The Microsoft Graph API connects many different resources and the data of millions of users on the Microsoft cloud.


It gives either a native application or a web application the ability to traverse between resources, access them and perform actions on them. It also provides insight and intelligence about Microsoft Graph data, such as trending files and the people most relevant to a specific user. See the official Microsoft Graph documentation for more:

https://developer.microsoft.com/en-us/graph/docs/concepts/overview

Great power comes with great responsibility: we cannot grant our application every API in Microsoft Graph, so there must be restrictions. To use a specific API, we have to grant the application the permission that covers that API.

We declare application permissions in two places while developing: when we first create the application in the Application Registration Portal, and when we send the scope to Azure AD to get the access token.

These permissions are granted (or denied) when the user signs in for the first time.
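The scope string sent to Azure AD differs between the two permission kinds, and the access token that comes back records which kind was granted. The following is an added example (not code from the original post or from Microsoft): it builds the scope parameter, reads the granted permissions out of a constructed, unsigned token payload, and flags any permission the token carries beyond what the app registration declared. It assumes the standard Azure AD claim names `scp` (delegated scopes) and `roles` (application permissions) and the `.default` scope of the Graph resource.

```python
import base64
import json

# Scope strings an app sends to Azure AD for the two permission kinds on this page.
# Delegated: the permission names, space separated.
# Application (client credentials): the ".default" scope of the Graph resource,
# which requests every application permission already consented for the app.
GRAPH_RESOURCE = "https://graph.microsoft.com"

def scope_parameter(permissions, application=False):
    if application:
        return f"{GRAPH_RESOURCE}/.default"
    return " ".join(sorted(permissions))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(token):
    # Demonstration only: reads the payload without verifying the signature.
    # A real API must validate signature, issuer, audience and expiry first.
    return json.loads(_b64url_decode(token.split(".")[1]))

def permission_type(claims):
    # Delegated tokens carry the granted scopes in "scp" (space-separated string);
    # application tokens carry the granted app roles in "roles" (a list).
    if "scp" in claims and "roles" not in claims:
        return "delegated"
    if "roles" in claims and "scp" not in claims:
        return "application"
    return "unknown"

def granted_permissions(claims):
    if "scp" in claims:
        return set(claims["scp"].split())
    return set(claims.get("roles", []))

def unexpected_permissions(claims, declared):
    # Permissions in the token beyond those the app registration declared
    # point at over-granting, or at a token minted for a different app.
    return granted_permissions(claims) - set(declared)

def _constructed_token(payload):
    # Constructed, unsigned token for the example; not issued by Azure AD.
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}."

DECLARED = ["User.Read", "Mail.Read"]  # what the app registration asked for
DELEGATED_TOKEN = _constructed_token({"aud": GRAPH_RESOURCE, "scp": "User.Read Mail.Read Mail.ReadWrite"})
APP_TOKEN = _constructed_token({"aud": GRAPH_RESOURCE, "roles": ["Mail.Read"]})

if __name__ == "__main__":
    for tok in (DELEGATED_TOKEN, APP_TOKEN):
        claims = token_claims(tok)
        print(permission_type(claims), sorted(unexpected_permissions(claims, DECLARED)))
```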

Choosing the right permissions is crucial for your application.

For details of the available permissions, look up the permissions reference:

https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference

I extracted some information for quick reference here.

| Permission name | Description for delegated permission | Description for application permission |
|---|---|---|
| Calendars.Read | Allows the app to read events in user calendars. | Allows the app to read events of all calendars without a signed-in user. |
| Calendars.Read.Shared | Allows the app to read events in all calendars that the user can access, including delegate and shared calendars. | |
| Calendars.ReadWrite | Allows the app to create, read, update, and delete events in user calendars. | Allows the app to create, read, update, and delete events of all calendars without a signed-in user. |
| Calendars.ReadWrite.Shared | Allows the app to create, read, update and delete events in all calendars in the organization the user has permissions to access. This includes delegate and shared calendars. | |
| Contacts.Read | Allows the app to read user contacts. | Allows the app to read all contacts in all mailboxes without a signed-in user. |
| Contacts.Read.Shared | Allows the app to read contacts a user has permissions to access, including their own and shared contacts. | |
| Contacts.ReadWrite | Allows the app to create, read, update, and delete user contacts. | Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. |
| Contacts.ReadWrite.Shared | Allows the app to create, read, update, and delete contacts a user has permissions to, including their own and shared contacts. | |
| Device.Command | Allows the app to launch another app or communicate with another app on a user’s device on behalf of the signed-in user. | |
| Device.Read | Allows the app to read a user’s list of devices on behalf of the signed-in user. | |
| Device.ReadWrite.All | | Allows the app to read and write all device properties without a signed-in user. Does not allow device creation, device deletion or update of device alternative security identifiers. |
| DeviceManagementApps.Read.All | Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | |
| DeviceManagementApps.ReadWrite.All | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune. | |
| DeviceManagementConfiguration.Read.All | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | |
| DeviceManagementConfiguration.ReadWrite.All | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | |
| DeviceManagementManagedDevices.PrivilegedOperations.All | Allows the app to perform remote high-impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune. | |
| DeviceManagementManagedDevices.Read.All | Allows the app to read the properties of devices managed by Microsoft Intune. | |
| DeviceManagementManagedDevices.ReadWrite.All | Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high-impact operations such as remote wipe and password reset on the device’s owner. | |
| DeviceManagementRBAC.Read.All | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | |
| DeviceManagementRBAC.ReadWrite.All | Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings. | |
| DeviceManagementServiceConfig.Read.All | Allows the app to read Microsoft Intune service properties including device enrollment and third-party service connection configuration. | |
| DeviceManagementServiceConfig.ReadWrite.All | Allows the app to read and write Microsoft Intune service properties including device enrollment and third-party service connection configuration. | |
| Directory.AccessAsUser.All | Allows the app to have the same access to information in the directory as the signed-in user. | |
| Directory.Read.All | Allows the app to read data in your organization’s directory, such as users, groups and apps. | Allows the app to read data in your organization’s directory, such as users, groups and apps, without a signed-in user. |
| Directory.ReadWrite.All | Allows the app to read and write data in your organization’s directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords. | Allows the app to read and write data in your organization’s directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. |
| Domain.ReadWrite.All | | Allows the app to read and write all domain properties without a signed-in user. Also allows the app to add, verify and remove domains. |
| EduAdministration.Read | Read the state and settings of all Microsoft education apps on behalf of the user. | |
| EduAdministration.ReadWrite | Manage the state and settings of all Microsoft education apps on behalf of the user. | |
| EduAdministration.Read.All | | Read the state and settings of all Microsoft education apps. |
| EduAdministration.ReadWrite.All | | Manage the state and settings of all Microsoft education apps. |
| EduAssignments.Read | Allows the app to read assignments and their grades on behalf of the user. | |
| EduAssignments.ReadBasic | Allows the app to read assignments without grades on behalf of the user. | |
| EduAssignments.ReadWrite | Allows the app to read and write assignments and their grades on behalf of the user. | |
| EduAssignments.ReadWriteBasic | Allows the app to read and write assignments without grades on behalf of the user. | |
| EduAssignments.Read.All | | Allows the app to read assignments and their grades for all users. |
| EduAssignments.ReadBasic.All | | Allows the app to read assignments without grades for all users. |
| EduAssignments.ReadWrite.All | | Allows the app to read and write assignments and their grades for all users. |
| EduAssignments.ReadWriteBasic.All | | Allows the app to read and write assignments without grades for all users. |
| EduRoster.Read | Allows the app to read the structure of schools and classes in an organization’s roster and education-specific information about users on behalf of the user. | |
| EduRoster.ReadBasic | Allows the app to read a limited subset of the properties from the structure of schools and classes in an organization’s roster and a limited subset of properties about users on behalf of the user. Includes name, status, education role, email address and photo. | |
| EduRoster.ReadWrite | Allows the app to read and write the structure of schools and classes in an organization’s roster and education-specific information about users on behalf of the user. | |
| EduRoster.Read.All | | Allows the app to read the structure of schools and classes in the organization’s roster and education-specific information about all users. |
| EduRoster.ReadBasic.All | | Allows the app to read a limited subset of properties from both the structure of schools and classes in the organization’s roster and education-specific information about all users. Includes name, status, role, email address and photo. |
| EduRoster.ReadWrite.All | | Allows the app to read and write the structure of schools and classes in the organization’s roster and education-specific information about all users. |
| Files.Read | Allows the app to read the signed-in user’s files. | |
| Files.Read.All | Allows the app to read all files the signed-in user can access. | Allows the app to read all files in all site collections without a signed-in user. |
| Files.Read.Selected (Preview) | Allows the app to read files that the user selects. The app has access for several hours after the user selects a file. Only exposed to working with Office 365 file handlers (v1.0). | |
| Files.ReadWrite | Allows the app to read, create, update and delete the signed-in user’s files. | |
| Files.ReadWrite.All | Allows the app to read, create, update and delete all files the signed-in user can access. | Allows the app to read, create, update and delete all files in all site collections without a signed-in user. |
| Files.ReadWrite.AppFolder (Preview) | Allows the app to read, create, update and delete files in the application’s folder. | |
| Files.ReadWrite.Selected (Preview) | Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file. Only exposed to working with Office 365 file handlers (v1.0). | |
| Group.Read.All | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. | Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user. |
| Group.ReadWrite.All | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user. |
| IdentityRiskEvent.Read.All | Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user. | Allows the app to read the identity risk event information for your organization without a signed-in user. |
| Mail.Read | Allows the app to read email in user mailboxes. | Allows the app to read mail in all mailboxes without a signed-in user. |
| Mail.Read.Shared | Allows the app to read mail a user can access, including their own and shared mail. | |
| Mail.ReadWrite | Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. | Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail. |
| Mail.ReadWrite.Shared | Allows the app to create, read, update, and delete mail a user has permission to access, including their own and shared mail. Does not include permission to send mail. | |
| Mail.Send | Allows the app to send mail as users in the organization. | Allows the app to send mail as any user without a signed-in user. |
| Mail.Send.Shared | Allows the app to send mail as the signed-in user, including sending on behalf of others. | |
| MailboxSettings.Read | Allows the app to read the user’s mailbox settings. Does not include permission to send mail. | Allows the app to read users’ mailbox settings without a signed-in user. Does not include permission to send mail. |
| MailboxSettings.ReadWrite | Allows the app to create, read, update, and delete the user’s mailbox settings. Does not include permission to send mail. | Allows the app to create, read, update, and delete users’ mailbox settings without a signed-in user. Does not include permission to send mail. |
| Member.Read.Hidden | | Allows the app to read the memberships of hidden groups and administrative units without a signed-in user. |
| Notes.Create | Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user. | |
| Notes.Read | Allows the app to read OneNote notebooks on behalf of the signed-in user. | |
| Notes.Read.All | Allows the app to read OneNote notebooks that the signed-in user has access to in the organization. | Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. |
| Notes.ReadWrite | Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user. | |
| Notes.ReadWrite.All | Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization. | Allows the app to read all the OneNote notebooks in your organization, without a signed-in user. |
| People.Read | Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype). | |
| People.Read.All | Allows the app to read a scored list of relevant people of the signed-in user or other users in the signed-in user’s organization. The list can include local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype). | Allows the app to read any user’s scored list of relevant people, without a signed-in user. The list can include local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype). |
| Reports.Read.All | Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. | Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory. |
| Sites.FullControl.All | | Allows the app to have full control of all site collections without a signed-in user. |
| Sites.Manage.All | | Allows the app to create or delete document libraries and lists in all site collections without a signed-in user. |
| Sites.Read.All | Allows the application to read documents and list items in all site collections on behalf of the signed-in user. | Allows the app to read documents and list items in all site collections without a signed-in user. |
| Sites.ReadWrite.All | Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user. | Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user. |
| Tasks.Read | Allows the app to read user tasks. | |
| Tasks.Read.Shared | Allows the app to read tasks a user has permissions to access, including their own and shared tasks. | |
| Tasks.ReadWrite | Allows the app to create, read, update and delete tasks and plans (and tasks in them) that are assigned to or shared with the signed-in user. | |
| Tasks.ReadWrite.Shared | Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks. | |
| User.Invite.All | Allows the app to invite guest users to the organization, on behalf of the signed-in user. | Allows the app to invite guest users to the organization, without a signed-in user. |
| User.Read | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | |
| User.Read.All | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Allows the app to read user profiles without a signed-in user. |
| User.ReadBasic.All | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo. | |
| User.ReadWrite | Allows the app to read your profile. It also allows the app to update your profile information on your behalf. | |
| User.ReadWrite.All | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | Allows the app to read and update user profiles without a signed-in user. |
| UserTimelineActivity.Write.CreatedByApp | Allows the app to report the signed-in user’s app activity information to Microsoft Timeline. | |

Delegated permissions: used by apps that have a signed-in user. The app has permission to act as the signed-in user when calling Microsoft Graph APIs.

A delegated permission can be consented to either by a user or, where higher privilege is required, by an admin.

Application permissions: used by apps that do not have a signed-in user. Application permissions are granted by an administrator of the organization.

Keep in mind that delegated permissions and application permissions are separate. Even when they have the same name, they may have a different scope and access level.

 

It is not guaranteed that an app granted a permission will have access to all the data that permission allows; it also depends on the access privileges of the signed-in user.

For example: permission X gives access to data A and B, and user Y has access to data B and C. So when user Y consents to the app having permission X, the app will have access to B only.

In general, if a user has a set of permissions Y and the application requests a set of permissions X, the permissions the application can actually be granted are Z = X ∩ Y.

These are called effective permissions.
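An added model of the effective-permission rule above (not code from the original post or from Microsoft). It applies the page's Z = X ∩ Y to a constructed tenant, using the Mail.Read and Mail.Read.Shared descriptions from the table, so that the same permission name shows a different reach as a delegated grant (capped by the signed-in user) and as an application grant (no signed-in user). All mailbox and user data is constructed for the example.

```python
def effective_data(permission_data, user_data=None):
    """Data an app can actually reach through one permission.

    permission_data: what the permission nominally covers.
    user_data: what the signed-in user can access, or None for an
    application permission, where there is no signed-in user.
    """
    if user_data is None:
        return set(permission_data)
    return set(permission_data) & set(user_data)

def effective_permissions(requested, user_permissions):
    """The page's general rule over permission names: Z = X ∩ Y."""
    return set(requested) & set(user_permissions)

# Constructed tenant: personal mailboxes plus shared mailboxes.
PERSONAL_MAILBOXES = {"alice", "bob", "carol"}
SHARED_MAILBOXES = {"sales-shared", "support-shared"}
ALL_MAILBOXES = PERSONAL_MAILBOXES | SHARED_MAILBOXES

def mail_permission_covers(permission, user=None):
    """Nominal coverage of the Mail.Read family, following the table's wording."""
    if user is None:
        # Application form: "read mail in all mailboxes without a signed-in user".
        if permission != "Mail.Read":
            raise ValueError("only Mail.Read has an application form in the table")
        return ALL_MAILBOXES
    if permission == "Mail.Read":
        # Delegated: "read email in user mailboxes", i.e. the user's own mailbox.
        return {user["name"]}
    if permission == "Mail.Read.Shared":
        # Delegated: "mail a user can access, including their own and shared mail".
        return {user["name"]} | SHARED_MAILBOXES
    raise ValueError(f"unknown permission {permission!r}")

def mailboxes_reachable(permission, user=None):
    """Effective mailbox reach for a delegated (user given) or application call."""
    covered = mail_permission_covers(permission, user)
    if user is None:
        return effective_data(covered)
    # User side of the intersection: own mailbox plus shared mailboxes granted to them.
    return effective_data(covered, {user["name"]} | set(user["shared"]))

ALICE = {"name": "alice", "shared": {"sales-shared"}}  # constructed user

if __name__ == "__main__":
    print(effective_data({"A", "B"}, {"B", "C"}))          # the page's example: {'B'}
    print(mailboxes_reachable("Mail.Read", ALICE))         # own mailbox only
    print(mailboxes_reachable("Mail.Read.Shared", ALICE))  # own plus sales-shared
    print(mailboxes_reachable("Mail.Read"))                # every mailbox, no user cap
```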

 

Permissions can be supported by Microsoft (personal) accounts only, by work or school accounts only, or by both.

For example, all Shared permissions describe relationships between users in an organization, so naturally they are supported only by work or school accounts.

Application permissions can only be granted by administrators, so they are supported only by work or school accounts.

 

Also, note that some permissions have preview/beta status. They are still in development and may change in the future.
