Permissions for application
- Updated: 2024/07/03
After registering Microsoft 365, you must grant certain permissions to the application. These permissions are required to enable Microsoft 365 packages to perform various operations.
To grant permissions to an application, see Add permissions.
Note: You must be the co-owner of the application for which you are configuring permissions.
The following Delegated permissions for Microsoft Graph are required for Microsoft 365 packages:
| Permission name | Description | Administrator consent required |
| --- | --- | --- |
| Common permissions | | |
| openid | Allows users to sign in to the app with their work or school accounts and allows the app to see basic user profile information. | No |
| offline_access | Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. | No |
| User.Read | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | No |
| User.ReadBasic.All | Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address and photo. | No |
| Calendar | | |
| Calendars.Read | Allows the application to read events in user calendars. | No |
| Calendars.Read.Shared | Allows the application to read events in all calendars that the user can access, including delegate and shared calendars. | No |
| Calendars.ReadWrite | Allows the application to create, read, update, and delete events in user calendars. | No |
| Directory | | |
| Directory.AccessAsUser.All | Allows the application to have the same access to information in the directory as the signed-in user. | Yes |
| Directory.ReadWrite.All | Allows the application to read data in your organization's directory, such as users, groups and apps. | Yes |
| Mail.Read | Allows the application to read the signed-in user's mailbox. | No |
| Mail.ReadWrite | Allows the application to create, read, update, and delete email in user mailboxes. Does not include permission to send mail. | No |
| MailboxSettings.Read | Allows the application to read the user's mailbox settings. Does not include permission to send mail. | No |
| MailboxSettings.ReadWrite | Allows the application to create, read, update, and delete the user's mailbox settings. Does not include permission to send mail. | No |
| Excel | | |
| Directory.ReadAll | Allows the application to read data in your organization's directory, such as users, groups and applications. | Yes |
| Directory.ReadWriteAll | Allows the application to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords. | Yes |
| Files.ReadAll | Allows the application to read all files the signed-in user can access. | No |
| Files.ReadWriteAll | Allows the app to read, create, update and delete all files the signed-in user can access. | No |
| OneDrive | | |
| Files.ReadWrite.All | Allows the application to read, create, update and delete all files the signed-in user can access. | No |
| Sites.ReadWrite.All | Allows the application to edit or delete documents and list items in all site collections on behalf of the signed-in user. | No |
Apart from the above permissions, you can grant additional permissions based on your requirements. See Microsoft Graph permission reference.
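To check that an application holds the delegated scopes listed above and nothing beyond them, the following added example (not part of the original page or the product) diffs an application's delegated grants against the table for the packages actually in use. It covers only the common, Calendar, Directory and OneDrive groups; the group keys, the function name `audit_grants` and the sample data are assumptions made for this example, and the input is assumed to have the shape of a Microsoft Graph `oauth2PermissionGrants` listing restricted to grants on Microsoft Graph.

```python
import json

# Scope name -> admin consent required, copied from the table above.
# The group keys are labels chosen for this example.
REQUIRED = {
    "common": {"openid": False, "offline_access": False,
               "User.Read": False, "User.ReadBasic.All": False},
    "calendar": {"Calendars.Read": False, "Calendars.Read.Shared": False,
                 "Calendars.ReadWrite": False},
    "directory": {"Directory.AccessAsUser.All": True,
                  "Directory.ReadWrite.All": True},
    "onedrive": {"Files.ReadWrite.All": False, "Sites.ReadWrite.All": False},
}

def audit_grants(grants_json, client_id, packages):
    """Diff one service principal's delegated grants against the scopes
    needed by the packages in use (common scopes are always included)."""
    needed = dict(REQUIRED["common"])
    for pkg in packages:
        needed.update(REQUIRED[pkg])
    granted, tenant_wide = set(), set()
    for grant in json.loads(grants_json)["value"]:
        if grant["clientId"] != client_id:
            continue  # grant belongs to a different application
        scopes = set(grant["scope"].split())  # space-separated, may start with a space
        granted |= scopes
        if grant["consentType"] == "AllPrincipals":  # consented for every user
            tenant_wide |= scopes
    missing = set(needed) - granted
    excess = granted - set(needed)
    return {
        "missing": sorted(missing),
        "missing_needs_admin": sorted(s for s in missing if needed[s]),
        "excess": sorted(excess),
        "excess_tenant_wide": sorted(excess & tenant_wide),
    }

# Constructed sample in the shape of a Graph oauth2PermissionGrants listing.
SAMPLE = json.dumps({"value": [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": " openid offline_access User.Read User.ReadBasic.All "
              "Calendars.Read Directory.ReadWrite.All"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Read"},
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-1",
     "scope": "Calendars.Read.Shared Files.ReadWrite.All"},
]})

if __name__ == "__main__":
    for key, value in audit_grants(SAMPLE, "sp-1", ["calendar"]).items():
        print(f"{key}: {value}")
```

Scopes reported under `excess` are candidates for removal when the corresponding package is not used; those under `missing_needs_admin` cannot be granted by an ordinary user.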