OAuth 2 Permissions Listing

Last generated 2022-03-13.

AccessReview

Roles Id Type Description
.Read.All ebfcd32b-babb-40f4-a14b-42706e83bd28 Admin User
Allows the app to read information on access reviews, reviewers, decisions and settings that you have access to.

Admin
Allows the app to read access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization.
.ReadWrite.All e4aa47b9-9a69-4109-82ed-36ec70d85ff1 Admin User
Allows the app to read, update and perform actions on access reviews, reviewers, decisions and settings that you have access to.

Admin
Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings that the signed-in user has access to in the organization.
.ReadWrite.Membership 5af8c3f5-baca-439a-97b0-ea58a435e269 Admin User
Allows the app to read, update and perform actions on access reviews, reviewers, decisions and settings that you have access to.

Admin
Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings for group and app memberships that the signed-in user has access to in the organization.

AdministrativeUnit

Roles Id Type Description
.Read.All 3361d15d-be43-4de6-b441-3c746d05163d Admin User
Allows the app to read administrative units and administrative unit membership on your behalf.

Admin
Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user.
.ReadWrite.All 7b8a2d34-6b3f-4542-a343-54651608ad81 Admin User
Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on your behalf.

Admin
Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user.

Agreement

Roles Id Type Description
.Read.All af2819c9-df71-4dd3-ade7-4d7c9dc653b7 Admin User
Allows the app to read terms of use agreements on your behalf.

Admin
Allows the app to read terms of use agreements on behalf of the signed-in user.
.ReadWrite.All ef4b5d93-3104-4664-9053-a5c49ab44218 Admin User
Allows the app to read and write terms of use agreements on your behalf.

Admin
Allows the app to read and write terms of use agreements on behalf of the signed-in user.

AgreementAcceptance

Roles Id Type Description
.Read 0b7643bb-5336-476f-80b5-18fbfbc91806 Admin User
Allows the app to read your terms of use acceptance statuses.

Admin
Allows the app to read terms of use acceptance statuses on behalf of the signed-in user.
.Read.All a66a5341-e66e-4897-9d52-c2df58c2bfb9 Admin User
Allows the app to read terms of use acceptance statuses on your behalf.

Admin
Allows the app to read terms of use acceptance statuses on behalf of the signed-in user.

Analytics

Roles Id Type Description
.Read e03cf23f-8056-446a-8994-7d93dfc8b50e User User
Allows the app to read your activity statistics, such as how much time you’ve spent on emails, in meetings, or in chat sessions.

Admin
Allows the app to read the signed-in user’s activity statistics, such as how much time the user has spent on emails, in meetings, or in chat sessions.

APIConnectors

Roles Id Type Description
.Read.All 1b6ff35f-31df-4332-8571-d31ea5a4893f Admin User
Allows the app to read the API connectors used in user authentication flows, on your behalf.

Admin
Allows the app to read the API connectors used in user authentication flows, on behalf of the signed-in user.
.ReadWrite.All c67b52c5-7c69-48b6-9d48-7b3af3ded914 Admin User
Allows the app to read, create and manage the API connectors used in user authentication flows, on your behalf.

Admin
Allows the app to read, create and manage the API connectors used in user authentication flows, on behalf of the signed-in user.

AppCatalog

Roles Id Type Description
.Read.All 88e58d74-d3df-44f3-ad47-e89edf4472e4 User User
Allows the app to read apps in the app catalogs.

Admin
Allows the app to read the apps in the app catalogs.
.ReadWrite.All 1ca167d5-1655-44a1-8adf-1414072e1ef9 Admin User
Allows the app to create, read, update, and delete apps in the app catalogs.

Admin
Allows the app to create, read, update, and delete apps in the app catalogs.
.Submit 3db89e36-7fa6-4012-b281-85f3d9d9fd2e User User
Allows the app to submit application packages to the catalog and cancel submissions that are pending review on your behalf.

Admin
Allows the app to submit application packages to the catalog and cancel submissions that are pending review on behalf of the signed-in user.

Application

Roles Id Type Description
.Read.All c79f8feb-a9db-4090-85f9-90d820caa0eb Admin User
Allows the app to read applications and service principals on your behalf.

Admin
Allows the app to read applications and service principals on behalf of the signed-in user.
.ReadWrite.All bdfbf15f-ee85-4955-8675-146e8e5296b5 Admin User
Allows the app to create, read, update and delete applications and service principals on your behalf. Does not allow management of consent grants.

Admin
Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. Does not allow management of consent grants.

AppRoleAssignment

Roles Id Type Description
.ReadWrite.All 84bccea3-f856-4a8a-967b-dbe0a3d53a64 Admin User
Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on your behalf.

Admin
Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user.

Approval

Roles Id Type Description
.Read.All 1196552e-b226-4363-b01e-b8901fe10a11 Admin User
Allows the app to read approvals on your behalf.

Admin
Allows the app to read approvals on behalf of the signed-in user.
.ReadWrite.All 1d3d0bc7-4b3a-427a-ae9f-6de4e1edc95f Admin User
Allows the app to read and write approvals on your behalf.

Admin
Allows the app to read and write approvals on behalf of the signed-in user.

AuditLog

Roles Id Type Description
.Read.All e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20 Admin User
Allows the app to read and query your audit log activities, on your behalf.

Admin
Allows the app to read and query your audit log activities, on behalf of the signed-in user.

BitlockerKey

Roles Id Type Description
.Read.All b27a61ec-b99c-4d6a-b126-c4375d08ae30 Admin User
Allows the app to read BitLocker keys for your owned devices. Allows read of the recovery key.

Admin
Allows the app to read BitLocker keys on behalf of the signed-in user, for their owned devices. Allows read of the recovery key.
.ReadBasic.All 5a107bfc-4f00-4e1a-b67e-66451267bc68 Admin User
Allows the app to read basic BitLocker key properties for your owned devices. Does not allow read of the recovery key itself.

Admin
Allows the app to read basic BitLocker key properties on behalf of the signed-in user, for their owned devices. Does not allow read of the recovery key itself.

Bookings

Roles Id Type Description
.Manage.All 7f36b48e-542f-4d3b-9bcb-8406f0ab9fdb User User
Allows an app to read, write and manage bookings appointments, businesses, customers, services, and staff on your behalf.

Admin
Allows an app to read, write and manage bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user.
.Read.All 33b1df99-4b29-4548-9339-7a7b83eaeebc User User
Allows an app to read bookings appointments, businesses, customers, services, and staff on your behalf.

Admin
Allows an app to read bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user.
.ReadWrite.All 948eb538-f19d-4ec5-9ccc-f059e1ea4c72 User User
Allows an app to read and write Bookings appointments, businesses, customers, services, and staff on your behalf. Does not allow create, delete and publish of booking businesses.

Admin
Allows an app to read and write bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Does not allow create, delete and publish of booking businesses.

BookingsAppointment

Roles Id Type Description
.ReadWrite.All 02a5a114-36a6-46ff-a102-954d89d9ab02 User User
Allows an app to read and write bookings appointments and customers, and additionally allows read businesses information, services, and staff on your behalf.

Admin
Allows an app to read and write bookings appointments and customers, and additionally allows read businesses information, services, and staff on behalf of the signed-in user.

Calendars

Roles Id Type Description
.Read 465a38f9-76ea-45b9-9f34-9e8b0d4b0b42 User User
Allows the app to read events in your calendars.

Admin
Allows the app to read events in user calendars.
.Read.Shared 2b9c4092-424d-4249-948d-b43879977640 User User
Allows the app to read events in all calendars that you can access, including delegate and shared calendars.

Admin
Allows the app to read events in all calendars that the user can access, including delegate and shared calendars.
.ReadWrite 1ec239c2-d7c9-4623-a91a-a9775856bb36 User User
Allows the app to read, update, create and delete events in your calendars.

Admin
Allows the app to create, read, update, and delete events in user calendars.
.ReadWrite.Shared 12466101-c9b8-439a-8589-dd09ee67e8e9 User User
Allows the app to read, update, create and delete events in all calendars in your organization you have permissions to access. This includes delegate and shared calendars.

Admin
Allows the app to create, read, update and delete events in all calendars in the organization the user has permissions to access. This includes delegate and shared calendars.

Channel

Roles Id Type Description
.Create 101147cf-4178-4455-9d58-02b5c164e759 Admin User
Create channels in any team, on your behalf.

Admin
Create channels in any team, on behalf of the signed-in user.
.Delete.All cc83893a-e232-4723-b5af-bd0b01bcfe65 Admin User
Delete channels in any team, on your behalf.

Admin
Delete channels in any team, on behalf of the signed-in user.
.ReadBasic.All 9d8982ae-4365-4f57-95e9-d6032a4c0b87 User User
Read channel names and channel descriptions, on your behalf.

Admin
Read channel names and channel descriptions, on behalf of the signed-in user.

ChannelMember

Roles Id Type Description
.Read.All 2eadaff8-0bce-4198-a6b9-2cfc35a30075 Admin User
Read the members of channels, on your behalf.

Admin
Read the members of channels, on behalf of the signed-in user.
.ReadWrite.All 0c3e411a-ce45-4cd1-8f30-f99a3efa7b11 Admin User
Add and remove members from channels, on your behalf. Also allows changing a member’s role, for example from owner to non-owner.

Admin
Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member’s role, for example from owner to non-owner.

ChannelMessage

Roles Id Type Description
.Delete 32ea53ac-4a89-4cde-bac4-727c6fb9ac29 User User
Allows the app to delete channel messages in Microsoft Teams, on your behalf.

Admin
Allows an app to delete channel messages in Microsoft Teams, on behalf of the signed-in user.
.Edit 2b61aa8a-6d36-4b2f-ac7b-f29867937c53 User User
Allows the app to edit channel messages in Microsoft Teams, on your behalf.

Admin
Allows an app to edit channel messages in Microsoft Teams, on behalf of the signed-in user.
.Read.All 767156cb-16ae-4d10-8f8b-41b657c8c8c8 Admin User
Allows the app to read a channel’s messages in Microsoft Teams, on your behalf.

Admin
Allows an app to read a channel’s messages in Microsoft Teams, on behalf of the signed-in user.
.Send ebf0f66e-9fb1-49e4-a278-222f76911cf4 User User
Allows the app to send channel messages in Microsoft Teams, on your behalf.

Admin
Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user.

ChannelSettings

Roles Id Type Description
.Read.All 233e0cf1-dd62-48bc-b65b-b38fe87fcf8e Admin User
Read all channel names, channel descriptions, and channel settings, on your behalf.

Admin
Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user.
.ReadWrite.All d649fb7c-72b4-4eec-b2b4-b15acf79e378 Admin User
Read and write the names, descriptions, and settings of all channels, on your behalf.

Admin
Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user.

Chat

Roles Id Type Description
.Create 38826093-1258-4dea-98f0-00003be2b8d0 User User
Allows the app to create chats on your behalf.

Admin
Allows the app to create chats on behalf of the signed-in user.
.Read f501c180-9344-439a-bca0-6cbf209fd270 User User
Allows an app to read your 1 on 1 or group chat messages in Microsoft Teams, on your behalf.

Admin
Allows an app to read 1 on 1 or group chat threads, on behalf of the signed-in user.
.ReadBasic 9547fcb5-d03f-419d-9948-5928bbf71b0f User User
Allows an app to read the members and descriptions of one-to-one and group chat threads, on your behalf.

