Table of Contents

Application.ReadWrite.All

Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. Does not allow management of consent grants.

Permissions that allow managing credentials, such as Application.ReadWrite.All, allow an application to act as other entities, and use the privileges they were granted. Use caution when granting any of these permissions.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Application.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category Application Delegated
Identifier 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 bdfbf15f-ee85-4955-8675-146e8e5296b5
DisplayText Read and write all applications Read and write all applications
Description Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. Does not allow management of consent grants.
AdminConsentRequired Yes Yes

Graph Methods

API supports delegated access (access on behalf of a user)
API supports app-only access (access without a user)

Methods
DELETE /applications(appId='{appId}')
DELETE /applications(appId='{appId}')/extensionProperties/{extensionPropertyId}
DELETE /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialId}
DELETE /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialName}
DELETE /applications(appId='{appId}')/owners/{id}/$ref
DELETE /applications(appId='{appId}')/tokenIssuancePolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
DELETE /applications(appId='{appId}')/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
DELETE /applications/{application ObjectId}/extensionProperties/{extensionPropertyId}
DELETE /applications/{applicationObjectId}
DELETE /applications/{applicationObjectId}/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
DELETE /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}
DELETE /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}
DELETE /applications/{id}/owners/{id}/$ref
DELETE /applications/{id}/tokenIssuancePolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
DELETE /directory/deletedItems/{id}
DELETE /directoryObjects/{id}
DELETE /schemaExtensions/{id}
Application.ReadWrite.All and Directory.ReadWrite.All
DELETE /servicePrincipals(appId='{appId}')
DELETE /servicePrincipals(appId='{appId}')/claimsMappingPolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
DELETE /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
DELETE /servicePrincipals(appId='{appId}')/owners/{id}/$ref
DELETE /servicePrincipals(appId='{appId}')/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
DELETE /servicePrincipals/{id}
DELETE /servicePrincipals/{id}/claimsMappingPolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
DELETE /servicePrincipals/{id}/homeRealmDiscoveryPolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
DELETE /serviceprincipals/{id}/owners/{id}/$ref
DELETE /servicePrincipals/{servicePrincipalObjectId}/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
DELETE /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/$ref
DELETE /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/targetDeviceGroups/{targetDeviceGroupId}/$ref
GET /applications
GET /applications(appId='{appId}')
GET /applications(appId='{appId}')/extensionProperties
GET /applications(appId='{appId}')/extensionProperties/{extensionPropertyId}
GET /applications(appId='{appId}')/federatedIdentityCredentials
GET /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialId}
GET /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialName}
GET /applications(appId='{appId}')/owners
GET /applications(appId='{appId}')/tokenIssuancePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
GET /applications(appId='{appId}')/tokenLifetimePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
GET /applications/{application ObjectId}/extensionProperties
GET /applications/{application ObjectId}/extensionProperties/{extensionPropertyId}
GET /applications/{applicationObjectId}
GET /applications/{id}/federatedIdentityCredentials
GET /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}
GET /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}
GET /applications/{id}/owners
GET /applications/{id}/tokenIssuancePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
GET /applications/{id}/tokenLifetimePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
GET /applications/delta
GET /servicePrincipals
GET /servicePrincipals(appId='{appId}')
GET /servicePrincipals(appId='{appId}')/appRoleAssignedTo
GET /servicePrincipals(appId='{appId}')/appRoleAssignments
GET /servicePrincipals(appId='{appId}')/claimsMappingPolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
GET /servicePrincipals(appId='{appId}')/createdObjects
GET /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
GET /servicePrincipals(appId='{appId}')/memberOf
GET /servicePrincipals(appId='{appId}')/ownedObjects
GET /servicePrincipals(appId='{appId}')/owners
GET /servicePrincipals(appId='{appId}')/tokenLifetimePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
GET /servicePrincipals(appId='{appId}')/transitiveMemberOf
GET /servicePrincipals/{id}
GET /servicePrincipals/{id}/appRoleAssignedTo
GET /servicePrincipals/{id}/appRoleAssignments
GET /servicePrincipals/{id}/claimsMappingPolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
GET /servicePrincipals/{id}/createdObjects
GET /servicePrincipals/{id}/homeRealmDiscoveryPolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
