Comments on: How to Figure Out What Microsoft Graph Permissions You Need

By: Tony Redmond

Tony Redmond — Wed, 22 Nov 2023 13:29:27 +0000

Does this help? https://office365itpros.com/2023/11/22/enterprise-app-assignments/

By: Tony Redmond

Tony Redmond — Wed, 15 Nov 2023 10:05:24 +0000

In reply to Paul Carter. You're looking at the service principals for the enterprise apps - correct? If so, you should find assignments for the SPs that contain the names of the assignees.

By: Paul Carter

Paul Carter — Tue, 14 Nov 2023 22:34:39 +0000

Hello Tony & Community,

I am trying to execute Microsoft Graph that it can grab all my Enterprise Applications in my tenancy and export to CSV the application name and user and groups assigned to the groups.

I am struggling to find how to grab the user and groups properties within Enterprise Applications.

By: Tony Redmond

Tony Redmond — Thu, 19 Oct 2023 17:27:52 +0000

In reply to SP.

This is what the Microsoft app governance solution does: https://office365itpros.com/2021/07/21/microsoft-preview-app-governance/

You could do something like this https://office365itpros.com/2023/06/14/app-governance-license/ too…

By: SP

SP — Thu, 19 Oct 2023 10:34:33 +0000

Hey Tony,
Do we have any enpoint where we can get all the apps which are having specific graph permisisons or a UI – like if we want to know if the app is having a mail.read or MailboxSettings.ReadWrite permissions. It would be good to have a central view. What I am getting is service principal and oauth permissions but the graph permission , application or delegated permissions an application is having.

By: Tony Redmond

Tony Redmond — Tue, 03 Oct 2023 22:12:34 +0000

In reply to Mathijs.

Admin accounts mean nothing for Graph permissions. What counts is the permissions consented to for the service principal of the app, in this case the Graph Explorer.

See https://learn.microsoft.com/en-us/graph/graph-explorer/graph-explorer-features

By: Mathijs

Mathijs — Tue, 03 Oct 2023 19:13:30 +0000

Dear Tony,

Thanks for explaining however I still have a question, when i have for example the graph explorer and I consent permissions with my admin account for example:
RoleManagement.ReadWrite.Directory & Directory.ReadWrite.All

After this I should be able to execute:

https://graph.microsoft.com/v1.0/directoryRoles/xxx/members/$ref

{
“@odata.id”: “https://graph.microsoft.com/v1.0/users/xxx”
}

However, this gives me the following warning:

{
“error”: {
“code”: “Authorization_RequestDenied”,
“message”: “Insufficient privileges to complete the operation.”,
“innerError”: {
“date”: “2023-10-03T19:02:59”,
“request-id”: “f7269107-4ffa-4284-8422-d998242c0be1”,
“client-request-id”: “8043f372-e76f-6678-caf0-72068806849f”
}
}
}

If I request those specific rights as the user and approve them from within the window of the user it does work. But why does it not work using the admin consent?

By: Giusseppe

Giusseppe — Wed, 30 Aug 2023 14:41:43 +0000

In reply to Tony Redmond. Thank you! That response was freakishly fast.

By: Tony Redmond

Tony Redmond — Wed, 30 Aug 2023 13:21:19 +0000

In reply to Giusseppe. There is no concept of "entire tenant." You decide what types of data you need to interact with and look for the Graph permission which supports access to that data. Delegate permissions support access to data available to the signed-in user while application permissions support access to all data of a specific type.

By: Giusseppe

Giusseppe — Wed, 30 Aug 2023 13:19:20 +0000

I am struggling trying to figure out what permissions to grant myself if I need read access to the entire tenant.
Would you happen to know this?
Thank you!