properties, memberships and owners of the group the signed-in guest is a member of. | Read unified group memberships as guest | Allows the app to read basic unified group properties, memberships and owners of the group you are a member of. |
| User.Export.All | 405a51b5-8d8d-430b-9842-8be4b0e9f324 | Export user’s data | Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator). | Export user’s data | Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator). |
| User.Invite.All | 63dd7cd9-b489-4adf-a28c-ac38b9a0f962 | Invite guest users to the organization | Allows the app to invite guest users to the organization, on behalf of the signed-in user. | Invite guest users to the organization | Allows the app to invite guest users to the organization, on your behalf. |
| User.ManageIdentities.All | 637d7bec-b31e-4deb-acc9-24275642a2c9 | Manage user identities | Allows the app to read, update and delete identities that are associated with a user’s account that the signed-in user has access to. This controls the identities users can sign-in with. | Manage user identities | Allows the app to read, update and delete identities that are associated with a user’s account that you have access to. This controls the identities users can sign-in with. |
| User.Read | e1fe6dd8-ba31-4d61-89e7-88639da4683d | Sign in and read user profile | Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Sign you in and read your profile | Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information. |
| User.Read.All | a154be20-db9c-4678-8ab7-66f6cc099a59 | Read all users’ full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Read all users’ full profiles | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf. |
| User.ReadBasic.All | b340eb25-3456-403f-be2f-af7a0d370277 | Read all users’ basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo. | Read all users’ basic profiles | Allows the app to read a basic set of profile properties of other users in your organization on your behalf. Includes display name, first and last name, email address and photo. |
| User.ReadWrite | b4e74841-8e56-480b-be8b-910348b18b4c | Read and write access to user profile | Allows the app to read your profile. It also allows the app to update your profile information on your behalf. | Read and update your profile | Allows the app to read your profile, and discover your group membership, reports and manager. It also allows the app to update your profile information on your behalf. |
| User.ReadWrite.All | 204e0828-b5ca-4ad8-b9f3-f32a958e7cc4 | Read and write all users’ full profiles | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Read and write all users’ full profiles | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf. |
| UserActivity.ReadWrite.CreatedByApp | 47607519-5fb1-47d9-99c7-da4b48f369b1 | Read and write app activity to users’ activity feed | Allows the app to read and report the signed-in user’s activity in the app. | Read and write app activity to your activity feed | Allows the app to read and report your activity in the app. |
| UserAuthenticationMethod.Read | 1f6b61c5-2f65-4135-9c9f-31c0f8d32b52 | Read user authentication methods. | Allows the app to read the signed-in user’s authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user’s passwords, or to sign-in or otherwise use the signed-in user’s authentication methods. | Read your authentication methods. | Allows the app to read your authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like your passwords, or to sign-in or otherwise use your authentication methods. |
| UserAuthenticationMethod.Read.All | aec28ec7-4d02-4e8c-b864-50163aea77eb | Read all users’ authentication methods | Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | Read all users’ authentication methods | Allows the app to read authentication methods of all users you have access to in your organization. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. |
| UserAuthenticationMethod.ReadWrite | 48971fc1-70d7-4245-af77-0beb29b53ee2 | Read and write user authentication methods | Allows the app to read and write the signed-in user’s authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user’s passwords, or to sign-in or otherwise use the signed-in user’s authentication methods. | Read and write your authentication methods | Allows the app to read and write your authentication methods, including phone numbers and Authenticator app settings.This does not allow the app to see secret information like your passwords, or to sign-in or otherwise use your authentication methods. |
| UserAuthenticationMethod.ReadWrite.All | b7887744-6746-4312-813d-72daeaee7e2d | Read and write all users’ authentication methods. | Allows the app to read and write authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | Read and write all users’ authentication methods | Allows the app to read and write authentication methods of all users you have access to in your organization. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. |
| UserNotification.ReadWrite.CreatedByApp | 26e2f3e8-b2a1-47fc-9620-89bb5b042024 | Deliver and manage user’s notifications | Allows the app to send, read, update and delete user’s notifications. | Deliver and manage your notifications | Allows the app to send, read, update and delete your app-specific notifications. |
| UserTimelineActivity.Write.CreatedByApp | 367492fc-594d-4972-a9b5-0d58c622c91c | Write app activity to users’ timeline | Allows the app to report the signed-in user’s app activity information to Microsoft Timeline. | Write app activity to your timeline | Allows the app to report your app activity information to Microsoft Timeline. |
| WindowsUpdates.ReadWrite.All | 11776c0c-6138-4db3-a668-ee621bea2555 | Read and write all Windows update deployment settings | Allows the app to read and write all Windows update deployment settings for the organization on behalf of the signed-in user. | Read and write all Windows update deployment settings | Allows the app to read and write all Windows update deployment settings for the organization on your behalf. |
| WorkforceIntegration.Read.All | f1ccd5a7-6383-466a-8db8-1a656f7d06fa | Read workforce integrations | Allows the app to read workforce integrations, to synchronize data from Microsoft Teams Shifts, on behalf of the signed-in user. | Read workforce integrations | Allows the app to read workforce integrations, to synchronize data from Microsoft Teams Shifts, on your behalf. |
| WorkforceIntegration.ReadWrite.All | 08c4b377-0d23-4a8b-be2a-23c1c1d88545 | Read and write workforce integrations | Allows the app to manage workforce integrations, to synchronize data from Microsoft Teams Shifts, on behalf of the signed-in user. | Read and write workforce integrations | Allows the app to manage workforce integrations, to synchronize data from Microsoft Teams Shifts, on your behalf. |
| eDiscovery.Read.All | 99201db3-7652-4d5a-809a-bdb94f85fe3c | Read all eDiscovery objects | Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user. | Read all eDiscovery objects | Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects on your behalf. |
| eDiscovery.ReadWrite.All | acb8f680-0834-4146-b69e-4ab1b39745ad | Read and write all eDiscovery objects | Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user. | Read and write all eDiscovery objects | Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects on your behalf. |
| 64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0 | View users’ email address | Allows the app to read your users’ primary email address | View your email address | Allows the app to read your primary email address | |
| offline_access | 7427e0e9-2fba-42fe-b0c0-848c9e6a8182 | Maintain access to data you have given it access to | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. | Maintain access to data you have given it access to | Allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions. |
| openid | 37f7f235-527c-4136-accd-4a02d197296e | Sign users in | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. | Sign in as you | Allows you to sign in to the app with your work or school account and allows the app to read your basic profile information. |
| profile | 14dad69e-099b-42c9-810b-d002981feec1 | View users’ basic profile | Allows the app to see your users’ basic profile (name, picture, user name) | View your basic profile | Allows the app to see your basic profile (name, picture, user name) |