Microsoft Graph Permissions Explorer
Click on a permission below to view the APIs that are enabled and the data objects exposed to the calling application.
Permission Scopes
| Permission | Description |
|---|---|
| AccessReview.Read.All | Read all access reviews that user can access |
| AccessReview.ReadWrite.All | Manage all access reviews that user can access |
| AccessReview.ReadWrite.Membership | Manage access reviews for group and app memberships |
| Acronym.Read.All | Read all acronyms that the user can access |
| AdministrativeUnit.Read.All | Read administrative units |
| AdministrativeUnit.ReadWrite.All | Read and write administrative units |
| AgentApplication.Create | Create agent applications. |
| AgentIdentity.Create | Create agent identities linked to itself. |
| Agreement.Read.All | Read all terms of use agreements |
| Agreement.ReadWrite.All | Read and write all terms of use agreements |
| AgreementAcceptance.Read | Read user terms of use acceptance statuses |
| AgreementAcceptance.Read.All | Read terms of use acceptance statuses that user can access |
| AiEnterpriseInteraction.Read | Read user AI enterprise interactions. |
| AiEnterpriseInteraction.Read.All | Read all AI enterprise interactions. |
| AiEnterpriseInteraction.Read.User | |
| Analytics.Read | Read user activity statistics |
| APIConnectors.Read.All | Read API connectors for authentication flows |
| APIConnectors.ReadWrite.All | Read and write API connectors for authentication flows |
| AppCatalog.Read.All | Read all app catalogs |
| AppCatalog.ReadWrite.All | Read and write to all app catalogs |
| AppCatalog.Submit | Submit application packages to the catalog and cancel pending submissions |
| AppCertTrustConfiguration.Read.All | Read the trusted certificate authority configuration for applications |
| AppCertTrustConfiguration.ReadWrite.All | Read and write the trusted certificate authority configuration for applications |
| Application-RemoteDesktopConfig.ReadWrite.All | Read and write the remote desktop security configuration for apps |
| Application.Read.All | Read applications |
| Application.ReadUpdate.All | Read and update all apps |
| Application.ReadWrite.All | Read and write all applications |
| Application.ReadWrite.OwnedBy | Manage apps that this app creates or owns |
| AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments |
| ApprovalSolution.Read | Read approvals |
| ApprovalSolution.Read.All | Read all approvals |
| ApprovalSolution.ReadWrite | Read, create, and respond to approvals |
| ApprovalSolution.ReadWrite.All | Read all approvals and manage approval subscriptions |
| ApprovalSolutionResponse.ReadWrite | Read and respond to approvals assigned to the current user |
| AttackSimulation.Read.All | Read attack simulation data of an organization |
| AttackSimulation.ReadWrite.All | Read, create, and update attack simulation data of an organization |
| AuditActivity.Read | Read activity audit log from the audit store. |
| AuditActivity.Write | Upload activity audit logs to the audit store. |
| AuditLog.Read.All | Read audit log data |
| AuditLogsQuery-CRM.Read.All | Read audit logs data from Dynamics CRM workload |
| AuditLogsQuery-Endpoint.Read.All | Read audit logs data from Endpoint Data Loss Prevention workload |
| AuditLogsQuery-Entra.Read.All | Read audit logs data from Entra (Azure AD) workload |
| AuditLogsQuery-Exchange.Read.All | Read audit logs data from Exchange workload |
| AuditLogsQuery-OneDrive.Read.All | Read audit logs data from OneDrive workload |
| AuditLogsQuery-SharePoint.Read.All | Read audit logs data from SharePoint workload |
| AuditLogsQuery.Read.All | Read audit logs data from all services |
| AuthenticationContext.Read.All | Read all authentication context information |
| AuthenticationContext.ReadWrite.All | Read and write all authentication context information |
| BackupRestore-Configuration.Read.All | Read backup configuration policies |
| BackupRestore-Configuration.ReadWrite.All | Read and edit backup configuration policies |
| BackupRestore-Control.Read.All | Read the status of the M365 backup service |
| BackupRestore-Control.ReadWrite.All | Update or read the status of the M365 backup service |
| BackupRestore-Monitor.Read.All | Read monitoring, quota and billing information for the tenant |
| BackupRestore-Restore.Read.All | Read restore sessions |
| BackupRestore-Restore.ReadWrite.All | Read restore sessions and start restore sessions from backups |
| BackupRestore-Search.Read.All | Search for metadata properties in backup snapshots |
| BillingConfiguration.ReadWrite.All | Read and write application billing configuration |
| BitlockerKey.Read.All | Read BitLocker keys |
| BitlockerKey.ReadBasic.All | Read BitLocker keys basic information |
| Bookings.Manage.All | Manage bookings information |
| Bookings.Read.All | Read bookings information |
| Bookings.ReadWrite.All | Read and write bookings information |
| BookingsAppointment.ReadWrite.All | Read and write booking appointments |
| Bookmark.Read.All | Read all bookmarks that the user can access |
| BrowserSiteLists.Read.All | Read browser site lists for your organization |
| BrowserSiteLists.ReadWrite.All | Read and write browser site lists for your organization |
| BusinessScenarioConfig.Read.All | Read business scenario configurations |
| BusinessScenarioConfig.Read.OwnedBy | Read business scenario configurations this app creates or owns |
| BusinessScenarioConfig.ReadWrite.All | Read and write business scenario configurations |
| BusinessScenarioConfig.ReadWrite.OwnedBy | Read and write business scenario configurations this app creates or owns |
| BusinessScenarioData.Read.OwnedBy | Read all data for business scenarios this app creates or owns |
| BusinessScenarioData.ReadWrite.OwnedBy | Read and write all data for business scenarios this app creates or owns |
| Calendars.Read | Read user calendars |
| Calendars.Read.Shared | Read user and shared calendars |
| Calendars.ReadBasic | Read basic details of user calendars |
| Calendars.ReadBasic.All | Read basic details of calendars in all mailboxes |
| Calendars.ReadWrite | Have full access to user calendars |
| Calendars.ReadWrite.Shared | Read and write user and shared calendars |
| CallAiInsights.Read.All | Read all AI Insights for calls. |
| CallDelegation.Read | Read delegation settings |
| CallDelegation.Read.All | Read delegation settings |
| CallDelegation.ReadWrite | Read and write delegation settings |
| CallDelegation.ReadWrite.All | Read and write delegation settings |
| CallEvents-Emergency.Read.All | Read all emergency call events |
| CallEvents.Read | Read call event data |
| CallEvents.Read.All | Read all call events |
| CallRecord-PstnCalls.Read.All | Read PSTN and direct routing call log data |
| CallRecordings.Read.All | Read all recordings of calls. |
| CallRecords.Read.All | Read all call records |
| Calls.AccessMedia.All | Access media streams in a call as an app |
| Calls.Initiate.All | Initiate outgoing 1 to 1 calls from the app |
| Calls.InitiateGroupCall.All | Initiate outgoing group calls from the app |
| Calls.JoinGroupCall.All | Join group calls and meetings as an app |
| Calls.JoinGroupCallAsGuest.All | Join group calls and meetings as a guest |
| Calls.JoinGroupCalls.Chat | |
| CallTranscripts.Read.All | Read all transcripts of calls. |
| ChangeManagement.Read.All | Read Change Management items |
| Channel.Create | Create channels |
| Channel.Create.Group | |
| Channel.Delete.All | Delete channels |
| Channel.Delete.Group | |
| Channel.ReadBasic.All | Read the names and descriptions of channels |
| ChannelMember.Read.All | Read the members of channels |
| ChannelMember.Read.Group | |
| ChannelMember.ReadWrite | |
| ChannelMember.ReadWrite.All | Add and remove members from channels |
| ChannelMember.ReadWrite.Group | |
| ChannelMessage.Edit | Edit user's channel messages |
| ChannelMessage.Read.All | Read user channel messages |
| ChannelMessage.Read.Group | |
| ChannelMessage.ReadWrite | Read and write user channel messages |
| ChannelMessage.Send | Send channel messages |
| ChannelMessage.UpdatePolicyViolation.All | Flag channel messages for violating policy |
| ChannelSettings.Read.All | Read the names, descriptions, and settings of channels |
| ChannelSettings.Read.Group | |
| ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of channels |
| ChannelSettings.ReadWrite.Group | |
| Chat.Create | Create chats |
| Chat.Manage.Chat | |
| Chat.ManageDeletion.All | Delete and recover deleted chats |
| Chat.ManageDeletion.Chat | |
| Chat.Read | Read user chat messages |
