GroupMember.ReadWrite.All

Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the GroupMember.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant.

Application permission
Identifier: dbaae8cf-10b5-4b86-a4a1-f871c94c6695
DisplayText: Read and write all group memberships
Description: Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted.
AdminConsentRequired: Yes

Delegated permission
Identifier: f81125ac-d3b7-4573-a3b2-7099cc39df9e
DisplayText: Read and write group memberships
Description: Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted.
AdminConsentRequired: Yes

Graph Methods

API supports delegated access (access on behalf of a user)
API supports app-only access (access without a user)

Methods (permission combinations)
GroupMember.ReadWrite.All and Application.ReadWrite.All
GroupMember.ReadWrite.All and Device.ReadWrite.All
GroupMember.ReadWrite.All and OrgContact.Read.All

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: device

Property Type Description
accountEnabled Boolean true if the account is enabled; otherwise, false. Required. Default is true. Supports $filter (eq, ne, not, in). Only callers with at least the Cloud Device Administrator role can set this property.
alternativeSecurityIds alternativeSecurityId collection For internal use only. Not nullable. Supports $filter (eq, not, ge, le).
approximateLastSignInDateTime DateTimeOffset The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Supports $filter (eq, ne, not, ge, le, and eq on null values) and $orderby.
complianceExpirationDateTime DateTimeOffset The timestamp when the device is no longer deemed compliant. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.
deviceCategory String User-defined property set by Intune to automatically add devices to groups and simplify managing devices.
deviceId String Unique identifier set by Azure Device Registration Service at the time of registration. This alternate key can be used to reference the device object. Supports $filter (eq, ne, not, startsWith).
deviceMetadata String For internal use only. Set to null.
deviceOwnership String Ownership of the device. Intune sets this property. Possible values are: unknown, company, personal.
deviceVersion Int32 For internal use only.
displayName String The display name for the device. Required. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby.
enrollmentProfileName String Enrollment profile applied to the device. For example, Apple Device Enrollment Profile, Device enrollment - Corporate device identifiers, or Windows Autopilot profile name. This property is set by Intune.
enrollmentType String Enrollment type of the device. Intune sets this property. Possible values are: unknown, userEnrollment, deviceEnrollmentManager, appleBulkWithUser, appleBulkWithoutUser, windowsAzureADJoin, windowsBulkUserless, windowsAutoEnrollment, windowsBulkAzureDomainJoin, windowsCoManagement, windowsAzureADJoinUsingDeviceAuth, appleUserEnrollment, appleUserEnrollmentWithServiceAccount. NOTE: This property might return other values apart from those listed.
extensionAttributes onPremisesExtensionAttributes Contains extension attributes 1-15 for the device. The individual extension attributes aren't selectable. These properties are mastered in the cloud and can be set during creation or update of a device object in Microsoft Entra ID. Supports $filter (eq, not, startsWith, and eq on null values).
id String The unique identifier for the device. Inherited from directoryObject. Key, Not nullable. Read-only. Supports $filter (eq, ne, not, in).
isCompliant Boolean true if the device complies with Mobile Device Management (MDM) policies; otherwise, false. Read-only. This can only be updated by Intune for any device OS type or by an approved MDM app for Windows OS devices. Supports $filter (eq, ne, not).
isManaged Boolean true if the device is managed by a Mobile Device Management (MDM) app; otherwise, false. This can only be updated by Intune for any device OS type or by an approved MDM app for Windows OS devices. Supports $filter (eq, ne, not).
manufacturer String Manufacturer of the device. Read-only.
isRooted Boolean true if the device is rooted or jail-broken. This property can only be updated by Intune.
managementType String The management channel of the device. This property is set by Intune. Possible values are: eas, mdm, easMdm, intuneClient, easIntuneClient, configurationManagerClient, configurationManagerClientMdm, configurationManagerClientMdmEas, unknown, jamf, googleCloudDevicePolicyController.
mdmAppId String Application identifier used to register device into MDM. Read-only. Supports $filter (eq, ne, not, startsWith).
model String Model of the device. Read-only.
onPremisesLastSyncDateTime DateTimeOffset The last time at which the object was synced with the on-premises directory. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Supports $filter (eq, ne, not, ge, le, in).
onPremisesSecurityIdentifier String The on-premises security identifier (SID) for the user who was synchronized from on-premises to the cloud. Read-only. Returned only on $select. Supports $filter (eq).
onPremisesSyncEnabled Boolean true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). Read-only. Supports $filter (eq, ne, not, in, and eq on null values).
operatingSystem String The type of operating system on the device. Required. Supports $filter (eq, ne, not, ge, le, startsWith, and eq on null values).
operatingSystemVersion String The version of the operating system on the device. Required. Supports $filter (eq, ne, not, ge, le, startsWith, and eq on null values).
physicalIds String collection For internal use only. Not nullable. Supports $filter (eq, not, ge, le, startsWith, /$count eq 0, /$count ne 0).
profileType deviceProfileType The profile type of the device. Possible values: RegisteredDevice (default), SecureVM, Printer, Shared, IoT.
registrationDateTime DateTimeOffset Date and time of when the device was registered. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only.
systemLabels String collection List of labels applied to the device by the system. Supports $filter (/$count eq 0, /$count ne 0).
trustType String Type of trust for the joined device. Read-only. Possible values: Workplace (indicates *b