Permissions differences between Azure AD Graph and Microsoft Graph
Article 01/19/2024
This article is part of step 1, review API differences, of the process to migrate apps.
The least privileged permission for a specific scenario might be different between Azure AD Graph and Microsoft Graph. When migrating your apps to call Microsoft Graph, analyze whether you also need to migrate to more narrowly scoped Microsoft Graph permissions to maintain least privilege.
For example, on Azure AD Graph, reading users in app-only scenarios requires the Directory.Read.All permission. This permission also allows your app to read all the groups, apps, and some policies in your tenant. However, on Microsoft Graph, reading users in app-only scenarios requires only the User.Read.All permission.
While the permission strings might be the same in both Azure AD Graph and Microsoft Graph, they have different identifiers. However, similar to Azure AD Graph, Microsoft Graph also exposes both application and delegated permissions. Administrator consent is always required for application permissions.
This article provides a mapping of Azure AD Graph permissions to Microsoft Graph permissions to help you migrate your apps.
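As an added example (not code from the article or from Microsoft), the function below rewrites the requiredResourceAccess section of an app registration manifest from Azure AD Graph to Microsoft Graph using permission IDs taken from the mapping tables in this article, and optionally narrows app-only Directory.Read.All to User.Read.All for the read-users scenario described above. The two resource app IDs, the manifest shape and the sample input are assumptions; the mapping covers only a subset of the tables.

```python
"""Rewrite requiredResourceAccess from Azure AD Graph to Microsoft Graph (IDs from this article)."""
# Well-known resource app IDs of the two APIs (assumed here; not stated in the article).
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"
MS_GRAPH = "00000003-0000-0000-c000-000000000000"

# (Azure AD Graph permission ID, type) -> (name, Microsoft Graph permission ID).
# Subset of the article's tables. "Scope" = delegated, "Role" = application; the type is
# part of the key because Directory.* use one Azure AD Graph ID for both types.
MAPPING = {
    ("5778995a-e1bf-45b8-affa-663a9f3f4d04", "Scope"): ("Directory.Read.All", "06da0dbc-49e2-44d2-8312-53f166ab848a"),
    ("5778995a-e1bf-45b8-affa-663a9f3f4d04", "Role"): ("Directory.Read.All", "7ab1d382-f21e-4acd-a863-ba3e13f7da61"),
    ("78c8a3c8-a07e-4b9e-af1b-b5ccab50a175", "Role"): ("Directory.ReadWrite.All", "19dbc75e-c2e2-444c-a770-ec69d8559fc7"),
    ("311a71cc-e848-46a1-bdf8-97ff7156d8e6", "Scope"): ("User.Read", "e1fe6dd8-ba31-4d61-89e7-88639da4683d"),
    ("c582532d-9d9e-43bd-a97c-2667a28ce295", "Scope"): ("User.Read.All", "a154be20-db9c-4678-8ab7-66f6cc099a59"),
}
# The narrower app-only permission the article recommends when the app only reads users.
USER_READ_ALL_ROLE = ("User.Read.All", "df021288-bdef-4463-88db-98f22de89214")

# Constructed sample manifest fragment: an app-only user reader still on Azure AD Graph.
SAMPLE = [{"resourceAppId": AAD_GRAPH, "resourceAccess": [
    {"id": "5778995a-e1bf-45b8-affa-663a9f3f4d04", "type": "Role"},
    {"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope"},
    {"id": "00000000-0000-0000-0000-000000000000", "type": "Scope"},  # placeholder, unmapped
]}]

def migrate(required_resource_access, reads_users_only=False):
    """Return (migrated requiredResourceAccess, notes); unmapped Azure AD Graph grants are dropped and noted."""
    migrated, notes, ms_access = [], [], {}          # ms_access dedupes grants by (id, type)
    for resource in required_resource_access:
        app_id = resource["resourceAppId"]
        if app_id not in (AAD_GRAPH, MS_GRAPH):
            migrated.append(resource)                 # other APIs are left untouched
            continue
        for access in resource["resourceAccess"]:
            key = (access["id"], access["type"])
            if app_id == MS_GRAPH:                    # keep grants already on Microsoft Graph
                ms_access[key] = {"id": access["id"], "type": access["type"]}
                continue
            if key not in MAPPING:
                notes.append(f"unmapped Azure AD Graph permission {key[0]} ({key[1]}): review manually")
                continue
            name, new_id = MAPPING[key]
            if reads_users_only and key[1] == "Role" and name == "Directory.Read.All":
                name, new_id = USER_READ_ALL_ROLE     # least privilege for app-only user reads
                notes.append("narrowed Directory.Read.All (Role) to User.Read.All")
            ms_access[(new_id, key[1])] = {"id": new_id, "type": key[1]}
    if ms_access:
        migrated.append({"resourceAppId": MS_GRAPH, "resourceAccess": list(ms_access.values())})
    return migrated, notes
```

Review the notes before submitting the manifest: a permission that has no mapping on this page needs a manual decision rather than a silent drop.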
Application.Read.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | Not available | c79f8feb-a9db-4090-85f9-90d820caa0eb |
| Display String | Not available | Read applications |
| Admin consent required? | Not available | Yes |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 3afa6a7d-9b1a-42eb-948e-1650a849e176 | 9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30 |
| Display String | Read all applications | Read all applications |
Application.ReadWrite.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | Not available | bdfbf15f-ee85-4955-8675-146e8e5296b5 |
| Display String | Not available | Read and write all applications |
| Admin consent required? | Not available | Yes |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 1cda74f2-2616-4834-b122-5cb1b07f8a59 | 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 |
| Display String | Read and write all applications | Read all applications |
Application.ReadWrite.OwnedBy

Delegated

Not applicable.

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 1cda74f2-2616-4834-b122-5cb1b07f8a59 | 18a4783c-866b-4cc7-a460-3d5e5662c884 |
| Display String | Manage apps that this app creates or owns | Manage apps that this app creates or owns |
Device.ReadWrite.All

Delegated

Not applicable.

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 1138cb37-bd11-4084-a2b7-9f71582aeddb | 1138cb37-bd11-4084-a2b7-9f71582aeddb |
| Display String | Read and write devices | Read and write devices |
Directory.Read.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 5778995a-e1bf-45b8-affa-663a9f3f4d04 | 06da0dbc-49e2-44d2-8312-53f166ab848a |
| Display String | Read directory data | Read directory data |
| Admin consent required? | Yes | Yes |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 5778995a-e1bf-45b8-affa-663a9f3f4d04 | 7ab1d382-f21e-4acd-a863-ba3e13f7da61 |
| Display String | Read directory data | Read directory data |
Directory.ReadWrite.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 78c8a3c8-a07e-4b9e-af1b-b5ccab50a175 | c5366453-9fb0-48a5-a156-24f0c49a4b84 |
| Display String | Read and write directory data | Read and write directory data |
| Admin consent required? | Yes | Yes |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 78c8a3c8-a07e-4b9e-af1b-b5ccab50a175 | 19dbc75e-c2e2-444c-a770-ec69d8559fc7 |
| Display String | Read and write directory data | Read and write directory data |
Directory.AccessAsUser.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | a42657d6-7f20-40e3-b6f0-cee03008a62a | 0e263e50-5827-48a4-b97c-d940288653c7 |
| Display String | Access the directory as the signed-in user | Access the directory as the signed-in user |
| Admin consent required? | Yes | Yes |

Application

Not applicable.
Domain.ReadWrite.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | Not available | Read and write domains |
| Display String | Not available | Read and write domains |
| Admin consent required? | Not available | Yes |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | abefe9df-d5a9-41c6-a60b-27b38eac3efb | 7e05723c-0bb0-42da-be95-ae9f08a6e53c |
| Display String | Read and write domains | Read and write domains |
Group.Read.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 6234d376-f627-4f0f-90e0-dff25c5211a3 | 5f8c59db-677d-491f-a6b8-5f174b11ec1d |
| Display String | Read all groups | Read all groups |
| Admin consent required? | Yes | Yes |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | Not available | 5b567255-7703-4780-807c-7be8301ae99b |
| Display String | Not available | Read all groups |
Group.ReadWrite.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 970d6fa6-214a-4a9b-8513-08fad511e2fd | 4e46008b-f24c-477d-8fff-7bb4ec7aafe0 |
| Display String | Read and write all groups | Read and write all groups |
| Admin consent required? | Yes | Yes |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | Not available | 62a82d76-70ea-41e2-9197-370581804d09 |
| Display String | Not available | Read and write all groups |
Member.Read.Hidden

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 2d05a661-f651-4d57-a595-489c91eda336 | f6a3db3e-f7e8-4ed2-a414-557c8c9830be |
| Display String | Read hidden memberships | Read hidden memberships |
| Admin consent required? | Yes | Yes |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 9728c0c4-a06b-4e0e-8d1b-3d694e8ec207 | 658aa5d8-239f-45c4-aa12-864f4fc7e490 |
| Display String | Read all hidden memberships | Read all hidden memberships |
Policy.Read.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | Not available | 572fea84-0151-49b2-9301-11cb16974376 |
| Display String | Not available | Read your organization's policies |
| Admin consent required? | Not available | Yes |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 6c2d1b1d-a490-4178-ba6b-7efceda9129b | 246dd0d5-5bd0-4def-940b-0421030a5b68 |
| Display String | Read your organization's policies | Read your organization's policies |
User.Read

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | 311a71cc-e848-46a1-bdf8-97ff7156d8e6 | e1fe6dd8-ba31-4d61-89e7-88639da4683d |
| Display String | Sign in and read user profile | Sign in and read user profile |
| Admin consent required? | No | No |

Application

Not applicable.
User.ReadBasic.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | cba73afc-7f69-4d86-8450-4978e04ecd1a | b340eb25-3456-403f-be2f-af7a0d370277 |
| Display String | Read all users' basic profiles | Read all users' basic profiles |
| Admin consent required? | No | No |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | Not available | 97235f07-e226-4f63-ace3-39588e11d3a1 |
| Display String | Not available | Read all users' basic profiles |
User.Read.All

Delegated

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | c582532d-9d9e-43bd-a97c-2667a28ce295 | a154be20-db9c-4678-8ab7-66f6cc099a59 |
| Display String | Read all users' full profiles | Read all users' full profiles |
| Admin consent required? | Yes | Yes |

Application

| Parameter | Azure AD Graph | Microsoft Graph |
|---|---|---|
| Permission ID | Not available | df021288-bdef-4463-88db-98f22de89214 |
| Display String | Not available | Read all users' full profiles |
Next step