Required Permissions
Note
This list of permissions includes the most commonly used features from the connector, however there may be custom permissions and roles required for certain specific features. Ensure to read the details for each feature in the Supported Features section.
If you don’t want to provide granular permissions on each API, provide the following permissions on the entire directory to the client application created in Azure, which will enable the connector to perform read and write operations on users and groups (excluding deleting users and groups) :
-
Directory.Read.All (Read Directory Data)
-
Directory.ReadWrite.All (Read and Write Directory Data)
Assigning Necessary Permissions to the Client Application
To grant the necessary permissions to the client application, follow these steps:
-
In the Microsoft Entra console, go to API permissions and select Add a permission.
-
On the Request API permissions page, select Microsoft Graph API from the list of APIs.
-
For the permission type, select Application permissions.
-
Under Select permissions, choose the permissions listed in the table below, and then select Add permissions.
-
Go to the Grant consent section and select Grant admin consent for your directory.
-
When the confirmation dialog appears, select Yes.
Granular Level Application Permission
-
To perform Set Password and Delete user operations, an application created on Azure must have the User Administrator role.
-
To manage users with administrative roles, an application created on Azure must have the User Administrator or Global Administrator role and the Privileged Authentication Administrator role.
-
Use the Azure portal to assign the previously mentioned administrative roles. For more information, refer to Assign Microsoft Entra Roles to Users.
The following table lists the required permission types and their purposes:
|
Permission |
Type |
Purpose |
|---|---|---|
|
User.Invite.All |
Application |
Creating / Inviting B2B User |
|
User.Read.All |
Application |
Account Aggregation, Account Delta, Get Object, Roles and Groups Membership Aggregation |
|
User.ReadWrite.All |
Application |
Create User, Update User Properties (Non Entitlement), Add / Remove License Pack and Plan, Enable/ Disable User Account, Delete User |
|
Organization.Read.All |
Application |
Aggregate License Pack and Plan Details of tenant |
|
RoleManagement.ReadWrite.Directory |
Application |
Add / Remove Directory Roles |
|
User.Read |
Application |
Pass-through Authentication |
|
Group.Read.All |
Application |
Group Aggregation |
|
Group.ReadWrite.All |
Application |
Create Group, Update Group, Delete Group |
|
Application.Read.All |
Application |
Aggregation of Application Roles |
|
AppRoleAssignment.ReadWrite.All |
Application |
Add / Remove users from Service Principal |
|
DelegatedPermissionGrant.Read.All |
Application |
Aggregation of Admin/User Consented Permissions for Service Principals |
|
RoleManagement.ReadWrite.Directory |
Application |
Role provisioning (if defined as Entitlement object) |
|
RoleManagement.Read.Directory |
Application |
Role Aggregation (if defined as Entitlement object) |
|
Applicable for SAML Bearer Assertion, Refresh Token / AuthCode and JWT Certificate Credentials Grant Types |
||
|
Directory.AccessAsUser.All |
Delegated |
Change Password, Delete User |
|
Applicable for Access Packages Management |
||
|
EntitlementManagement.ReadWrite.All |
Application |
Add / Remove Access Packages |
|
EntitlementManagement.Read.All |
Application |
Access Package Aggregation |
|
Applicable for User Management |
||
|
User.EnableDisableAccount.All |
Application |
Delete User |
|
User-PasswordProfile.ReadWrite.All |
Application |
Set Password |