Required Permissions
Note
This list of permissions includes the most commonly used features from the connector, however there may be custom permissions and roles required for certain specific features. Ensure to read the details for each feature in the Supported Features section.
If you don’t want to provide granular permissions on each API, provide the following permissions on the entire directory to the client application created in Azure, which will enable the connector to perform read and write operations on users and groups (excluding deleting users and groups) :
-
Directory.Read.All (Read Directory Data)
-
Directory.ReadWrite.All (Read and Write Directory Data)
To grant permissions to the client application:
-
Select API permissions in the Microsoft Entra console.
-
Select Add a permission.
-
On the Request API permissions page, you will see a list of supported APIs. Select Microsoft Graph API.
-
Select Application permissions under What type of permissions does your application require?
-
Under Select permissions, choose permissions mentioned in the following permission table. Select Add permissions.
-
In Grant consent, select Grant admin consent for your configuration and directory. On the pop-up dialog box, select Yes.
|
Permission |
Type |
Purpose |
|---|---|---|
|
User.Invite.All |
Application |
Creating / Inviting B2B User |
|
User.Read.All |
Application |
Account Aggregation, Account Delta, Get Object, Roles and Groups Membership Aggregation |
|
User.ReadWrite.All |
Application |
Create User, Update User Properties (Non Entitlement), Add / Remove License Pack and Plan, Enable/ Disable User Account, Delete User |
|
Organization.Read.All |
Application |
Aggregate License Pack and Plan Details of tenant |
|
RoleManagement.ReadWrite.Directory |
Application |
Add / Remove Directory Roles |
|
User.Read |
Application |
Pass-through Authentication |
|
Group.Read.All |
Application |
Group Aggregation |
|
Group.ReadWrite.All |
Application |
Create Group, Update Group, Delete Group |
|
Application.Read.All |
Application |
Aggregation of Application Roles |
|
AppRoleAssignment.ReadWrite.All |
Application |
Add / Remove users from Service Principal |
|
DelegatedPermissionGrant.Read.All |
Application |
Aggregation of Admin/User Consented Permissions for Service Principals |
|
RoleManagement.ReadWrite.Directory |
Application |
Role provisioning (if defined as Entitlement object) |
|
RoleManagement.Read.Directory |
Application |
Role Aggregation (if defined as Entitlement object) |
|
Applicable for SAML Bearer Assertion, Refresh Token / AuthCode and JWT Certificate Credentials Grant Types |
||
|
Directory.AccessAsUser.All |
Delegated |
Change Password, Delete User |
|
Applicable for Access Packages Management |
||
|
EntitlementManagement.ReadWrite.All |
Application |
Add / Remove Access Packages |
|
EntitlementManagement.Read.All |
Application |
Access Package Aggregation |
To perform Set Password and Delete user operations, an application created on Azure must have the User Administrator role.
To manage users with administrative roles, an application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role.
Use the Azure portal to assign the previously mentioned administrative roles. For more information, refer to Assign Microsoft Entra Roles to Users.