To learn more, see our tips on writing great answers. Can read basic directory information. User consent happens when a user attempts to sign into an application. Application Server. The same functions can be accomplished using the. Azure AD organizations for employees and partners:The addition of a federation (e.g. Also during admin consent, applications or services provide direct access to an API, which can be used by the application if there's no signed-in user. Can reset passwords for non-administrators and Helpdesk Administrators. It is important to understand that assigning a user to this role gives them the ability to manage all groups in the organization across various workloads like Teams, SharePoint, Yammer in addition to Outlook. See, Azure Active Directory B2C organizations: The addition of a federation (for example, with Facebook, or with another Azure AD organization) does not immediately impact end-user flows until the identity provider is added as an option in a user flow (also called a built-in policy). Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app. Other applications not assigned to the application can't get an access token The following roles should not be used. Users in this role can access the full set of administrative capabilities in the Microsoft Viva Insights app. Ability to update all properties on single-tenant and multi-tenant applications. After users submit the admin consent request, the admins who have been designated as reviewers receive a notification. Grants access to all fields on the application registration authentication page except supported account types: Grants the same permissions as microsoft.directory/applications/authentication/update, but only for single-tenant applications. Let's take a look at a non-technical approach to AAD Application Registrations. The person who signs up for the Azure AD organization becomes a Global Administrator. For example, users can be prompted for consent when they attempt to sign in to an application for the first time. This role can also activate and deactivate custom security attributes. Here, we are going to execute the same steps with the PowerShell script. The AAD Admin of tenant T1 explicitly grants permissions to the application App. App-only access uses app roles instead of delegated scopes. However, they can manage the Microsoft 365 group they create, which is a part of their end-user privileges. After the user has provided sign-in credentials, they're checked to determine whether consent has already been granted. Click on Azure Active Directory on the left-hand side navigation. This permission type requires consent of a Global Administrator in Azure AD. More information at Role-based administration control (RBAC) with Microsoft Intune. (Enterprise Applications = Service principals, Application registrations = Applications). For example, usage reporting can show how sending SMS text messages before appointments can reduce the number of people who don't show up for appointments. Can manage all aspects of the Azure Information Protection product. If you aren't confident that you understand who controls the application and why the application is requesting the permissions, do not grant consent. For more information, see Methods for assigning users and groups. Grants the same permissions as microsoft.directory/applications/allProperties/update, but only for single-tenant applications. Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Azure AD. Granting a specific set of non-admin users access to Azure portal when "Restrict access to Azure AD portal to admins only" is set to "Yes". Can read security information and reports in Azure AD and Office 365. Microsoft Graph, the ResourceAccess includes the permissions you added to the app, the Scope means the Delegated permission, Role means the Application permission. User consent is usually initiated when a user signs in to an application. Under Manage, select App registrations.. Sorted by: 1. Whether a Helpdesk Administrator can reset a user's password and invalidate refresh tokens depends on the role the user is assigned. Permissions. https://graph.windows.net/tenant-id/servicePrincipals/object-id/oauth2PermissionGrants?api-version=1.6. Do not use. Users assigned to this role can also manage communication of new features in Office apps. Can manage all aspects of the Intune product. This role is intended for use by a small number of Microsoft resale partners, and is not intended for general use. This option allows all users to consent to any permissions that don't require admin consent, for any application. Users with this role can access tenant level aggregated data and associated insights in Microsoft 365 admin center for Usage and Productivity Score but cannot access any user level details or insights. Whether a Password Administrator can reset a user's password depends on the role the user is assigned. The following table is for roles assigned at the scope of a tenant. I leveraged an AAD App with Application permission to send email on behalf of any email accounts within a tenant. When your organization purchases a license or subscription for a new application, you might proactively want to set up the application so that all users in the organization can use it. Should we burninate the [variations] tag? Users with this role have permissions to manage security-related features in the Microsoft 365 