Required Permissions
Following permissions must be granted to the client application created in Azure:
-
Read Directory Data
-
Read and Write Directory Data
To grant permissions to the client application:
-
Select API permissions in Azure Active Directory console.
-
Select Add a permission.
-
On the Request API permissions page, you will see a list of supported APIs. Select Microsoft Graph API.
-
Select Application permissions under What type of permissions does your application require?
-
Under Select permissions, choose permissions mentioned in the following permission table. Select Add permissions.
-
In Grant consent, select Grant admin consent for your configuration and directory. On the pop-up dialog box, select Yes.
|
Permission |
Type |
Purpose |
|---|---|---|
|
User.Invite.All |
Application |
Creating / Inviting B2B User |
|
User.Read.All |
Application |
Account Aggregation, Account Delta, Get Object, Roles and Groups Membership Aggregation |
|
User.ReadWrite.All |
Application |
Create User, Update User Properties (Non Entitlement), Add / Remove License Pack and Plan, Enable/ Disable User Account, Delete User |
|
Organization.Read.All |
Application |
Aggregate License Pack and Plan Details of tenant |
|
RoleManagement.ReadWrite.Directory |
Application |
Add / Remove Directory Roles |
|
User.Read |
Application |
Pass-through Authentication |
|
Group.Read.All |
Application |
Group Aggregation |
|
Group.ReadWrite.All |
Application |
Create Group, Update Group, Delete Group |
|
Application.Read.All |
Application |
Service Principal Aggregation |
|
AppRoleAssignment.ReadWrite.All |
Application |
Add / Remove users from Service Principal |
|
RoleManagement.ReadWrite.Directory |
Application |
Role provisioning (if defined as Entitlement object) |
|
RoleManagement.Read.Directory |
Application |
Role Aggregation (if defined as Entitlement object) |
|
Applicable for SAML Bearer Assertion, Refresh Token / AuthCode and JWT Certificate Credentials Grant Types |
||
|
Directory.AccessAsUser.All |
Delegated |
Change Password, Delete User |
|
Applicable for Access Packages Management |
||
|
EntitlementManagement.ReadWrite.All |
Application |
Add / Remove Access Packages |
|
EntitlementManagement.Read.All |
Application |
Access Package Aggregation |
|
Applicable for Multi-Factor Authentication Management |
||
|
UserAuthenticationMethod.Read.All |
Application |
MFA Related User Information Aggregation |
|
UserAuthenticationMethod.ReadWrite.All |
Application |
Add / Update / Remove MFA Related User Information |
To perform Set Password and Delete user operations, an application created on Azure must have the User Administrator role.
To manage users with administrative roles, an application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role.
Use the Azure portal to assign the previously mentioned administrative roles. For more information, refer to Assign Azure AD Roles to Users.