Table of Contents

Group.Read.All

Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access.

For Microsoft 365 groups, Group.* permissions grant the app access to the contents of the group; for example, conversations, files, notes, and so on.

In some cases, an app might need extra permissions to read some group properties like member and memberOf. For example, if a group has one or more service principals as members, the app also needs permissions to read service principals, otherwise Microsoft Graph returns an error or limited information. To read the full information, the app also needs permissions in the organization to read service principals. For more information, see Limited information returned for inaccessible member objects.

Group.* permissions are used to control access to Microsoft Teams resources and APIs. Personal Microsoft accounts are not supported.

Group.* permissions are also used to control access to Microsoft Planner resources and APIs. Only delegated permissions are supported for Microsoft Planner APIs; application permissions are not supported. Personal Microsoft accounts are not supported.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Group.Read.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category Application Delegated
Identifier 5b567255-7703-4780-807c-7be8301ae99b 5f8c59db-677d-491f-a6b8-5f174b11ec1d
DisplayText Read all groups Read all groups
Description Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access.
AdminConsentRequired Yes Yes

Graph Methods

API supports delegated access (access on behalf of a user)
API supports app-only access (access without a user)

Methods
OrgContact.Read.All and Group.Read.All

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: administrativeUnit

Property Type Description
description String An optional description for the administrative unit. Supports $filter (eq, ne, in, startsWith), $search.
displayName String Display name for the administrative unit. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby.
id String Unique identifier for the administrative unit. Read-only. Supports $filter (eq).
visibility String Controls whether the administrative unit and its members are hidden or public. Can be set to HiddenMembership. If not set (value is null), the default behavior is public. When set to HiddenMembership, only members of the administrative unit can list other members of the administrative unit.