| Chat.Read.All | Read all chat messages |
| Chat.Read.WhereInstalled | Read all chat messages for chats where the associated Teams application is installed. |
| Chat.ReadBasic | Read names and members of user chat threads |
| Chat.ReadBasic.All | Read names and members of all chat threads |
| Chat.ReadBasic.WhereInstalled | Read names and members of all chat threads where the associated Teams application is installed. |
| Chat.ReadWrite | Read and write user chat messages |
| Chat.ReadWrite.All | Read and write all chat messages |
| Chat.ReadWrite.WhereInstalled | Read and write all chat messages for chats where the associated Teams application is installed. |
| Chat.UpdatePolicyViolation.All | Flag chat messages for violating policy |
| ChatMember.Read | Read the members of chats |
| ChatMember.Read.All | Read the members of all chats |
| ChatMember.Read.Chat | |
| ChatMember.Read.WhereInstalled | Read the members of all chats where the associated Teams application is installed. |
| ChatMember.ReadWrite | Add and remove members from chats |
| ChatMember.ReadWrite.All | Add and remove members from all chats |
| ChatMember.ReadWrite.WhereInstalled | Add and remove members from all chats where the associated Teams application is installed. |
| ChatMessage.Read | Read user chat messages |
| ChatMessage.Read.All | Read all chat messages |
| ChatMessage.Read.Chat | |
| ChatMessage.Send | Send user chat messages |
| ChatSettings.Read.Chat | |
| ChatSettings.ReadWrite.Chat | |
| CloudApp-Discovery.Read.All | Read discovered cloud applications data |
| CloudPC.Read.All | Read Cloud PCs |
| CloudPC.ReadWrite.All | Read and write Cloud PCs |
| Community.Read.All | Read all Viva Engage communities |
| Community.ReadWrite.All | Read and write all Viva Engage communities |
| ConfigurationMonitoring.Read.All | Read all Configuration Monitoring entities |
| ConfigurationMonitoring.ReadWrite.All | Read and write all Configuration Monitoring entities |
| ConsentRequest.Create | Create consent requests |
| ConsentRequest.Read | Read consent requests created by the user |
| ConsentRequest.Read.All | Read consent requests |
| ConsentRequest.ReadApprove.All | Read and approve consent requests |
| ConsentRequest.ReadWrite.All | Read and write consent requests |
| Contacts-OnPremisesSyncBehavior.ReadWrite.All | Read and update the on-premises sync behavior of contacts |
| Contacts.Read | Read user contacts |
| Contacts.Read.Shared | Read user and shared contacts |
| Contacts.ReadWrite | Have full access to user contacts |
| Contacts.ReadWrite.Shared | Read and write user and shared contacts |
| Content.Process.All | Process content for data security, governance and compliance |
| Content.Process.User | Process content for data security, governance and compliance |
| ContentActivity.Read | Read contents activity audit log from the audit store. |
| ContentActivity.Write | Upload contents activity audit logs to the audit store. |
| CopilotConversation.Delete | Delete Microsoft 365 Copilot conversations |
| CopilotSettings-LimitedMode.Read | Read organization-wide copilot limited mode setting |
| CopilotSettings-LimitedMode.ReadWrite | Read and write organization-wide copilot limited mode setting |
| CrossTenantInformation.ReadBasic.All | Read cross-tenant basic information |
| CrossTenantUserProfileSharing.Read | Read shared cross-tenant user profile and export data |
| CrossTenantUserProfileSharing.Read.All | Read all shared cross-tenant user profiles and export their data |
| CrossTenantUserProfileSharing.ReadWrite | Read shared cross-tenant user profile and export or delete data |
| CrossTenantUserProfileSharing.ReadWrite.All | Read all shared cross-tenant user profiles and export or delete their data |
| CustomAuthenticationExtension.Read.All | Read your organization's custom authentication extensions |
| CustomAuthenticationExtension.ReadWrite.All | Read and write your organization's custom authentication extensions |
| CustomAuthenticationExtension.Receive.Payload | Receive custom authentication extension HTTP requests |
| CustomDetection.Read.All | Read custom detection rules |
| CustomDetection.ReadWrite.All | Read and write custom detection rules |
| CustomSecAttributeAssignment.Read.All | Read custom security attribute assignments |
| CustomSecAttributeAssignment.ReadWrite.All | Read and write custom security attribute assignments |
| CustomSecAttributeAuditLogs.Read.All | Read custom security attribute audit logs |
| CustomSecAttributeDefinition.Read.All | Read custom security attribute definitions |
| CustomSecAttributeDefinition.ReadWrite.All | Read and write custom security attribute definitions |
| CustomSecAttributeProvisioning.Read.All | Read the provisioning configuration of all active custom security attributes |
| CustomSecAttributeProvisioning.ReadWrite.All | Read and edit the provisioning configuration of all active custom security attributes |
| CustomTags.Read.All | Read all custom tags data |
| CustomTags.ReadWrite.All | Read and write custom tags data |
| DelegatedAdminRelationship.Read.All | Read Delegated Admin relationships with customers |
| DelegatedAdminRelationship.ReadWrite.All | Manage Delegated Admin relationships with customers |
| DelegatedPermissionGrant.Read.All | Read delegated permission grants |
| DelegatedPermissionGrant.ReadWrite.All | Manage all delegated permission grants |
| Device.Command | Communicate with user devices |
| Device.CreateFromOwnedTemplate | Create devices based on owned device templates |
| Device.Read | Read user devices |
| Device.Read.All | Read all devices |
| Device.ReadWrite.All | |
| DeviceLocalCredential.Read.All | Read device local credential passwords |
| DeviceLocalCredential.ReadBasic.All | Read device local credential properties |
| DeviceManagementApps.Read.All | Read Microsoft Intune apps |
| DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps |
| DeviceManagementCloudCA.Read.All | Read Microsoft Cloud PKI objects |
| DeviceManagementCloudCA.ReadWrite.All | Read and write Microsoft Cloud PKI objects |
| DeviceManagementConfiguration.Read.All | Read Microsoft Intune Device Configuration and Policies |
| DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune Device Configuration and Policies |
| DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices |
| DeviceManagementManagedDevices.PriviligedOperation.All | |
| DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices |
| DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices |
| DeviceManagementRBAC.Read.All | Read Microsoft Intune RBAC settings |
| DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings |
| DeviceManagementScripts.Read.All | Read Microsoft Intune Scripts |
| DeviceManagementScripts.ReadWrite.All | Read and write Microsoft Intune Scripts |
| DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration |
| DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration |
| DeviceTemplate.Create | Create device templates |
| DeviceTemplate.Read | |
| DeviceTemplate.Read.All | Read all device templates |
| DeviceTemplate.ReadWrite.All | Read and write all device templates |
| Directory.AccessAsUser.All | Access directory as the signed in user |
| Directory.Read.All | Read directory data |
| Directory.ReadWrite.All | Read and write directory data |
| DirectoryRecommendations.Read.All | Read Azure AD recommendations |
| DirectoryRecommendations.ReadWrite.All | Read and update Azure AD recommendations |
| Domain-InternalFederation.Read.All | Read internal federation configuration for a domain. |
| Domain-InternalFederation.ReadWrite.All | Create, read, update and delete internal federation configuration for a domain. |
| Domain.Read.All | Read domains. |
| Domain.ReadWrite.All | Read and write domains |
| EAS.AccessAsUser.All | Access mailboxes via Exchange ActiveSync |
| eDiscovery.Read.All | Read all eDiscovery objects |
| eDiscovery.ReadWrite.All | Read and write all eDiscovery objects |
| EduAdministration.Read | Read education app settings |
| EduAdministration.Read.All | Read Education app settings |
| EduAdministration.ReadWrite | Manage education app settings |
| EduAdministration.ReadWrite.All | Manage education app settings |
| EduAssignments.Read | Read users' class assignments and their grades |
| EduAssignments.Read.All | Read all class assignments with grades |
| EduAssignments.ReadBasic | Read users' class assignments without grades |
| EduAssignments.ReadBasic.All | Read all class assignments without grades |
