CrossTenantUserProfileSharing.ReadWrite.All

Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the CrossTenantUserProfileSharing.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	306785c5-c09b-4ba0-a4ee-023f3da165cb	64dfa325-cbf8-48e3-938d-51224a0cac01
DisplayText	Read all shared cross-tenant user profiles and export or delete their data	Read all shared cross-tenant user profiles and export or delete their data
Description	Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant without a signed-in user.	Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /directory/inboundSharedUserProfiles
	GET /directory/inboundSharedUserProfiles/{userId}
	GET /directory/outboundSharedUserProfiles
	GET /directory/outboundSharedUserProfiles/{userId}
	GET /directory/outboundSharedUserProfiles/{userId}/tenants
	POST /directory/inboundSharedUserProfiles/{userId}/exportPersonalData
	POST /directory/inboundSharedUserProfiles/{userId}/removePersonalData
	POST /directory/outboundSharedUserProfiles/{userId}/tenants/{tenantId}/removePersonalData

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Export-MgBetaDirectoryInboundSharedUserProfilePersonalData
	Get-MgBetaDirectoryInboundSharedUserProfile
	Get-MgBetaDirectoryOutboundSharedUserProfile
	Get-MgBetaDirectoryOutboundSharedUserProfileTenant
	Remove-MgBetaDirectoryInboundSharedUserProfilePersonalData
	Remove-MgBetaDirectoryOutboundSharedUserProfileTenantPersonalData

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: inboundSharedUserProfile

Property	Type	Description
displayName	String	The name displayed in the address book for the user at the time when the sharing record was created. Read-only.
homeTenantId	String	The home tenant id of the external user. Read-only.
userId	String	The object id of the external user. Read-only.
userPrincipalName	String	The user principal name (UPN) of the external user. Read-only.

Table of Contents

CrossTenantUserProfileSharing.ReadWrite.All

Graph Methods

Resources