Zone.Read.All

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Zone.Read.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	-	-
DisplayText	-	-
Description	-	-
AdminConsentRequired	Yes	No

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /security/zones
	GET /security/zones/{zoneId}
	GET /security/zones/{zoneId}/environments
	GET /security/zones/{zoneId}/environments/{environmentId}

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

environment
zone

Graph reference: environment

Property	Type	Description
id	String	Environment identifier. Inherited from entity. Supports `$orderby` and `$filter` (`eq`, `contains`). For example, `$filter=contains(id, '123')`. For Azure subscriptions, use the `/subscriptions/{subscription-id}` format for the id property. For example, `/subscriptions/02687862-a843-4846-81f0-efe9ef244daa`. For other environment types, use the native identifier - for example, AWS account number (`181994123251`) or GCP project number (`69483221284`).
kind	microsoft.graph.security.environmentKind	Environment type. The possible values are: `azureSubscription`, `awsOrganization`, `awsAccount`, `gcpOrganization`, `gcpProject`, `dockersHubOrganization`, `devOpsConnection`, `azureDevOpsOrganization`, `gitHubOrganization`, `gitLabGroup`, `jFrogArtifactory`, `unknownFutureValue`. Supports `orderby` and `$filter` (`eq`, `in`). For example, `$filter=kind eq 'azureSubscription'` or `$filter=kind in ('azureSubscription', 'awsAccount')`.

Graph reference: zone

Property	Type	Description
created	microsoft.graph.security.auditInfo	Creation metadata, including user and timestamp. Supports `$orderby` (dateTime property only). Supports `$filter` (`ge`, `le`, `gt`, `lt`) on the dateTime property. For example, `$filter=created/dateTime ge 2023-01-01T00:00:00Z`.
description	String	Optional description of the zone. Up to 255 characters. Supports `$filter` (`eq`, `contains`). For example, `$filter=contains(description, 'production')`.
displayName	String	Human-readable name of the zone. Up to 1,024 characters. Supports `$filter` (`eq`, `contains`), and `$orderby`. For example, `$filter=displayName eq 'Production Zone'` or `$orderby=displayName asc`.
id	String	Unique identifier for the zone. Inherited from entity. Supports `$filter` (`eq`).
modified	microsoft.graph.security.auditInfo	Last modification metadata, including user and timestamp. Supports `$orderby` (**d

Table of Contents

Zone.Read.All

Graph Methods

Resources