| EduAssignments.ReadWrite | Read and write users' class assignments and their grades |
| EduAssignments.ReadWrite.All | Create, read, update and delete all class assignments with grades |
| EduAssignments.ReadWriteBasic | Read and write users' class assignments without grades |
| EduAssignments.ReadWriteBasic.All | Create, read, update and delete all class assignments without grades |
| EduCurricula.Read | Read the user's class modules and resources |
| EduCurricula.Read.All | Read all class modules and resources |
| EduCurricula.ReadWrite | Read and write the user's class modules and resources |
| EduCurricula.ReadWrite.All | Read and write all class modules and resources |
| EduReports-Reading.Read.All | Read all tenant reading assignments submissions data |
| EduReports-Reading.ReadAnonymous.All | Read all tenant reading assignments submissions data |
| EduReports-Reflect.Read.All | Read all tenant reflect check-ins submissions data |
| EduReports-Reflect.ReadAnonymous.All | Read all tenant reflect check-ins submissions data |
| EduRoster.Read | Read users' view of the roster |
| EduRoster.Read.All | Read the organization's roster |
| EduRoster.ReadBasic | Read a limited subset of users' view of the roster |
| EduRoster.ReadBasic.All | Read a limited subset of the organization's roster |
| EduRoster.ReadWrite | Read and write users' view of the roster |
| EduRoster.ReadWrite.All | Read and write the organization's roster |
| EduRoster.Write | |
| EduRoster.WriteWrite.All | |
| email | View users' email address |
| EngagementConversation.Migration.All | Read and write all Viva Engage conversations |
| EngagementConversation.Read.All | Read all Viva Engage conversations |
| EngagementConversation.ReadWrite.All | Read and write all Viva Engage conversations |
| EngagementMeetingConversation.Read.All | Read all Viva Engage Teams QA conversations |
| EngagementRole.Read | Read a user's Viva Engage roles |
| EngagementRole.Read.All | Read all Viva Engage roles and role memberships |
| EngagementRole.ReadWrite.All | Modify Viva Engage role membership |
| EntitlementManagement.Read.All | Read all entitlement management resources |
| EntitlementManagement.ReadWrite.All | Read and write entitlement management resources |
| EntitlementMgmt-SubjectAccess.ReadWrite | Read and write entitlement management resources related to self-service operations |
| EventListener.Read.All | Read your organization's authentication event listeners |
| EventListener.ReadWrite.All | Read and write your organization's authentication event listeners |
| EWS.AccessAsUser.All | Access mailboxes as the signed-in user via Exchange Web Services |
| ExternalConnection.Read.All | Read all external connections |
| ExternalConnection.ReadWrite.All | Read and write all external connections |
| ExternalConnection.ReadWrite.OwnedBy | Read and write external connections |
| ExternalItem.Read.All | Read items in external datasets |
| ExternalItem.ReadWrite.All | Read and write all external items |
| ExternalItem.ReadWrite.OwnedBy | Read and write external items |
| ExternalUserProfile.Read.All | Read external user profiles |
| ExternalUserProfile.ReadWrite.All | Read and write external user profiles |
| Family.Read | Read your family info |
| File.Read.Group | |
| FileIngestion.Ingest | Ingest SharePoint and OneDrive content to make it available in the search index |
| FileIngestionHybridOnboarding.Manage | Manage onboarding for a Hybrid Cloud tenant |
| Files.Read | Read user files |
| Files.Read.All | Read all files that user can access |
| Files.Read.Selected | Read files that the user selects (preview) |
| Files.ReadWrite | Have full access to user files |
| Files.ReadWrite.All | Have full access to all files user can access |
| Files.ReadWrite.AppFolder | Have full access to the application's folder (preview) |
| Files.ReadWrite.Selected | Read and write files that the user selects (preview) |
| Files.SelectedOperations.Selected | Access selected Files, on behalf of the signed-in user |
| FileStorageContainer.Manage.All | Manage all file storage containers |
| FileStorageContainer.Selected | Access selected file storage containers |
| FileStorageContainerType.Manage.All | Manage file storage container types on behalf of the signed in user |
| FileStorageContainerTypeReg.Manage.All | Manage file storage container type registrations on behalf of the signed in user |
| FileStorageContainerTypeReg.Selected | Access selected file storage container type registrations. |
| Financials.ReadWrite.All | Read and write financials data |
| Goals-Export.Read.All | Read all goals and export jobs that a user can access |
| Goals-Export.ReadWrite.All | Have full access to all goals and export jobs a user can access |
| Group-CloudLicensing.Read | |
| Group-CloudLicensing.Read.All | |
| Group-Conversation.Read.All | Read group conversations |
| Group-Conversation.ReadWrite.All | Read and write group conversations |
| Group-OnPremisesSyncBehavior.ReadWrite.All | Read and update the on-premises sync behavior of groups |
| Group-UsageRight.Read.All | |
| Group.Create | Create groups |
| Group.Read.All | Read all groups |
| Group.ReadWrite.All | Read and write all groups |
| GroupMember.Read.All | Read group memberships |
| GroupMember.ReadWrite.All | Read and write group memberships |
| GroupSettings.Read.All | Read all group settings that user can access |
| GroupSettings.ReadWrite.All | Read and write all group settings that user can access |
| HealthMonitoringAlert.Read.All | Read all scenario health monitoring alerts |
| HealthMonitoringAlert.ReadWrite.All | Read and write all scenario monitoring alerts |
| HealthMonitoringAlertConfig.Read.All | Read all scenario health monitoring alert configurations |
| HealthMonitoringAlertConfig.ReadWrite.All | Read and write all scenario monitoring alert configurations. |
| IdentityProvider.Read.All | Read identity providers |
| IdentityProvider.ReadWrite.All | Read and write identity providers |
| IdentityRiskEvent.Read.All | Read identity risk event information |
| IdentityRiskEvent.ReadWrite.All | Read and write risk event information |
| IdentityRiskyServicePrincipal.Read.All | Read all identity risky service principal information |
| IdentityRiskyServicePrincipal.ReadWrite.All | Read and write all identity risky service principal information |
| IdentityRiskyUser.Read.All | Read identity risky user information |
| IdentityRiskyUser.ReadWrite.All | Read and write risky user information |
| IdentityUserFlow.Read.All | Read all identity user flows |
| IdentityUserFlow.ReadWrite.All | Read and write all identity user flows |
| IMAP.AccessAsUser.All | Read and write access to mailboxes via IMAP. |
| IndustryData-DataConnector.Read.All | View data connector definitions |
| IndustryData-DataConnector.ReadWrite.All | Manage data connector definitions |
| IndustryData-DataConnector.Upload | Upload files to a data connector |
| IndustryData-InboundFlow.Read.All | View inbound flow definitions |
| IndustryData-InboundFlow.ReadWrite.All | Manage inbound flow definitions |
| IndustryData-OutboundFlow.Read.All | View outbound flow definitions |
| IndustryData-OutboundFlow.ReadWrite.All | Manage outbound flow definitions |
| IndustryData-ReferenceDefinition.Read.All | View reference definitions |
| IndustryData-ReferenceDefinition.ReadWrite.All | Manage reference definitions |
| IndustryData-Run.Read.All | View current and previous runs |
| IndustryData-Run.Start | View and start runs |
| IndustryData-SourceSystem.Read.All | View source system definitions |
| IndustryData-SourceSystem.ReadWrite.All | Manage source system definitions |
| IndustryData-TimePeriod.Read.All | Read time period definitions |
| IndustryData-TimePeriod.ReadWrite.All | Manage time period definitions |
| IndustryData.ReadBasic.All | Read basic Industry Data service and resource definitions |
| InformationProtectionConfig.Read | Read configurations for protecting organizational data applicable to the user |
| InformationProtectionConfig.Read.All | Read all configurations for protecting organizational data applicable to users |
| InformationProtectionContent.Sign.All | Sign digests for data |
| InformationProtectionContent.Write.All | Create protected content |
| InformationProtectionPolicy.Read | Read user sensitivity labels and label policies. |
| InformationProtectionPolicy.Read.All | Read all published labels and label policies for an organization. |
| Insights-UserMetric.Read.All | Read user metrics insights |
| LearningAssignedCourse.Read | Read user's assignments |
| LearningAssignedCourse.Read.All | |
