includes/permissions-notes/directory.accessasuser.all.md
Lines changed: 2 additions & 31 deletions
@@ -4,35 +4,6 @@ ms.localizationpriority: high
4
4
5
5
<!-- markdownlint-disable MD002 MD041 -->
6
6
7
-
> [!CAUTION]
8
-
> Directory permissions provide the highest level of privilege for accessing directory resources such as [user](/graph/api/resources/user), [group](/graph/api/resources/group), and [device](/graph/api/resources/device) in an organization.
7
+
> Directory permissions grant broad access to directory (Microsoft Entra ID) resources such as [user](/graph/api/resources/user), [group](/graph/api/resources/group), and [device](/graph/api/resources/device) in an organization. Whenever possible, choose permissions specific to these resources and avoid using directory permissions.
9
8
>
10
-
> They also exclusively control access to other directory resources like [organizational contacts](/graph/api/resources/orgcontact) and [schema extensions](/graph/api/resources/schemaextension), as well as many directory resources including administrative units, directory roles, directory settings, and policies.
11
-
12
-
<!--
13
-
14
-
This section doesn't look correct; for example, you can create aapps using Directory.ReadWrite.All; Maybe it's out of date?
15
-
16
-
17
-
The _Directory.ReadWrite.All_ permission grants the following privileges:
18
-
19
-
- Full read of all directory resources (both declared properties and navigation properties)
20
-
- Create and update users
21
-
- Disable and enable users (but not Company Administrator)
22
-
- Set user alternative security ID (but not administrators)
23
-
- Create and update groups
24
-
- Manage group memberships
25
-
- Update group owner
26
-
- Manage license assignments
27
-
- Define schema extensions on applications
28
-
- Manage directory settings
29
-
- Manage admin consent workflow configuration (but not whether admin consent is required or who is authorized to grant admin consent)
30
-
31
-
And **doesn't grant* the following privileges:
32
-
33
-
- To reset user passwords.
34
-
- Updating another user's **businessPhones**, **mobilePhone**, or **otherMails** property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. For more details, see Helpdesk (Password) Administrator in [Azure AD available roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles). This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.
35
-
- Deleting resources (including users or groups).
36
-
- Specifically excludes create or update for resources not listed above. This includes: application, oAuth2PermissionGrant, appRoleAssignment, device, servicePrincipal, organization, domains, and so on.
37
-
38
-
-->
9
+
> Directory permissions might be deprecated in the future.
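Review bot: the `> [!CAUTION]` line is deleted (the `-` against old line 7) and no replacement is added, so the rewritten note renders as a plain blockquote instead of a caution callout, even though the new wording now tells readers to avoid directory permissions and warns of possible deprecation; if the downgrade is not intended, keep `> [!CAUTION]` as the first line ahead of `> Directory permissions grant broad access to directory (Microsoft Entra ID) resources ...`. Removing the old line 10 sentence (`> They also exclusively control access to other directory resources like [organizational contacts] ... administrative units, directory roles, directory settings, and policies.`) also drops the only statement of which resources have no resource-specific permission, which is exactly the case where the new advice "choose permissions specific to these resources" cannot be followed; either keep a sentence saying directory permissions remain the only option for those resources, or point to where that list is maintained. The new `> Directory permissions might be deprecated in the future.` is a forward-looking claim with no link or date; cite the deprecation notice it refers to, or reword it as a recommendation rather than a prediction.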