Admin
Allows an app to read the members and descriptions of one-to-one and group chat threads, on behalf of the signed-in user.
.ReadWrite 9ff7295e-131b-4d94-90e1-69fde507ac11 User User
Allows an app to read and write your 1 on 1 or group chat messages in Microsoft Teams, on your behalf.

Admin
Allows an app to read and write 1 on 1 or group chat threads, on behalf of the signed-in user.

ChatMember

Roles Id Type Description
.Read c5a9e2b1-faf6-41d4-8875-d381aa549b24 Admin User
Read the members of chats, on your behalf.

Admin
Read the members of chats, on behalf of the signed-in user.
.ReadWrite dea13482-7ea6-488f-8b98-eb5bbecf033d Admin User
Add and remove members from chats, on your behalf.

Admin
Add and remove members from chats, on behalf of the signed-in user.

ChatMessage

Roles Id Type Description
.Read cdcdac3a-fd45-410d-83ef-554db620e5c7 User User
Allows an app to read one-to-one or group chat messages in Microsoft Teams, on your behalf.

Admin
Allows an app to read one-to-one and group chat messages, on behalf of the signed-in user.
.Send 116b7235-7cc6-461e-b163-8e55691d839e User User
Allows an app to send one-to-one and group chat messages in Microsoft Teams, on your behalf.

Admin
Allows an app to send one-to-one and group chat messages in Microsoft Teams, on behalf of the signed-in user.

CloudPC

Roles Id Type Description
.Read.All 5252ec4e-fd40-4d92-8c68-89dd1d3c6110 User User
Allows the app to read the properties of Cloud PCs, on your behalf.

Admin
Allows the app to read the properties of Cloud PCs on behalf of the signed-in user.
.ReadWrite.All 9d77138f-f0e2-47ba-ab33-cd246c8b79d1 Admin User
Allows the app to read and write the properties of Cloud PCs, on your behalf.

Admin
Allows the app to read and write the properties of Cloud PCs on behalf of the signed-in user.

ConsentRequest

Roles Id Type Description
.Read.All f3bfad56-966e-4590-a536-82ecf548ac1e Admin User
Allows the app to read consent requests and approvals, on your behalf.

Admin
Allows the app to read consent requests and approvals on behalf of the signed-in user.
.ReadWrite.All 497d9dfa-3bd1-481a-baab-90895e54568c Admin User
Allows the app to read app consent requests for your approval, and deny or approve those requests on your behalf.

Admin
Allows the app to read app consent requests and approvals, and deny or approve those requests on behalf of the signed-in user.

Contacts

Roles Id Type Description
.Read ff74d97f-43af-4b68-9f2a-b77ee6968c5d User User
Allows the app to read contacts in your contact folders.

Admin
Allows the app to read user contacts.
.Read.Shared 242b9d9e-ed24-4d09-9a52-f43769beb9d4 User User
Allows the app to read contacts you have permissions to access, including your own and shared contacts.

Admin
Allows the app to read contacts a user has permissions to access, including their own and shared contacts.
.ReadWrite d56682ec-c09e-4743-aaf4-1a3aac4caa21 User User
Allows the app to read, update, create and delete contacts in your contact folders.

Admin
Allows the app to create, read, update, and delete user contacts.
.ReadWrite.Shared afb6c84b-06be-49af-80bb-8f3f77004eab User User
Allows the app to read, update, create, and delete contacts you have permissions to access, including your own and shared contacts.

Admin
Allows the app to create, read, update, and delete contacts a user has permissions to, including their own and shared contacts.

CrossTenantInformation

Roles Id Type Description
.ReadBasic.All 81594d25-e88e-49cf-ac8c-fecbff49f994 Admin User
Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem on your behalf.

Admin
Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem on behalf of the signed-in user.

CrossTenantUserProfileSharing

Roles Id Type Description
.Read cb1ba48f-d22b-4325-a07f-74135a62ee41 Admin User
Allows the application to list and query shared user profile information associated with the current tenant on your behalf. It also permits the application to export your external user data (e.g. customer content or system-generated logs), associated with the current tenant on your behalf.

Admin
Allows the application to list and query user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export external user data (e.g. customer content or system-generated logs), associated with the current tenant on behalf of the signed-in user.
.Read.All 759dcd16-3c90-463c-937e-abf89f991c18 Admin User
Allows the application to list and query any shared user profile information associated with the current tenant on your behalf. It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on your behalf.

Admin
Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user.
.ReadWrite eed0129d-dc60-4f30-8641-daf337a39ffd Admin User
Allows the application to list and query shared user profile information associated with the current tenant on your behalf. It also permits the application to export and remove your external user data (e.g. customer content or system-generated logs), associated with the current tenant on your behalf.

Admin
Allows the application to list and query user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), associated with the current tenant on behalf of the signed-in user.
.ReadWrite.All 64dfa325-cbf8-48e3-938d-51224a0cac01 Admin User
Allows the application to list and query any shared user profile information associated with the current tenant on your behalf. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on your behalf.

Admin
Allows the application to list and query any shared user profile information associated with the current tenant on behalf of the signed-in user. It also permits the application to export and remove external user data (e.g. customer content or system-generated logs), for any user associated with the current tenant on behalf of the signed-in user.

CustomSecAttributeAssignment

Roles Id Type Description
.Read.All b46ffa80-fe3d-4822-9a1a-c200932d54d0 Admin User
Allows the app to read custom security attribute assignments for all principals in the tenant on your behalf.

Admin
Allows the app to read custom security attribute assignments for all principals in the tenant on behalf of a signed in user.
.ReadWrite.All ca46335e-8453-47cd-a001-8459884efeae Admin User
Allows the app to read and write custom security attribute assignments for all principals in the tenant on your behalf.

Admin
Allows the app to read and write custom security attribute assignments for all principals in the tenant on behalf of a signed in user.

CustomSecAttributeDefinition

Roles Id Type Description
.Read.All ce026878-a0ff-4745-a728-d4fedd086c07 Admin User
Allows the app to read custom security attribute definitions for the tenant on your behalf.

Admin
Allows the app to read custom security attribute definitions for the tenant on behalf of a signed in user.
.ReadWrite.All 8b0160d4-5743-482b-bb27-efc0a485ca4a Admin User
Allows the app to read and write custom security attribute definitions for the tenant on your behalf.

Admin
Allows the app to read and write custom security attribute definitions for the tenant on behalf of a signed in user.

DelegatedAdminRelationship

Roles Id Type Description
.Read.All 0c0064ea-477b-4130-82a5-4c2cc4ff68aa Admin User
Allows the app to read details of Delegated Admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups on your behalf.

Admin
Allows the app to read details of delegated admin relationships with customers like access details (that includes roles) and the duration as well as specific role assignments to security groups on behalf of the signed-in user.
.ReadWrite.All 885f682f-a990-4bad-a642-36736a74b0c7 Admin User
Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships on your behalf.

Admin
Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers as well as role assignments to security groups for active Delegated Admin relationships on behalf of the signed-in user.

DelegatedPermissionGrant

Roles Id Type Description
.ReadWrite.All 41ce6ca6-6826-4807-84f1-1c82854f7ee5 Admin User
Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on your behalf.

Admin
Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on behalf of the signed in user.

Device

Roles Id Type Description
.Command bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804 User User
Allows the app to launch another app or communicate with another app on a device that you own.

Admin
Allows the app to launch another app or communicate with another app on a user’s device on behalf of the signed-in user.
.Read 11d4cd79-5ba5-460f-803f-e22c8ab85ccd User User
Allows the app to see your list of devices.

Admin
Allows the app to read a user’s list of devices on behalf of the signed-in user.
.Read.All 951183d1-1a61-466f-a6d1-1fde911bfd95 Admin User
Allows the app to read devices’ configuration information on your behalf.

Admin
Allows the app to read your organization’s devices’ configuration information on behalf of the signed-in user.

DeviceManagementApps

Roles Id Type Description
.Read.All 4edf5f54-4666-44af-9de9-0144fb4b6e8c Admin User
Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.

Admin
Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.
.ReadWrite.All 7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af Admin User
Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.

Admin
Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.

DeviceManagementConfiguration

Roles Id Type Description
.Read.All f1493658-876a-4c87-8fa7-edb559b3476a Admin User
Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.

Admin
Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.
.ReadWrite.All 0883f392-0a7a-443d-8c76-16a6d39c7b63 Admin User
Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.

Admin
Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups.

DeviceManagementManagedDevices

Roles Id Type Description
.PrivilegedOperations.All 3404d2bf-2b13-457e-a330-c24615765193 Admin User
Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune.

Admin
Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune.
.Read.All 314874da-47d6-4978-88dc-cf0d37f0bb82 Admin User
Allows the app to read the properties of devices managed by Microsoft Intune.

Admin
Allows the app to read the properties of devices managed by Microsoft Intune.
.ReadWrite.All 44642bfe-8385-4adc-8fc6-fe3cb2c375c3 Admin User
Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the devices owner.

Admin
Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the devices owner.

DeviceManagementRBAC

Roles Id Type Description
.Read.All 49f0cc30-024c-4dfd-ab3e-82e137ee5431 Admin User
Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.

Admin
Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.
.ReadWrite.All 0c5e8a55-87a6-4556-93ab-adc52c4d862d Admin User
Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.

Admin
Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings.

DeviceManagementServiceConfig

Roles Id Type Description
.Read.All 8696daa5-bce5-4b2e-83f9-51b6defc4e1e Admin User
Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration.

Admin
Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration.
.ReadWrite.All 662ed50a-ac44-4eef-ad86-62eed9be2a29 Admin User
Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration.

Admin
Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration.

Directory

Roles Id Type Description
.AccessAsUser.All 0e263e50-5827-48a4-b97c-d940288653c7 Admin User
Allows the app to have the same access to information in your work or school directory as you do.

Admin
Allows the app to have the same access to information in the directory as the signed-in user.
.Read.All 06da0dbc-49e2-44d2-8312-53f166ab848a Admin User
Allows the app to read data in your organization’s directory.

Admin
Allows the app to read data in your organization’s directory, such as users, groups and apps.
.ReadWrite.All c5366453-9fb0-48a5-a156-24f0c49a4b84 Admin User
Allows the app to read and write data in your organization’s directory, such as other users, groups. It does not allow the app to delete users or groups, or reset user passwords.

Admin
Allows the app to read and write data in your organization’s directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords.
.Write.Restricted cba5390f-ed6a-4b7f-b657-0efc2210ed20 Admin User
Allows the app to manage restricted resources based on the other permissions granted to the app, on your behalf.

Admin
Allows the app to manage restricted resources based on the other permissions granted to the app, on behalf of the signed-in user.

DirectoryRecommendations

Roles Id Type Description
.Read.All 34d3bd24-f6a6-468c-b67c-0c365c1d6410 Admin User
Allows the app to read Azure AD recommendations, on your behalf.

Admin
Allows the app to read Azure AD recommendations, on behalf of the signed-in user.
.ReadWrite.All f37235e8-90a0-4189-93e2-e55b53867ccd Admin User
Allows the app to read and update Azure AD recommendations, on your behalf.

Admin
Allows the app to read and update Azure AD recommendations, on behalf of the signed-in user.

Domain

Roles Id Type Description
.Read.All 2f9ee017-59c1-4f1d-9472-bd5529a7b311 Admin User
Allows the app to read all domain properties on your behalf.