Defender portal, Azure Active Directory Identity Protection, Azure Active Directory Authentication, Azure Information Protection, and Office 365 Security & Compliance Center. There are other ways in which applications can be granted authorization for app-only access. More information about Office 365 permissions is available at Permissions in the Security & Compliance Center. If the Modern Commerce User role is unassigned from a user, they lose access to Microsoft 365 admin center. This user has full rights to topic management actions to confirm a topic, approve edits, or delete a topic. Furthermore, you can find the "Troubleshooting Login Issues" section which can answer your unresolved problems and equip you with a . More information at About admin roles. The deployment service enables users to define settings for when and how updates are deployed, and specify which updates are offered to groups of devices in their tenant. LoginAsk is here to help you access Aad Pass Through Authentication quickly and handle each specific case you encounter. Delete or restore any users, including Global Administrators. A user assigned to the Reports Reader role can access only relevant usage and adoption metrics. It is "Power BI Administrator" in the Azure portal. For a detailed example that uses Microsoft Graph PowerShell, see Grant consent on behalf of a single user by using PowerShell. Those questions are always pretty similar and most of the time the problem lies in some misconception, so I thought it might be a good idea to try to . Message Center Privacy Readers get email notifications including those related to data privacy and they can unsubscribe using Message Center Preferences. There are two permissions available for granting the ability to create application registrations, each with different behavior: Assigning this permission results in the creator being added as the first owner of the created app registration, and the created app registration will count against the creator's 250 created objects quota. The final piece of the puzzle is the id for the API app's . To indicate the level of access required, an application requests the API permissions it requires. They can also read all connector information. This role has no access to view, create, or manage support tickets. Users with this role have read access to recipients and write access to the attributes of those recipients in Exchange Online. A Privileged Administrator can configure whether non-administrator users are allowed to grant user consent to an application. Some advanced customers might want more control over the conditions that govern when users are allowed to consent. Can approve Microsoft support requests to access customer organizational data. Users in this role can create and manage all aspects of attack simulation creation, launch/scheduling of a simulation, and the review of simulation results. This role gives an extra layer of protection on individual user identifiable data, which was requested by both customers and legal teams. Normally it should sync the service principal in the same tenant, multi-tenant apps' service principals in other tenants don't sync. Can create and manage all aspects of user flows. They have a general understanding of the suite of products, licensing details and has responsibility to control access. Is God worried about Adam eating once or in an on-going pattern from the Tree of Life at Genesis 3:22? You can still request these permissions as part of the app registration, but granting (that is, consenting to) these permissions requires a more privileged administrator, such as Global Administrator. Attack payloads are then available to all administrators in the tenant who can use them to create a simulation. In many cases, an admin may be required to grant consent on behalf of the user. Admin permissions for Microsoft Graph API The B2 IEF Policy Administrator is a highly sensitive role which should be assigned on a very limited basis for organizations in production.Activities by these users should be closely audited, especially for organizations in production. Register an Azure AD application with the following permission. Can manage domain names in cloud and on-premises. When you turn on role-based access control in Microsoft Defender for Endpoint, users with read-only permissions such as the Azure AD Security Reader role lose access until they are assigned to a Microsoft Defender for Endpoint role. Can manage Azure DevOps policies and settings. The content available in these areas is controlled by commerce-specific roles assigned to users to manage products that they bought for themselves or your organization. Users with this role can create and manage user flows (also called "built-in" policies) in the Azure portal. Specific properties or aspects of the entity for which access is being granted. What is the effect of cycling on weight loss? Users with this role have global permissions within Microsoft Power BI, when the service is present, as well as the ability to manage support tickets and monitor service health. The AAD Graph API Azure AD application identity has 3 user permissions and 6 admin permissions. I have published my last blog to describe to PowerShell script to register the App in the Azure AD, In this blog, we will discuss the PowerShell script to assign the necessary permissions for the App.. More information at About admin roles. Those