DirectoryRecommendations.Read.All

Allows the app to read Azure AD recommendations, on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the DirectoryRecommendations.Read.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	ae73097b-cb2a-4447-b064-5d80f6093921	34d3bd24-f6a6-468c-b67c-0c365c1d6410
DisplayText	Read all Azure AD recommendations	Read Azure AD recommendations
Description	Allows the app to read all Azure AD recommendations, without a signed-in user.	Allows the app to read Azure AD recommendations, on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /directory/recommendations
	GET /directory/recommendations/{recommendationId}
	GET /directory/recommendations/{recommendationId}/impactedResources
	GET /directory/recommendations/{recommendationId}/impactedResources/{impactedResourceId}
	GET /directory/recommendations/tenantSecureScores

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaDirectoryRecommendation
	Get-MgBetaDirectoryRecommendationImpactedResource

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: impactedResource

Property	Type	Description
addedDateTime	DateTimeOffset	The date and time when the impactedResource object was initially associated with the recommendation.
additionalDetails	keyValue collection	Additional information unique to the impactedResource to help contextualize the recommendation.
apiUrl	String	The URL link to the corresponding Microsoft Entra resource.
displayName	String	Friendly name of the Microsoft Entra resource.
id	String	A unique identifier of the impacted Microsoft Entra resource.
lastModifiedBy	String	Name of the user or service that last updated the status.
lastModifiedDateTime	String	The date and time when the status was last updated.
owner	String	The user responsible for maintaining the resource.
portalUrl	String	The URL link to the corresponding Microsoft Entra admin center page of the resource.
postponeUntilDateTime	DateTimeOffset	The future date and time when the status of a postponed impactedResource will be `active` again.
rank	Int32	Indicates the importance of the resource. A resource with a rank equal to 1 is of the highest importance.
recommendationId	String	The unique identifier of the recommendation that the resource is associated with.
resourceType	String	Indicates the type of Microsoft Entra resource. Examples include `user`, `application`.
status	recommendationStatus	Indicates whether a resource needs to be addressed. The possible values are: `active`, `completedBySystem`, `completedByUser`, `dismissed`, `postponed`, `unknownFutureValue`. By default, a recommendation's status is set to `active` when the recommendation is first generated. Status is set to `completedBySystem` when our service detects that a resource which was once active no longer applies.
subjectId	String	The related unique identifier, depending on the **r

