Is there a working alternative to Directory.Read.All (MS Graph API Permission)?

Yes. The minimum requirement for User Sync to work is Group.Read.All and User.Read.All. Keep in mind that the setup suggested in the setup guides ensures that all features and future additions to User Sync will work without customers having to change their Azure configuration.

Future versions may add features that require additional API permissions and therefore will not work with the minimal setup. Please check our documentation / release notes for further details.

Can I use GroupMember.Read.All instead of Group.Read.All?

Instead of Group.Read.All, some of our customers use GroupMember.Read.All. According to the Microsoft documentation, the two application permissions differ as follows:

Group.Read.All: Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user.
GroupMember.Read.All: Allows the app to read memberships and basic group properties for all groups without a signed-in user.

However, future versions may add features that require additional API permissions and therefore will not work with GroupMember.Read.All alone. Please check our documentation / release notes for further details.

How can I sync Groups with the attribute HiddenGroupMembership enabled?

Add the application permission Member.Read.Hidden to your User Sync app registration in Azure and grant admin consent. This permission allows User Sync to read those groups and to fetch their members.

Known Limitations

  • Profile pictures will only be synced if both Directory.Read.All and User.Read.All are granted.
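The three answers above tie each User Sync feature to a specific Microsoft Graph application permission. The following added example (not part of this FAQ or the User Sync product) reads the "roles" claim of a client-credentials access token and reports which features the granted permissions cover and which granted permissions the FAQ does not list. The token builder and the "Mail.Read" role in the demo are constructed sample data; the script only decodes the payload and does not verify the signature.

```python
import base64
import json

# Application permissions named in the FAQ above.
GROUP_ALTERNATIVES = {"Group.Read.All", "GroupMember.Read.All"}  # either one is enough
KNOWN_ROLES = GROUP_ALTERNATIVES | {"User.Read.All", "Member.Read.Hidden",
                                    "Directory.Read.All"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(roles: list[str]) -> str:
    """Build a CONSTRUCTED, unsigned JWT shaped like a Graph client-credentials
    token. It exists only so the checks below can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"aud": "https://graph.microsoft.com",
                                  "roles": roles}).encode())
    return f"{header}.{payload}."  # empty signature segment


def decode_roles(access_token: str) -> set[str]:
    """Read the 'roles' claim (application permissions) from a token payload.
    The signature is NOT verified: this audits a token you already hold and
    must never be used to decide whether to trust one."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("roles", []))


def check_permissions(roles: set[str]) -> dict:
    """Map granted roles to the User Sync features the FAQ ties them to."""
    group_roles = sorted(GROUP_ALTERNATIVES & roles)
    return {
        "user_sync": "User.Read.All" in roles and bool(group_roles),
        "group_permission_used": group_roles,
        "hidden_membership": "Member.Read.Hidden" in roles,
        "profile_picture": {"Directory.Read.All", "User.Read.All"} <= roles,
        # Anything else is a candidate for removal under least privilege.
        "not_listed_in_faq": sorted(roles - KNOWN_ROLES),
    }


if __name__ == "__main__":
    # Constructed demo: Mail.Read is a real Graph permission the FAQ never mentions.
    token = make_sample_token(["User.Read.All", "GroupMember.Read.All", "Mail.Read"])
    print(json.dumps(check_permissions(decode_roles(token)), indent=2))
```

To audit a real token, pass the access token your User Sync app obtained into decode_roles instead of the constructed one.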