Admin
Allows the app to read all domain properties on behalf of the signed-in user.
.ReadWrite.All 0b5d694c-a244-4bde-86e6-eb5cd07730fe Admin User
Allows the app to read and write all domain properties on your behalf. Also allows the app to add, verify and remove domains.

Admin
Allows the app to read and write all domain properties on behalf of the signed-in user. Also allows the app to add, verify and remove domains.

EAS

Roles Id Type Description
.AccessAsUser.All ff91d191-45a0-43fd-b837-bd682c4a0b0f User User
Allows the app full access to your mailboxes on your behalf.

Admin
Allows the app to have the same access to mailboxes as the signed-in user via Exchange ActiveSync.

eDiscovery

Roles Id Type Description
.Read.All 99201db3-7652-4d5a-809a-bdb94f85fe3c Admin User
Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects on your behalf.

Admin
Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user.
.ReadWrite.All acb8f680-0834-4146-b69e-4ab1b39745ad Admin User
Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects on your behalf.

Admin
Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user.

EduAdministration

Roles Id Type Description
.Read 8523895c-6081-45bf-8a5d-f062a2f12c9f Admin User
Allows the app to view the state and settings of all Microsoft education apps on your behalf.

Admin
Read the state and settings of all Microsoft education apps on behalf of the user.
.ReadWrite 63589852-04e3-46b4-bae9-15d5b1050748 Admin User
Allows the app to manage the state and settings of all Microsoft education apps on your behalf.

Admin
Manage the state and settings of all Microsoft education apps on behalf of the user.

EduAssignments

Roles Id Type Description
.Read 091460c9-9c4a-49b2-81ef-1f3d852acce2 Admin User
Allows the app to view your assignments on your behalf including grades.

Admin
Allows the app to read assignments and their grades on behalf of the user.
.ReadBasic c0b0103b-c053-4b2e-9973-9f3a544ec9b8 Admin User
Allows the app to view your assignments on your behalf without seeing grades.

Admin
Allows the app to read assignments without grades on behalf of the user.
.ReadWrite 2f233e90-164b-4501-8bce-31af2559a2d3 Admin User
Allows the app to view and modify your assignments on your behalf including grades.

Admin
Allows the app to read and write assignments and their grades on behalf of the user.
.ReadWriteBasic 2ef770a1-622a-47c4-93ee-28d6adbed3a0 Admin User
Allows the app to view and modify your assignments on your behalf without seeing grades.

Admin
Allows the app to read and write assignments without grades on behalf of the user.

EduRoster

Roles Id Type Description
.Read a4389601-22d9-4096-ac18-36a927199112 Admin User
Allows the app to view information about schools and classes in your organization and education-related information about you and other users on your behalf.

Admin
Allows the app to read the structure of schools and classes in an organization’s roster and education-specific information about users to be read on behalf of the user.
.ReadBasic 5d186531-d1bf-4f07-8cea-7c42119e1bd9 Admin User
Allows the app to view minimal information about both schools and classes in your organization and education-related information about you and other users on your behalf.

Admin
Allows the app to read a limited subset of the properties from the structure of schools and classes in an organization’s roster and a limited subset of properties about users to be read on behalf of the user. Includes name, status, education role, email address and photo.
.ReadWrite 359e19a6-e3fa-4d7f-bcab-d28ec592b51e Admin User
Allows the app to view and modify information about schools and classes in your organization and education-related information about you and other users on your behalf.

Admin
Allows the app to read and write the structure of schools and classes in an organization’s roster and education-specific information about users to be read and written on behalf of the user.

email

Roles Id Type Description
email 64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0 User User
Allows the app to read your primary email address.

Admin
Allows the app to read your users’ primary email address.

EntitlementManagement

Roles Id Type Description
.Read.All 5449aa12-1393-4ea2-a7c7-d0e06c1a56b2 Admin User
Allows the app to read access packages and related entitlement management resources that you have access to.

Admin
Allows the app to read access packages and related entitlement management resources on behalf of the signed-in user.
.ReadWrite.All ae7a573d-81d7-432b-ad44-4ed5c9d89038 Admin User
Allows the app to request access to and management of access packages and related entitlement management resources that you have access to.

Admin
Allows the app to request access to and management of access packages and related entitlement management resources on behalf of the signed-in user.

EWS

Roles Id Type Description
.AccessAsUser.All 9769c687-087d-48ac-9cb3-c37dde652038 User User
Allows the app full access to your mailboxes on your behalf.

Admin
Allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services.

ExternalConnection

Roles Id Type Description
.Read.All a38267a5-26b6-4d76-9493-935b7599116b Admin User
Allows the app to read all external connections on your behalf. The signed-in user must be an administrator.

Admin
Allows the app to read all external connections on behalf of a signed-in user. The signed-in user must be an administrator.
.ReadWrite.All bbbbd9b3-3566-4931-ac37-2b2180d9e334 Admin User
Allows the app to read and write all external connections on your behalf. The signed-in user must be an administrator.

Admin
Allows the app to read and write all external connections on behalf of a signed-in user. The signed-in user must be an administrator.
.ReadWrite.OwnedBy 4082ad95-c812-4f02-be92-780c4c4f1830 Admin User
Allows the app to read and write external connections on your behalf. The signed-in user must be an administrator. The app can only read and write external connections that it is authorized to, or it can create new external connections.

Admin
Allows the app to read and write settings of external connections on behalf of a signed-in user. The signed-in user must be an administrator. The app can only read and write settings of connections that it is authorized to.

ExternalItem

Roles Id Type Description
.Read.All 922f9392-b1b7-483c-a4be-0089be7704fb Admin User
Allows the app to read external datasets and content that you have access to.

Admin
Allows the app to read external datasets and content, on behalf of the signed-in user.
.ReadWrite.All b02c54f8-eb48-4c50-a9f0-a149e5a2012f Admin User
Allows the app to read and write all external items on your behalf. The signed-in user must be an administrator.

Admin
Allows the app to read and write all external items on behalf of a signed-in user. The signed-in user must be an administrator.
.ReadWrite.OwnedBy 4367b9d7-cee7-4995-853c-a0bdfe95c1f9 Admin User
Allows the app to read and write external items on your behalf. The signed-in user must be an administrator. The app can only read external items of the connection that it is authorized to.

Admin
Allows the app to read and write external items on behalf of a signed-in user. The signed-in user must be an administrator. The app can only read external items of the connection that it is authorized to.

Family

Roles Id Type Description
.Read 3a1e4806-a744-4c70-80fc-223bf8582c46 User User
Allows the app to read your family information, members and their basic profile.

Admin
Allows the app to read your family information, members and their basic profile.

Files

Roles Id Type Description
.Read 10465720-29dd-4523-a11a-6a75c743c9d9 User User
Allows the app to read your files.

Admin
Allows the app to read the signed-in user’s files.
.Read.All df85f4d6-205c-4ac5-a5ea-6bf408dba283 User User
Allows the app to read all files you can access.

Admin
Allows the app to read all files the signed-in user can access.
.Read.Selected 5447fe39-cb82-4c1a-b977-520e67e724eb User User
(Preview) Allows the app to read files that you select. After you select a file, the app has access to the file for several hours.

Admin
(Preview) Allows the app to read files that the user selects. The app has access for several hours after the user selects a file.
.ReadWrite 5c28f0bf-8a70-41f1-8ab2-9032436ddb65 User User
Allows the app to read, create, update, and delete your files.

Admin
Allows the app to read, create, update and delete the signed-in user’s files.
.ReadWrite.All 863451e7-0667-486c-a5d6-d135439485f0 User User
Allows the app to read, create, update and delete all files that you can access.

Admin
Allows the app to read, create, update and delete all files the signed-in user can access.
.ReadWrite.AppFolder 8019c312-3263-48e6-825e-2b833497195b User User
(Preview) Allows the app to read, create, update and delete files in the application’s folder.

Admin
(Preview) Allows the app to read, create, update and delete files in the application’s folder.
.ReadWrite.Selected 17dde5bd-8c17-420f-a486-969730c1b827 User User
(Preview) Allows the app to read and write files that you select. After you select a file, the app has access to the file for several hours.

Admin
(Preview) Allows the app to read and write files that the user selects. The app has access for several hours after the user selects a file.

Financials

Roles Id Type Description
.ReadWrite.All f534bf13-55d4-45a9-8f3c-c92fe64d6131 User User
Allows the app to read and write financials data on your behalf.

Admin
Allows the app to read and write financials data on behalf of the signed-in user.

Group

Roles Id Type Description
.Read.All 5f8c59db-677d-491f-a6b8-5f174b11ec1d Admin User
Allows the app to list groups, and to read their properties and all group memberships on your behalf. Also allows the app to read calendar, conversations, files, and other group content for all groups you can access.

Admin
Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access.
.ReadWrite.All 4e46008b-f24c-477d-8fff-7bb4ec7aafe0 Admin User
Allows the app to create groups and read all group properties and memberships on your behalf. Additionally allows the app to manage your groups and to update group content for groups you are a member of.

Admin
Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.

GroupMember

Roles Id Type Description
.Read.All bc024368-1153-4739-b217-4326f2e966d0 Admin User
Allows the app to list groups, read basic group properties and read membership of all your groups.

Admin
Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to.
.ReadWrite.All f81125ac-d3b7-4573-a3b2-7099cc39df9e Admin User
Allows the app to list groups, read basic properties, read and update the membership of your groups. Group properties and owners cannot be updated and groups cannot be deleted.

Admin
Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to. Group properties and owners cannot be updated and groups cannot be deleted.

IdentityProvider

Roles Id Type Description
.Read.All 43781733-b5a7-4d1b-98f4-e8edff23e1a9 Admin User
Allows the app to read your organization’s identity (authentication) providers’ properties on your behalf.

Admin
Allows the app to read your organization’s identity (authentication) providers’ properties on behalf of the user.
.ReadWrite.All f13ce604-1677-429f-90bd-8a10b9f01325 Admin User
Allows the app to read and write your organization’s identity (authentication) providers’ properties on your behalf.

Admin
Allows the app to read and write your organization’s identity (authentication) providers’ properties on behalf of the user.

IdentityRiskEvent

Roles Id Type Description
.Read.All 8f6a01e7-0391-4ee5-aa22-a3af122cef27 Admin User
Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user.

Admin
Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user.
.ReadWrite.All 9e4862a5-b68f-479e-848a-4e07e25c9916 Admin User
Allows the app to read and update identity risk event information for all users in your organization on your behalf. Update operations include confirming risk event detections.

Admin
Allows the app to read and update identity risk event information for all users in your organization on behalf of the signed-in user. Update operations include confirming risk event detections.

IdentityRiskyServicePrincipal

Roles Id Type Description
.Read.All ea5c4ab0-5a73-4f35-8272-5d5337884e5d Admin User
Allows the app to read all identity risky service principal information for your organization, on your behalf.

Admin
Allows the app to read all identity risky service principal information for your organization, on behalf of the signed-in user.
.ReadWrite.All bb6f654c-d7fd-4ae3-85c3-fc380934f515 Admin User
Allows the app to read and update identity risky service principal information for all service principals in your organization, on your behalf. Update operations include dismissing risky service principals.

Admin
Allows the app to read and update identity risky service principal information for all service principals in your organization, on behalf of the signed-in user. Update operations include dismissing risky service principals.