apps may have privileged permissions in Azure AD and elsewhere not granted to Helpdesk Administrators. Assign the Privileged Authentication Administrator role to users who need to do the following: Users with this role can manage role assignments in Azure Active Directory, as well as within Azure AD Privileged Identity Management. Can create and manage the editorial content such as bookmarks, Q and As, locations, floorplan. Learn more. It is "Dynamics 365 Administrator" in the Azure portal. In the Azure portal, go to "Azure Active Directory > Enterprise application > your application > Permissions" and click the "Grant admin consent" button. For example, application permissions and many high-privilege delegated permissions can only be consented to by an administrator. It does not include any other permissions. Has administrative access in the Microsoft 365 Insights app. Users in this role can only view user details in the call for the specific user they have looked up. rev2022.11.3.43005. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names. Sign in to the Azure portal as a global administrator or application administrator.. Search for and select Azure Active Directory.. In order to assign permissions to our Azure AD Application we will need to write a bit of code. To work with custom security attributes, you must be assigned one of the custom security attribute roles. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Grants the ability to delete app registrations restricted to those that are accessible only to accounts in your organization or single-tenant applications (myOrganization subtype). I would manually update the service principal through Graph API, or delete it and re-create it altogether. . This role was previously called "Password Administrator" in the Azure portal. For example, the user could be authorized to access directory resources by Azure Active Directory (Azure AD) role-based access control (RBAC) or to access mail and calendar resources by Exchange Online RBAC. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. Users can consent to all applications. Users with this role can manage all enterprise Azure DevOps policies, applicable to all Azure DevOps organizations backed by the Azure AD. This involves hand-editing a JSON file in the Azure AD Admin Center. Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management. That means administrators cannot update owners or memberships of Microsoft 365 groups in the organization. Application Not Registered With Aad will sometimes glitch and take you a long time to try different solutions. Also I thought the oauth2PermissionGrant represents the delegated permissions (not the application permissions). The account must also be licensed for Teams or it can't run Teams PowerShell cmdlets. Key task a Printer Technician cannot do is set user permissions on printers and sharing printers. Ability to update the supported account type (signInAudience) property on single-tenant and multi-tenant applications. To avoid the need for user consent, an administrator can grant consent for the application on behalf of all users in the organization. Generally speaking, if an app is configured with application permissions, then the user gets redirected to AAD for authentication. Delegated access requires delegated permissions. Security Group and Microsoft 365 group owners, who can manage group membership. Select Add access policy, then select the key, secret, and certificate permissions you want to grant your application. By default, Global Administrator and other administrator roles do not have permissions to read, define, or assign custom security attributes. microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks, Manage admin consent request policies in Azure AD, microsoft.directory/appConsent/appConsentRequests/allProperties/read, Read all properties of consent requests for applications registered with Azure AD, microsoft.directory/applications/applicationProxy/read, microsoft.directory/applications/applicationProxy/update, microsoft.directory/applications/applicationProxyAuthentication/update, Update authentication on all types of applications, microsoft.directory/applications/applicationProxySslCertificate/update, Update SSL certificate settings for application proxy, microsoft.directory/applications/applicationProxyUrlSettings/update, Update URL settings for application proxy, microsoft.directory/applications/appRoles/update, Update the appRoles property on all types of applications, microsoft.directory/applications/audience/update, Update the audience property for applications, microsoft.directory/applications/authentication/update, microsoft.directory/applications/basic/update, microsoft.directory/applications/extensionProperties/update, Update extension properties on applications, microsoft.directory/applications/notes/update, microsoft.directory/applications/owners/update, microsoft.directory/applications/permissions/update, Update exposed permissions and required permissions on all types of applications, microsoft.directory/applications/policies/update, microsoft.directory/applications/tag/update, microsoft.directory/applications/verification/update, microsoft.directory/applications/synchronization/standard/read, Read provisioning settings associated with the application object, microsoft.directory/applicationTemplates/instantiate, Instantiate gallery applications