App Roles Listing

Application permissions (app roles) exposed by the Microsoft Graph API, grouped by resource prefix. Each row gives the role suffix (append it to the section heading, e.g. AccessReview + .Read.All = AccessReview.Read.All), the appRole ID that appears in an app manifest's requiredResourceAccess entries and in appRoleAssignment objects, the short purpose, and the full description. Every role here is an application permission: it is exercised without a signed-in user, so its scope is the whole tenant rather than one user's data, and a secret or certificate on the holding app is all that stands between the role and anyone who obtains it.

Last generated 2022-03-13.
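The rows above are only useful in practice once the GUIDs can be resolved during an audit. The following is an added example, not part of the original listing: it parses rows in this page's own ".Suffix GUID Purpose Description" format into a GUID-to-name map, then runs a batch of appRoleAssignment records (the shape Graph returns from a service principal's appRoleAssignments, here constructed inline) through a triage that flags the roles whose descriptions on this page amount to tenant-wide control. The HIGH_RISK grouping and its rationale strings are this example's own reading of the descriptions, not a Microsoft classification; the principal names and the two placeholder GUIDs in the sample data are invented.

```python
"""Resolve Microsoft Graph appRole GUIDs from the listing and triage assignments.

Added example; the listing excerpt copies GUIDs from the page (descriptions
abbreviated), the assignment records and principal names are constructed.
"""
import re
from typing import Dict, Iterable, List

# Row format used by the listing: ".Suffix <GUID> <purpose> <description>" under a
# single-token resource-prefix heading. Purpose and description are not separated
# on the page, so only suffix and GUID are parsed; the remainder is free text.
ROW_RE = re.compile(
    r"^(\.\S+)\s+([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\s+(.*)$"
)

# Constructed excerpt in the page's format (GUIDs as on the page, text shortened).
LISTING_EXCERPT = """
Application
Roles ID Purpose Description
.Read.All 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 Read all applications Allows the app to read all applications and service principals.
.ReadWrite.All 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 Read and write all applications Allows the app to create, read, update and delete applications and service principals.
AppRoleAssignment
.ReadWrite.All 06b708a9-e830-4db3-a914-8e69da51d44f Manage app permission grants and app role assignments Allows the app to manage permission grants for application permissions to any API.
Directory
.Read.All 7ab1d382-f21e-4acd-a863-ba3e13f7da61 Read directory data Allows the app to read data in your organization's directory.
.ReadWrite.All 19dbc75e-c2e2-444c-a770-ec69d8559fc7 Read and write directory data Allows the app to read and write data in your organization's directory.
Mail
.Read 810c84a8-4a9e-49e6-bf7d-12d183f40d01 Read mail in all mailboxes Allows the app to read mail in all mailboxes.
.Send b633e1c5-b582-4048-a93e-9f11b44c7e96 Send mail as any user Allows the app to send mail as any user.
"""

# This example's own grouping, justified by the descriptions on the page.
HIGH_RISK = {
    "AppRoleAssignment.ReadWrite.All": "manages app permission grants for any API, so it can grant itself any other role in the listing",
    "DelegatedPermissionGrant.ReadWrite.All": "manages delegated permission grants for any API",
    "Application.ReadWrite.All": "updates any application or service principal, which covers its credentials",
    "Directory.ReadWrite.All": "writes users, groups and other directory data",
    "Policy.ReadWrite.Authorization": "rewrites the tenant authorization policy that sets default user permissions",
    "Mail.Read": "reads every mailbox in the tenant",
    "Mail.ReadWrite": "reads and modifies every mailbox in the tenant",
    "Mail.Send": "sends mail as any user",
}


def parse_listing(text: str) -> Dict[str, str]:
    """Map lower-cased appRole GUID -> fully qualified permission name."""
    role_map: Dict[str, str] = {}
    prefix = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            if prefix is None:
                raise ValueError(f"row appears before any prefix heading: {line}")
            suffix, guid, _rest = m.groups()
            role_map[guid.lower()] = prefix + suffix
        elif " " not in line and not line.startswith("."):
            prefix = line  # resource prefix heading, e.g. "Application"
        # anything else (the "Roles ID Purpose Description" header) is skipped
    return role_map


def classify(name: str) -> str:
    """Coarse severity from the permission name alone; HIGH_RISK overrides."""
    if name in HIGH_RISK:
        return "high"
    if any(k in name for k in ("Write", "Create", "Delete", "Initiate", "PrivilegedOperations")):
        return "write"
    return "read"


def audit_assignments(assignments: Iterable[dict], role_map: Dict[str, str]) -> List[dict]:
    """Annotate each appRoleAssignment with the resolved role and a severity."""
    findings = []
    for a in assignments:
        f = {"principal": a["principalDisplayName"], "appRoleId": a["appRoleId"],
             "role": None, "severity": None, "why": ""}
        # appRole GUIDs are scoped to the resource API that defines them; this
        # table only resolves roles on the Microsoft Graph service principal.
        if a.get("resourceDisplayName") != "Microsoft Graph":
            f["severity"] = "other-resource"
            f["why"] = "resolve against that resource's own appRoles, not this table"
        else:
            name = role_map.get(a["appRoleId"].lower())
            if name is None:
                f["severity"] = "unknown"
                f["why"] = "GUID not in the listing; check the Graph service principal's appRoles"
            else:
                f["role"], f["severity"], f["why"] = name, classify(name), HIGH_RISK.get(name, "")
        findings.append(f)
    return findings


def principals_needing_review(findings: List[dict]) -> List[str]:
    return sorted({f["principal"] for f in findings if f["severity"] in ("high", "unknown")})


# Constructed sample in the shape of Graph appRoleAssignment objects.
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "hr-sync", "appRoleId": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "resourceDisplayName": "Microsoft Graph"},
    {"principalDisplayName": "ticketing-bot", "appRoleId": "06B708A9-E830-4DB3-A914-8E69DA51D44F", "resourceDisplayName": "Microsoft Graph"},
    {"principalDisplayName": "ticketing-bot", "appRoleId": "b633e1c5-b582-4048-a93e-9f11b44c7e96", "resourceDisplayName": "Microsoft Graph"},
    {"principalDisplayName": "legacy-connector", "appRoleId": "00000000-0000-0000-0000-000000000000", "resourceDisplayName": "Microsoft Graph"},
    {"principalDisplayName": "sharepoint-tool", "appRoleId": "11111111-2222-3333-4444-555555555555", "resourceDisplayName": "Office 365 SharePoint Online"},
]

if __name__ == "__main__":
    roles = parse_listing(LISTING_EXCERPT)
    for f in audit_assignments(SAMPLE_ASSIGNMENTS, roles):
        print(f"{f['severity']:<14} {f['principal']:<18} {f['role'] or f['appRoleId']}  {f['why']}")
    print("review:", principals_needing_review(SAMPLE_ASSIGNMENTS and audit_assignments(SAMPLE_ASSIGNMENTS, roles)))
```

In a real tenant the assignment records come from `GET /servicePrincipals/{id}/appRoleAssignments` for each service principal (or from the resource side, `GET /servicePrincipals/{graphSpId}/appRoleAssignedTo`), and the full listing on this page, rather than the excerpt, feeds parse_listing. The "unknown" and "other-resource" outcomes are kept deliberately: a GUID that does not resolve is a gap in coverage, not a safe assignment.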

AccessReview

Roles ID Purpose Description
.Read.All d07a8cc0-3d51-4b77-b3b0-32704d1f69fa Read all access reviews Allows the app to read access reviews, reviewers, decisions and settings in the organization, without a signed-in user.
.ReadWrite.All ef5f7d5c-338f-44b0-86c3-351f46c8bb5f Manage all access reviews Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user.
.ReadWrite.Membership 18228521-a591-40f1-b215-5fad4488c117 Manage access reviews for group and app memberships Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization for group and app memberships, without a signed-in user.

AdministrativeUnit

Roles ID Purpose Description
.Read.All 134fd756-38ce-4afd-ba33-e9623dbe66c2 Read all administrative units Allows the app to read administrative units and administrative unit membership without a signed-in user.
.ReadWrite.All 5eb59dd3-1da2-4329-8733-9dabdc435916 Read and write all administrative units Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user.

Agreement

Roles ID Purpose Description
.Read.All 2f3e6f8c-093b-4c57-a58b-ba5ce494a169 Read all terms of use agreements Allows the app to read terms of use agreements, without a signed-in user.
.ReadWrite.All c9090d00-6101-42f0-a729-c41074260d47 Read and write all terms of use agreements Allows the app to read and write terms of use agreements, without a signed-in user.

AgreementAcceptance

Roles ID Purpose Description
.Read.All d8e4ec18-f6c0-4620-8122-c8b1f2bf400e Read all terms of use acceptance statuses Allows the app to read terms of use acceptance statuses, without a signed-in user.

APIConnectors

Roles ID Purpose Description
.Read.All b86848a7-d5b1-41eb-a9b4-54a4e6306e97 Read API connectors for authentication flows Allows the app to read the API connectors used in user authentication flows, without a signed-in user.
.ReadWrite.All 1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171 Read and write API connectors for authentication flows Allows the app to read, create and manage the API connectors used in user authentication flows, without a signed-in user.

AppCatalog

Roles ID Purpose Description
.Read.All e12dae10-5a57-4817-b79d-dfbec5348930 Read all app catalogs Allows the app to read apps in the app catalogs without a signed-in user.
.ReadWrite.All dc149144-f292-421e-b185-5953f2e98d7f Read and write to all app catalogs Allows the app to create, read, update, and delete apps in the app catalogs without a signed-in user.

Application

Roles ID Purpose Description
.Read.All 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 Read all applications Allows the app to read all applications and service principals without a signed-in user.
.ReadWrite.All 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 Read and write all applications Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants.
.ReadWrite.OwnedBy 18a4783c-866b-4cc7-a460-3d5e5662c884 Manage apps that this app creates or owns Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of.

AppRoleAssignment

Roles ID Purpose Description
.ReadWrite.All 06b708a9-e830-4db3-a914-8e69da51d44f Manage app permission grants and app role assignments Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user.

AuditLog

Roles ID Purpose Description
.Read.All b0afded3-3588-46d8-8b3d-9842eff778da Read all audit log data Allows the app to read and query your audit log activities, without a signed-in user.

BitlockerKey

Roles ID Purpose Description
.Read.All 57f1cf28-c0c4-4ec3-9a30-19a2eaaf2f6e Read all BitLocker keys Allows an app to read BitLocker keys for all devices, without a signed-in user. Allows read of the recovery key.
.ReadBasic.All f690d423-6b29-4d04-98c6-694c42282419 Read all BitLocker keys basic information Allows an app to read basic BitLocker key properties for all devices, without a signed-in user. Does not allow read of the recovery key.

Calendars

Roles ID Purpose Description
.Read 798ee544-9d2d-430c-a058-570e29e34338 Read calendars in all mailboxes Allows the app to read events of all calendars without a signed-in user.
.ReadWrite ef54d2bf-783f-4e0f-bca1-3210c0444d99 Read and write calendars in all mailboxes Allows the app to create, read, update, and delete events of all calendars without a signed-in user.

CallRecord-PstnCalls

Roles ID Purpose Description
.Read.All a2611786-80b3-417e-adaa-707d4261a5f0 Read PSTN and direct routing call log data Allows the app to read all PSTN and direct routing call log data without a signed-in user.

CallRecords

Roles ID Purpose Description
.Read.All 45bbb07e-7321-4fd7-a8f6-3ff27e6a81c8 Read all call records Allows the app to read call records for all calls and online meetings without a signed-in user.

Calls

Roles ID Purpose Description
.AccessMedia.All a7a681dc-756e-4909-b988-f160edc6655f Access media streams in a call as an app Allows the app to get direct access to media streams in a call, without a signed-in user.
.Initiate.All 284383ee-7f6e-4e40-a2a8-e85dcb029101 Initiate outgoing 1 to 1 calls from the app Allows the app to place outbound calls to a single user and transfer calls to users in your organization's directory, without a signed-in user.
.InitiateGroupCall.All 4c277553-8a09-487b-8023-29ee378d8324 Initiate outgoing group calls from the app Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a signed-in user.
.JoinGroupCall.All f6b49018-60ab-4f81-83bd-22caeabfed2d Join group calls and meetings as an app Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined with the privileges of a directory user to meetings in your organization.
.JoinGroupCallAsGuest.All fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4 Join group calls and meetings as a guest Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined as a guest to meetings in your organization.

Channel

Roles ID Purpose Description
.Create f3a65bd4-b703-46df-8f7e-0174fea562aa Create channels Create channels in any team, without a signed-in user.
.Delete.All 6a118a39-1227-45d4-af0c-ea7b40d210bc Delete channels Delete channels in any team, without a signed-in user.
.ReadBasic.All 59a6b24b-4225-4393-8165-ebaec5f55d7a Read the names and descriptions of all channels Read all channel names and channel descriptions, without a signed-in user.

ChannelMember

Roles ID Purpose Description
.Read.All 3b55498e-47ec-484f-8136-9013221c06a9 Read the members of all channels Read the members of all channels, without a signed-in user.
.ReadWrite.All 35930dcf-aceb-4bd1-b99a-8ffed403c974 Add and remove members from all channels Add and remove members from all channels, without a signed-in user. Also allows changing a member’s role, for example from owner to non-owner.

ChannelMessage

Roles ID Purpose Description
.Read.All 7b2449af-6ccd-4f4d-9f78-e550c193f0d1 Read all channel messages Allows the app to read all channel messages in Microsoft Teams, without a signed-in user.
.UpdatePolicyViolation.All 4d02b0cc-d90b-441f-8d82-4fb55c34d6bb Flag channel messages for violating policy Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.

ChannelSettings

Roles ID Purpose Description
.Read.All c97b873f-f59f-49aa-8a0e-52b32d762124 Read the names, descriptions, and settings of all channels Read all channel names, channel descriptions, and channel settings, without a signed-in user.
.ReadWrite.All 243cded2-bd16-4fd6-a953-ff8177894c3d Read and write the names, descriptions, and settings of all channels Read and write the names, descriptions, and settings of all channels, without a signed-in user.

Chat

Roles ID Purpose Description
.Create d9c48af6-9ad9-47ad-82c3-63757137b9af Create chats Allows the app to create chats without a signed-in user.
.Read.All 6b7d71aa-70aa-4810-a8d9-5d9fb2830017 Read all chat messages Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams.
.ReadBasic.All b2e060da-3baf-4687-9611-f4ebc0f0cbde Read names and members of all chat threads Read names and members of all one-to-one and group chats in Microsoft Teams, without a signed-in user.
.ReadWrite.All 294ce7c9-31ba-490a-ad7d-97a7d075e4ed Read and write all chat messages Allows an app to read and write all chat messages in Microsoft Teams, without a signed-in user.
.UpdatePolicyViolation.All 7e847308-e030-4183-9899-5235d7270f58 Flag chat messages for violating policy Allows the app to update Microsoft Teams 1-to-1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.

ChatMember

Roles ID Purpose Description
.Read.All a3410be2-8e48-4f32-8454-c29a7465209d Read the members of all chats Read the members of all chats, without a signed-in user.
.ReadWrite.All 57257249-34ce-4810-a8a2-a03adf0c5693 Add and remove members from all chats Add and remove members from all chats, without a signed-in user.

ChatMessage

Roles ID Purpose Description
.Read.All b9bb2381-47a4-46cd-aafb-00cb12f68504 Read all chat messages Allows the app to read all one-to-one and group chats messages in Microsoft Teams, without a signed-in user.

CloudPC

Roles ID Purpose Description
.Read.All a9e09520-8ed4-4cde-838e-4fdea192c227 Read Cloud PCs Allows the app to read the properties of Cloud PCs, without a signed-in user.
.ReadWrite.All 3b4349e1-8cf5-45a3-95b7-69d1751d3e6a Read and write Cloud PCs Allows the app to read and write the properties of Cloud PCs, without a signed-in user.

ConsentRequest

Roles ID Purpose Description
.Read.All 1260ad83-98fb-4785-abbb-d6cc1806fd41 Read all consent requests Allows the app to read consent requests and approvals without a signed-in user.
.ReadWrite.All 9f1b81a7-0223-4428-bfa4-0bcb5535f27d Read and write all consent requests Allows the app to read app consent requests and approvals, and deny or approve those requests without a signed-in user.

Contacts

Roles ID Purpose Description
.Read 089fe4d0-434a-44c5-8827-41ba8a0b17f5 Read contacts in all mailboxes Allows the app to read all contacts in all mailboxes without a signed-in user.
.ReadWrite 6918b873-d17a-4dc1-b314-35f528134491 Read and write contacts in all mailboxes Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user.

CrossTenantInformation

Roles ID Purpose Description
.ReadBasic.All cac88765-0581-4025-9725-5ebc13f729ee Read cross-tenant basic information Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem without a signed-in user.

CrossTenantUserProfileSharing

Roles ID Purpose Description
.Read.All 8b919d44-6192-4f3d-8a3b-f86f8069ae3c Read all shared cross-tenant user profiles and export their data Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user. It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant without a signed-in user.
.ReadWrite.All 306785c5-c09b-4ba0-a4ee-023f3da165cb Read all shared cross-tenant user profiles and export or delete their data Allows the application to list and query any shared user profile information associated with the current tenant without a signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant without a signed-in user.

CustomSecAttributeAssignment

Roles ID Purpose Description
.Read.All 3b37c5a4-1226-493d-bec3-5d6c6b866f3f Read custom security attribute assignments Allows the app to read custom security attribute assignments for all principals in the tenant without a signed-in user.
.ReadWrite.All de89b5e4-5b8f-48eb-8925-29c2b33bd8bd Read and write custom security attribute assignments Allows the app to read and write custom security attribute assignments for all principals in the tenant without a signed-in user.

CustomSecAttributeDefinition

Roles ID Purpose Description
.Read.All b185aa14-d8d2-42c1-a685-0f5596613624 Read custom security attribute definitions Allows the app to read custom security attribute definitions for the tenant without a signed-in user.
.ReadWrite.All 12338004-21f4-4896-bf5e-b75dfaf1016d Read and write custom security attribute definitions Allows the app to read and write custom security attribute definitions for the tenant without a signed-in user.

DelegatedAdminRelationship

Roles ID Purpose Description
.Read.All f6e9e124-4586-492f-adc0-c6f96e4823fd Read Delegated Admin relationships with customers Allows the app to read details of delegated admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups without a signed-in user.
.ReadWrite.All cc13eba4-8cd8-44c6-b4d4-f93237adce58 Manage Delegated Admin relationships with customers Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships without a signed-in user.

DelegatedPermissionGrant

Roles ID Purpose Description
.ReadWrite.All 8e8e4742-1d95-4f68-9d56-6ee75648c72a Manage all delegated permission grants Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), without a signed-in user.

Device

Roles ID Purpose Description
.Read.All 7438b122-aefc-4978-80ed-43db9fcc7715 Read all devices Allows the app to read your organization’s devices’ configuration information without a signed-in user.
.ReadWrite.All 1138cb37-bd11-4084-a2b7-9f71582aeddb Read and write devices Allows the app to read and write all device properties without a signed-in user. Does not allow device creation, device deletion or update of device alternative security identifiers.

DeviceManagementApps

Roles ID Purpose Description
.Read.All 7a6ee1e7-141e-4cec-ae74-d9db155731ff Read Microsoft Intune apps Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.
.ReadWrite.All 78145de6-330d-4800-a6ce-494ff2d33d07 Read and write Microsoft Intune apps Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.

DeviceManagementConfiguration

Roles ID Purpose Description
.Read.All dc377aa6-52d8-4e23-b271-2a7ae04cedf3 Read Microsoft Intune device configuration and policies Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.
.ReadWrite.All 9241abd9-d0e6-425a-bd4f-47ba86e767a4 Read and write Microsoft Intune device configuration and policies Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.

DeviceManagementManagedDevices

Roles ID Purpose Description
.PrivilegedOperations.All 5b07b0dd-2377-4e44-a38d-703f09a0dc3c Perform user-impacting remote actions on Microsoft Intune devices Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user.
.Read.All 2f51be20-0bb4-4fed-bf7b-db946066c75e Read Microsoft Intune devices Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.
.ReadWrite.All 243333ab-4d21-40cb-a475-36241daa0842 Read and write Microsoft Intune devices Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device's owner.

DeviceManagementRBAC

Roles ID Purpose Description
.Read.All 58ca0d9a-1575-47e1-a3cb-007ef2e4583b Read Microsoft Intune RBAC settings Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.
.ReadWrite.All e330c4f0-4170-414e-a55a-2f022ec2b57b Read and write Microsoft Intune RBAC settings Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.

DeviceManagementServiceConfig

Roles ID Purpose Description
.Read.All 06a5fe6d-c49d-46a7-b082-56b1b14103c7 Read Microsoft Intune configuration Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user.
.ReadWrite.All 5ac13192-7ace-4fcf-b828-1a26f28068ee Read and write Microsoft Intune configuration Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user.

Directory

Roles ID Purpose Description
.Read.All 7ab1d382-f21e-4acd-a863-ba3e13f7da61 Read directory data Allows the app to read data in your organization’s directory, such as users, groups and apps, without a signed-in user.
.ReadWrite.All 19dbc75e-c2e2-444c-a770-ec69d8559fc7 Read and write directory data Allows the app to read and write data in your organization’s directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion.
.Write.Restricted f20584af-9290-4153-9280-ff8bb2c0ea7f Manage restricted resources in the directory Allows the app to manage restricted resources based on the other permissions granted to the app, without a signed-in user.

DirectoryRecommendations

Roles ID Purpose Description
.Read.All ae73097b-cb2a-4447-b064-5d80f6093921 Read all Azure AD recommendations Allows the app to read all Azure AD recommendations, without a signed-in user.
.ReadWrite.All 0e9eea12-4f01-45f6-9b8d-3ea4c8144158 Read and update all Azure AD recommendations Allows the app to read and update all Azure AD recommendations, without a signed-in user.

Domain

Roles ID Purpose Description
.Read.All dbb9058a-0e50-45d7-ae91-66909b5d4664 Read domains Allows the app to read all domain properties without a signed-in user.
.ReadWrite.All 7e05723c-0bb0-42da-be95-ae9f08a6e53c Read and write domains Allows the app to read and write all domain properties without a signed-in user. Also allows the app to add, verify and remove domains.

eDiscovery

Roles ID Purpose Description
.Read.All 50180013-6191-4d1e-a373-e590ff4e66af Read all eDiscovery objects Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects without a signed-in user.
.ReadWrite.All b2620db1-3bf7-4c5b-9cb9-576d29eac736 Read and write all eDiscovery objects Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects without a signed-in user.

EduAdministration

Roles ID Purpose Description
.Read.All 7c9db06a-ec2d-4e7b-a592-5a1e30992566 Read Education app settings Read the state and settings of all Microsoft education apps.
.ReadWrite.All 9bc431c3-b8bc-4a8d-a219-40f10f92eff6 Manage education app settings Manage the state and settings of all Microsoft education apps.

EduAssignments

Roles ID Purpose Description
.Read.All 4c37e1b6-35a1-43bf-926a-6f30f2cdf585 Read class assignments with grades Allows the app to read assignments and their grades for all users.
.ReadBasic.All 6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e Read class assignments without grades Allows the app to read assignments without grades for all users.
.ReadWrite.All 0d22204b-6cad-4dd0-8362-3e3f2ae699d9 Read and write class assignments with grades Allows the app to read and write assignments and their grades for all users.
.ReadWriteBasic.All f431cc63-a2de-48c4-8054-a34bc093af84 Read and write class assignments without grades Allows the app to read and write assignments without grades for all users.

EduRoster

Roles ID Purpose Description
.Read.All e0ac9e1b-cb65-4fc5-87c5-1a8bc181f648 Read the organization’s roster Allows the app to read the structure of schools and classes in the organization’s roster and education-specific information about all users to be read.
.ReadBasic.All 0d412a8c-a06c-439f-b3ec-8abcf54d2f96 Read a limited subset of the organization’s roster Allows the app to read a limited subset of properties from both the structure of schools and classes in the organization’s roster and education-specific information about all users. Includes name, status, role, email address and photo.
.ReadWrite.All d1808e82-ce13-47af-ae0d-f9b254e6d58a Read and write the organization’s roster Allows the app to read and write the structure of schools and classes in the organization’s roster and education-specific information about all users to be read and written.

EntitlementManagement

Roles ID Purpose Description
.Read.All c74fd47d-ed3c-45c3-9a9e-b8676de685d2 Read all entitlement management resources Allows the app to read access packages and related entitlement management resources without a signed-in user.
.ReadWrite.All 9acd699f-1e81-4958-b001-93b1d2506e19 Read and write all entitlement management resources Allows the app to read and write access packages and related entitlement management resources without a signed-in user.

ExternalConnection

Roles ID Purpose Description
.Read.All 1914711b-a1cb-4793-b019-c2ce0ed21b8c Read all external connections Allows the app to read all external connections without a signed-in user.
.ReadWrite.All 34c37bc0-2b40-4d5e-85e1-2365cd256d79 Read and write all external connections Allows the app to read and write all external connections without a signed-in user.
.ReadWrite.OwnedBy f431331c-49a6-499f-be1c-62af19c34a9d Read and write external connections Allows the app to read and write external connections without a signed-in user. The app can only read and write external connections that it is authorized to, or it can create new external connections.

ExternalItem

Roles ID Purpose Description
.Read.All 7a7cffad-37d2-4f48-afa4-c6ab129adcc2 Read all external items Allows the app to read all external items without a signed-in user.
.ReadWrite.All 38c3d6ee-69ee-422f-b954-e17819665354 Read and write items in external datasets Allows the app to read or write items in all external datasets that the app is authorized to access, without a signed-in user.
.ReadWrite.OwnedBy 8116ae0f-55c2-452d-9944-d18420f5b2c8 Read and write external items Allows the app to read and write external items without a signed-in user. The app can only read external items of the connection that it is authorized to.

Files

Roles ID Purpose Description
.Read.All 01d4889c-1287-42c6-ac1f-5d1e02578ef6 Read files in all site collections Allows the app to read all files in all site collections without a signed-in user.
.ReadWrite.All 75359482-378d-4052-8f01-80520e7db3cd Read and write files in all site collections Allows the app to read, create, update and delete all files in all site collections without a signed-in user.

Group

Roles ID Purpose Description
.Create bf7b1a76-6e77-406b-b258-bf5c7720e98f Create groups Allows the app to create groups without a signed-in user.
.Read.All 5b567255-7703-4780-807c-7be8301ae99b Read all groups Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.
.ReadWrite.All 62a82d76-70ea-41e2-9197-370581804d09 Read and write all groups Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.

GroupMember

Roles ID Purpose Description
.Read.All 98830695-27a2-44f7-8c18-0c3ebc9698f6 Read all group memberships Allows the app to read memberships and basic group properties for all groups without a signed-in user.
.ReadWrite.All dbaae8cf-10b5-4b86-a4a1-f871c94c6695 Read and write all group memberships Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted.

IdentityProvider

Roles ID Purpose Description
.Read.All e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0 Read identity providers Allows the app to read your organization's identity (authentication) provider properties without a signed-in user.
.ReadWrite.All 90db2b9a-d928-4d33-a4dd-8442ae3d41e4 Read and write identity providers Allows the app to read and write your organization's identity (authentication) provider properties without a signed-in user.

IdentityRiskEvent

Roles ID Purpose Description
.Read.All 6e472fd1-ad78-48da-a0f0-97ab2c6b769e Read all identity risk event information Allows the app to read the identity risk event information for your organization without a signed-in user.
.ReadWrite.All db06fb33-1953-4b7b-a2ac-f1e2c854f7ae Read and write all risk detection information Allows the app to read and update identity risk detection information for your organization without a signed-in user. Update operations include confirming risk event detections.

IdentityRiskyServicePrincipal

Roles ID Purpose Description
.Read.All 607c7344-0eed-41e5-823a-9695ebe1b7b0 Read all identity risky service principal information Allows the app to read all risky service principal information for your organization, without a signed-in user.
.ReadWrite.All cb8d6980-6bcb-4507-afec-ed6de3a2d798 Read and write all identity risky service principal information Allows the app to read and update identity risky service principal for your organization, without a signed-in user.

IdentityRiskyUser

Roles ID Purpose Description
.Read.All dc5007c0-2d7d-4c42-879c-2dab87571379 Read all identity risky user information Allows the app to read the identity risky user information for your organization without a signed-in user.
.ReadWrite.All 656f6061-f9fe-4807-9708-6a2e0934df76 Read and write all risky user information Allows the app to read and update identity risky user information for your organization without a signed-in user. Update operations include dismissing risky users.

IdentityUserFlow

Roles ID Purpose Description
.Read.All 1b0c317f-dd31-4305-9932-259a8b6e8099 Read all identity user flows Allows the app to read your organization’s user flows, without a signed-in user.
.ReadWrite.All 65319a09-a2be-469d-8782-f6b07debf789 Read and write all identity user flows Allows the app to read or write your organization’s user flows, without a signed-in user.

InformationProtectionPolicy

Roles ID Purpose Description
.Read.All 19da66cb-0fb0-4390-b071-ebc76a349482 Read all published labels and label policies for an organization Allows an app to read published sensitivity labels and label policy settings for the entire organization or a specific user, without a signed-in user.

Mail

Roles ID Purpose Description
.Read 810c84a8-4a9e-49e6-bf7d-12d183f40d01 Read mail in all mailboxes Allows the app to read mail in all mailboxes without a signed-in user.
.ReadBasic 6be147d2-ea4f-4b5a-a3fa-3eab6f3c140a Read basic mail in all mailboxes Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, previewBody, attachments and any extended properties.
.ReadBasic.All 693c5e45-0940-467d-9b8a-1022fb9d42ef Read basic mail in all mailboxes Allows the app to read basic mail properties in all mailboxes without a signed-in user. Includes all properties except body, previewBody, attachments and any extended properties.
.ReadWrite e2a3a72e-5f79-4c64-b1b1-878b674786c9 Read and write mail in all mailboxes Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail.
.Send b633e1c5-b582-4048-a93e-9f11b44c7e96 Send mail as any user Allows the app to send mail as any user without a signed-in user.

MailboxSettings

Roles ID Purpose Description
.Read 40f97065-369a-49f4-947c-6a255697ae91 Read all user mailbox settings Allows the app to read user’s mailbox settings without a signed-in user. Does not include permission to send mail.
.ReadWrite 6931bccd-447a-43d1-b442-00a195474933 Read and write all user mailbox settings Allows the app to create, read, update, and delete user’s mailbox settings without a signed-in user. Does not include permission to send mail.

Member

Roles ID Purpose Description
.Read.Hidden 658aa5d8-239f-45c4-aa12-864f4fc7e490 Read all hidden memberships Allows the app to read the memberships of hidden groups and administrative units without a signed-in user.

Notes

Roles ID Purpose Description
.Read.All 3aeca27b-ee3a-4c2b-8ded-80376e2134a4 Read all OneNote notebooks Allows the app to read all the OneNote notebooks in your organization, without a signed-in user.
.ReadWrite.All 0c458cef-11f3-48c2-a568-c66751c238c0 Read and write all OneNote notebooks Allows the app to read and write all the OneNote notebooks in your organization, without a signed-in user.

OnlineMeetingArtifact

Roles ID Purpose Description
.Read.All df01ed3b-eb61-4eca-9965-6b3d789751b2 Read online meeting artifacts Allows the app to read online meeting artifacts in your organization, without a signed-in user.

OnlineMeetings

Roles ID Purpose Description
.Read.All c1684f21-1984-47fa-9d61-2dc8c296bb70 Read online meeting details Allows the app to read online meeting details in your organization, without a signed-in user.
.ReadWrite.All b8bb2037-6e08-44ac-a4ea-4674e010e2a4 Read and create online meetings Allows the app to read and create online meetings as an application in your organization.

OnPremisesPublishingProfiles

Roles ID Purpose Description
.ReadWrite.All 0b57845e-aa49-4e6f-8109-ce654fffa618 Manage on-premises published resources Allows the app to create, view, update and delete on-premises published resources, on-premises agents and agent groups, as part of a hybrid identity configuration, without a signed-in user.

Organization

Roles ID Purpose Description
.Read.All 498476ce-e0fe-48b0-b801-37ba7e2685c6 Read organization information Allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.
.ReadWrite.All 292d869f-3427-49a8-9dab-8c70152b74e9 Read and write organization information Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed SKUs and tenant branding information.

OrgContact

Roles ID Purpose Description
.Read.All e1a88a34-94c4-4418-be12-c87b00e26bea Read organizational contacts Allows the app to read all organizational contacts without a signed-in user. These contacts are managed by the organization and are different from a user’s personal contacts.

People

Roles ID Purpose Description
.Read.All b528084d-ad10-4598-8b93-929746b4d7d6 Read all users’ relevant people lists Allows the app to read any user’s scored list of relevant people, without a signed-in user. The list can include local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype).

Place

Roles ID Purpose Description
.Read.All 913b9306-0ce1-42b8-9137-6a7df690a760 Read all company places Allows the app to read company places (conference rooms and room lists) for calendar events and other applications, without a signed-in user.

Policy

Roles ID Purpose Description
.Read.All 246dd0d5-5bd0-4def-940b-0421030a5b68 Read your organization’s policies Allows the app to read all your organization’s policies without a signed-in user.
.Read.ConditionalAccess 37730810-e9ba-4e46-b07e-8ca78d182097 Read your organization’s conditional access policies Allows the app to read your organization’s conditional access policies, without a signed-in user.
.Read.PermissionGrant 9e640839-a198-48fb-8b9a-013fd6f6cbcd Read consent and permission grant policies Allows the app to read policies related to consent and permission grants for applications, without a signed-in user.
.ReadWrite.ApplicationConfiguration be74164b-cff1-491c-8741-e671cb536e13 Read and write your organization’s application configuration policies Allows the app to read and write your organization’s application configuration policies, without a signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy.
.ReadWrite.AuthenticationFlows 25f85f3c-f66c-4205-8cd5-de92dd7f0cec Read and write authentication flow policies Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user.
.ReadWrite.AuthenticationMethod 29c18626-4985-4dcd-85c0-193eef327366 Read and write all authentication method policies Allows the app to read and write all authentication method policies for the tenant, without a signed-in user.
.ReadWrite.Authorization fb221be6-99f2-473f-bd32-01c6a0e9ca3b Read and write your organization’s authorization policy Allows the app to read and write your organization’s authorization policy without a signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.
.ReadWrite.ConditionalAccess 01c0a623-fc9b-48e9-b794-0756f8e8f067 Read and write your organization’s conditional access policies Allows the app to read and write your organization’s conditional access policies, without a signed-in user.
.ReadWrite.ConsentRequest 999f8c63-0a38-4f1b-91fd-ed1947bdd1a9 Read and write your organization’s consent request policy Allows the app to read and write your organization’s consent requests policy without a signed-in user.
.ReadWrite.CrossTenantAccess 338163d7-f101-4c92-94ba-ca46fe52447c Read and write your organization’s cross tenant access policies Allows the app to read and write your organization’s cross tenant access policies without a signed-in user.
.ReadWrite.FeatureRollout 2044e4f1-e56c-435b-925c-44cd8f6ba89a Read and write feature rollout policies Allows the app to read and write feature rollout policies without a signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature.
.ReadWrite.PermissionGrant a402ca1c-2696-4531-972d-6e5ee4aa11ea Manage consent and permission grant policies Allows the app to manage policies related to consent and permission grants for applications, without a signed-in user.
.ReadWrite.TrustFramework 79a677f7-b79d-40d0-a36a-3e6f8688dd7a Read and write your organization’s trust framework policies Allows the app to read and write your organization’s trust framework policies without a signed-in user.

Presence

Roles ID Purpose Description
.ReadWrite.All 83cded22-8297-4ff6-a7fa-e97e9545a259 Read and write presence information for all users Allows the app to read all presence information and write activity and availability of all users in the directory without a signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, time zone and location.

Printer

Roles ID Purpose Description
.Read.All 9709bb33-4549-49d4-8ed9-a8f65e45bb0f Read printers Allows the application to read printers without a signed-in user.
.ReadWrite.All f5b3f73d-6247-44df-a74c-866173fddab0 Read and update printers Allows the application to read and update printers without a signed-in user. Does not allow creating (registering) or deleting (unregistering) printers.

PrintJob

Roles ID Purpose Description
.Manage.All 58a52f47-9e36-4b17-9ebe-ce4ef7f3e6c8 Perform advanced operations on print jobs Allows the application to perform advanced operations like redirecting a print job to another printer without a signed-in user. Also allows the application to read and update the metadata of print jobs.
.Read.All ac6f956c-edea-44e4-bd06-64b1b4b9aec9 Read print jobs Allows the application to read the metadata and document content of print jobs without a signed-in user.
.ReadBasic.All fbf67eee-e074-4ef7-b965-ab5ce1c1f689 Read basic information for print jobs Allows the application to read the metadata of print jobs without a signed-in user. Does not allow access to print job document content.
.ReadWrite.All 5114b07b-2898-4de7-a541-53b0004e2e13 Read and write print jobs Allows the application to read and update the metadata and document content of print jobs without a signed-in user.
.ReadWriteBasic.All 57878358-37f4-4d3a-8c20-4816e0d457b1 Read and write basic information for print jobs Allows the application to read and update the metadata of print jobs without a signed-in user. Does not allow access to print job document content.

PrintSettings

Roles ID Purpose Description
.Read.All b5991872-94cf-4652-9765-29535087c6d8 Read tenant-wide print settings Allows the application to read tenant-wide print settings without a signed-in user.

PrintTaskDefinition

Roles ID Purpose Description
.ReadWrite.All 456b71a7-0ee0-4588-9842-c123fcc8f664 Read, write and update print task definitions Allows the application to read and update print task definitions without a signed-in user.

PrivilegedAccess

Roles ID Purpose Description
.Read.AzureAD 4cdc2547-9148-4295-8d11-be0db1391d6b Read privileged access to Azure AD roles Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user.
.Read.AzureADGroup 01e37dc9-c035-40bd-b438-b2879c4870a6 Read privileged access to Azure AD groups Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user.
.Read.AzureResources 5df6fe86-1be0-44eb-b916-7bd443a71236 Read privileged access to Azure resources Allows the app to read time-based assignment and just-in-time elevation of user privileges to audit Azure resources in your organization, without a signed-in user.
.ReadWrite.AzureAD 854d9ab1-6657-4ec8-be45-823027bcd009 Read and write privileged access to Azure AD roles Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles in your organization, without a signed-in user.
.ReadWrite.AzureADGroup 2f6817f8-7b12-4f0f-bc18-eeaf60705a9e Read and write privileged access to Azure AD groups Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user.
.ReadWrite.AzureResources 6f9d5abc-2db6-400b-a267-7de22a40fb87 Read and write privileged access to Azure resources Allows the app to request and manage time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) in your organization, without a signed-in user.

ProgramControl

Roles ID Purpose Description
.Read.All eedb7fdd-7539-4345-a38b-4839e4a84cbd Read all programs Allows the app to read programs and program controls in the organization, without a signed-in user.
.ReadWrite.All 60a901ed-09f7-4aa5-a16e-7dd3d6f9de36 Manage all programs Allows the app to read, update, delete and perform actions on programs and program controls in the organization, without a signed-in user.

Reports

Roles ID Purpose Description
.Read.All 230c1aed-a721-4c5d-9cb4-a90514e508ef Read all usage reports Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.

RoleManagement

Roles ID Purpose Description
.Read.All c7fbd983-d9aa-4fa7-84b8-17382c103bc4 Read role management data for all RBAC providers Allows the app to read role-based access control (RBAC) settings for all RBAC providers without a signed-in user. This includes reading role definitions and role assignments.
.Read.CloudPC 031a549a-bb80-49b6-8032-2068448c6a3c Read Cloud PC RBAC settings Allows the app to read the Cloud PC role-based access control (RBAC) settings, without a signed-in user.
.Read.Directory 483bed4a-2ad3-4361-a73b-c83ccdbdc53c Read all directory RBAC settings Allows the app to read the role-based access control (RBAC) settings for your company’s directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships.
.ReadWrite.CloudPC 274d0592-d1b6-44bd-af1d-26d259bcb43a Read and write all Cloud PC RBAC settings Allows the app to read and manage the Cloud PC role-based access control (RBAC) settings, without a signed-in user. This includes reading and managing Cloud PC role definitions and memberships.
.ReadWrite.Directory 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8 Read and write all directory RBAC settings Allows the app to read and manage the role-based access control (RBAC) settings for your company’s directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.

Schedule

Roles ID Purpose Description
.Read.All 7b2ebf90-d836-437f-b90d-7b62722c4456 Read all schedule items Allows the app to read all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without a signed-in user.
.ReadWrite.All b7760610-0545-4e8a-9ec3-cce9e63db01c Read and write all schedule items Allows the app to manage all schedules, schedule groups, shifts and associated entities in the Teams or Shifts application without a signed-in user.

SearchConfiguration

Roles ID Purpose Description
.Read.All ada977a5-b8b1-493b-9a91-66c206d76ecf Read your organization’s search configuration Allows the app to read search configurations, without a signed-in user.
.ReadWrite.All 0e778b85-fefa-466d-9eec-750569d92122 Read and write your organization’s search configuration Allows the app to read and write search configurations, without a signed-in user.

SecurityActions

Roles ID Purpose Description
.Read.All 5e0edab9-c148-49d0-b423-ac253e121825 Read your organization’s security actions Allows the app to read security actions, without a signed-in user.
.ReadWrite.All f2bf083f-0179-402a-bedb-b2784de8a49b Read and update your organization’s security actions Allows the app to read or update security actions, without a signed-in user.

SecurityAlert

Roles ID Purpose Description
.Read.All 472e4a4d-bb4a-4026-98d1-0b0d74cb74a5 Read all security alerts Allows the app to read all security alerts, without a signed-in user.
.ReadWrite.All ed4fca05-be46-441f-9803-1873825f8fdb Read and write to all security alerts Allows the app to read and write to all security alerts, without a signed-in user.

SecurityEvents

Roles ID Purpose Description
.Read.All bf394140-e372-4bf9-a898-299cfc7564e5 Read your organization’s security events Allows the app to read your organization’s security events without a signed-in user.
.ReadWrite.All d903a879-88e0-4c09-b0c9-82f6a1333f84 Read and update your organization’s security events Allows the app to read your organization’s security events without a signed-in user. Also allows the app to update editable properties in security events.

SecurityIncident

Roles ID Purpose Description
.Read.All 45cc0394-e837-488b-a098-1918f48d186c Read all security incidents Allows the app to read all security incidents, without a signed-in user.
.ReadWrite.All 34bf0e97-1971-4929-b999-9e2442d941d7 Read and write to all security incidents Allows the app to read and write to all security incidents, without a signed-in user.

ServiceHealth

Roles ID Purpose Description
.Read.All 79c261e0-fe76-4144-aad5-bdc68fbe4037 Read service health Allows the app to read your tenant’s service health information, without a signed-in user. Health information may include service issues or service health overviews.

ServiceMessage

Roles ID Purpose Description
.Read.All 1b620472-6534-4fe6-9df2-4680e8aa28ec Read service messages Allows the app to read your tenant’s service announcement messages, without a signed-in user. Messages may include information about new or changed features.

ServicePrincipalEndpoint

Roles ID Purpose Description
.Read.All 5256681e-b7f6-40c0-8447-2d9db68797a0 Read service principal endpoints Allows the app to read service principal endpoints.
.ReadWrite.All 89c8469c-83ad-45f7-8ff2-6e3d4285709e Read and update service principal endpoints Allows the app to update service principal endpoints.

SharePointTenantSettings

Roles ID Purpose Description
.Read.All 83d4163d-a2d8-4d3b-9695-4ae3ca98f888 Read SharePoint and OneDrive tenant settings Allows the application to read the tenant-level settings of SharePoint and OneDrive, without a signed-in user.
.ReadWrite.All 19b94e34-907c-4f43-bde9-38b1909ed408 Read and change SharePoint and OneDrive tenant settings Allows the application to read and change the tenant-level settings of SharePoint and OneDrive, without a signed-in user.

ShortNotes

Roles ID Purpose Description
.Read.All 0c7d31ec-31ca-4f58-b6ec-9950b6b0de69 Read all users’ short notes Allows the app to read all the short notes without a signed-in user.
.ReadWrite.All 842c284c-763d-4a97-838d-79787d129bab Read, create, edit, and delete all users’ short notes Allows the app to read, create, edit, and delete all the short notes without a signed-in user.

Sites

Roles ID Purpose Description
.FullControl.All a82116e5-55eb-4c41-a434-62fe8a61c773 Have full control of all site collections Allows the app to have full control of all site collections without a signed-in user.
.Manage.All 0c0bf378-bf22-4481-8f81-9e89a9b4960a Create, edit, and delete items and lists in all site collections Allows the app to create or delete document libraries and lists in all site collections without a signed-in user.
.Read.All 332a536c-c7ef-4017-ab91-336970924f0d Read items in all site collections Allows the app to read documents and list items in all site collections without a signed-in user.
.ReadWrite.All 9492366f-7969-46a4-8d15-ed1a20078fff Read and write items in all site collections Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user.
.Selected 883ea226-0bf2-4a8f-9f9d-92c9162a727d Access selected site collections Allows the application to access a subset of site collections without a signed-in user. The specific site collections and the permissions granted will be configured in SharePoint Online.

Team

Roles ID Purpose Description
.Create 23fc2474-f741-46ce-8465-674744c5c361 Create teams Allows the app to create teams without a signed-in user.
.ReadBasic.All 2280dda6-0bfd-44ee-a2f4-cb867cfc4c1e Get a list of all teams Get a list of all teams, without a signed-in user.

TeamMember

Roles ID Purpose Description
.Read.All 660b7406-55f1-41ca-a0ed-0b035e182f3e Read the members of all teams Read the members of all teams, without a signed-in user.
.ReadWrite.All 0121dc95-1b9f-4aed-8bac-58c5ac466691 Add and remove members from all teams Add and remove members from all teams, without a signed-in user. Also allows changing a team member’s role, for example from owner to non-owner.
.ReadWriteNonOwnerRole.All 4437522e-9a86-4a41-a7da-e380edd4a97d Add and remove members with non-owner role for all teams Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role.

TeamsActivity

Roles ID Purpose Description
.Read.All 70dec828-f620-4914-aa83-a29117306807 Read all users’ teamwork activity feed Allows the app to read all users’ teamwork activity feed, without a signed-in user.
.Send a267235f-af13-44dc-8385-c1dc93023186 Send a teamwork activity to any user Allows the app to create new notifications in users’ teamwork activity feeds without a signed-in user. These notifications may not be discoverable or be held or governed by compliance policies.

TeamsApp

Roles ID Purpose Description
.Read.All afdb422a-4b2a-4e07-a708-8ceed48196bf Read all users’ installed Teams apps Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings.
.ReadWrite.All eb6b3d76-ed75-4be6-ac36-158d04c0a555 Manage all users’ Teams apps Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read or write application-specific settings.

TeamsAppInstallation

Roles ID Purpose Description
.ReadForChat.All cc7e7635-2586-41d6-adaa-a8d3bcad5ee5 Read installed Teams apps for all chats Allows the app to read the Teams apps that are installed in any chat, without a signed-in user. Does not give the ability to read application-specific settings.
.ReadForTeam.All 1f615aea-6bf9-4b05-84bd-46388e138537 Read installed Teams apps for all teams Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings.
.ReadForUser.All 9ce09611-f4f7-4abd-a629-a05450422a97 Read installed Teams apps for all users Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings.
.ReadWriteForChat.All 9e19bae1-2623-4c4f-ab6e-2664615ff9a0 Manage Teams apps for all chats Allows the app to read, install, upgrade, and uninstall Teams apps in any chat, without a signed-in user. Does not give the ability to read application-specific settings.
.ReadWriteForTeam.All 5dad17ba-f6cc-4954-a5a2-a0dcc95154f0 Manage Teams apps for all teams Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings.
.ReadWriteForUser.All 74ef0291-ca83-4d02-8c7e-d2391e6a444f Manage Teams apps for all users Allows the app to read, install, upgrade, and uninstall Teams apps for any user, without a signed-in user. Does not give the ability to read application-specific settings.
.ReadWriteSelfForChat.All 73a45059-f39c-4baf-9182-4954ac0e55cf Allow the Teams app to manage itself for all chats Allows a Teams app to read, install, upgrade, and uninstall itself for any chat, without a signed-in user.
.ReadWriteSelfForTeam.All 9f67436c-5415-4e7f-8ac1-3014a7132630 Allow the Teams app to manage itself for all teams Allows a Teams app to read, install, upgrade, and uninstall itself in any team, without a signed-in user.
.ReadWriteSelfForUser.All 908de74d-f8b2-4d6b-a9ed-2a17b3b78179 Allow the app to manage itself for all users Allows a Teams app to read, install, upgrade, and uninstall itself to any user, without a signed-in user.

TeamSettings

Roles ID Purpose Description
.Read.All 242607bd-1d2c-432c-82eb-bdb27baa23ab Read all teams’ settings Read all teams’ settings, without a signed-in user.
.ReadWrite.All bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f Read and change all teams’ settings Read and change all teams’ settings, without a signed-in user.

TeamsTab

Roles ID Purpose Description
.Create 49981c42-fd7b-4530-be03-e77b21aed25e Create tabs in Microsoft Teams. Allows the app to create tabs in any team in Microsoft Teams, without a signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs.
.Read.All 46890524-499a-4bb2-ad64-1476b4f3e1cf Read tabs in Microsoft Teams. Read the names and settings of tabs inside any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs.
.ReadWrite.All a96d855f-016b-47d7-b51c-1218a98d791c Read and write tabs in Microsoft Teams. Read and write tabs in any team in Microsoft Teams, without a signed-in user. This does not give access to the content inside the tabs.
.ReadWriteForChat.All fd9ce730-a250-40dc-bd44-8dc8d20f39ea Allow the Teams app to manage all tabs for all chats Allows a Teams app to read, install, upgrade, and uninstall all tabs for any chat, without a signed-in user.
.ReadWriteForTeam.All 6163d4f4-fbf8-43da-a7b4-060fe85ed148 Allow the Teams app to manage all tabs for all teams Allows a Teams app to read, install, upgrade, and uninstall all tabs in any team, without a signed-in user.
.ReadWriteForUser.All 425b4b59-d5af-45c8-832f-bb0b7402348a Allow the app to manage all tabs for all users Allows a Teams app to read, install, upgrade, and uninstall all tabs for any user, without a signed-in user.
.ReadWriteSelfForChat.All 9f62e4a2-a2d6-4350-b28b-d244728c4f86 Allow the Teams app to manage only its own tabs for all chats Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any chat, without a signed-in user.
.ReadWriteSelfForTeam.All 91c32b81-0ef0-453f-a5c7-4ce2e562f449 Allow the Teams app to manage only its own tabs for all teams Allows a Teams app to read, install, upgrade, and uninstall its own tabs in any team, without a signed-in user.
.ReadWriteSelfForUser.All 3c42dec6-49e8-4a0a-b469-36cff0d9da93 Allow the Teams app to manage only its own tabs for all users Allows a Teams app to read, install, upgrade, and uninstall its own tabs for any user, without a signed-in user.

Teamwork

Roles ID Purpose Description
.Migrate.All dfb0dd15-61de-45b2-be36-d6a69fba3c79 Create chat and channel messages with anyone’s identity and with any timestamp Allows the app to create chat and channel messages, without a signed in user. The app specifies which user appears as the sender, and can backdate the message to appear as if it was sent long ago. The messages can be sent to any chat or channel in the organization.

TeamworkDevice

Roles ID Purpose Description
.Read.All 0591bafd-7c1c-4c30-a2a5-2b9aacb1dfe8 Read Teams devices Allows the app to read the management data for Teams devices, without a signed-in user.
.ReadWrite.All 79c02f5b-bd4f-4713-bc2c-a8a4a66e127b Read and write Teams devices Allows the app to read and write the management data for Teams devices, without a signed-in user.

TeamworkTag

Roles ID Purpose Description
.Read.All b74fd6c4-4bde-488e-9695-eeb100e4907f Read tags in Teams Allows the app to read tags in Teams without a signed-in user.
.ReadWrite.All a3371ca5-911d-46d6-901c-42c8c7a937d8 Read and write tags in Teams Allows the app to read and write tags in Teams without a signed-in user.

TermStore

Roles ID Purpose Description
.Read.All ea047cc2-df29-4f3e-83a3-205de61501ca Read all term store data Allows the app to read all term store data, without a signed-in user. This includes all sets, groups and terms in the term store.
.ReadWrite.All f12eb8d6-28e3-46e6-b2c0-b7e4dc69fc95 Read and write all term store data Allows the app to read, edit or write all term store data, without a signed-in user. This includes all sets, groups and terms in the term store.

ThreatAssessment

Roles ID Purpose Description
.Read.All f8f035bb-2cce-47fb-8bf5-7baf3ecbee48 Read threat assessment requests Allows an app to read your organization’s threat assessment requests, without a signed-in user.

ThreatHunting

Roles ID Purpose Description
.Read.All dd98c7f5-2d42-42d3-a0e4-633161547251 Run hunting queries Allows the app to run hunting queries, without a signed-in user.

ThreatIndicators

Roles ID Purpose Description
.Read.All 197ee4e9-b993-4066-898f-d6aecc55125b Read all threat indicators Allows the app to read all the indicators for your organization, without a signed-in user.
.ReadWrite.OwnedBy 21792b6c-c986-4ffc-85de-df9da54b52fa Manage threat indicators this app creates or owns Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), without a signed-in user. It cannot update any threat indicators it does not own.

TrustFrameworkKeySet

Roles ID Purpose Description
.Read.All fff194f1-7dce-4428-8301-1badb5518201 Read trust framework key sets Allows the app to read trust framework key set properties without a signed-in user.
.ReadWrite.All 4a771c9a-1cf2-4609-b88e-3d3e02d539cd Read and write trust framework key sets Allows the app to read and write trust framework key set properties without a signed-in user.

User

Roles ID Purpose Description
.Export.All 405a51b5-8d8d-430b-9842-8be4b0e9f324 Export user’s data Allows the app to export data (e.g. customer content or system-generated logs) associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator).
.Invite.All 09850681-111b-4a89-9bed-3f2cae46d706 Invite guest users to the organization Allows the app to invite guest users to the organization, without a signed-in user.
.ManageIdentities.All c529cfca-c91b-489c-af2b-d92990b66ce6 Manage all users’ identities Allows the app to read, update and delete identities that are associated with a user’s account, without a signed-in user. This controls the identities users can sign in with.
.Read.All df021288-bdef-4463-88db-98f22de89214 Read all users’ full profiles Allows the app to read user profiles without a signed-in user.
.ReadWrite.All 741f803b-c850-494e-b5df-cde7c675a1ca Read and write all users’ full profiles Allows the app to read and update user profiles without a signed-in user.

UserAuthenticationMethod

Roles ID Purpose Description
.Read.All 38d9df27-64da-44fd-b7c5-a6fbac20248f Read all users’ authentication methods Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods.
.ReadWrite.All 50483e42-d915-4231-9639-7fdb7fd190e5 Read and write all users’ authentication methods Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods.

UserNotification

Roles ID Purpose Description
.ReadWrite.CreatedByApp 4e774092-a092-48d1-90bd-baad67c7eb47 Deliver and manage all users’ notifications Allows the app to send, read, update and delete users’ notifications, without a signed-in user.

UserShiftPreferences

Roles ID Purpose Description
.Read.All de023814-96df-4f53-9376-1e2891ef5a18 Read all user shift preferences Allows the app to read all users’ shift schedule preferences without a signed-in user.
.ReadWrite.All d1eec298-80f3-49b0-9efb-d90e224798ac Read and write all user shift preferences Allows the app to manage all users’ shift schedule preferences without a signed-in user.

WindowsUpdates

Roles ID Purpose Description
.ReadWrite.All 7dd1be58-6e76-4401-bf8d-31d1e8180d5b Read and write all Windows update deployment settings Allows the app to read and write all Windows update deployment settings for the organization without a signed-in user.

WorkforceIntegration

Roles ID Purpose Description
.ReadWrite.All 202bf709-e8e6-478e-bcfd-5d63c50b68e3 Read and write workforce integrations Allows the app to manage workforce integrations to synchronize data from Microsoft Teams Shifts, without a signed-in user.

Code

using namespace System.Collections.Generic
$ErrorActionPreference = 'stop'

# Sign in with the Azure CLI; no subscription is required to read directory objects.
az login --allow-no-subscriptions

# Fetch the Microsoft Graph service principal. Its appRoles collection is the
# authoritative list of application permissions (app roles) that can be granted
# to an app, which is what the tables above are built from.
$microsoftGraph = az ad sp list --query "[?appDisplayName=='Microsoft Graph']" --all | ConvertFrom-Json

# Group roles by their resource prefix, e.g. 'Policy' for 'Policy.Read.All'.
$apps = [Dictionary[String, [List[Object]]]]::new()

$microsoftGraph.appRoles | Sort-Object Value | ForEach-Object {
    $appName = $_.value.Split('.')[0]
    if ($apps.ContainsKey($appName)) {
        $apps[$appName].Add($_)
    } else {
        $roleList = [List[Object]]::new()
        $roleList.Add($_)
        $apps.Add($appName, $roleList)
    }
}

# Emit one Markdown section per resource, each with a table of its roles.
$output = [System.Text.StringBuilder]::new()
foreach ($appName in $apps.Keys) {
    $output.AppendLine("### $appName") | Out-Null
    $output.AppendLine() | Out-Null
    $roles = $apps[$appName]
    $output.AppendLine("| Roles | ID | Purpose | Description |") | Out-Null
    $output.AppendLine("|-------|----|---------|-------------|") | Out-Null
    $roles | ForEach-Object {
        # Keep the suffix from the first '.' onward, e.g. '.Read.All'.
        $role = $_.value.Substring($_.value.IndexOf('.'))
        # Collapse whitespace so a multi-line description stays on one table row.
        $row = "| $role | $($_.id) | $($_.displayName) | $($_.description -replace '\s+', ' ') |"
        $output.AppendLine($row) | Out-Null
    }
    $output.AppendLine() | Out-Null
}
$output.ToString()