IdentityRiskyUser

Roles Id Type Description
.Read.All d04bb851-cb7c-4146-97c7-ca3e71baf56c Admin User
Allows the app to read identity risky user information for all users in your organization on behalf of the signed-in user.

Admin
Allows the app to read identity risky user information for all users in your organization on behalf of the signed-in user.
.ReadWrite.All e0a7cdbb-08b0-4697-8264-0069786e9674 Admin User
Allows the app to read and update identity risky user information for all users in your organization on your behalf. Update operations include dismissing risky users.

Admin
Allows the app to read and update identity risky user information for all users in your organization on behalf of the signed-in user. Update operations include dismissing risky users.

IdentityUserFlow

Roles Id Type Description
.Read.All 2903d63d-4611-4d43-99ce-a33f3f52e343 Admin User
Allows the app to read your organization’s user flows, on your behalf.

Admin
Allows the app to read your organization’s user flows, on behalf of the signed-in user.
.ReadWrite.All 281892cc-4dbf-4e3a-b6cc-b21029bb4e82 Admin User
Allows the app to read or write your organization’s user flows, on your behalf.

Admin
Allows the app to read or write your organization’s user flows, on behalf of the signed-in user.

IMAP

Roles Id Type Description
.AccessAsUser.All 652390e4-393a-48de-9484-05f9b1212954 User User
Allows the app to read, update, create and delete email in your mailbox. Does not include permission to send mail.

Admin
Allows the app to have the same access to mailboxes as the signed-in user via IMAP protocol.

InformationProtectionPolicy

Roles Id Type Description
.Read 4ad84827-5578-4e18-ad7a-86530b12f884 User User
Allows an app to read information protection sensitivity labels and label policy settings, on behalf of the signed-in user.

Admin
Allows an app to read information protection sensitivity labels and label policy settings, on behalf of the signed-in user.

Mail

Roles Id Type Description
.Read 570282fd-fa5c-430d-a7fd-fc8dc98a9dca User User
Allows the app to read email in your mailbox.

Admin
Allows the app to read the signed-in user’s mailbox.
.Read.Shared 7b9103a5-4610-446b-9670-80643382c1fa User User
Allows the app to read mail you can access, including shared mail.

Admin
Allows the app to read mail a user can access, including their own and shared mail.
.ReadBasic a4b8392a-d8d1-4954-a029-8e668a39a170 User User
Allows the app to read email in the signed-in user’s mailbox except body, previewBody, attachments and any extended properties.

Admin
Allows the app to read email in the signed-in user’s mailbox except body, previewBody, attachments and any extended properties.
.ReadWrite 024d486e-b451-40bb-833d-3e66d98c5c73 User User
Allows the app to read, update, create and delete email in your mailbox. Does not include permission to send mail.

Admin
Allows the app to create, read, update, and delete email in user mailboxes. Does not include permission to send mail.
.ReadWrite.Shared 5df07973-7d5d-46ed-9847-1271055cbd51 User User
Allows the app to read, update, create, and delete mail you have permission to access, including your own and shared mail. Does not allow the app to send mail on your behalf.

Admin
Allows the app to create, read, update, and delete mail a user has permission to access, including their own and shared mail. Does not include permission to send mail.
.Send e383f46e-2787-4529-855e-0e479a3ffac0 User User
Allows the app to send mail as you.

Admin
Allows the app to send mail as users in the organization.
.Send.Shared a367ab51-6b49-43bf-a716-a1fb06d2a174 User User
Allows the app to send mail as you or on behalf of someone else.

Admin
Allows the app to send mail as the signed-in user, including sending on behalf of others.

MailboxSettings

Roles Id Type Description
.Read 87f447af-9fa4-4c32-9dfa-4a57a73d18ce User User
Allows the app to read your mailbox settings.

Admin
Allows the app to read the user’s mailbox settings. Does not include permission to send mail.
.ReadWrite 818c620a-27a9-40bd-a6a5-d96f7d610b4b User User
Allows the app to read, update, create, and delete your mailbox settings.

Admin
Allows the app to create, read, update, and delete user’s mailbox settings. Does not include permission to send mail.

ManagedTenants

Roles Id Type Description
.Read.All dc34164e-6c4a-41a0-be89-3ae2fbad7cd3 Admin User
Allows the app to read all managed tenant information on your behalf.

Admin
Allows the app to read all managed tenant information on behalf of the signed-in user.
.ReadWrite.All b31fa710-c9b3-4d9e-8f5e-8036eecddab9 Admin User
Allows the app to read and write all managed tenant information on your behalf.

Admin
Allows the app to read and write all managed tenant information on behalf of the signed-in user.

Member

Roles Id Type Description
.Read.Hidden f6a3db3e-f7e8-4ed2-a414-557c8c9830be Admin User
Allows the app to read the memberships of hidden groups or administrative units on your behalf, for those hidden groups or administrative units that you have access to.

Admin
Allows the app to read the memberships of hidden groups and administrative units on behalf of the signed-in user, for those hidden groups and administrative units that the signed-in user has access to.

Notes

Roles Id Type Description
.Create 9d822255-d64d-4b7a-afdb-833b9a97ed02 User User
Allows the app to view the titles of your OneNote notebooks and sections and to create new pages, notebooks, and sections on your behalf.

Admin
Allows the app to read the titles of OneNote notebooks and sections and to create new pages, notebooks, and sections on behalf of the signed-in user.
.Read 371361e4-b9e2-4a3f-8315-2a301a3b0a3d User User
Allows the app to read OneNote notebooks on your behalf.

Admin
Allows the app to read OneNote notebooks on behalf of the signed-in user.
.Read.All dfabfca6-ee36-4db2-8208-7a28381419b3 User User
Allows the app to read all the OneNote notebooks that you have access to.

Admin
Allows the app to read OneNote notebooks that the signed-in user has access to in the organization.
.ReadWrite 615e26af-c38a-4150-ae3e-c3b0d4cb1d6a User User
Allows the app to read, share, and modify OneNote notebooks on your behalf.

Admin
Allows the app to read, share, and modify OneNote notebooks on behalf of the signed-in user.
.ReadWrite.All 64ac0503-b4fa-45d9-b544-71a463f05da0 User User
Allows the app to read, share, and modify all the OneNote notebooks that you have access to.

Admin
Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to in the organization.
.ReadWrite.CreatedByApp ed68249d-017c-4df5-9113-e684c7f8760b User User
This permission no longer has any effect. You can safely consent to it. No additional privileges will be granted to the app.

Admin
This is deprecated! Do not use! This permission no longer has any effect. You can safely consent to it. No additional privileges will be granted to the app.

Notifications

Roles Id Type Description
.ReadWrite.CreatedByApp 89497502-6e42-46a2-8cb2-427fd3df970a User User
Allows the app to deliver its notifications, on your behalf. Also allows the app to read, update, and delete your notification items for this app.

Admin
Allows the app to deliver its notifications on behalf of signed-in users. Also allows the app to read, update, and delete the user’s notification items for this app.

offline_access

Roles Id Type Description
offline_access 7427e0e9-2fba-42fe-b0c0-848c9e6a8182 User User
Allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions.

Admin
Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.

OnlineMeetingArtifact

Roles Id Type Description
.Read.All 110e5abb-a10c-4b59-8b55-9b4daa4ef743 User User
Allows the app to read online meeting artifacts on your behalf.

Admin
Allows the app to read online meeting artifacts on behalf of the signed-in user.

OnlineMeetings

Roles Id Type Description
.Read 9be106e1-f4e3-4df5-bdff-e4bc531cbe43 User User
Allows the app to read online meeting details on your behalf.

Admin
Allows the app to read online meeting details on behalf of the signed-in user.
.ReadWrite a65f2972-a4f8-4f5e-afd7-69ccb046d5dc User User
Allows the app to read and create online meetings on your behalf.

Admin
Allows the app to read and create online meetings on behalf of the signed-in user.

OnPremisesPublishingProfiles

Roles Id Type Description
.ReadWrite.All 8c4d5184-71c2-4bf8-bb9d-bc3378c9ad42 Admin User
Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on your behalf.

Admin
Allows the app to manage hybrid identity service configuration by creating, viewing, updating and deleting on-premises published resources, on-premises agents and agent groups, on behalf of the signed-in user.

openid

Roles Id Type Description
openid 37f7f235-527c-4136-accd-4a02d197296e User User
Allows you to sign in to the app with your work or school account and allows the app to read your basic profile information.

Admin
Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information.

Organization

Roles Id Type Description
.Read.All 4908d5b9-3fb2-4b1e-9336-1888b7937185 Admin User
Allows the app to read the organization and related resources, on your behalf. Related resources include things like subscribed skus and tenant branding information.

Admin
Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information.
.ReadWrite.All 46ca0847-7e6b-426e-9775-ea810a948356 Admin User
Allows the app to read and write the organization and related resources, on your behalf. Related resources include things like subscribed skus and tenant branding information.

Admin
Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information.

OrgContact

Roles Id Type Description
.Read.All 08432d1b-5911-483c-86df-7980af5cdee0 Admin User
Allows the app to read all organizational contacts on your behalf. These contacts are managed by the organization and are different from your personal contacts.

Admin
Allows the app to read all organizational contacts on behalf of the signed-in user. These contacts are managed by the organization and are different from a user’s personal contacts.

People

Roles Id Type Description
.Read ba47897c-39ec-4d83-8086-ee8256fa737d User User
Allows the app to read a list of people in the order that’s most relevant to you. This includes your local contacts, your contacts from social networking, people listed in your organization’s directory, and people from recent communications.

Admin
Allows the app to read a ranked list of relevant people of the signed-in user. The list includes local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype).
.Read.All b89f9189-71a5-4e70-b041-9887f0bc7e4a Admin User
Allows the app to read a list of people in the order that is most relevant to you. Allows the app to read a list of people in the order that is most relevant to another user in your organization. These can include local contacts, contacts from social networking, people listed in your organization’s directory, and people from recent communications.

Admin
Allows the app to read a scored list of relevant people of the signed-in user or other users in the signed-in user’s organization. The list can include local contacts, contacts from social networking, your organization’s directory, and people from recent communications (such as email and Skype).

Place

Roles Id Type Description
.Read 40f6bacc-b201-40da-90a5-09775cc4a863 User User
Allows the app to read your personal places.

Admin
Allows the app to read the signed-in user’s personal places.
.Read.All cb8f45a0-5c2e-4ea1-b803-84b870a7d7ec Admin User
Allows the app to read your company’s places (conference rooms and room lists) for calendar events and other applications, on your behalf.

Admin
Allows the app to read your company’s places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user.
.Read.Shared 0b3f56bc-fecd-4036-8930-660fc672e342 User User
Allows the app to read your personal places and other users’ personal places that you have delegate access to.

Admin
Allows the app to read other users’ personal places that the signed-in user has delegate access to. Also allows read of the signed-in user’s personal places.
.ReadWrite 012ba4a5-ca82-4a76-95ba-6c27f44364c3 User User
Allows the app to create, read, and update personal places on your behalf.

Admin
Allows the app to create, read, and update the signed-in user’s personal places.
.ReadWrite.All 4c06a06a-098a-4063-868e-5dfee3827264 Admin User
Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on your behalf.

Admin
Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on behalf of the signed-in user.