from application templates, microsoft.directory/auditLogs/allProperties/read, Read all properties on audit logs, including privileged properties, microsoft.directory/connectors/allProperties/read, Read all properties of application proxy connectors, microsoft.directory/connectorGroups/create, Create application proxy connector groups, microsoft.directory/connectorGroups/delete, Delete application proxy connector groups, microsoft.directory/connectorGroups/allProperties/read, Read all properties of application proxy connector groups, microsoft.directory/connectorGroups/allProperties/update, Update all properties of application proxy connector groups, microsoft.directory/customAuthenticationExtensions/allProperties/allTasks, Create and manage custom authentication extensions, microsoft.directory/deletedItems.applications/delete, Permanently delete applications, which can no longer be restored, microsoft.directory/deletedItems.applications/restore, Restore soft deleted applications to original state, microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks, Create and delete OAuth 2.0 permission grants, and read and update all properties, microsoft.directory/applicationPolicies/create, microsoft.directory/applicationPolicies/delete, microsoft.directory/applicationPolicies/standard/read, Read standard properties of application policies, microsoft.directory/applicationPolicies/owners/read, microsoft.directory/applicationPolicies/policyAppliedTo/read, Read application policies applied to objects list, microsoft.directory/applicationPolicies/basic/update, Update standard properties of application policies, microsoft.directory/applicationPolicies/owners/update, Update the owner property of application policies, microsoft.directory/provisioningLogs/allProperties/read, microsoft.directory/servicePrincipals/create, microsoft.directory/servicePrincipals/delete, microsoft.directory/servicePrincipals/disable, microsoft.directory/servicePrincipals/enable, microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials, Manage password single sign-on credentials on service principals, microsoft.directory/servicePrincipals/synchronizationCredentials/manage, Manage application provisioning secrets and credentials, microsoft.directory/servicePrincipals/synchronizationJobs/manage, Start, restart, and pause application provisioning syncronization jobs, microsoft.directory/servicePrincipals/synchronizationSchema/manage, Create and manage application provisioning syncronization jobs and schema, microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials, Read password single sign-on credentials on service principals, microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin, Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph, microsoft.directory/servicePrincipals/appRoleAssignedTo/update, Update service principal role assignments, microsoft.directory/servicePrincipals/audience/update, Update audience properties on service principals, microsoft.directory/servicePrincipals/authentication/update, Update authentication properties on service principals, microsoft.directory/servicePrincipals/basic/update, Update basic properties on service principals, microsoft.directory/servicePrincipals/credentials/update, microsoft.directory/servicePrincipals/notes/update, microsoft.directory/servicePrincipals/owners/update, microsoft.directory/servicePrincipals/permissions/update, microsoft.directory/servicePrincipals/policies/update, microsoft.directory/servicePrincipals/tag/update, Update the tag property for service principals, microsoft.directory/servicePrincipals/synchronization/standard/read, Read provisioning settings associated with your service principal, microsoft.directory/signInReports/allProperties/read, Read all properties on sign-in reports, including privileged properties, microsoft.azure.serviceHealth/allEntities/allTasks, microsoft.azure.supportTickets/allEntities/allTasks, microsoft.office365.serviceHealth/allEntities/allTasks, Read and configure Service Health in the Microsoft 365 admin center, microsoft.office365.supportTickets/allEntities/allTasks, Create and manage Microsoft 365 service requests, microsoft.office365.webPortal/allEntities/standard/read, Read basic properties on all resources in the Microsoft 365 admin center, microsoft.directory/applications/createAsOwner, Create all types of applications, and creator is added as the first owner, microsoft.directory/oAuth2PermissionGrants/createAsOwner, Create OAuth 2.0 permission grants, with creator as the first owner, microsoft.directory/servicePrincipals/createAsOwner, Create service principals, with creator as the first owner, microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks, Create and manage attack payloads in Attack Simulator, microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read, Read reports of attack simulation responses and associated training, microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks, Create and manage attack simulation templates in Attack Simulator, microsoft.directory/attributeSets/allProperties/read, microsoft.directory/customSecurityAttributeDefinitions/allProperties/read, Read all properties of custom security attribute definitions, microsoft.directory/devices/customSecurityAttributes/read, Read custom security attribute values for devices, microsoft.directory/devices/customSecurityAttributes/update, Update custom security attribute