| LearningAssignedCourse.ReadWrite.All | Read and write all assignments |
| LearningContent.Read.All | Read learning content |
| LearningContent.ReadWrite.All | Manage learning content |
| LearningProvider.Read | Read learning provider |
| LearningProvider.ReadWrite | Manage learning provider |
| LearningSelfInitiatedCourse.Read | Read user's self-initiated courses |
| LearningSelfInitiatedCourse.Read.All | |
| LearningSelfInitiatedCourse.ReadWrite.All | Read and write all self-initiated courses |
| LicenseAssignment.Read.All | Read all license assignments. |
| LicenseAssignment.ReadWrite.All | Manage all license assignments |
| LifecycleWorkflows-CustomExt.Read.All | Read all Lifecycle workflows custom task extensions |
| LifecycleWorkflows-CustomExt.ReadWrite.All | Read and write all Lifecycle workflows custom task extensions |
| LifecycleWorkflows-Reports.Read.All | Read all Lifecycle workflows reports |
| LifecycleWorkflows-Workflow.Activate | Run workflows on-demand in Lifecycle workflows |
| LifecycleWorkflows-Workflow.Read.All | Read all workflows in Lifecycle workflows |
| LifecycleWorkflows-Workflow.ReadBasic.All | List all workflows in Lifecycle workflows |
| LifecycleWorkflows-Workflow.ReadWrite.All | Read and write all workflows in Lifecycle workflows |
| LifecycleWorkflows.Read.All | Read all lifecycle workflows resources |
| LifecycleWorkflows.ReadWrite.All | Read and write all lifecycle workflows resources |
| ListItems.SelectedOperations.Selected | Access selected ListItems, on behalf of the signed-in user |
| Lists.SelectedOperations.Selected | Access selected Lists, on behalf of the signed-in user |
| Mail-Advanced.ReadWrite | Read and write the user's mail, including modifying existing non-draft mails |
| Mail-Advanced.ReadWrite.All | Read and write mail in all mailboxes, including modifying existing non-draft mails |
| Mail-Advanced.ReadWrite.Shared | Read and write all mail the user can access, including modifying existing non-draft mails |
| Mail.Read | Read user mail |
| Mail.Read.Shared | Read user and shared mail |
| Mail.ReadBasic | Read user basic mail |
| Mail.ReadBasic.All | Read basic mail in all mailboxes |
| Mail.ReadBasic.Shared | Read user and shared basic mail |
| Mail.ReadWrite | Read and write access to user mail |
| Mail.ReadWrite.Shared | Read and write user and shared mail |
| Mail.Send | Send mail as a user |
| Mail.Send.Shared | Send mail on behalf of others |
| MailboxFolder.Read | Read a user's mailbox folders |
| MailboxFolder.Read.All | Read all the users' mailbox folders |
| MailboxFolder.ReadWrite | Read and write a user's mailbox folders |
| MailboxFolder.ReadWrite.All | Read and write all the users' mailbox folders |
| MailboxItem.ImportExport | Allows the app to perform backup and restore of mailbox items |
| MailboxItem.ImportExport.All | Allows the app to perform backup and restore for all mailbox items |
| MailboxItem.Read | Read a user's mailbox items |
| MailboxItem.Read.All | Read all the users' mailbox items |
| MailboxSettings.Read | Read user mailbox settings |
| MailboxSettings.ReadWrite | Read and write user mailbox settings |
| ManagedTenant.Read.All | |
| ManagedTenant.ReadWrite.All | |
| ManagedTenants.Read.All | Read all managed tenant information |
| ManagedTenants.ReadWrite.All | Read and write all managed tenant information |
| Member.Read.Hidden | Read hidden memberships |
| MultiTenantOrganization.Read.All | Read multi-tenant organization details and tenants |
| MultiTenantOrganization.ReadBasic.All | Read multi-tenant organization basic details and active tenants |
| MultiTenantOrganization.ReadWrite.All | Read and write multi-tenant organization details and tenants |
| MutualTlsOauthConfiguration.Read.All | Read all configurations used for mutual-TLS client authentication. |
| MutualTlsOauthConfiguration.ReadWrite.All | Read and write all configurations used for mutual-TLS client authentication. |
| NetworkAccess-Reports.Read.All | Read all network access reports |
| NetworkAccess.Read.All | Read all network access information |
| NetworkAccess.ReadWrite.All | Read and write all network access information |
| NetworkAccessBranch.Read.All | Read properties of branches for network access |
| NetworkAccessBranch.ReadWrite.All | Read and write properties of branches for network access |
| NetworkAccessPolicy.Read.All | Read security and routing policies for network access |
| NetworkAccessPolicy.ReadWrite.All | Read and write security and routing policies for network access |
| Notes.Create | Create user OneNote notebooks |
| Notes.Read | Read user OneNote notebooks |
| Notes.Read.All | Read all OneNote notebooks that user can access |
| Notes.ReadWrite | Read and write user OneNote notebooks |
| Notes.ReadWrite.All | Read and write all OneNote notebooks that user can access |
| Notes.ReadWrite.CreatedByApp | Limited notebook access (deprecated) |
| Notifications.ReadWrite.CreatedByApp | Deliver and manage user notifications for this app |
| offline_access | Maintain access to data you have given it access to |
| OnlineMeetingAiInsight.Read.All | Read all AI Insights for online meetings. |
| OnlineMeetingAiInsight.Read.Chat | Read all AI Insights for online meetings where the Teams application is installed. |
| OnlineMeetingArtifact.Read.All | Read user's online meeting artifacts |
| OnlineMeetingArtifact.Read.Chat | |
| OnlineMeetingRecording.Read.All | Read all recordings of online meetings. |
| OnlineMeetingRecording.Read.All (for online meetings) CallRecording.Read.All (for ad hoc calls) | |
| OnlineMeetingRecording.Read.Chat | |
| OnlineMeetingRecording.Read.Chat (for online meetings) CallRecordings.Read.All (for ad hoc calls) | |
| OnlineMeetings.Read | Read user's online meetings |
| OnlineMeetings.Read.All | Read online meeting details |
| OnlineMeetings.ReadWrite | Read and create user's online meetings |
| OnlineMeetings.ReadWrite.All | Read and create online meetings |
| OnlineMeetingTranscript.Read.All | Read all transcripts of online meetings. |
| OnlineMeetingTranscript.Read.All (for online meetings) CallTranscripts.Read.All (for ad hoc calls) | |
| OnlineMeetingTranscript.Read.Chat | |
| OnlineMeetingTranscript.Read.Chat (for online meetings) CallTranscripts.Read.All (for ad hoc calls) | |
| OnPremDirectorySynchronization.Read.All | Read all on-premises directory synchronization information |
| OnPremDirectorySynchronization.ReadWrite.All | Read and write all on-premises directory synchronization information |
| OnPremisesPublishingProfiles.ReadWrite.All | Manage on-premises published resources |
| openid | Sign users in |
| Organization.Read.All | Read organization information |
| Organization.ReadWrite.All | Read and write organization information |
| OrganizationalBranding.Read.All | Read organizational branding information |
| OrganizationalBranding.ReadWrite.All | Read and write organizational branding information |
| OrgContact.Read | |
| OrgContact.Read.All | Read organizational contacts |
| OrgSettings-AppsAndServices.Read.All | Read organization-wide apps and services settings |
| OrgSettings-AppsAndServices.ReadWrite.All | Read and write organization-wide apps and services settings |
| OrgSettings-DynamicsVoice.Read.All | Read organization-wide Dynamics customer voice settings |
| OrgSettings-DynamicsVoice.ReadWrite.All | Read and write organization-wide Dynamics customer voice settings |
| OrgSettings-Forms.Read.All | Read organization-wide Microsoft Forms settings |
| OrgSettings-Forms.ReadWrite.All | Read and write organization-wide Microsoft Forms settings |
| OrgSettings-Microsoft365Install.Read.All | Read organization-wide Microsoft 365 apps installation settings |
| OrgSettings-Microsoft365Install.ReadWrite.All | Read and write organization-wide Microsoft 365 apps installation settings |
| OrgSettings-MicrosoftInstall.Read.All | |
| OrgSettings-MicrosoftInstall.ReadWrite.All | |
| OrgSettings-Todo.Read.All | Read organization-wide Microsoft To Do settings |
| OrgSettings-Todo.ReadWrite.All | Read and write organization-wide Microsoft To Do settings |
| PartnerBilling.Read.All | Read all billing data for your company's tenant |
| PartnerSecurity.Read.All | Read security alerts of customer with CSP relationship |
| PartnerSecurity.ReadWrite.All | Read security alerts and update status of security alerts of customer with CSP relationship |
| PendingExternalUserProfile.Read.All | Read pending external user profiles |
| PendingExternalUserProfile.ReadWrite.All | Read and write pending external user profiles |