Policy

Roles Id Type Description
.Read.All 572fea84-0151-49b2-9301-11cb16974376 Admin User
Allows the app to read your organization’s policies on your behalf.

Admin
Allows the app to read your organization’s policies on behalf of the signed-in user.
.Read.ConditionalAccess 633e0fce-8c58-4cfb-9495-12bbd5a24f7c User User
Allows the app to read your organization’s conditional access policies on your behalf.

Admin
Allows the app to read your organization’s conditional access policies on behalf of the signed-in user.
.Read.PermissionGrant 414de6ea-2d92-462f-b120-6e2a809a6d01 Admin User
Allows the app to read policies related to consent and permission grants for applications, on your behalf.

Admin
Allows the app to read policies related to consent and permission grants for applications, on behalf of the signed-in user.
.ReadWrite.ApplicationConfiguration b27add92-efb2-4f16-84f5-8108ba77985c Admin User
Allows the app to read and write your organization’s application configuration policies on your behalf. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy.

Admin
Allows the app to read and write your organization’s application configuration policies on behalf of the signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy.
.ReadWrite.AuthenticationFlows edb72de9-4252-4d03-a925-451deef99db7 Admin User
Allows the app to read and write the authentication flow policies for your tenant, on your behalf.

Admin
Allows the app to read and write the authentication flow policies, on behalf of the signed-in user.
.ReadWrite.AuthenticationMethod 7e823077-d88e-468f-a337-e18f1f0e6c7c Admin User
Allows the app to read and write the authentication method policies for your tenant, on your behalf.

Admin
Allows the app to read and write the authentication method policies, on behalf of the signed-in user.
.ReadWrite.Authorization edd3c878-b384-41fd-95ad-e7407dd775be Admin User
Allows the app to read and write your organization’s authorization policy on your behalf. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.

Admin
Allows the app to read and write your organization’s authorization policy on behalf of the signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.
.ReadWrite.ConditionalAccess ad902697-1014-4ef5-81ef-2b4301988e8c Admin User
Allows the app to read and write your organization’s conditional access policies on your behalf.

Admin
Allows the app to read and write your organization’s conditional access policies on behalf of the signed-in user.
.ReadWrite.ConsentRequest 4d135e65-66b8-41a8-9f8b-081452c91774 Admin User
Allows the app to read and write your organization’s consent request policy on your behalf.

Admin
Allows the app to read and write your organization’s consent requests policy on behalf of the signed-in user.
.ReadWrite.CrossTenantAccess 014b43d0-6ed4-4fc6-84dc-4b6f7bae7d85 Admin User
Allows the app to read and write your organization’s cross tenant access policies on your behalf.

Admin
Allows the app to read and write your organization’s cross tenant access policies on behalf of the signed-in user.
.ReadWrite.DeviceConfiguration 40b534c3-9552-4550-901b-23879c90bcf9 Admin User
Allows the app to read and write your organization’s device configuration policies on your behalf. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.

Admin
Allows the app to read and write your organization’s device configuration policies on behalf of the signed-in user. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks.
.ReadWrite.FeatureRollout 92a38652-f13b-4875-bc77-6e1dbb63e1b2 Admin User
Allows the app to read and write your organization’s feature rollout policies on your behalf. Includes abilities to assign and remove users and groups to rollout of a specific feature.

Admin
Allows the app to read and write your organization’s feature rollout policies on behalf of the signed-in user. Includes abilities to assign and remove users and groups to rollout of a specific feature.
.ReadWrite.MobilityManagement a8ead177-1889-4546-9387-f25e658e2a79 Admin User
Allows the app to read and write your organization’s mobility management policies on your behalf. For example, a mobility management policy can set the enrollment scope for a given mobility management application.

Admin
Allows the app to read and write your organization’s mobility management policies on behalf of the signed-in user. For example, a mobility management policy can set the enrollment scope for a given mobility management application.
.ReadWrite.PermissionGrant 2672f8bb-fd5e-42e0-85e1-ec764dd2614e Admin User
Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user.

Admin
Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user.
.ReadWrite.TrustFramework cefba324-1a70-4a6e-9c1d-fd670b7ae392 Admin User
Allows the app to read and write your organization’s trust framework policies on your behalf.

Admin
Allows the app to read and write your organization’s trust framework policies on behalf of the signed-in user.

POP

Roles Id Type Description
.AccessAsUser.All d7b7f2d9-0f45-4ea1-9d42-e50810c06991 User User
Allows the app to read, update, create and delete email in your mailbox. Does not include permission to send mail.

Admin
Allows the app to have the same access to mailboxes as the signed-in user via POP protocol.

Presence

Roles Id Type Description
.Read 76bc735e-aecd-4a1d-8b4c-2b915deabb79 User User
Allows the app to read your presence information on your behalf. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.

Admin
Allows the app to read presence information on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.
.Read.All 9c7a330d-35b3-4aa1-963d-cb2b9f927841 User User
Allows the app to read presence information of all users in the directory on your behalf. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.

Admin
Allows the app to read presence information of all users in the directory on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.
.ReadWrite 8d3c54a7-cf58-4773-bf81-c0cd6ad522bb User User
Allows the app to read the presence information and write activity and availability on your behalf. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.

Admin
Allows the app to read the presence information and write activity and availability on behalf of the signed-in user. Presence information includes activity, availability, status note, calendar out-of-office message, timezone and location.

PrintConnector

Roles Id Type Description
.Read.All d69c2d6d-4f72-4f99-a6b9-663e32f8cf68 Admin User
Allows the application to read print connectors on your behalf.

Admin
Allows the application to read print connectors on behalf of the signed-in user.
.ReadWrite.All 79ef9967-7d59-4213-9c64-4b10687637d8 Admin User
Allows the application to read and write print connectors on your behalf.

Admin
Allows the application to read and write print connectors on behalf of the signed-in user.

Printer

Roles Id Type Description
.Create 90c30bed-6fd1-4279-bf39-714069619721 Admin User
Allows the application to create (register) printers on your behalf.

Admin
Allows the application to create (register) printers on behalf of the signed-in user.
.FullControl.All 93dae4bd-43a1-4a23-9a1a-92957e1d9121 Admin User
Allows the application to create (register), read, update, and delete (unregister) printers on your behalf.

Admin
Allows the application to create (register), read, update, and delete (unregister) printers on behalf of the signed-in user.
.Read.All 3a736c8a-018e-460a-b60c-863b2683e8bf Admin User
Allows the application to read printers on your behalf.

Admin
Allows the application to read printers on behalf of the signed-in user.
.ReadWrite.All 89f66824-725f-4b8f-928e-e1c5258dc565 Admin User
Allows the application to read and update printers on your behalf. Does not allow creating (registering) or deleting (unregistering) printers.

Admin
Allows the application to read and update printers on behalf of the signed-in user. Does not allow creating (registering) or deleting (unregistering) printers.

PrinterShare

Roles Id Type Description
.Read.All ed11134d-2f3f-440d-a2e1-411efada2502 User User
Allows the application to read printer shares on your behalf.

Admin
Allows the application to read printer shares on behalf of the signed-in user.
.ReadBasic.All 5fa075e9-b951-4165-947b-c63396ff0a37 User User
Allows the application to read basic information about printer shares on your behalf.

Admin
Allows the application to read basic information about printer shares on behalf of the signed-in user. Does not allow reading access control information.
.ReadWrite.All 06ceea37-85e2-40d7-bec3-91337a46038f Admin User
Allows the application to read and update printer shares on your behalf.

Admin
Allows the application to read and update printer shares on behalf of the signed-in user.

PrintJob

Roles Id Type Description
.Create 21f0d9c0-9f13-48b3-94e0-b6b231c7d320 User User
Allows the application to create print jobs on your behalf and upload document content to print jobs that you created.

Admin
Allows the application to create print jobs on behalf of the signed-in user and upload document content to print jobs that the signed-in user created.
.Read 248f5528-65c0-4c88-8326-876c7236df5e User User
Allows the application to read the metadata and document content of print jobs that you created.

Admin
Allows the application to read the metadata and document content of print jobs that the signed-in user created.
.Read.All afdd6933-a0d8-40f7-bd1a-b5d778e8624b Admin User
Allows the application to read the metadata and document content of print jobs on your behalf.

Admin
Allows the application to read the metadata and document content of print jobs on behalf of the signed-in user.
.ReadBasic 6a71a747-280f-4670-9ca0-a9cbf882b274 User User
Allows the application to read the metadata of print jobs that you created. Does not allow access to print job document content.

Admin
Allows the application to read the metadata of print jobs that the signed-in user created. Does not allow access to print job document content.
.ReadBasic.All 04ce8d60-72ce-4867-85cf-6d82f36922f3 Admin User
Allows the application to read the metadata of print jobs on your behalf. Does not allow access to print job document content.

Admin
Allows the application to read the metadata of print jobs on behalf of the signed-in user. Does not allow access to print job document content.
.ReadWrite b81dd597-8abb-4b3f-a07a-820b0316ed04 User User
Allows the application to read and update the metadata and document content of print jobs that you created.

Admin
Allows the application to read and update the metadata and document content of print jobs that the signed-in user created.
.ReadWrite.All 036b9544-e8c5-46ef-900a-0646cc42b271 Admin User
Allows the application to read and update the metadata and document content of print jobs on your behalf.

Admin
Allows the application to read and update the metadata and document content of print jobs on behalf of the signed-in user.
.ReadWriteBasic 6f2d22f2-1cb6-412c-a17c-3336817eaa82 User User
Allows the application to read and update the metadata of print jobs that you created. Does not allow access to print job document content.

Admin
Allows the application to read and update the metadata of print jobs that the signed-in user created. Does not allow access to print job document content.
.ReadWriteBasic.All 3a0db2f6-0d2a-4c19-971b-49109b19ad3d Admin User
Allows the application to read and update the metadata of print jobs on your behalf. Does not allow access to print job document content.

Admin
Allows the application to read and update the metadata of print jobs on behalf of the signed-in user. Does not allow access to print job document content.

PrintSettings

Roles Id Type Description
.Read.All 490f32fd-d90f-4dd7-a601-ff6cdc1a3f6c Admin User
Allows the application to read tenant-wide print settings on your behalf.

Admin
Allows the application to read tenant-wide print settings on behalf of the signed-in user.
.ReadWrite.All 9ccc526a-c51c-4e5c-a1fd-74726ef50b8f Admin User
Allows the application to read and write tenant-wide print settings on your behalf.

Admin
Allows the application to read and write tenant-wide print settings on behalf of the signed-in user.

PrivilegedAccess

Roles Id Type Description
.Read.AzureAD b3a539c9-59cb-4ad5-825a-041ddbdc2bdb Admin User
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on your behalf.

Admin
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD built-in and custom administrative roles, on behalf of the signed-in user.
.Read.AzureADGroup d329c81c-20ad-4772-abf9-3f6fdb7e5988 Admin User
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on your behalf.

Admin
Allows the app to read time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user.
.Read.AzureResources 1d89d70c-dcac-4248-b214-903c457af83a Admin User
Allows the app to read time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) on your behalf.

Admin
Allows the app to read time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) on behalf of the signed-in user.
.ReadWrite.AzureAD 3c3c74f5-cdaa-4a97-b7e0-4e788bfcfb37 Admin User
Allows the app to request and manage just-in-time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on your behalf.