values for devices, microsoft.directory/servicePrincipals/customSecurityAttributes/read, Read custom security attribute values for service principals, microsoft.directory/servicePrincipals/customSecurityAttributes/update, Update custom security attribute values for service principals, microsoft.directory/users/customSecurityAttributes/read, Read custom security attribute values for users, microsoft.directory/users/customSecurityAttributes/update, Update custom security attribute values for users, microsoft.directory/attributeSets/allProperties/allTasks, microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks, Manage all aspects of custom security attribute definitions, microsoft.directory/users/authenticationMethods/create, microsoft.directory/users/authenticationMethods/delete, microsoft.directory/users/authenticationMethods/standard/restrictedRead, Read standard properties of authentication methods that do not include personally identifiable information for users, microsoft.directory/users/authenticationMethods/basic/update, Update basic properties of authentication methods for users, microsoft.directory/deletedItems.users/restore, Restore soft deleted users to original state, microsoft.directory/users/invalidateAllRefreshTokens, Force sign-out by invalidating user refresh tokens, microsoft.directory/users/password/update, microsoft.directory/users/userPrincipalName/update, microsoft.directory/organization/strongAuthentication/allTasks, Manage all aspects of strong authentication properties of an organization, microsoft.directory/userCredentialPolicies/create, microsoft.directory/userCredentialPolicies/delete, microsoft.directory/userCredentialPolicies/standard/read, Read standard properties of credential policies for users, microsoft.directory/userCredentialPolicies/owners/read, Read owners of credential policies for users, microsoft.directory/userCredentialPolicies/policyAppliedTo/read, microsoft.directory/userCredentialPolicies/basic/update, microsoft.directory/userCredentialPolicies/owners/update, Update owners of credential policies for users, microsoft.directory/userCredentialPolicies/tenantDefault/update, Update policy.isOrganizationDefault property, microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read, microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke, microsoft.directory/verifiableCredentials/configuration/contracts/create, microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read, microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update, microsoft.directory/verifiableCredentials/configuration/create, Create configuration required to create and manage verifiable credentials, microsoft.directory/verifiableCredentials/configuration/delete, Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials, microsoft.directory/verifiableCredentials/configuration/allProperties/read, Read configuration required to create and manage verifiable credentials, microsoft.directory/verifiableCredentials/configuration/allProperties/update, Update configuration required to create and manage verifiable credentials, microsoft.directory/groupSettings/standard/read, microsoft.directory/groupSettingTemplates/standard/read, Read basic properties on group setting templates, microsoft.azure.devOps/allEntities/allTasks, microsoft.directory/authorizationPolicy/standard/read, Read standard properties of authorization policy, microsoft.azure.informationProtection/allEntities/allTasks, Manage all aspects of Azure Information Protection, microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks, Read and configure key sets inAzure Active Directory B2C, microsoft.directory/b2cTrustFrameworkPolicy/allProperties/allTasks, Read and configure custom policies inAzure Active Directory B2C, microsoft.directory/organization/basic/update, microsoft.commerce.billing/allEntities/allProperties/allTasks, microsoft.directory/cloudAppSecurity/allProperties/allTasks, Create and delete all resources, and read and update standard properties in Microsoft Defender for Cloud Apps, microsoft.directory/bitlockerKeys/key/read, Read bitlocker metadata and key on devices, microsoft.directory/deletedItems.devices/delete, Permanently delete devices, which can no longer be restored, microsoft.directory/deletedItems.devices/restore, Restore soft deleted devices to original state, microsoft.directory/deviceManagementPolicies/standard/read, Read standard properties on device management application policies, microsoft.directory/deviceManagementPolicies/basic/update, Update basic properties on device management application policies, microsoft.directory/deviceRegistrationPolicy/standard/read, Read standard properties on device registration policies, microsoft.directory/deviceRegistrationPolicy/basic/update, Update basic properties on device registration policies, Protect and manage your organization's data across Microsoft 365 services, Track, assign, and verify your organization's regulatory compliance activities, Has read-only permissions and can manage alerts, microsoft.directory/entitlementManagement/allProperties/read, Read all properties in Azure AD entitlement management, microsoft.office365.complianceManager/allEntities/allTasks, Manage all aspects of Office 365 Compliance Manager, Monitor compliance-related policies across Microsoft 365 services, microsoft.directory/namedLocations/create, Create custom rules that define network