| People.Read | Read users' relevant people lists |
| People.Read.All | Read all users' relevant people lists |
| PeopleSettings.Read.All | Read tenant-wide people settings |
| PeopleSettings.ReadWrite.All | Read and write tenant-wide people settings |
| PermissionsAnalytics.Read.OwnedBy | |
| Place.Read.All | Read all company places |
| Place.ReadWrite.All | Read and write organization places |
| PlaceDevice.Read.All | Read all workplace devices |
| PlaceDevice.ReadWrite.All | Read and write all workplace devices |
| PlaceDeviceTelemetry.ReadWrite.All | Read and write telemetry for all workplace devices. |
| Policy.Read.All | Read your organization's policies |
| Policy.Read.ApplicationConfiguration | |
| Policy.Read.AuthenticationMethod | Read authentication method policies |
| Policy.Read.ConditionalAccess | Read your organization's conditional access policies |
| Policy.Read.DeviceConfiguration | Read your organization's device configuration policies |
| Policy.Read.HybridAuthentication | |
| Policy.Read.IdentityProtection | Read your organization’s identity protection policy |
| Policy.Read.PermissionGrant | Read consent and permission grant policies |
| Policy.ReadWrite.AccessReview | Read and write your organization's directory access review default policy |
| Policy.ReadWrite.ApplicationConfiguration | Read and write your organization's application configuration policies |
| Policy.ReadWrite.AuthenticationFlows | Read and write authentication flow policies |
| Policy.ReadWrite.AuthenticationMethod | Read and write authentication method policies |
| Policy.ReadWrite.Authorization | Read and write your organization's authorization policy |
| Policy.ReadWrite.ConditionalAccess | Read and write your organization's conditional access policies |
| Policy.ReadWrite.ConsentRequest | Read and write consent request policy |
| Policy.ReadWrite.CrossTenantAccess | Read and write your organization's cross tenant access policies |
| Policy.ReadWrite.CrossTenantCapability | Read and write your organization's M365 cross tenant access capabilities |
| Policy.ReadWrite.DeviceConfiguration | Read and write your organization's device configuration policies |
| Policy.ReadWrite.ExternalIdentities | Read and write your organization's external identities policy |
| Policy.ReadWrite.FeatureRollout | Read and write your organization's feature rollout policies |
| Policy.ReadWrite.FedTokenValidation | Read and write your organization's federated token validation policy |
| Policy.ReadWrite.HybridAuthentication | |
| Policy.ReadWrite.IdentityProtection | Read and write your organization’s identity protection policy |
| Policy.ReadWrite.MobilityManagement | Read and write your organization's mobility management policies |
| Policy.ReadWrite.PermissionGrant | Manage consent and permission grant policies |
| Policy.ReadWrite.SecurityDefaults | Read and write your organization's security defaults policy |
| Policy.ReadWrite.TrustFramework | Read and write your organization's trust framework policies |
| POP.AccessAsUser.All | Read and write access to mailboxes via POP. |
| Presence.Read | Read user's presence information |
| Presence.Read.All | Read presence information of all users in your organization |
| Presence.ReadWrite | Read and write a user's presence information |
| Presence.ReadWrite.All | Read and write presence information for all users |
| PrintAlertSettings.Read.All | |
| PrintConnector.Read.All | Read print connectors |
| PrintConnector.ReadWrite.All | Read and write print connectors |
| Printer.Create | Register printers |
| Printer.FullControl.All | Register, read, update, and unregister printers |
| Printer.Read.All | Read printers |
| Printer.ReadWrite.All | Read and update printers |
| PrinterShare.Read.All | Read printer shares |
| PrinterShare.ReadBasic.All | Read basic information about printer shares |
| PrinterShare.ReadWrite.All | Read and write printer shares |
| PrintJob.Create | Create print jobs |
| PrintJob.Manage.All | Perform advanced operations on print jobs |
| PrintJob.Read | Read user's print jobs |
| PrintJob.Read.All | Read print jobs |
| PrintJob.ReadBasic | Read basic information of user's print jobs |
| PrintJob.ReadBasic.All | Read basic information of print jobs |
| PrintJob.ReadWrite | Read and write user's print jobs |
| PrintJob.ReadWrite.All | Read and write print jobs |
| PrintJob.ReadWriteBasic | Read and write basic information of user's print jobs |
| PrintJob.ReadWriteBasic.All | Read and write basic information of print jobs |
| PrintSettings.Read.All | Read tenant-wide print settings |
| PrintSettings.ReadWrite.All | Read and write tenant-wide print settings |
| PrintTaskDefinition.ReadWrite.All | Read, write and update print task definitions |
| PrivilegedAccess.Read.AzureAD | Read privileged access to Azure AD |
| PrivilegedAccess.Read.AzureADGroup | Read privileged access to Azure AD groups |
| PrivilegedAccess.Read.AzureResources | Read privileged access to Azure resources |
| PrivilegedAccess.ReadWrite.AzureAD | Read and write privileged access to Azure AD |
| PrivilegedAccess.ReadWrite.AzureADGroup | Read and write privileged access to Azure AD groups |
| PrivilegedAccess.ReadWrite.AzureResources | Read and write privileged access to Azure resources |
| PrivilegedAssignmentSchedule.Read.AzureADGroup | Read assignment schedules for access to Azure AD groups |
| PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup | Read, create, and delete assignment schedules for access to Azure AD groups |
| PrivilegedAssignmentSchedule.Remove.AzureADGroup | Delete assignment schedules for access to Azure AD groups |
| PrivilegedEligibilitySchedule.Read.AzureADGroup | Read eligibility schedules for access to Azure AD groups |
| PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup | Read, create, and delete eligibility schedules for access to Azure AD groups |
| PrivilegedEligibilitySchedule.Remove.AzureADGroup | Delete eligibility schedules for access to Azure AD groups |
| profile | View users' basic profile |
| ProfilePhoto.Read.All | Read profile photo of a user or group |
| ProfilePhoto.ReadWrite.All | Read and write profile photo of a user or group |
| ProgramControl.Read.All | Read all programs that user can access |
| ProgramControl.ReadWrite.All | Manage all programs that user can access |
| ProtectionScopes.Compute.All | Compute Purview policies at tenant scope |
| ProtectionScopes.Compute.User | Compute Purview policies for an individual user |
| ProvisioningLog.Read.All | Read provisioning log data |
| PublicKeyInfrastructure.Read.All | Read certificate based authentication configurations |
| PublicKeyInfrastructure.ReadWrite.All | Read and write certificate based authentication configurations |
| QnA.Read.All | Read all Questions and Answers that the user can access. |
| RealTimeActivityFeed.Read.All | Access real-time enriched data in a meeting |
| RecordsManagement.Read.All | Read Records Management configuration, labels, and policies |
| RecordsManagement.ReadWrite.All | Read and write Records Management configuration, labels, and policies |
| Reports.Read.All | Read all usage reports |
| ReportSettings.Read.All | Read admin report settings |
| ReportSettings.ReadWrite.All | Read and write admin report settings |
| ResourceSpecificPermissionGrant.ReadForChat | Read resource specific permissions granted on a chat |
| ResourceSpecificPermissionGrant.ReadForChat.All | Read resource specific permissions granted on a chat |
| ResourceSpecificPermissionGrant.ReadForTeam | Read resource specific permissions granted on a team |
| ResourceSpecificPermissionGrant.ReadForTeam.All | Read resource specific permissions granted on a team |
| ResourceSpecificPermissionGrant.ReadForUser | Read resource specific permissions granted on a user account |
| ResourceSpecificPermissionGrant.ReadForUser.All | Read all resource specific permissions granted on user accounts |
| RiskPreventionProviders.Read.All | Read all identity risk prevention providers |
| RiskPreventionProviders.ReadWrite.All | Read and write all identity risk prevention providers |
| RoleAssignmentSchedule.Read.Directory | Read all active role assignments for your company's directory |
| RoleAssignmentSchedule.ReadWrite.Directory | Read, update, and delete all active role assignments for your company's directory |
| RoleAssignmentSchedule.Remove.Directory | Delete all active role assignments for your company's directory |
| RoleEligibilitySchedule.Read.Directory | Read all eligible role assignments for your company's directory |