Admin
Allows the app to request and manage just-in-time elevation (including scheduled elevation) of users to Azure AD built-in administrative roles, on behalf of signed-in users.
.ReadWrite.AzureADGroup 32531c59-1f32-461f-b8df-6f8a3b89f73b Admin User
Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on your behalf.

Admin
Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups, on behalf of the signed-in user.
.ReadWrite.AzureResources a84a9652-ffd3-496e-a991-22ba5529156a Admin User
Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage your Azure resources (like your subscriptions, resource groups, storage, compute) on your behalf.

Admin
Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage Azure resources (like subscriptions, resource groups, storage, compute) on behalf of the signed-in users.

profile

Roles Id Type Description
profile 14dad69e-099b-42c9-810b-d002981feec1 User User
Allows the app to see your basic profile (name, picture, user name).

Admin
Allows the app to see your users’ basic profile (name, picture, user name).

ProgramControl

Roles Id Type Description
.Read.All c492a2e1-2f8f-4caa-b076-99bbf6e40fe4 Admin User
Allows the app to read information on programs and program controls that you have access to.

Admin
Allows the app to read programs and program controls that the signed-in user has access to in the organization.
.ReadWrite.All 50fd364f-9d93-4ae1-b170-300e87cccf84 Admin User
Allows the app to read, update and perform action on programs and program controls that you have access to.

Admin
Allows the app to read, update, delete and perform actions on programs and program controls that the signed-in user has access to in the organization.

Reports

Roles Id Type Description
.Read.All 02e97553-ed7b-43d0-ab3c-f8bace0d040c Admin User
Allows an app to read all service usage reports on your behalf. Services that provide usage reports include Office 365 and Azure Active Directory.

Admin
Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.

RoleAssignmentSchedule

Roles Id Type Description
.Read.Directory 344a729c-0285-42c6-9014-f12b9b8d6129 Admin User
Allows the app to read the active role-based access control (RBAC) assignments for your company’s directory, on your behalf. This includes reading directory role templates, and directory roles.

Admin
Allows the app to read the active role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles.
.ReadWrite.Directory 8c026be3-8e26-4774-9372-8d5d6f21daff Admin User
Allows the app to read and manage the active role-based access control (RBAC) assignments for your company’s directory, on your behalf. This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships.

Admin
Allows the app to read and manage the active role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes managing active directory role membership, and reading directory role templates, directory roles and active memberships.

RoleEligibilitySchedule

Roles Id Type Description
.Read.Directory eb0788c2-6d4e-4658-8c9e-c0fb8053f03d Admin User
Allows the app to read the eligible role-based access control (RBAC) assignments for your company’s directory, on your behalf. This includes reading directory role templates, and directory roles.

Admin
Allows the app to read the eligible role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes reading directory role templates, and directory roles.
.ReadWrite.Directory 62ade113-f8e0-4bf9-a6ba-5acb31db32fd Admin User
Allows the app to read and manage the eligible role-based access control (RBAC) assignments for your company’s directory, on your behalf. This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships.

Admin
Allows the app to read and manage the eligible role-based access control (RBAC) assignments for your company’s directory, on behalf of the signed-in user. This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships.

RoleManagement

Roles Id Type Description
.Read.All 48fec646-b2ba-4019-8681-8eb31435aded Admin User
Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on your behalf. This includes reading role definitions and role assignments.

Admin
Allows the app to read the role-based access control (RBAC) settings for all RBAC providers, on behalf of the signed-in user. This includes reading role definitions and role assignments.
.Read.CloudPC 9619b88a-8a25-48a7-9571-d23be0337a79 Admin User
Allows the app to read the Cloud PC role-based access control (RBAC) settings, on your behalf. This includes reading Cloud PC role definitions and role assignments.

Admin
Allows the app to read the Cloud PC role-based access control (RBAC) settings, on behalf of the signed-in user. This includes reading Cloud PC role definitions and role assignments.
.Read.Directory 741c54c3-0c1e-44a1-818b-3f97ab4e8c83 Admin User
Allows the app to read the role-based access control (RBAC) settings for your company’s directory, on your behalf. This includes reading directory role templates, directory roles and memberships.

Admin
Allows the app to read the role-based access control (RBAC) settings for your company’s directory, on behalf of the signed-in user. This includes reading directory role templates, directory roles and memberships.
.ReadWrite.CloudPC 501d06f8-07b8-4f18-b5c6-c191a4af7a82 Admin User
Allows the app to read and manage the Cloud PC role-based access control (RBAC) settings, on your behalf. This includes reading and managing Cloud PC role definitions and memberships.

Admin
Allows the app to read and manage the Cloud PC role-based access control (RBAC) settings, on behalf of the signed-in user. This includes reading and managing Cloud PC role definitions and role assignments.
.ReadWrite.Directory d01b97e9-cbc0-49fe-810a-750afd5527a3 Admin User
Allows the app to read and manage the role-based access control (RBAC) settings for your company’s directory, on your behalf. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.

Admin
Allows the app to read and manage the role-based access control (RBAC) settings for your company’s directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.

RoleManagementPolicy

Roles Id Type Description
.Read.Directory 3de2cdbe-0ff5-47d5-bdee-7f45b4749ead Admin User
Allows the app to read policies for privileged role-based access control (RBAC) assignments of your company’s directory, on your behalf.

Admin
Allows the app to read policies for privileged role-based access control (RBAC) assignments of your company’s directory, on behalf of the signed-in user.
.ReadWrite.Directory 1ff1be21-34eb-448c-9ac9-ce1f506b2a68 Admin User
Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company’s directory, on your behalf.

Admin
Allows the app to read, update, and delete policies for privileged role-based access control (RBAC) assignments of your company’s directory, on behalf of the signed-in user.

Schedule

Roles Id Type Description
.Read.All fccf6dd8-5706-49fa-811f-69e2e1b585d0 Admin User
Allows the app to read schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on your behalf.

Admin
Allows the app to read schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on behalf of the signed-in user.
.ReadWrite.All 63f27281-c9d9-4f29-94dd-6942f7f1feb0 Admin User
Allows the app to manage schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on your behalf.

Admin
Allows the app to manage schedule, schedule groups, shifts and associated entities in the Teams or Shifts application on behalf of the signed-in user.

SearchConfiguration

Roles Id Type Description
.Read.All 7d307522-aa38-4cd0-bd60-90c6f0ac50bd Admin User
Allows the app to read search configuration, on your behalf.

Admin
Allows the app to read search configuration, on behalf of the signed-in user.
.ReadWrite.All b1a7d408-cab0-47d2-a2a5-a74a3733600d Admin User
Allows the app to read and write search configuration, on your behalf.

Admin
Allows the app to read and write search configuration, on behalf of the signed-in user.

SecurityActions

Roles Id Type Description
.Read.All 1638cddf-07a4-4de2-8645-69c96cacad73 Admin User
Allows the app to read security actions, on your behalf.

Admin
Allows the app to read security actions, on behalf of the signed-in user.
.ReadWrite.All dc38509c-b87d-4da0-bd92-6bec988bac4a Admin User
Allows the app to read and update security actions, on your behalf.

Admin
Allows the app to read or update security actions, on behalf of the signed-in user.

SecurityAlert

Roles Id Type Description
.Read.All bc257fb8-46b4-4b15-8713-01e91bfbe4ea Admin User
Allows the app to read all security alerts that you have access to.

Admin
Allows the app to read all security alerts, on behalf of the signed-in user.
.ReadWrite.All 471f2a7f-2a42-4d45-a2bf-594d0838070d Admin User
Allows the app to read and write all alerts that you have access to.

Admin
Allows the app to read and write to all security alerts, on behalf of the signed-in user.

SecurityEvents

Roles Id Type Description
.Read.All 64733abd-851e-478a-bffb-e47a14b18235 Admin User
Allows the app to read your organization’s security events on your behalf.

Admin
Allows the app to read your organization’s security events on behalf of the signed-in user.
.ReadWrite.All 6aedf524-7e1c-45a7-bd76-ded8cab8d0fc Admin User
Allows the app to read your organization’s security events on your behalf. Also allows you to update editable properties in security events.

Admin
Allows the app to read your organization’s security events on behalf of the signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in user.

SecurityIncident

Roles Id Type Description
.Read.All b9abcc4f-94fc-4457-9141-d20ce80ec952 Admin User
Allows the app to read all security incidents that you have access to.

Admin
Allows the app to read security incidents, on behalf of the signed-in user.
.ReadWrite.All 128ca929-1a19-45e6-a3b8-435ec44a36ba Admin User
Allows the app to read and write to all security incidents that you have access to.

Admin
Allows the app to read and write security incidents, on behalf of the signed-in user.

ServiceHealth

Roles Id Type Description
.Read.All 55896846-df78-47a7-aa94-8d3d4442ca7f Admin User
Allows the app to read your tenant’s service health information on your behalf. Health information may include service issues or service health overviews.

Admin
Allows the app to read your tenant’s service health information on behalf of the signed-in user. Health information may include service issues or service health overviews.

ServiceMessage

Roles Id Type Description
.Read.All eda39fa6-f8cf-4c3c-a909-432c683e4c9b Admin User
Allows the app to read your tenant’s service announcement messages on your behalf. Messages may include information about new or changed features.

Admin
Allows the app to read your tenant’s service announcement messages on behalf of the signed-in user. Messages may include information about new or changed features.

ServiceMessageViewpoint

Roles Id Type Description
.Write 636e1b0b-1cc2-4b1c-9aa9-4eeed9b9761b Admin User
Allows the app to update service announcement messages’ status on your behalf. Your status for messages can be marked as read, archive, or favorite.

Admin
Allows the app to update service announcement messages’ user status on behalf of the signed-in user. The message status can be marked as read, archive, or favorite.

ServicePrincipalEndpoint

Roles Id Type Description
.Read.All 9f9ce928-e038-4e3b-8faf-7b59049a8ddc Admin User
Allows the app to read service principal endpoints.

Admin
Allows the app to read service principal endpoints.
.ReadWrite.All 7297d82c-9546-4aed-91df-3d4f0a9b3ff0 Admin User
Allows the app to update service principal endpoints.

Admin
Allows the app to update service principal endpoints.

SharePointTenantSettings

Roles Id Type Description
.Read.All 2ef70e10-5bfd-4ede-a5f6-67720500b258 Admin User
Allows the application to read the tenant-level settings in SharePoint and OneDrive on your behalf.

Admin
Allows the application to read the tenant-level settings in SharePoint and OneDrive on behalf of the signed-in user.
.ReadWrite.All aa07f155-3612-49b8-a147-6c590df35536 Admin User
Allows the application to read and change the tenant-level settings of SharePoint and OneDrive on your behalf.

Admin
Allows the application to read and change the tenant-level settings of SharePoint and OneDrive on behalf of the signed-in user.

ShortNotes

Roles Id Type Description
.Read 50f66e47-eb56-45b7-aaa2-75057d9afe08 User User
Allows the app to read your short notes.

Admin
Allows the app to read all the short notes a signed-in user has access to.
.ReadWrite 328438b7-4c01-4c07-a840-e625a749bb89 User User
Allows the app to read, create, edit, and delete your short notes.

Admin
Allows the app to read, create, edit, and delete short notes of a signed-in user.