locations, microsoft.directory/namedLocations/delete, Delete custom rules that define network locations, microsoft.directory/namedLocations/standard/read, Read basic properties of custom rules that define network locations, microsoft.directory/namedLocations/basic/update, Update basic properties of custom rules that define network locations, microsoft.directory/conditionalAccessPolicies/create, microsoft.directory/conditionalAccessPolicies/delete, microsoft.directory/conditionalAccessPolicies/standard/read, microsoft.directory/conditionalAccessPolicies/owners/read, Read the owners of conditional access policies, microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read, Read the "applied to" property for conditional access policies, microsoft.directory/conditionalAccessPolicies/basic/update, Update basic properties for conditional access policies, microsoft.directory/conditionalAccessPolicies/owners/update, Update owners for conditional access policies, microsoft.directory/conditionalAccessPolicies/tenantDefault/update, Update the default tenant for conditional access policies, microsoft.office365.lockbox/allEntities/allTasks, microsoft.office365.desktopAnalytics/allEntities/allTasks, microsoft.directory/administrativeUnits/standard/read, Read basic properties on administrative units, microsoft.directory/administrativeUnits/members/read, microsoft.directory/applications/standard/read, microsoft.directory/applications/owners/read, microsoft.directory/applications/policies/read, microsoft.directory/contacts/standard/read, Read basic properties on contacts in Azure AD, microsoft.directory/contacts/memberOf/read, Read the group membership for all contacts in Azure AD, microsoft.directory/contracts/standard/read, Read basic properties on partner contracts, microsoft.directory/devices/standard/read, microsoft.directory/devices/memberOf/read, microsoft.directory/devices/registeredOwners/read, microsoft.directory/devices/registeredUsers/read, microsoft.directory/directoryRoles/standard/read, microsoft.directory/directoryRoles/eligibleMembers/read, Read the eligible members of Azure AD roles, microsoft.directory/directoryRoles/members/read, microsoft.directory/domains/standard/read, Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups, microsoft.directory/groups/appRoleAssignments/read, Read application role assignments of groups, Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups, Read members of Security groups and Microsoft 365 groups, including role-assignable groups, Read owners of Security groups and Microsoft 365 groups, including role-assignable groups, microsoft.directory/oAuth2PermissionGrants/standard/read, Read basic properties on OAuth 2.0 permission grants, microsoft.directory/organization/standard/read, microsoft.directory/organization/trustedCAsForPasswordlessAuth/read, Read trusted certificate authorities for passwordless authentication, microsoft.directory/roleAssignments/standard/read, Read basic properties on role assignments, microsoft.directory/roleDefinitions/standard/read, Read basic properties on role definitions, microsoft.directory/servicePrincipals/appRoleAssignedTo/read, microsoft.directory/servicePrincipals/appRoleAssignments/read, Read role assignments assigned to service principals, microsoft.directory/servicePrincipals/standard/read, Read basic properties of service principals, microsoft.directory/servicePrincipals/memberOf/read, Read the group memberships on service principals, microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read, Read delegated permission grants on service principals, microsoft.directory/servicePrincipals/owners/read, microsoft.directory/servicePrincipals/ownedObjects/read, microsoft.directory/servicePrincipals/policies/read, microsoft.directory/subscribedSkus/standard/read, microsoft.directory/users/appRoleAssignments/read, Read application role assignments for users, microsoft.directory/users/deviceForResourceAccount/read, microsoft.directory/users/directReports/read, microsoft.directory/users/licenseDetails/read, microsoft.directory/users/oAuth2PermissionGrants/read, Read delegated permission grants on users, microsoft.directory/users/ownedDevices/read, microsoft.directory/users/ownedObjects/read, microsoft.directory/users/registeredDevices/read, microsoft.directory/users/scopedRoleMemberOf/read, Read user's membership of an Azure AD role, that is scoped to an administrative unit, microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks, Manage hybrid authentication policy in Azure AD, microsoft.directory/organization/dirSync/update, Update the organization directory sync property, microsoft.directory/passwordHashSync/allProperties/allTasks, Manage all aspects of Password Hash Synchronization (PHS) in Azure AD, microsoft.directory/policies/standard/read, microsoft.directory/policies/policyAppliedTo/read, microsoft.directory/policies/basic/update, microsoft.directory/policies/owners/update, microsoft.directory/policies/tenantDefault/update, Assign product licenses to groups for group-based licensing, Create Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/reprocessLicenseAssignment, Reprocess license assignments for group-based licensing, Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/classification/update, Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/dynamicMembershipRule/update, Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/groupType/update, Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/members/update, Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/onPremWriteBack/update, Update