| RoleEligibilitySchedule.ReadWrite.Directory | Read, update, and delete all eligible role assignments for your company's directory |
| RoleEligibilitySchedule.Remove.Directory | Delete all eligible role assignments for your company's directory |
| RoleManagement.Read.All | Read role management data for all RBAC providers |
| RoleManagement.Read.CloudPC | Read Cloud PC RBAC settings |
| RoleManagement.Read.Defender | Read M365 Defender RBAC configuration |
| RoleManagement.Read.Directory | Read directory RBAC settings |
| RoleManagement.Read.Exchange | Read Exchange Online RBAC configuration |
| RoleManagement.ReadWrite.CloudPC | Read and write Cloud PC RBAC settings |
| RoleManagement.ReadWrite.Defender | Read M365 Defender RBAC configuration |
| RoleManagement.ReadWrite.Directory | Read and write directory RBAC settings |
| RoleManagement.ReadWrite.Exchange | Read and write Exchange Online RBAC configuration |
| RoleManagementAlert.Read.Directory | Read all alert data for your company's directory |
| RoleManagementAlert.ReadWrite.Directory | Read all alert data, configure alerts, and take actions on all alerts for your company's directory |
| RoleManagementPolicy.Read.AzureADGroup | Read all policies in PIM for Groups |
| RoleManagementPolicy.Read.Directory | Read all policies for privileged role assignments of your company's directory |
| RoleManagementPolicy.ReadWrite.AzureADGroup | Read, update, and delete all policies in PIM for Groups |
| RoleManagementPolicy.ReadWrite.Directory | Read, update, and delete all policies for privileged role assignments of your company's directory |
| Schedule-WorkingTime.ReadWrite.All | Trigger working time policies and read the working time status |
| Schedule.Read.All | Read user schedule items |
| Schedule.ReadWrite.All | Read and write user schedule items |
| ScheduledPermissions.ReadWrite.All | |
| SchedulePermissions.ReadWrite.All | Read/Write schedule permissions for a role. |
| SearchConfiguration.Read.All | Read your organization's search configuration |
| SearchConfiguration.ReadWrite.All | Read and write your organization's search configuration |
| SecurityActions.Read.All | Read your organization's security actions |
| SecurityActions.ReadWrite.All | Read and update your organization's security actions |
| SecurityAlert.Read.All | Read all security alerts |
| SecurityAlert.ReadWrite.All | Read and write to all security alerts |
| SecurityAnalyzedMessage.Read.All | Read metadata and detection details for emails in your organization |
| SecurityAnalyzedMessage.ReadWrite.All | Read metadata, detection details, and execute remediation actions on emails in your organization |
| SecurityCopilotWorkspaces.Read.All | Read all Security Copilot resources for the signed-in user |
| SecurityCopilotWorkspaces.ReadWrite.All | Read and write individually owned Security Copilot resources of the signed-in user |
| SecurityEvents.Read.All | Read your organization’s security events |
| SecurityEvents.ReadWrite.All | Read and update your organization’s security events |
| SecurityIdentitiesAccount.Read.All | Read identity security available identity accounts |
| SecurityIdentitiesActions.ReadWrite.All | Read and perform identity security available actions |
| SecurityIdentitiesAutoConfig.Read.All | Read sensors window auditing configuration |
| SecurityIdentitiesAutoConfig.ReadWrite.All | Read and write sensors window auditing configuration |
| SecurityIdentitiesHealth.Read.All | Read identity security health issues |
| SecurityIdentitiesHealth.ReadWrite.All | Read and write identity security health issues |
| SecurityIdentitiesSensors.Read.All | Read identity security sensors |
| SecurityIdentitiesSensors.ReadWrite.All | Read and write identity security sensors |
| SecurityIdentitiesUserActions.Read.All | Read identity security available user actions |
| SecurityIdentitiesUserActions.ReadWrite.All | Read and perform identity security available user actions |
| SecurityIncident.Read.All | Read incidents |
| SecurityIncident.ReadWrite.All | Read and write to incidents |
| SensitivityLabel.Evaluate | Evaluate sensitivity labels |
| SensitivityLabel.Evaluate.All | Evaluate labels tenant scope. |
| SensitivityLabel.Read | Get labels user scope. |
| SensitivityLabels.Read.All | Get labels app scope. |
| ServiceActivity-Exchange.Read.All | Read all Exchange service activity |
| ServiceActivity-Microsoft365Web.Read.All | Read all Microsoft 365 Web service activity |
| ServiceActivity-MicrosoftWeb.Read.All | |
| ServiceActivity-OneDrive.Read.All | Read all OneDrive service activity |
| ServiceActivity-Teams.Read.All | Read all Teams service activity |
| ServiceHealth.Read.All | Read service health |
| ServiceMessage.Read.All | Read service announcement messages |
| ServiceMessageViewpoint.Write | Update user status on service announcement messages |
| ServicePrincipalEndpoint.Read.All | Read service principal endpoints |
| ServicePrincipalEndpoint.ReadWrite.All | Read and update service principal endpoints |
| SharePointCrossTenantMigration.Manage.All | Read, write and manage SharePoint Cross-Tenant migration settings and tasks |
| SharePointCrossTenantMigration.Read.All | Read SharePoint Cross-Tenant migration settings and tasks |
| SharePointTenantSettings.Read.All | Read SharePoint and OneDrive tenant settings |
| SharePointTenantSettings.ReadWrite.All | Read and change SharePoint and OneDrive tenant settings |
| ShortNotes.Read | Read short notes of the signed-in user |
| ShortNotes.Read.All | Read all users' short notes |
| ShortNotes.ReadWrite | Read, create, edit, and delete short notes of the signed-in user |
| ShortNotes.ReadWrite.All | Read, create, edit, and delete all users' short notes |
| SignInIdentifier.Read.All | Read SignInIdentifiers |
| SignInIdentifier.ReadWrite.All | Read and write all sign-in identifiers |
| Site.FullControl.All | |
| Site.Manage.All | |
| Sites.Archive.All | |
| Sites.FullControl.All | Have full control of all site collections |
| Sites.Manage.All | Create, edit, and delete items and lists in all site collections |
| Sites.Read.All | Read items in all site collections |
| Sites.ReadWrite.All | Edit or delete items in all site collections |
| Sites.Selected | Access selected Sites, on behalf of the signed-in user |
| SMTP.Send | Send emails from mailboxes using SMTP AUTH. |
| SpiffeTrustDomain.Read.All | Read SPIFFE trust domains and child resources |
| SpiffeTrustDomain.ReadWrite.All | Read and write SPIFFE trust domains and child resources |
| Storyline.ReadWrite.All | Read and write all Viva Engage storylines |
| SubjectRightsRequest.Read.All | Read subject rights requests |
| SubjectRightsRequest.ReadWrite.All | Read and write subject rights requests |
| Subscription.Read.All | Read all webhook subscriptions |
| Synchronization.Read.All | Read all Azure AD synchronization data |
| Synchronization.ReadWrite.All | Read and write all Azure AD synchronization data |
| SynchronizationData-User.Upload | Upload user data to the identity synchronization service |
| SynchronizationData-User.Upload.OwnedBy | Upload user data to the identity sync service for apps that this application creates or owns |
| Tasks.Read | Read user's tasks and task lists |
| Tasks.Read.All | Read all users’ tasks and task lists |
| Tasks.Read.Shared | Read user and shared tasks |
| Tasks.ReadWrite | Create, read, update, and delete user’s tasks and task lists |
| Tasks.ReadWrite.All | Read and write all users’ tasks and task lists |
| Tasks.ReadWrite.Shared | Read and write user and shared tasks |
| Team.Create | Create teams |
| Team.ReadBasic.All | Read the names and descriptions of teams |
| TeamMember.Read.All | Read the members of teams |
| TeamMember.Read.Group | |
| TeamMember.ReadWrite.All | Add and remove members from teams |
| TeamMember.ReadWriteNonOwnerRole.All | Add and remove members with non-owner role for all teams |
| TeamsActivity.Read | Read user's teamwork activity feed |
| TeamsActivity.Read.All | Read all users' teamwork activity feed |
| TeamsActivity.Send | Send a teamwork activity as the user |
| TeamsActivity.Send.Chat | |
| TeamsActivity.Send.Group | |
| TeamsActivity.Send.User | |
| TeamsApp.Read.Group | |
| TeamsAppInstallation.ManageSelectedForChat | Manage installation and permission grants of selected Teams apps in chats |
| TeamsAppInstallation.ManageSelectedForChat.All | Manage installation and permission grants of selected Teams apps in all chats |
| TeamsAppInstallation.ManageSelectedForTeam | Manage installation and permission grants of selected Teams apps in teams |
