Table of Contents

User.Read.All

Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the User.Read.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category Application Delegated
Identifier df021288-bdef-4463-88db-98f22de89214 a154be20-db9c-4678-8ab7-66f6cc099a59
DisplayText Read all users' full profiles Read all users' full profiles
Description Allows the app to read user profiles without a signed in user. Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Graph Methods

API supports delegated access (access on behalf of a user)
API supports app-only access (access without a user)

Methods
User.Export.All and User.Read.All

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: administrativeUnit

Property Type Description
description String An optional description for the administrative unit. Supports $filter (eq, ne, in, startsWith), $search.
displayName String Display name for the administrative unit. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderby.
id String Unique identifier for the administrative unit. Read-only. Supports $filter (eq).
visibility String Controls whether the administrative unit and its members are hidden or public. Can be set to HiddenMembership. If not set (value is null), the default behavior is public. When set to HiddenMembership, only members of the administrative unit can list other members of the administrative unit.