Azure Active Directory groups to be written back to on-premises with Azure AD Connect, Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups/settings/update, microsoft.directory/groups/visibility/update, Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groupSettings/basic/update, Update basic properties on group settings, microsoft.directory/oAuth2PermissionGrants/create, microsoft.directory/oAuth2PermissionGrants/basic/update, microsoft.directory/users/reprocessLicenseAssignment, microsoft.directory/domains/allProperties/allTasks, Create and delete domains, and read and update all properties, microsoft.dynamics365/allEntities/allTasks, microsoft.edge/allEntities/allProperties/allTasks, microsoft.directory/groups/hiddenMembers/read, Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups, microsoft.directory/groups.unified/create, Create Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups.unified/delete, Delete Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups.unified/restore, Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups, microsoft.directory/groups.unified/basic/update, Update basic properties on Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups.unified/members/update, Update members of Microsoft 365 groups, excluding role-assignable groups, microsoft.directory/groups.unified/owners/update, Update owners of Microsoft 365 groups, excluding role-assignable groups, microsoft.office365.exchange/allEntities/basic/allTasks, microsoft.office365.network/performance/allProperties/read, Read all network performance properties in the Microsoft 365 admin center, microsoft.office365.usageReports/allEntities/allProperties/read, microsoft.office365.exchange/allRecipients/allProperties/allTasks, Create and delete all recipients, and read and update all properties of recipients in Exchange Online, microsoft.office365.exchange/migration/allProperties/allTasks, Manage all tasks related to migration of recipients in Exchange Online, microsoft.directory/b2cUserFlow/allProperties/allTasks, Read and configure user flow in Azure Active Directory B2C, microsoft.directory/b2cUserAttribute/allProperties/allTasks, Read and configure user attribute in Azure Active Directory B2C, microsoft.directory/domains/federation/update, microsoft.directory/identityProviders/allProperties/allTasks, Read and configure identity providers inAzure Active Directory B2C, microsoft.directory/accessReviews/allProperties/allTasks, (Deprecated) Create and delete access reviews, read and update all properties of access reviews, and manage access reviews of groups in Azure AD, microsoft.directory/accessReviews/definitions/allProperties/allTasks, Manage access reviews of all reviewable resources in Azure AD, microsoft.directory/administrativeUnits/allProperties/allTasks, Create and manage administrative units (including members), microsoft.directory/applications/allProperties/allTasks, Create and delete applications, and read and update all properties, microsoft.directory/users/authenticationMethods/standard/read, Read standard properties of authentication methods for users, microsoft.directory/authorizationPolicy/allProperties/allTasks, Manage all aspects of authorization policy, microsoft.directory/contacts/allProperties/allTasks, Create and delete contacts, and read and update all properties, microsoft.directory/contracts/allProperties/allTasks, Create and delete partner contracts, and read and update all properties, Permanently delete objects, which can no longer be restored, Restore soft deleted objects to original state, microsoft.directory/devices/allProperties/allTasks, Create and delete devices, and read and update all properties, microsoft.directory/directoryRoles/allProperties/allTasks, Create and delete directory roles, and read and update all properties, microsoft.directory/directoryRoleTemplates/allProperties/allTasks, Create and delete Azure AD role templates, and read and update all properties, microsoft.directory/entitlementManagement/allProperties/allTasks, Create and delete resources, and read and update all properties in Azure AD entitlement management, microsoft.directory/groups/allProperties/allTasks, Create and delete groups, and read and update all properties, microsoft.directory/groupsAssignableToRoles/create, microsoft.directory/groupsAssignableToRoles/delete, microsoft.directory/groupsAssignableToRoles/restore, microsoft.directory/groupsAssignableToRoles/allProperties/update, microsoft.directory/groupSettings/allProperties/allTasks, Create and delete group settings, and read and update all properties, microsoft.directory/groupSettingTemplates/allProperties/allTasks, Create and delete group setting templates, and read and update all properties, microsoft.directory/identityProtection/allProperties/allTasks, Create and delete all resources, and read and update standard properties in Azure AD Identity Protection, microsoft.directory/loginOrganizationBranding/allProperties/allTasks, Create and delete loginTenantBranding, and read and update all properties, microsoft.directory/organization/allProperties/allTasks, Read and update all properties for an organization, microsoft.directory/policies/allProperties/allTasks, Create and delete policies, and read and update all properties, microsoft.directory/conditionalAccessPolicies/allProperties/allTasks, Manage