GET /servicePrincipals/{id}/memberOf
GET /servicePrincipals/{id}/ownedObjects
GET /servicePrincipals/{id}/owners
GET /servicePrincipals/{id}/tokenLifetimePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
GET /servicePrincipals/{id}/transitiveMemberOf
GET /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration
GET /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/targetDeviceGroups
GET /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/targetDeviceGroups/{targetDeviceGroupId}
GET /servicePrincipals/delta
PATCH /applications(appId='{appId}')
PATCH /applications(appId='{appId}')/federatedIdentityCredentials(name='{name}')
PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialName}
PATCH /applications(uniqueName='{uniqueName}')
PATCH /applications/{applicationObjectId}
PATCH /applications/{id}/federatedIdentityCredentials(name='{name}')
PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}
PATCH /schemaExtensions/{id}
Application.ReadWrite.All and Directory.ReadWrite.All
PATCH /servicePrincipals(appId='{appId}')
PATCH /servicePrincipals(appId='appId')
PATCH /servicePrincipals/{id}
PATCH /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration
PATCH /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/targetDeviceGroups/{targetDeviceGroupId}
POST /applications
POST /applications(appId='{appId}')/addKey
POST /applications(appId='{appId}')/addPassword
POST /applications(appId='{appId}')/extensionProperties
POST /applications(appId='{appId}')/federatedIdentityCredentials
POST /applications(appId='{appId}')/owners/$ref
Application.ReadWrite.All and Directory.Read.All ▪️ Directory.Read.All and Application.ReadWrite.All
POST /applications(appId='{appId}')/removeKey
POST /applications(appId='{appId}')/removePassword
POST /applications(appId='{appId}')/setVerifiedPublisher
POST /applications(appId='{appId}')/tokenIssuancePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
POST /applications(appId='{appId}')/tokenLifetimePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
POST /applications(appId='{appId}')/unsetVerifiedPublisher
POST /applications/{application ObjectId}/extensionProperties
POST /applications/{id}/addKey
POST /applications/{id}/addPassword
POST /applications/{id}/federatedIdentityCredentials
POST /applications/{id}/owners/$ref
Application.ReadWrite.All and Directory.Read.All ▪️ Directory.Read.All and Application.ReadWrite.All
POST /applications/{id}/removeKey
POST /applications/{id}/removePassword
POST /applications/{id}/setVerifiedPublisher
POST /applications/{id}/tokenIssuancePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
POST /applications/{id}/tokenLifetimePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
POST /applications/{id}/unsetVerifiedPublisher
POST /applicationTemplates/{applicationTemplate-id}/instantiate
POST /directory/deletedItems/{id}/restore
POST /directoryObjects/{id}/checkMemberGroups
POST /directoryObjects/{id}/checkMemberObjects
POST /directoryObjects/{id}/getMemberGroups
POST /directoryObjects/{id}/getMemberObjects
POST /groups/{group-id}/members/
GroupMember.ReadWrite.All and Application.ReadWrite.All
POST /groups/{group-id}/members/$ref
GroupMember.ReadWrite.All and Application.ReadWrite.All
POST /schemaExtensions
Application.ReadWrite.All and Directory.ReadWrite.All
POST /servicePrincipals
POST /servicePrincipals(appId='{appId}')/addKey
POST /servicePrincipals(appId='{appId}')/addPassword
POST /servicePrincipals(appId='{appId}')/addTokenSigningCertificate
POST /servicePrincipals(appId='{appId}')/claimsMappingPolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
POST /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
POST /servicePrincipals(appId='{appId}')/owners/$ref
Application.ReadWrite.All and Directory.Read.All ▪️ Directory.Read.All and Application.ReadWrite.All
POST /servicePrincipals(appId='{appId}')/removeKey
POST /servicePrincipals(appId='{appId}')/removePassword
POST /servicePrincipals(appId='{appId}')/tokenLifetimePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
POST /serviceprincipals/{id}/addKey
POST /servicePrincipals/{id}/addPassword
POST /servicePrincipals/{id}/addTokenSigningCertificate
POST /servicePrincipals/{id}/claimsMappingPolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
POST /servicePrincipals/{id}/homeRealmDiscoveryPolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
POST /servicePrincipals/{id}/owners/$ref
Application.ReadWrite.All and Directory.Read.All ▪️ Directory.Read.All and Application.ReadWrite.All
POST /serviceprincipals/{id}/removeKey
POST /servicePrincipals/{id}/removePassword
POST /servicePrincipals/{id}/tokenLifetimePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
POST /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration
POST /servicePrincipals/{servicePrincipalsId}/remoteDesktopSecurityConfiguration/targetDeviceGroups

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: addIn

Property Type Description
id GUID The unique identifier for the addIn object.
properties keyValue collection The collection of key-value pairs that define parameters that the consuming service can use or call. You must specify this property when performing a POST or a PATCH operation on the addIns collection. Required.
type string The unique name for the functionality exposed by the app.