Sites

Roles Id Type Description
.FullControl.All 5a54b8b3-347c-476d-8f8e-42d5c7424d29 Admin User
Allows the application to have full control of all site collections on your behalf.

Admin
Allows the application to have full control of all site collections on behalf of the signed-in user.
.Manage.All 65e50fdc-43b7-4915-933e-e8138f11f40a User User
Allows the application to create or delete document libraries and lists in all site collections on your behalf.

Admin
Allows the application to create or delete document libraries and lists in all site collections on behalf of the signed-in user.
.Read.All 205e70e5-aba6-4c52-a976-6d2d46c48043 User User
Allows the application to read documents and list items in all site collections on your behalf.

Admin
Allows the application to read documents and list items in all site collections on behalf of the signed-in user.
.ReadWrite.All 89fe6a52-be36-487e-b7d8-d061c450a026 User User
Allows the application to edit or delete documents and list items in all site collections on your behalf.

Admin
Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user.

SMTP

Roles Id Type Description
.Send 258f6531-6087-4cc4-bb90-092c5fb3ed3f User User
Allows the app to send emails on your behalf from your mailbox.

Admin
Allows the app to send emails from the user’s mailbox using the SMTP AUTH client submission protocol.

SubjectRightsRequest

Roles Id Type Description
.Read.All 9c3af74c-fd0f-4db4-b17a-71939e2a9d77 Admin User
Allows the app to read subject rights requests on your behalf.

Admin
Allows the app to read subject rights requests on behalf of the signed-in user.
.ReadWrite.All 2b8fcc74-bce1-4ae3-a0e8-60c53739299d Admin User
Allows the app to read and write subject rights requests on your behalf.

Admin
Allows the app to read and write subject rights requests on behalf of the signed-in user.

Subscription

Roles Id Type Description
.Read.All 5f88184c-80bb-4d52-9ff2-757288b2e9b7 Admin User
Allows the app to read all webhook subscriptions on your behalf.

Admin
Allows the app to read all webhook subscriptions on behalf of the signed-in user.

Tasks

Roles Id Type Description
.Read f45671fb-e0fe-4b4b-be20-3d3ce43f1bcb User User
Allows the app to read your tasks and task lists, including any shared with you. Doesn’t include permission to create, delete, or update anything.

Admin
Allows the app to read the signed-in user’s tasks and task lists, including any shared with the user. Doesn’t include permission to create, delete, or update anything.
.Read.Shared 88d21fd4-8e5a-4c32-b5e2-4a1c95f34f72 User User
Allows the app to read tasks you have permissions to access, including your own and shared tasks.

Admin
Allows the app to read tasks a user has permissions to access, including their own and shared tasks.
.ReadWrite 2219042f-cab5-40cc-b0d2-16b1540b4c5f User User
Allows the app to create, read, update, and delete your tasks and task lists, including any shared with you.

Admin
Allows the app to create, read, update, and delete the signed-in user’s tasks and task lists, including any shared with the user.
.ReadWrite.Shared c5ddf11b-c114-4886-8558-8a4e557cd52b User User
Allows the app to read, update, create, and delete tasks you have permissions to access, including your own and shared tasks.

Admin
Allows the app to create, read, update, and delete tasks a user has permissions to, including their own and shared tasks.

Team

Roles Id Type Description
.Create 7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0 User User
Allows the app to create teams on your behalf.

Admin
Allows the app to create teams on behalf of the signed-in user.
.ReadBasic.All 485be79e-c497-4b35-9400-0e3fa7f2a5d4 User User
Read the names and descriptions of teams, on your behalf.

Admin
Read the names and descriptions of teams, on behalf of the signed-in user.

TeamMember

Roles Id Type Description
.Read.All 2497278c-d82d-46a2-b1ce-39d4cdde5570 Admin User
Read the members of teams, on your behalf.

Admin
Read the members of teams, on behalf of the signed-in user.
.ReadWrite.All 4a06efd2-f825-4e34-813e-82a57b03d1ee Admin User
Add and remove members from teams, on your behalf. Also allows changing a member’s role, for example from owner to non-owner.

Admin
Add and remove members from teams, on behalf of the signed-in user. Also allows changing a member’s role, for example from owner to non-owner.
.ReadWriteNonOwnerRole.All 2104a4db-3a2f-4ea0-9dba-143d457dc666 Admin User
Add and remove members from all teams, on your behalf. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role.

Admin
Add and remove members from all teams, on behalf of the signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role.

TeamsActivity

Roles Id Type Description
.Read 0e755559-83fb-4b44-91d0-4cc721b9323e User User
Allows the app to read your teamwork activity feed.

Admin
Allows the app to read the signed-in user’s teamwork activity feed.
.Send 7ab1d787-bae7-4d5d-8db6-37ea32df9186 User User
Allows the app to create new activities in your teamwork activity feed, and send new activities to other users’ activity feed, on your behalf.

Admin
Allows the app to create new notifications in users’ teamwork activity feeds on behalf of the signed-in user. These notifications may not be discoverable or be held or governed by compliance policies.

TeamsApp

Roles Id Type Description
.Read daef10fc-047a-48b0-b1a5-da4b5e72fabc User User
Allows the app to read the Teams apps that are installed for you. Does not give the ability to read application-specific settings.

Admin
Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings.
.Read.All 9127ba42-f79f-43b1-be80-f23ecd42377e Admin User
Allows the app to read the Teams apps that are installed for you, and in teams you are a member of. Does not give the ability to read application-specific settings.

Admin
Allows the app to read the Teams apps that are installed for the signed-in user, and in all teams the user is a member of. Does not give the ability to read application-specific settings.
.ReadWrite 2a5addc2-4d9e-4d7d-8527-5215aec410f3 User User
Allows the app to read, install, upgrade, and uninstall Teams apps, on your behalf. Does not give the ability to read or write application-specific settings.

Admin
Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user. Does not give the ability to read or write application-specific settings.
.ReadWrite.All d3f0af02-b22d-4778-a433-14f7e3f2e1e2 Admin User
Allows the app to read, install, upgrade, and uninstall Teams apps, on your behalf. Does not give the ability to read or write application-specific settings.

Admin
Allows the app to read, install, upgrade, and uninstall Teams apps, on behalf of the signed-in user and also for teams the user is a member of. Does not give the ability to read or write application-specific settings.

TeamsAppInstallation

Roles Id Type Description
.ReadForChat bf3fbf03-f35f-4e93-963e-47e4d874c37a User User
Allows the app to read the Teams apps that are installed in chats that you can access. Does not give the ability to read application-specific settings.

Admin
Allows the app to read the Teams apps that are installed in chats the signed-in user can access. Does not give the ability to read application-specific settings.
.ReadForTeam 5248dcb1-f83b-4ec3-9f4d-a4428a961a72 Admin User
Allows the app to read the Teams apps that are installed in teams that you can access. Does not give the ability to read application-specific settings.

Admin
Allows the app to read the Teams apps that are installed in teams the signed-in user can access. Does not give the ability to read application-specific settings.
.ReadForUser c395395c-ff9a-4dba-bc1f-8372ba9dca84 User User
Allows the app to read the Teams apps that are installed for you. Does not give the ability to read application-specific settings.

Admin
Allows the app to read the Teams apps that are installed for the signed-in user. Does not give the ability to read application-specific settings.
.ReadWriteForChat aa85bf13-d771-4d5d-a9e6-bca04ce44edf Admin User
Allows the app to read, install, upgrade, and uninstall Teams apps in chats you can access. Does not give the ability to read application-specific settings.

Admin
Allows the app to read, install, upgrade, and uninstall Teams apps in chats the signed-in user can access. Does not give the ability to read application-specific settings.
.ReadWriteForTeam 2e25a044-2580-450d-8859-42eeb6e996c0 Admin User
Allows the app to read, install, upgrade, and uninstall Teams apps in teams you can access. Does not give the ability to read application-specific settings.

Admin
Allows the app to read, install, upgrade, and uninstall Teams apps in teams the signed-in user can access. Does not give the ability to read application-specific settings.
.ReadWriteForUser 093f8818-d05f-49b8-95bc-9d2a73e9a43c Admin User
Allows the app to read, install, upgrade, and uninstall Teams apps installed for you. Does not give the ability to read application-specific settings.

Admin
Allows the app to read, install, upgrade, and uninstall Teams apps installed for the signed-in user. Does not give the ability to read application-specific settings.
.ReadWriteSelfForChat 0ce33576-30e8-43b7-99e5-62f8569a4002 Admin User
Allows a Teams app to read, install, upgrade, and uninstall itself in chats you can access.

Admin
Allows a Teams app to read, install, upgrade, and uninstall itself in chats the signed-in user can access.
.ReadWriteSelfForTeam 0f4595f7-64b1-4e13-81bc-11a249df07a9 Admin User
Allows a Teams app to read, install, upgrade, and uninstall itself to teams you can access.

Admin
Allows a Teams app to read, install, upgrade, and uninstall itself to teams the signed-in user can access.
.ReadWriteSelfForUser 207e0cb1-3ce7-4922-b991-5a760c346ebc User User
Allows a Teams app to read, install, upgrade, and uninstall itself for you.

Admin
Allows a Teams app to read, install, upgrade, and uninstall itself for the signed-in user.

TeamSettings

Roles Id Type Description
.Read.All 48638b3c-ad68-4383-8ac4-e6880ee6ca57 Admin User
Read all teams’ settings, on your behalf.

Admin
Read all teams’ settings, on behalf of the signed-in user.
.ReadWrite.All 39d65650-9d3e-4223-80db-a335590d027e Admin User
Read and change all teams’ settings, on your behalf.

Admin
Read and change all teams’ settings, on behalf of the signed-in user.

TeamsTab

Roles Id Type Description
.Create a9ff19c2-f369-4a95-9a25-ba9d460efc8e Admin User
Allows the app to create tabs in any team in Microsoft Teams, on your behalf. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs.

Admin
Allows the app to create tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs.
.Read.All 59dacb05-e88d-4c13-a684-59f1afc8cc98 Admin User
Read the names and settings of tabs inside any team in Microsoft Teams, on your behalf. This does not give access to the content inside the tabs.

Admin
Read the names and settings of tabs inside any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs.
.ReadWrite.All b98bfd41-87c6-45cc-b104-e2de4f0dafb9 Admin User
Read and write tabs in any team in Microsoft Teams, on your behalf. This does not give access to the content inside the tabs.

Admin
Read and write tabs in any team in Microsoft Teams, on behalf of the signed-in user. This does not give access to the content inside the tabs.
.ReadWriteForChat ee928332-e9c2-4747-b4a0-f8c164b68de6 Admin User
Allows a Teams app to read, install, upgrade, and uninstall all tabs in chats you can access.

Admin
Allows a Teams app to read, install, upgrade, and uninstall all tabs in chats the signed-in user can access.
.ReadWriteForTeam c975dd04-a06e-4fbb-9704-62daad77bb49 Admin User
Allows a Teams app to read, install, upgrade, and uninstall all tabs to teams you can access.

Admin
Allows a Teams app to read, install, upgrade, and uninstall all tabs to teams the signed-in user can access.
.ReadWriteForUser c37c9b61-7762-4bff-a156-afc0005847a0 User User
Allows a Teams app to read, install, upgrade, and uninstall all tabs for you.