all properties of conditional access policies, microsoft.directory/crossTenantAccessPolicy/standard/read, Read basic properties of cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update, Update allowed cloud endpoints of cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/basic/update, Update basic settings of cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/standard/read, Read basic properties of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update, Update Azure AD B2B collaboration settings of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update, Update Azure AD B2B direct connect settings of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update, Update cross-cloud Teams meeting settings of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update, Update tenant restrictions of the default cross-tenant access policy, microsoft.directory/crossTenantAccessPolicy/partners/create, Create cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/delete, Delete cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/standard/read, Read basic properties of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update, Update Azure AD B2B collaboration settings of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update, Update Azure AD B2B direct connect settings of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update, Update cross-cloud Teams meeting settings of cross-tenant access policy for partners, microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update, Update tenant restrictions of cross-tenant access policy for partners, microsoft.directory/privilegedIdentityManagement/allProperties/read, Read all resources in Privileged Identity Management, microsoft.directory/roleAssignments/allProperties/allTasks, Create and delete role assignments, and read and update all role assignment properties, microsoft.directory/roleDefinitions/allProperties/allTasks, Create and delete role definitions, and read and update all properties, microsoft.directory/scopedRoleMemberships/allProperties/allTasks, Create and delete scopedRoleMemberships, and read and update all properties, microsoft.directory/serviceAction/activateService, Can perform the "activate service" action for a service, microsoft.directory/serviceAction/disableDirectoryFeature, Can perform the "disable directory feature" service action, microsoft.directory/serviceAction/enableDirectoryFeature, Can perform the "enable directory feature" service action, microsoft.directory/serviceAction/getAvailableExtentionProperties, Can perform the getAvailableExtentionProperties service action, microsoft.directory/servicePrincipals/allProperties/allTasks, Create and delete service principals, and read and update all properties, microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin, Grant consent for any permission to any application, microsoft.directory/subscribedSkus/allProperties/allTasks, Buy and manage subscriptions and delete subscriptions, microsoft.directory/users/allProperties/allTasks, Create and delete users, and read and update all properties, microsoft.directory/permissionGrantPolicies/create, microsoft.directory/permissionGrantPolicies/delete, microsoft.directory/permissionGrantPolicies/standard/read, Read standard properties of permission grant policies, microsoft.directory/permissionGrantPolicies/basic/update, Update basic properties of permission grant policies, microsoft.directory/servicePrincipalCreationPolicies/create, Create service principal creation policies, microsoft.directory/servicePrincipalCreationPolicies/delete, Delete service principal creation policies, microsoft.directory/servicePrincipalCreationPolicies/standard/read, Read standard properties of service principal creation policies, microsoft.directory/servicePrincipalCreationPolicies/basic/update, Update basic properties of service principal creation policies, microsoft.directory/tenantManagement/tenants/create, Create new tenants in Azure Active Directory, microsoft.directory/lifecycleWorkflows/workflows/allProperties/allTasks, Manage all aspects of lifecycle workflows and tasks in Azure AD, microsoft.azure.advancedThreatProtection/allEntities/allTasks, Manage all aspects of Azure Advanced Threat Protection, microsoft.cloudPC/allEntities/allProperties/allTasks, Manage all aspects of Microsoft Power Automate, microsoft.insights/allEntities/allProperties/allTasks, microsoft.office365.knowledge/contentUnderstanding/allProperties/allTasks, Read and update all properties of content understanding in Microsoft 365 admin center, microsoft.office365.knowledge/contentUnderstanding/analytics/allProperties/read, Read analytics reports of content understanding in Microsoft 365 admin center, microsoft.office365.knowledge/knowledgeNetwork/allProperties/allTasks, Read and update all properties of knowledge network in Microsoft 365 admin center, microsoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasks, Manage topic visibility of knowledge network in Microsoft 365 admin center, microsoft.office365.knowledge/learningSources/allProperties/allTasks.
Player Speed Parity Scale Madden 22, Asian Language Crossword Clue 6 Letters, Intellij Cannot Add Certificate, Wickham H Ggplot2 Elegant Graphics For Data Analysis, Best Dessert Places In Amsterdam, Angularjs Controller Template, Razer Blackwidow Mini Hyperspeed, Unavoidable Crossword Clue 10 Letters,