Required Permissions
Important
If you want to enable additional cloud governance features for your Entra Cloud Objects (for example, Azure Cloud Object Management, such as Management Groups, Subscriptions, Resource Groups and Role Assignment, or Service Principal Accounts Management), you must have
Note
This list of permissions covers the most commonly used features of the connector; however, certain specific features may require additional custom permissions and roles. Be sure to read the details for each feature in the Supported Features section.
The following permissions must be granted to the client application created in Azure:
- Read Directory Data
- Read and Write Directory Data
To grant permissions to the client application:
- Select API permissions in the Microsoft Entra ID console.
- Select Add a permission.
- On the Request API permissions page, you will see a list of supported APIs. Select Microsoft Graph API.
- Select Application permissions under What type of permissions does your application require?
- Under Select permissions, choose the permissions listed in the following permission table. Select Add permissions.
- In Grant consent, select Grant admin consent for your configuration and directory. On the pop-up dialog box, select Yes.
Granular Level Application Permission
| Permission | Type | Purpose |
|---|---|---|
| User.Invite.All | Application | Creating / Inviting B2B User |
| User.Read.All | Application | Account Aggregation, Account Delta, Get Object, Roles and Groups Membership Aggregation |
| User.ReadWrite.All | Application | Create User, Update User Properties (Non Entitlement), Add / Remove License Pack and Plan, Enable / Disable User Account, Delete User |
| Organization.Read.All | Application | Aggregate License Pack and Plan Details of tenant |
| RoleManagement.ReadWrite.Directory | Application | Add / Remove Directory Roles |
| User.Read | Application | Pass-through Authentication |
| Group.Read.All | Application | Group Aggregation |
| Group.ReadWrite.All | Application | Create Group, Update Group, Delete Group |
| Application.Read.All | Application | Service Principal Aggregation |
| AppRoleAssignment.ReadWrite.All | Application | Add / Remove users from Service Principal |
| RoleManagement.ReadWrite.Directory | Application | Role provisioning (if defined as Entitlement object) |
| RoleManagement.Read.Directory | Application | Role Aggregation (if defined as Entitlement object) |
| Applicable for SAML Bearer Assertion, Refresh Token / AuthCode and JWT Certificate Credentials Grant Types | | |
| Directory.AccessAsUser.All | Delegated | Change Password, Delete User |
| Applicable for Access Packages Management | | |
| EntitlementManagement.ReadWrite.All | Application | Add / Remove Access Packages |
| EntitlementManagement.Read.All | Application | Access Package Aggregation |
| Applicable for Multi-Factor Authentication Management | | |
| UserAuthenticationMethod.Read.All | Application | MFA Related User Information Aggregation |
| UserAuthenticationMethod.ReadWrite.All | Application | Add / Update / Remove MFA Related User Information |
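After granting consent as described in the procedure above, it is worth confirming that the token Entra ID actually issues to the client application carries exactly the permissions the enabled features need and nothing more. The following Python script is an added example, not part of this page or of the connector: it decodes the payload of an app-only access token, reads the `roles` claim (where Microsoft Graph application permissions appear; delegated permissions appear in `scp` instead), and compares it against the permission table above for a chosen set of features. The feature names, the `SAMPLE_TOKEN` (an unsigned, constructed token) and the placeholder `appid` are assumptions made for the example.

```python
"""Least-privilege check for an Entra ID app-only access token.

Decodes the token payload, extracts the 'roles' claim and compares it with the
Microsoft Graph application permissions required by the connector features
that are enabled (mapping taken from the permission table on this page).
"""
import base64
import json

# Feature name (assumed, for this example) -> required application permission.
FEATURE_PERMISSIONS = {
    "account_aggregation": {"User.Read.All"},
    "user_provisioning": {"User.ReadWrite.All"},
    "b2b_invite": {"User.Invite.All"},
    "license_aggregation": {"Organization.Read.All"},
    "directory_role_provisioning": {"RoleManagement.ReadWrite.Directory"},
    "role_aggregation": {"RoleManagement.Read.Directory"},
    "group_aggregation": {"Group.Read.All"},
    "group_provisioning": {"Group.ReadWrite.All"},
    "service_principal_aggregation": {"Application.Read.All"},
    "service_principal_membership": {"AppRoleAssignment.ReadWrite.All"},
    "access_package_aggregation": {"EntitlementManagement.Read.All"},
    "access_package_provisioning": {"EntitlementManagement.ReadWrite.All"},
    "mfa_aggregation": {"UserAuthenticationMethod.Read.All"},
    "mfa_provisioning": {"UserAuthenticationMethod.ReadWrite.All"},
}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.

    This is only for inspecting a token your own application just obtained;
    an API that *accepts* tokens must still validate the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # base64url omits padding; restore it
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_app_permissions(claims: dict) -> set:
    """Application permissions live in 'roles'; a 'scp' claim means the token
    was issued under a delegated flow and does not carry application grants."""
    if "scp" in claims:
        raise ValueError("delegated token (scp claim present); expected an app-only token")
    return set(claims.get("roles", []))


def check_permissions(granted, enabled_features) -> dict:
    """Compare granted permissions with those required by the enabled features."""
    required = set()
    for feature in enabled_features:
        if feature not in FEATURE_PERMISSIONS:
            raise ValueError(f"unknown feature: {feature}")
        required |= FEATURE_PERMISSIONS[feature]
    granted = set(granted)
    unneeded = granted - required
    return {
        "missing": sorted(required - granted),
        "unneeded": sorted(unneeded),
        # Write-capable grants that no enabled feature uses deserve a closer look.
        "unneeded_write": sorted(p for p in unneeded if "ReadWrite" in p or "Invite" in p),
    }


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned token for offline testing. NOT a real Entra ID token."""
    def b64url(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64url({"alg": "none", "typ": "JWT"}), b64url(claims), ""])


# Constructed sample: a token granted more write access than the features need.
SAMPLE_TOKEN = make_constructed_token({
    "aud": "https://graph.microsoft.com",
    "appid": "00000000-0000-0000-0000-000000000000",  # placeholder app id
    "roles": ["User.Read.All", "Group.Read.All", "User.ReadWrite.All"],
})


def run_sample() -> dict:
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    return check_permissions(
        granted_app_permissions(claims),
        ["account_aggregation", "group_aggregation", "group_provisioning"],
    )


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

In the sample, Group.ReadWrite.All is reported as missing (group provisioning cannot work) and User.ReadWrite.All as an unneeded write grant, which is the case an admin consent review should catch before the connector goes live. A real token can be obtained with the client credentials flow and passed to `decode_jwt_claims` in place of `SAMPLE_TOKEN`.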
To perform Set Password and Delete User operations, the application created on Azure must have the User Administrator role.
To manage users with administrative roles, an application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role.
Use the Azure portal to assign the previously mentioned administrative roles. For more information, refer to Assign Microsoft Entra Roles to Users.