Admin
Allows a Teams app to read, install, upgrade, and uninstall all tabs for the signed-in user.
.ReadWriteSelfForChat 0c219d04-3abf-47f7-912d-5cca239e90e6 Admin User
Allows a Teams app to read, install, upgrade, and uninstall its own tabs in chats you can access.

Admin
Allows a Teams app to read, install, upgrade, and uninstall its own tabs in chats the signed-in user can access.
.ReadWriteSelfForTeam f266662f-120a-4314-b26a-99b08617c7ef Admin User
Allows a Teams app to read, install, upgrade, and uninstall its own tabs to teams you can access.

Admin
Allows a Teams app to read, install, upgrade, and uninstall its own tabs to teams the signed-in user can access.
.ReadWriteSelfForUser 395dfec1-a0b9-465f-a783-8250a430cb8c User User
Allows a Teams app to read, install, upgrade, and uninstall its own tabs for you.

Admin
Allows a Teams app to read, install, upgrade, and uninstall its own tabs for the signed-in user.

TeamworkDevice

Roles Id Type Description
.Read.All b659488b-9d28-4208-b2be-1c6652b3c970 Admin User
Allow the app to read the management data for Teams devices on your behalf.

Admin
Allow the app to read the management data for Teams devices on behalf of the signed-in user.
.ReadWrite.All ddd97ecb-5c31-43db-a235-0ee20e635c40 Admin User
Allow the app to read and write the management data for Teams devices on your behalf.

Admin
Allow the app to read and write the management data for Teams devices on behalf of the signed-in user.

TeamworkTag

Roles Id Type Description
.Read 57587d0b-8399-45be-b207-8050cec54575 Admin User
Allows the app to read tags in Teams, on your behalf.

Admin
Allows the app to read tags in Teams, on behalf of the signed-in user.
.ReadWrite 539dabd7-b5b6-4117-b164-d60cd15a8671 Admin User
Allows the app to read and write tags in Teams, on your behalf.

Admin
Allows the app to read and write tags in Teams, on behalf of the signed-in user.

TermStore

Roles Id Type Description
.Read.All 297f747b-0005-475b-8fef-c890f5152b38 Admin User
Allows the app to read the term store data that you have access to. This includes all sets, groups and terms in the term store.

Admin
Allows the app to read the term store data that the signed-in user has access to. This includes all sets, groups and terms in the term store.
.ReadWrite.All 6c37c71d-f50f-4bff-8fd3-8a41da390140 Admin User
Allows the app to read or modify data that you have access to. This includes all sets, groups and terms in the term store.

Admin
Allows the app to read or modify data that the signed-in user has access to. This includes all sets, groups and terms in the term store.

ThreatAssessment

Roles Id Type Description
.ReadWrite.All cac97e40-6730-457d-ad8d-4852fddab7ad Admin User
Allows an app to read your organization’s threat assessment requests on your behalf. Also allows the app to create new requests to assess threats received by your organization on your behalf.

Admin
Allows an app to read your organization’s threat assessment requests on behalf of the signed-in user. Also allows the app to create new requests to assess threats received by your organization on behalf of the signed-in user.

ThreatHunting

Roles Id Type Description
.Read.All b152eca8-ea73-4a48-8c98-1a6742673d99 Admin User
Allows the app to run hunting queries that you can execute.

Admin
Allows the app to run hunting queries, on behalf of the signed-in user.

ThreatIndicators

Roles Id Type Description
.Read.All 9cc427b4-2004-41c5-aa22-757b755e9796 Admin User
Allows the app to read all the indicators for your organization, on your behalf.

Admin
Allows the app to read all the indicators for your organization, on behalf of the signed-in user.
.ReadWrite.OwnedBy 91e7d36d-022a-490f-a748-f8e011357b42 Admin User
Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), on your behalf. It cannot update any threat indicators that it is not an owner of.

Admin
Allows the app to create threat indicators, and fully manage those threat indicators (read, update and delete), on behalf of the signed-in user. It cannot update any threat indicators it does not own.

TrustFrameworkKeySet

Roles Id Type Description
.Read.All 7ad34336-f5b1-44ce-8682-31d7dfcd9ab9 Admin User
Allows the app to read trust framework key sets, on your behalf.

Admin
Allows the app to read trust framework key set properties on behalf of the signed-in user.
.ReadWrite.All 39244520-1e7d-4b4a-aee0-57c65826e427 Admin User
Allows the app to read or write trust framework key sets, on your behalf.

Admin
Allows the app to read and write trust framework key set properties on behalf of the signed-in user.

UnifiedGroupMember

Roles Id Type Description
.Read.AsGuest 73e75199-7c3e-41bb-9357-167164dbb415 Admin User
Allows the app to read basic unified group properties, memberships and owners of the group you are a member of.

Admin
Allows the app to read basic unified group properties, memberships and owners of the group the signed-in guest is a member of.

User

Roles Id Type Description
.Export.All 405a51b5-8d8d-430b-9842-8be4b0e9f324 Admin User
Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator).

Admin
Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator).
.Invite.All 63dd7cd9-b489-4adf-a28c-ac38b9a0f962 Admin User
Allows the app to invite guest users to the organization, on your behalf.

Admin
Allows the app to invite guest users to the organization, on behalf of the signed-in user.
.ManageIdentities.All 637d7bec-b31e-4deb-acc9-24275642a2c9 Admin User
Allows the app to read, update and delete identities that are associated with a user’s account that you have access to. This controls the identities users can sign-in with.

Admin
Allows the app to read, update and delete identities that are associated with a user’s account that the signed-in user has access to. This controls the identities users can sign-in with.
.Read e1fe6dd8-ba31-4d61-89e7-88639da4683d User User
Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information.

Admin
Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
.Read.All a154be20-db9c-4678-8ab7-66f6cc099a59 Admin User
Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf.

Admin
Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
.ReadBasic.All b340eb25-3456-403f-be2f-af7a0d370277 User User
Allows the app to read a basic set of profile properties of other users in your organization on your behalf. Includes display name, first and last name, email address and photo.

Admin
Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo.
.ReadWrite b4e74841-8e56-480b-be8b-910348b18b4c User User
Allows the app to read your profile, and discover your group membership, reports and manager. It also allows the app to update your profile information on your behalf.

Admin
Allows the app to read your profile. It also allows the app to update your profile information on your behalf.
.ReadWrite.All 204e0828-b5ca-4ad8-b9f3-f32a958e7cc4 Admin User
Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf.

Admin
Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.

UserActivity

Roles Id Type Description
.ReadWrite.CreatedByApp 47607519-5fb1-47d9-99c7-da4b48f369b1 User User
Allows the app to read and report your activity in the app.

Admin
Allows the app to read and report the signed-in user’s activity in the app.

UserAuthenticationMethod

Roles Id Type Description
.Read 1f6b61c5-2f65-4135-9c9f-31c0f8d32b52 Admin User
Allows the app to read your authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like your passwords, or to sign-in or otherwise use your authentication methods.

Admin
Allows the app to read the signed-in user’s authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user’s passwords, or to sign-in or otherwise use the signed-in user’s authentication methods.
.Read.All aec28ec7-4d02-4e8c-b864-50163aea77eb Admin User
Allows the app to read authentication methods of all users you have access to in your organization. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.

Admin
Allows the app to read authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.
.ReadWrite 48971fc1-70d7-4245-af77-0beb29b53ee2 Admin User
Allows the app to read and write your authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like your passwords, or to sign-in or otherwise use your authentication methods.

Admin
Allows the app to read and write the signed-in user’s authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like the signed-in user’s passwords, or to sign-in or otherwise use the signed-in user’s authentication methods.
.ReadWrite.All b7887744-6746-4312-813d-72daeaee7e2d Admin User
Allows the app to read and write authentication methods of all users you have access to in your organization. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.

Admin
Allows the app to read and write authentication methods of all users in your organization that the signed-in user has access to. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.

UserNotification

Roles Id Type Description
.ReadWrite.CreatedByApp 26e2f3e8-b2a1-47fc-9620-89bb5b042024 User User
Allows the app to send, read, update and delete your app-specific notifications.

Admin
Allows the app to send, read, update and delete users’ notifications.

UserTimelineActivity

Roles Id Type Description
.Write.CreatedByApp 367492fc-594d-4972-a9b5-0d58c622c91c User User
Allows the app to report your app activity information to Microsoft Timeline.

Admin
Allows the app to report the signed-in user’s app activity information to Microsoft Timeline.

WindowsUpdates

Roles Id Type Description
.ReadWrite.All 11776c0c-6138-4db3-a668-ee621bea2555 Admin User
Allows the app to read and write all Windows update deployment settings for the organization on your behalf.

Admin
Allows the app to read and write all Windows update deployment settings for the organization on behalf of the signed-in user.

WorkforceIntegration

Roles Id Type Description
.Read.All f1ccd5a7-6383-466a-8db8-1a656f7d06fa Admin User
Allows the app to read workforce integrations, to synchronize data from Microsoft Teams Shifts, on your behalf.

Admin
Allows the app to read workforce integrations, to synchronize data from Microsoft Teams Shifts, on behalf of the signed-in user.
.ReadWrite.All 08c4b377-0d23-4a8b-be2a-23c1c1d88545 Admin User
Allows the app to manage workforce integrations, to synchronize data from Microsoft Teams Shifts, on your behalf.

Admin
Allows the app to manage workforce integrations, to synchronize data from Microsoft Teams Shifts, on behalf of the signed-in user.

Code

using namespace System.Collections.Generic
$ErrorActionPreference = 'stop'

# Sign in with the Azure CLI and fetch the Microsoft Graph service principal,
# which carries the delegated (OAuth 2) permission definitions.
az login --allow-no-subscriptions
$microsoftGraph = az ad sp list --query "[?appDisplayName=='Microsoft Graph']" --all | ConvertFrom-Json

# Group the permissions by resource name: the part of the value before the first '.'.
$apps = [Dictionary[String, [List[Object]]]]::new()

$microsoftGraph.oauth2permissions | Sort-Object Value | ForEach-Object {
    $appName = $_.value.Split('.')[0]
    if ($apps.ContainsKey($appName)) {
        $apps[$appName].Add($_)
    } else {
        $roleList = [List[Object]]::new()
        $roleList.Add($_)
        $apps.Add($appName, $roleList)
    }
}

# Emit one Markdown section and table per resource.
$output = [System.Text.StringBuilder]::new()
foreach ($appName in $apps.Keys) {
    $output.AppendLine("### $appName") | Out-Null
    $output.AppendLine() | Out-Null
    $roles = $apps[$appName]
    $output.AppendLine("| Roles | Id | Type | Description |") | Out-Null
    $output.AppendLine("|-------|------|----|-------------|") | Out-Null
    $roles | ForEach-Object {
        # Show only the suffix after the resource name, e.g. '.Read.All'.
        $role = $_.value
        if ($_.value.indexOf('.') -ne -1 ) {
            $role = $_.value.Substring($_.value.indexOf('.'), $_.value.length - $_.value.indexOf('.'))
        }
        # The Description cell holds both the user and the admin consent text.
        $row = "| $role | $($_.id) | $($_.type) | **User** <br />$($_.userConsentDescription) <br /><br />**Admin** <br />$($_.adminConsentDescription)  |"
        $output.AppendLine($row) | Out-Null
    }
    $output.AppendLine() | Out-Null

}
$output.ToString()