Graph reference: recommendation

Property	Type	Description
actionSteps	actionStep collection	List of actions to take to complete a recommendation. Inherited from recommendationBase.
benefits	String	An explanation of why completing the recommendation will benefit you. Corresponds to the Value section of a recommendation shown in the Microsoft Entra admin center. Inherited from recommendationBase.
category	recommendationCategory	Indicates the category of intelligent guidance that the recommendation falls under. The possible values are: `identityBestPractice`, `identitySecureScore`, `unknownFutureValue`. Inherited from recommendationBase. Supports `$filter`(`eq`).
createdDateTime	DateTimeOffset	The date and time when the recommendation was detected as applicable to your directory. Inherited from recommendationBase.
currentScore	Double	The number of points the tenant has attained. Only applies to recommendations with category set to `identitySecureScore`. Inherited from recommendationBase.
displayName	String	The title of the recommendation. Inherited from recommendationBase.
featureAreas	recommendationFeatureAreas collection	The directory feature that the recommendation is related to. Inherited from recommendationBase. Supports `$filter`(`eq`).
id	String	The unique identifier for the recommendation object generated for your tenant. This is a concatenation of your tenant ID and a Microsoft Entra ID-assigned nickname for the recommendation. For example, `7918d4b5-0442-4a97-be2d-36f9f9962ece_Microsoft.Identity.IAM.Insights.ThirdPartyApps`. Inherited from recommendationBase.
impactStartDateTime	DateTimeOffset	The future date and time when a recommendation should be completed. Inherited from recommendationBase.
impactType	String	Indicates the scope of impact of a recommendation. `Tenant level` indicates that the recommendation impacts the whole tenant. Other possible values include `users`, `applications`. Inherited from recommendationBase.
insights	String	Describes why a recommendation uniquely applies to your directory. Corresponds to the Description section of a recommendation shown in the Microsoft Entra admin center. Inherited from recommendationBase.
lastCheckedDateTime	DateTimeOffset	The most recent date and time a recommendation was deemed applicable to your directory. Inherited from recommendationBase.
lastModifiedBy	String	Name of the user who last updated the status of the recommendation. Inherited from recommendationBase.
lastModifiedDateTime	DateTimeOffset	The date and time the status of a recommendation was last updated. Inherited from recommendationBase.
maxScore	Double	The maximum number of points attainable. Only applies to recommendations with category set to `identitySecureScore`. Inherited from recommendationBase.
postponeUntilDateTime	DateTimeOffset	The future date and time when the status of a postponed recommendation will be `active` again. Inherited from recommendationBase.
priority	recommendationPriority	Indicates the time sensitivity for a recommendation to be completed. Microsoft auto assigns this value. The possible values are: `low`, `medium`, `high`. Inherited from recommendationBase. Read-only. Supports `$filter`(`eq`).
recommendationType	recommendationType	Friendly shortname to identify the recommendation. The possible values are: `adfsAppsMigration`, `enableDesktopSSO`, `enablePHS`, `enableProvisioning`, `switchFromPerUserMFA`, `tenantMFA`, `thirdPartyApps`, `turnOffPerUserMFA`, `useAuthenticatorApp`, `useMyApps`, `staleApps`, `staleAppCreds`, `applicationCredentialExpiry`, `servicePrincipalKeyExpiry`, `adminMFAV2`, `blockLegacyAuthentication`, `integratedApps`, `mfaRegistrationV2`, `pwagePolicyNew`, `passwordHashSync`, `oneAdmin`, `roleOverlap`, `selfServicePasswordReset`, `signinRiskPolicy`, `userRiskPolicy`, `verifyAppPublisher`, `privateLinkForAAD`, `appRoleAssignmentsGroups`, `appRoleAssignmentsUsers`, `managedIdentity`, `overprivilegedApps`, `unknownFutureValue`, `longLivedCredentials`, `aadConnectDeprecated`, `adalToMsalMigration`, `ownerlessApps`, `inactiveGuests`, `aadGraphDeprecationApplication`, `aadGraphDeprecationServicePrincipal`, `mfaServerDeprecation`. Note that you must use the `Prefer: include-unknown-enum-members` request header to get the following value(s) in this evolvable enum: `longLivedCredentials` , `aadConnectDeprecated` , `adalToMsalMigration` , `ownerlessApps` , `inactiveGuests` , `aadGraphDeprecationApplication` , `aadGraphDeprecationServicePrincipal` , `mfaServerDeprecation`. Inherited from recommendationBase. Currently, only a limited number are available. For more information, see Types of recommendations. Supports `$filter`(`eq`).
releaseType	releaseType	The current release type of the recommendation. The possible values are: `preview`, `generallyAvailable`, `unknownFutureValue`. Inherited from recommendationBase.
remediationImpact	String	Description of the impact on users of the remediation. Only applies to recommendations with category set to `identitySecureScore`. Inherited from recommendationBase.
status	recommendationStatus	Indicates the status of the recommendation based on user or system action. The possible values are: `active`, `completedBySystem`, `completedByUser`, `dismissed`, `postponed`, `unknownFutureValue`. By default, a recommendation's **s

Graph reference: secureScore

Property	Type	Description
activeUserCount	Int32	Active user count of the given tenant.
averageComparativeScores	averageComparativeScore collection	Average score by different scopes (for example, average by industry, average by seating) and control category (Identity, Data, Device, Apps, Infrastructure) within the scope.
azureTenantId	String	GUID string for tenant ID.
controlScores	controlScore collection	Contains tenant scores for a set of controls.
createdDateTime	DateTimeOffset	When the report was created.
currentScore	Double	Tenant current attained score on specified date.
enabledServices	String collection	Microsoft-provided services for the tenant (for example, Exchange online, Skype, Sharepoint).
id	String	Provider-generated GUID/unique identifier. Read-only. Required.
licensedUserCount	Int32	Licensed user count of the given tenant.
maxScore	Double	Tenant maximum possible score on specified date.
vendorInformation	securityVendorInformation	Complex type containing details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=SecureScore). Required.

Graph reference: tenantSecureScore

Property	Type	Description
createDateTime	DateTimeOffset	When this Secure Score was created.
tenantMaxScore	Int64	The maximum historical Secure Score for the tenant.
tenantScore	Int64	The Secure Score.

Table of Contents

DirectoryRecommendations.Read.All

Graph Methods

Resources