Microsoft Entra ID (formerly Azure AD) - Microsoft Graph API permission
General
All permissions need admin consent and must be added as Application permissions. Delegated permissions will not work: User Sync authenticates with the client credentials flow, and that flow only carries application permissions. Microsoft describes the constraint as follows:
When authenticating as an application (as opposed to with a user), you can’t use delegated permissions - scopes that are granted by a user. You must use application permissions, also known as roles, that are granted by an admin for the application or via pre-authorization by the web API.
Is there a working alternative to Directory.Read.All (MS Graph API Permission)?
Yes, the minimum requirement to make User Sync work is Group.Read.All and User.Read.All. Please keep in mind that the setup suggested in the setup guides ensures that all features and future additions to User Sync will work without customers having to change their Azure configuration.
In future versions, new features may not work because they may require additional API permissions. Please check our documentation / release notes for further details.
Can I use GroupMember.Read.All instead of Group.Read.All?
Instead of Group.Read.All, some customers use GroupMember.Read.All. Based on the Microsoft documentation, the two application permissions differ as follows:

| Group.Read.All | GroupMember.Read.All |
|---|---|
| Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. | Allows the app to read memberships and basic group properties for all groups without a signed-in user. |
However, new features may not work in future versions because they may require additional API permissions. Please check our documentation/release notes for further details.
How can I sync Groups with the attribute HiddenGroupMembership enabled?
Please add the application permission Member.Read.Hidden to your User Sync app registration in Azure and grant admin consent. This permission lets User Sync find groups with hidden membership and fetch their members.
Known Limitations
Profile picture sync only works if Directory.Read.All and User.Read.All are granted.
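The practical check behind all of the answers above is the access token itself: a client credentials token carries application permissions in its roles claim, while a delegated token carries scopes in scp and will fail User Sync regardless of what was consented. The following is an added example, not code from the User Sync project or from Microsoft: it builds the client credentials request (the v2.0 token endpoint requires the scope https://graph.microsoft.com/.default for application permissions), decodes the token payload without signature verification, and reports which permissions are missing for basic sync (accepting GroupMember.Read.All in place of Group.Read.All), for groups with hidden membership (Member.Read.Hidden) and for profile pictures (Directory.Read.All plus User.Read.All). The feature-to-permission mapping and the sample tokens are constructed for this example; the tenant and client identifiers are placeholders.

```python
"""Decode a Microsoft Graph access token and check that it carries the
application permissions ('roles' claim) that User Sync needs.

Added example, not part of the User Sync project. The tokens used below
are constructed and unsigned (alg "none") so the check runs offline.
"""
import base64
import json

GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Feature -> list of acceptable permission sets (any one set is enough).
# Constructed from the FAQ answers; "basic_sync" accepts GroupMember.Read.All
# as the alternative to Group.Read.All.
REQUIRED_ROLES = {
    "basic_sync": [
        {"Group.Read.All", "User.Read.All"},
        {"GroupMember.Read.All", "User.Read.All"},
    ],
    "hidden_membership": [{"Member.Read.Hidden"}],
    "profile_picture": [{"Directory.Read.All", "User.Read.All"}],
}


def client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth 2.0 client credentials grant.

    Application permissions are requested with the '/.default' scope.
    Requesting individual scopes is the delegated pattern and would not
    produce a 'roles' claim.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }
    return url, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Adequate for inspecting a token you just received from the token endpoint
    over TLS; it is not an authorization check for a token someone presents.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(_b64url_decode(parts[1]))


def missing_permissions(payload, features):
    """Return {feature: sorted list of missing roles} for unmet features.

    A token with an 'scp' claim or without 'roles' is a delegated (or
    otherwise unusable) token, so every requested feature is reported.
    """
    if "scp" in payload or "roles" not in payload:
        return {f: sorted(REQUIRED_ROLES[f][0]) for f in features}
    granted = set(payload["roles"])
    missing = {}
    for feature in features:
        options = REQUIRED_ROLES[feature]
        if any(option <= granted for option in options):
            continue
        # Report the option closest to being satisfied.
        best = min(options, key=lambda option: len(option - granted))
        missing[feature] = sorted(best - granted)
    return missing


def make_unsigned_token(payload):
    """Build a constructed, unsigned JWT (alg "none") for offline testing."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}."


if __name__ == "__main__":
    url, body = client_credentials_request("<tenant-id>", "<client-id>", "<secret>")
    print("POST", url, body["scope"])
    # Constructed application token: sync works, hidden groups and photos do not.
    app_token = make_unsigned_token({
        "aud": "https://graph.microsoft.com",
        "roles": ["GroupMember.Read.All", "User.Read.All"],
    })
    print(missing_permissions(decode_jwt_payload(app_token), list(REQUIRED_ROLES)))
    # Constructed delegated token: fails for every feature.
    user_token = make_unsigned_token({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
    print(missing_permissions(decode_jwt_payload(user_token), ["basic_sync"]))
```

Run the check on a token obtained from the request returned by client_credentials_request before raising a support case: an empty result for basic_sync confirms the app registration is consented as application permissions, and the reported roles for the other features tell you exactly which permission to add.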