Directory.Read.All

Allows the app to read data in your organization's directory, such as users, groups and apps.

Caution

Directory permissions provide the highest level of privilege for accessing directory resources such as users, groups, and devices in an organization.

They also exclusively control access to other directory resources, such as organizational contacts and schema extensions, and to many further directory resources including administrative units, directory roles, directory settings, and policies.

Before December 3rd, 2020, when the application permission Directory.Read.All was granted, the Directory Readers directory role was also assigned to the app's service principal. This directory role isn't removed automatically when the associated application permissions are revoked. To remove an application's access to read or write to the directory, customers must also remove any directory roles that were granted to the application.

A service update disabling this behavior began rolling out on December 3rd, 2020. Deployment to all customers completed on January 11th, 2021. Directory roles are no longer automatically assigned when application permissions are granted.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Directory.Read.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant.

Category: Application
  Identifier: 7ab1d382-f21e-4acd-a863-ba3e13f7da61
  DisplayText: Read directory data
  Description: Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
  AdminConsentRequired: Yes

Category: Delegated
  Identifier: 06da0dbc-49e2-44d2-8312-53f166ab848a
  DisplayText: Read directory data
  Description: Allows the app to read data in your organization's directory, such as users, groups and apps.
  AdminConsentRequired: Yes

Graph Methods

Legend:
  API supports delegated access (access on behalf of a user)
  API supports app-only access (access without a user)

Methods

Each method that requires this permission accepts one of the following permission combinations:

AuditLog.Read.All and Directory.Read.All
EduRoster.Read and Directory.Read.All ▪️ EduRoster.Read.All and Directory.Read.All ▪️ EduRoster.ReadWrite.All and Directory.Read.All ▪️ EduRoster.Write and Directory.Read.All
Application.ReadWrite.All and Directory.Read.All ▪️ Application.ReadWrite.OwnedBy and Directory.Read.All ▪️ Directory.Read.All and Application.ReadWrite.All
AppRoleAssignment.ReadWrite.All and Directory.Read.All

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: adminConsentRequestPolicy

Property (Type): Description

isEnabled (Boolean): Specifies whether the admin consent request feature is enabled or disabled. Required.
notifyReviewers (Boolean): Specifies whether reviewers will receive notifications. Required.
remindersEnabled (Boolean): Specifies whether reviewers will receive reminder emails. Required.
requestDurationInDays (Int32): Specifies the duration, in days, that the request is active before it automatically expires if no decision is applied.
reviewers (accessReviewReviewerScope collection): The list of reviewers for the admin consent. Required.
version (Int32): Specifies the version of this policy. When the policy is updated, this version is updated. Read-only.