Comments on: How to Figure Out What Microsoft Graph Permissions You Need
https://practical365.com/microsoft-graph-api-permission/
Practical Office 365 News, Tips, and Tutorials
Wed, 22 Nov 2023 13:29:27 +0000

By: Tony Redmond https://practical365.com/microsoft-graph-api-permission/#comment-281736 Wed, 22 Nov 2023 13:29:27 +0000 In reply to Paul Carter.

Does this help? https://office365itpros.com/2023/11/22/enterprise-app-assignments/

By: Tony Redmond https://practical365.com/microsoft-graph-api-permission/#comment-280822 Wed, 15 Nov 2023 10:05:24 +0000 In reply to Paul Carter.

You’re looking at the service principals for the enterprise apps – correct? If so, you should find assignments for the SPs that contain the names of the assignees.

By: Paul Carter https://practical365.com/microsoft-graph-api-permission/#comment-280778 Tue, 14 Nov 2023 22:34:39 +0000

Hello Tony & Community,

I am trying to execute Microsoft Graph so that it can grab all the Enterprise Applications in my tenancy and export to CSV the application name and the users and groups assigned to the groups.

I am struggling to find how to grab the user and groups properties within Enterprise Applications.

By: Tony Redmond https://practical365.com/microsoft-graph-api-permission/#comment-278003 Thu, 19 Oct 2023 17:27:52 +0000 In reply to SP.

This is what the Microsoft app governance solution does: https://office365itpros.com/2021/07/21/microsoft-preview-app-governance/

You could do something like this https://office365itpros.com/2023/06/14/app-governance-license/ too…

By: SP https://practical365.com/microsoft-graph-api-permission/#comment-277951 Thu, 19 Oct 2023 10:34:33 +0000

Hey Tony,
Do we have any endpoint where we can get all the apps which are having specific Graph permissions, or a UI – like if we want to know if the app is having a mail.read or MailboxSettings.ReadWrite permissions? It would be good to have a central view. What I am getting is service principal and OAuth permissions but the Graph permission, application or delegated permissions an application is having.

By: Tony Redmond https://practical365.com/microsoft-graph-api-permission/#comment-276397 Tue, 03 Oct 2023 22:12:34 +0000 In reply to Mathijs.

Admin accounts mean nothing for Graph permissions. What counts is the permissions consented to for the service principal of the app, in this case the Graph Explorer.

See https://learn.microsoft.com/en-us/graph/graph-explorer/graph-explorer-features

By: Mathijs https://practical365.com/microsoft-graph-api-permission/#comment-276384 Tue, 03 Oct 2023 19:13:30 +0000

Dear Tony,

Thanks for explaining; however, I still have a question. When I have, for example, the Graph Explorer and I consent permissions with my admin account, for example:
RoleManagement.ReadWrite.Directory & Directory.ReadWrite.All

After this I should be able to execute:

https://graph.microsoft.com/v1.0/directoryRoles/xxx/members/$ref

{
  "@odata.id": "https://graph.microsoft.com/v1.0/users/xxx"
}

However, this gives me the following warning:

{
  "error": {
    "code": "Authorization_RequestDenied",
    "message": "Insufficient privileges to complete the operation.",
    "innerError": {
      "date": "2023-10-03T19:02:59",
      "request-id": "f7269107-4ffa-4284-8422-d998242c0be1",
      "client-request-id": "8043f372-e76f-6678-caf0-72068806849f"
    }
  }
}

If I request those specific rights as the user and approve them from within the window of the user it does work. But why does it not work using the admin consent?

By: Giusseppe https://practical365.com/microsoft-graph-api-permission/#comment-273223 Wed, 30 Aug 2023 14:41:43 +0000 In reply to Tony Redmond.

Thank you!
That response was freakishly fast.

By: Tony Redmond https://practical365.com/microsoft-graph-api-permission/#comment-273213 Wed, 30 Aug 2023 13:21:19 +0000 In reply to Giusseppe.

There is no concept of “entire tenant.” You decide what types of data you need to interact with and look for the Graph permission which supports access to that data. Delegate permissions support access to data available to the signed-in user while application permissions support access to all data of a specific type.

By: Giusseppe https://practical365.com/microsoft-graph-api-permission/#comment-273211 Wed, 30 Aug 2023 13:19:20 +0000

I am struggling trying to figure out what permissions to grant myself if I need read access to the entire tenant.
Would you happen to know this?
Thank you!