| TeamsAppInstallation.ManageSelectedForTeam.All | Manage installation and permission grants of selected Teams apps in all teams |
| TeamsAppInstallation.ManageSelectedForUser | Manage installation and permission grants of selected Teams apps in users' personal scope |
| TeamsAppInstallation.ManageSelectedForUser.All | Manage installation and permission grants of selected Teams apps for all user accounts |
| TeamsAppInstallation.Read.All | Read installed Teams apps for all installation scopes |
| TeamsAppInstallation.Read.Chat | |
| TeamsAppInstallation.Read.Group | |
| TeamsAppInstallation.Read.User | |
| TeamsAppInstallation.ReadForChat | Read installed Teams apps in chats |
| TeamsAppInstallation.ReadForChat.All | Read installed Teams apps for all chats |
| TeamsAppInstallation.ReadForTeam | Read installed Teams apps in teams |
| TeamsAppInstallation.ReadForTeam.All | Read installed Teams apps for all teams |
| TeamsAppInstallation.ReadForUser | Read user's installed Teams apps |
| TeamsAppInstallation.ReadForUser.All | Read installed Teams apps for all users |
| TeamsAppInstallation.ReadSelectedForChat | Read selected installed Teams apps in chats |
| TeamsAppInstallation.ReadSelectedForChat.All | Read selected installed Teams apps in all chats |
| TeamsAppInstallation.ReadSelectedForTeam | Read selected installed Teams apps in teams |
| TeamsAppInstallation.ReadSelectedForTeam.All | Read selected installed Teams apps in all teams |
| TeamsAppInstallation.ReadSelectedForUser | Read user's selected installed Teams apps |
| TeamsAppInstallation.ReadSelectedForUser.All | Read selected installed Teams apps for all users |
| TeamsAppInstallation.ReadWriteAndConsentForChat | Manage installed Teams apps in chats |
| TeamsAppInstallation.ReadWriteAndConsentForChat.All | Manage installation and permission grants of Teams apps for all chats |
| TeamsAppInstallation.ReadWriteAndConsentForTeam | Manage installed Teams apps in teams |
| TeamsAppInstallation.ReadWriteAndConsentForTeam.All | Manage installation and permission grants of Teams apps for all teams |
| TeamsAppInstallation.ReadWriteAndConsentForUser | Manage installation and permission grants of Teams apps in users' personal scope |
| TeamsAppInstallation.ReadWriteAndConsentForUser.All | Manage installation and permission grants of Teams apps in a user account |
| TeamsAppInstallation.ReadWriteAndConsentSelfForChat | Allow the Teams app to manage itself and its permission grants in chats |
| TeamsAppInstallation.ReadWriteAndConsentSelfForChat.All | Allow the Teams app to manage itself and its permission grants for all chats |
| TeamsAppInstallation.ReadWriteAndConsentSelfForTeam | Allow the Teams app to manage itself and its permission grants in teams |
| TeamsAppInstallation.ReadWriteAndConsentSelfForTeam.All | Allow the Teams app to manage itself and its permission grants for all teams |
| TeamsAppInstallation.ReadWriteAndConsentSelfForUser | Allow the Teams app to manage itself and its permission grants in user accounts |
| TeamsAppInstallation.ReadWriteAndConsentSelfForUser.All | Allow the Teams app to manage itself and its permission grants in all user accounts |
| TeamsAppInstallation.ReadWriteForChat | Manage installed Teams apps in chats |
| TeamsAppInstallation.ReadWriteForChat.All | Manage Teams apps for all chats |
| TeamsAppInstallation.ReadWriteForTeam | Manage installed Teams apps in teams |
| TeamsAppInstallation.ReadWriteForTeam.All | Manage Teams apps for all teams |
| TeamsAppInstallation.ReadWriteForUser | Manage user's installed Teams apps |
| TeamsAppInstallation.ReadWriteForUser.All | Manage Teams apps for all users |
| TeamsAppInstallation.ReadWriteSelectedForChat | Manage selected Teams apps installed in chats |
| TeamsAppInstallation.ReadWriteSelectedForChat.All | Manage selected installed Teams apps in all chats |
| TeamsAppInstallation.ReadWriteSelectedForTeam | Manage selected Teams apps installed in teams |
| TeamsAppInstallation.ReadWriteSelectedForTeam.All | Manage selected installed Teams apps in all teams |
| TeamsAppInstallation.ReadWriteSelectedForUser | Manage selected Teams apps installed for a user |
| TeamsAppInstallation.ReadWriteSelectedForUser.All | Manage selected Teams apps installed for all users |
| TeamsAppInstallation.ReadWriteSelfForChat | Allow the Teams app to manage itself in chats |
| TeamsAppInstallation.ReadWriteSelfForChat.All | Allow the Teams app to manage itself for all chats |
| TeamsAppInstallation.ReadWriteSelfForTeam | Allow the app to manage itself in teams |
| TeamsAppInstallation.ReadWriteSelfForTeam.All | Allow the Teams app to manage itself for all teams |
| TeamsAppInstallation.ReadWriteSelfForUser | Allow the Teams app to manage itself for a user |
| TeamsAppInstallation.ReadWriteSelfForUser.All | Allow the app to manage itself for all users |
| TeamSettings.Read.All | Read teams' settings |
| TeamSettings.Read.Group | |
| TeamSettings.ReadWrite.All | Read and change teams' settings |
| TeamSettings.ReadWrite.Group | |
| TeamsPolicyUserAssign.ReadWrite.All | Read and write Teams policy user assignment and unassignment for all policy types. |
| TeamsResourceAccount.Read.All | Read Teams resource accounts |
| TeamsTab.Create | Create tabs in Microsoft Teams. |
| TeamsTab.Create.Chat | |
| TeamsTab.Create.Group | |
| TeamsTab.Delete.Chat | |
| TeamsTab.Delete.Group | |
| TeamsTab.Read.All | Read tabs in Microsoft Teams. |
| TeamsTab.Read.Chat | |
| TeamsTab.Read.Group | |
| TeamsTab.ReadWrite.All | Read and write tabs in Microsoft Teams. |
| TeamsTab.ReadWrite.Chat | |
| TeamsTab.ReadWrite.Group | |
| TeamsTab.ReadWriteForChat | Allow the Teams app to manage all tabs in chats |
| TeamsTab.ReadWriteForChat.All | Allow the Teams app to manage all tabs for all chats |
| TeamsTab.ReadWriteForTeam | Allow the Teams app to manage all tabs in teams |
| TeamsTab.ReadWriteForTeam.All | Allow the Teams app to manage all tabs for all teams |
| TeamsTab.ReadWriteForUser | Allow the Teams app to manage all tabs for a user |
| TeamsTab.ReadWriteForUser.All | Allow the app to manage all tabs for all users |
| TeamsTab.ReadWriteSelfForChat | Allow the Teams app to manage only its own tabs in chats |
| TeamsTab.ReadWriteSelfForChat.All | Allow the Teams app to manage only its own tabs for all chats |
| TeamsTab.ReadWriteSelfForTeam | Allow the Teams app to manage only its own tabs in teams |
| TeamsTab.ReadWriteSelfForTeam.All | Allow the Teams app to manage only its own tabs for all teams |
| TeamsTab.ReadWriteSelfForUser | Allow the Teams app to manage only its own tabs for a user |
| TeamsTab.ReadWriteSelfForUser.All | Allow the Teams app to manage only its own tabs for all users |
| TeamsTelephoneNumber.Read.All | Read Tenant-Acquired Telephone Number Details |
| TeamsTelephoneNumber.ReadWrite.All | Read and Modify Tenant-Acquired Telephone Number Details |
| TeamsUserConfiguration.Read.All | Read Teams user configurations |
| TeamTemplates.Read | Read available Teams templates |
| TeamTemplates.Read.All | Read all available Teams Templates |
| Teamwork.Migrate.All | Create chat and channel messages with anyone's identity and with any timestamp |
| Teamwork.Read.All | Read organizational teamwork settings |
| TeamworkAppSettings.Read.All | Read Teams app settings |
| TeamworkAppSettings.ReadWrite.All | Read and write Teams app settings |
| TeamworkDevice.Read.All | Read Teams devices |
| TeamworkDevice.ReadWrite.All | Read and write Teams devices |
| TeamworkTag.Read | Read tags in Teams |
| TeamworkTag.Read.All | Read tags in Teams |
| TeamworkTag.ReadWrite | Read and write tags in Teams |
| TeamworkTag.ReadWrite.All | Read and write tags in Teams |
| TeamworkUserInteraction.Read.All | Read all of the possible Teams interactions between the user and other users |
| TermStore.Read.All | Read term store data |
| TermStore.ReadWrite.All | Read and write term store data |
| ThreatAssessment.Read.All | Read threat assessment requests |
| ThreatAssessment.ReadWrite.All | Read and write threat assessment requests |
| ThreatHunting.Read.All | Run hunting queries |
| ThreatIndicators.Read.All | Read all threat indicators |
| ThreatIndicators.ReadWrite.OwnedBy | Manage threat indicators this app creates or owns |
| ThreatIntelligence.Read.All | Read all threat intelligence information |
| ThreatSubmission.Read | Read threat submissions |
| ThreatSubmission.Read.All | Read all threat submissions |
| ThreatSubmission.ReadWrite | Read and write threat submissions |
| ThreatSubmission.ReadWrite.All | Read and write all threat submissions |
