Required Permissions

Following permissions must be granted to the client application created in Azure:

  • Read Directory Data

  • Read and Write Directory Data

To grant permissions to the client application:

  1. Select API permissions in Azure Active Directory console.

  2. Select Add a permission.

  3. On the Request API permissions page, you will see a list of supported APIs. Select Microsoft Graph API.

  4. Select Application permissions under What type of permissions does your application require?

  5. Under Select permissions, choose permissions mentioned in the following permission table. Select Add permissions.

  6. In Grant consent, select Grant admin consent for your configuration and directory. On the pop-up dialog box, select Yes.


Granular Level Application Permission

Permission

Type

Purpose

User.Invite.All

Application

Creating / Inviting B2B User

User.Read.All

Application

Account Aggregation, Account Delta, Get Object, Roles and Groups Membership Aggregation

User.ReadWrite.All

Application

Create User, Update User Properties (Non Entitlement), Add / Remove License Pack and Plan, Enable/ Disable User Account, Delete User

Organization.Read.All

Application

Aggregate License Pack and Plan Details of tenant

RoleManagement.ReadWrite.Directory

Application

Add / Remove Directory Roles

User.Read

Application

Pass-through Authentication

Group.Read.All

Application

Group Aggregation

Group.ReadWrite.All

Application

Create Group, Update Group, Delete Group

Application.Read.All

Application

Service Principal Aggregation

AppRoleAssignment.ReadWrite.All

Application

Add / Remove users from Service Principal

RoleManagement.ReadWrite.Directory

Application

Role provisioning (if defined as Entitlement object)

RoleManagement.Read.Directory

Application

Role Aggregation (if defined as Entitlement object)

Applicable for SAML Bearer Assertion, Refresh Token / AuthCode and JWT Certificate Credentials Grant Types

Directory.AccessAsUser.All

Delegated

Change Password, Delete User

Applicable for Access Packages Management

EntitlementManagement.ReadWrite.All

Application

Add / Remove Access Packages

EntitlementManagement.Read.All

Application

Access Package Aggregation

Applicable for Multi-Factor Authentication Management

UserAuthenticationMethod.Read.All

Application

MFA Related User Information Aggregation

UserAuthenticationMethod.ReadWrite.All

Application

Add / Update / Remove MFA Related User Information

To perform Set Password and Delete user operations, an application created on Azure must have the User Administrator role.

To manage users with administrative roles, an application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role.

Use the Azure portal to assign the previously mentioned administrative roles. For more information, refer to Assign Azure AD Roles to Users.