| ThreatSubmissionPolicies.ReadWrite.All | |
| ThreatSubmissionPolicy.ReadWrite.All | Read and write all threat submission policies |
| Topic.Read.All | Read topic items |
| TrustFrameworkKeySet.Read.All | Read trust framework key sets |
| TrustFrameworkKeySet.ReadWrite.All | Read and write trust framework key sets |
| UnifiedGroupMember.Read.AsGuest | Read unified group memberships as guest |
| User-CloudLicensing.Read | |
| User-CloudLicensing.Read.All | |
| User-ConvertToInternal.ReadWrite.All | Convert an external user to internal member user |
| User-LifeCycleInfo.Read.All | Read all users' lifecycle information |
| User-LifeCycleInfo.ReadWrite.All | Read and write all users' lifecycle information |
| User-Mail.ReadWrite.All | Read and write secondary mail addresses for users |
| User-OnPremisesSyncBehavior.ReadWrite.All | Read and update the on-premises sync behavior of users |
| User-PasswordProfile.ReadWrite.All | Read and write password profiles and reset user passwords |
| User-Phone.ReadWrite.All | Read and write user mobile phone and business phones |
| User-UsageRight.Read | |
| User-UsageRight.Read.All | |
| User.DeleteRestore.All | Delete and restore users |
| User.EnableDisableAccount.All | Enable and disable user accounts |
| User.Export.All | Export user's data |
| User.Invite.All | Invite guest users to the organization |
| User.ManageIdentities.All | Manage user identities |
| User.Read | Sign in and read user profile |
| User.Read.All | Read all users' full profiles |
| User.ReadBasic.All | Read all users' basic profiles |
| User.ReadWrite | Read and write access to user profile |
| User.ReadWrite.All | Read and write all users' full profiles |
| User.ReadWrite.CrossCloud | Read and write profiles of users that originate from an external cloud. |
| User.RevokeSessions.All | Revoke all sign in sessions for a user |
| UserActivity.ReadWrite.CreatedByApp | Read and write app activity to users' activity feed |
| UserAuthenticationMethod.Read | Read user authentication methods. |
| UserAuthenticationMethod.Read.All | Read all users' authentication methods |
| UserAuthenticationMethod.ReadWrite | Read and write user authentication methods |
| UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods. |
| UserAuthMethod-Email.Read | Read the signed-in user's email authentication methods |
| UserAuthMethod-Email.Read.All | Read all users' email methods |
| UserAuthMethod-Email.ReadWrite.All | Read and write all users' email methods. |
| UserAuthMethod-External.Read | Read the signed-in user's external authentication methods |
| UserAuthMethod-External.Read.All | Read all users' external authentication methods |
| UserAuthMethod-External.ReadWrite.All | Read and write all users' external methods. |
| UserAuthMethod-HardwareOATH.Read | Read the signed-in user's HardwareOATH authentication methods |
| UserAuthMethod-HardwareOATH.Read.All | Read all users' HardwareOATH authentication methods |
| UserAuthMethod-HardwareOATH.ReadWrite | Read and write the signed-in user's HardwareOATH authentication methods |
| UserAuthMethod-HardwareOATH.ReadWrite.All | Read and write all users' HardwareOATH methods. |
| UserAuthMethod-MicrosoftAuthApp.Read | Read the signed-in user's Microsoft Authenticator authentication methods |
| UserAuthMethod-MicrosoftAuthApp.Read.All | Read all users' Microsoft authentication methods |
| UserAuthMethod-MicrosoftAuthApp.ReadWrite | Read and write the signed-in user's Microsoft Authenticator authentication methods |
| UserAuthMethod-MicrosoftAuthApp.ReadWrite.All | Read and write all users' Microsoft Authentication methods. |
| UserAuthMethod-Passkey.Read | Read the signed-in user's passkey authentication methods |
| UserAuthMethod-Passkey.Read.All | Read all users' passkey authentication methods |
| UserAuthMethod-Passkey.ReadWrite | Read and write the signed-in user's passkey authentication methods |
| UserAuthMethod-Passkey.ReadWrite.All | Read and write all users' passkey methods. |
| UserAuthMethod-Password.Read | Read the signed-in user's password authentication methods |
| UserAuthMethod-Password.Read.All | Read all users' password authentication methods |
| UserAuthMethod-Password.ReadWrite | Read and write the signed-in user's password authentication methods |
| UserAuthMethod-Password.ReadWrite.All | Read and write all users' password methods. |
| UserAuthMethod-Phone.Read | Read the signed-in user's phone authentication methods |
| UserAuthMethod-Phone.Read.All | Read all users' phone authentication methods |
| UserAuthMethod-Phone.ReadWrite | Read and write the signed-in user's phone authentication methods |
| UserAuthMethod-Phone.ReadWrite.All | Read and write all users' phone methods. |
| UserAuthMethod-PlatformCred.Read | Read the signed-in user's platform credential authentication methods |
| UserAuthMethod-PlatformCred.Read.All | Read all users' platform credentials methods |
| UserAuthMethod-PlatformCred.ReadWrite | Read and write the signed-in user's platform credential authentication methods |
| UserAuthMethod-PlatformCred.ReadWrite.All | Read and write all users' platform credentials methods. |
| UserAuthMethod-QR.Read | Read the signed-in user's QR authentication methods |
| UserAuthMethod-QR.Read.All | Read all users' QR methods |
| UserAuthMethod-QR.ReadWrite | Read and write the signed-in user's QR authentication methods |
| UserAuthMethod-QR.ReadWrite.All | Read and write all users' QR methods. |
| UserAuthMethod-SoftwareOATH.Read | Read the signed-in user's SoftwareOATH authentication methods |
| UserAuthMethod-SoftwareOATH.Read.All | Read all users' SoftwareOATH methods |
| UserAuthMethod-SoftwareOATH.ReadWrite | Read and write the signed-in user's SoftwareOATH authentication methods |
| UserAuthMethod-SoftwareOATH.ReadWrite.All | Read and write all users' SoftwareOATH methods. |
| UserAuthMethod-TAP.Read | Read the signed-in user's Temporary Access Pass authentication methods |
| UserAuthMethod-TAP.Read.All | Read all users' Temporary Access Pass methods |
| UserAuthMethod-TAP.ReadWrite | Read and write the signed-in user's Temporary Access Pass authentication methods |
| UserAuthMethod-TAP.ReadWrite.All | Read and write all users' Temporary Access Pass methods. |
| UserAuthMethod-WindowsHello.Read | Read the signed-in user's Windows Hello methods |
| UserAuthMethod-WindowsHello.Read.All | Read all users' Windows Hello methods |
| UserAuthMethod-WindowsHello.ReadWrite | Read and write the signed-in user's Windows Hello authentication methods |
| UserAuthMethod-WindowsHello.ReadWrite.All | Read and write all users' Windows Hello methods. |
| UserCloudClipboard.Read | Read cloud clipboard items |
| UserNotification.ReadWrite.CreatedByApp | Deliver and manage user's notifications |
| UserShiftPreferences.Read.All | Read all user shift preferences |
| UserShiftPreferences.ReadWrite.All | Read and write all user shift preferences |
| UserTeamwork.Read | Read user teamwork settings |
| UserTeamwork.Read.All | Read all user teamwork settings |
| UserTimelineActivity.Write.CreatedByApp | Write app activity to users' timeline |
| UserWindowsSettings.Read | |
| UserWindowsSettings.Read.All | Read Windows settings for all devices |
| UserWindowsSettings.ReadWrite.All | Read and write Windows settings for all devices |
| VerifiedId-Profile.Read.All | Read Verified ID profiles |
| VerifiedId-Profile.ReadWrite.All | Read and write Verified ID profiles |
| VirtualAppointment.Read | Read a user's virtual appointments |
| VirtualAppointment.Read.All | Read all virtual appointments for users, as authorized by online meetings application access policy |
| VirtualAppointment.ReadWrite | Read and write a user's virtual appointments |
| VirtualAppointment.ReadWrite.All | Read-write all virtual appointments for users, as authorized by online meetings app access policy |
| VirtualAppointmentNotification.Send | Send notification regarding virtual appointments for the signed-in user |
| VirtualEvent.Read | Read your virtual events |
| VirtualEvent.Read.All | Read all users' virtual events |
| VirtualEvent.Read.Chat | |
| VirtualEvent.ReadWrite | Read and write your virtual events |
| VirtualEventRegistration-Anon.ReadWrite.All | Read and write anonymous users' virtual event registrations |
| VirtualEventRegistration-Anon.ReadWrite.Chat | |
| WindowsUpdates.ReadWrite.All | Read and write all Windows update deployment settings |
| WorkforceIntegration.Read.All | Read workforce integrations |
| WorkforceIntegration.ReadWrite.All | Read and write workforce integrations |