Microsoft Graph API serves as an interface for developers to interact programmatically with Azure Active Directory (AD), facilitating access to comprehensive user and group-related functionalities and data.
Korbyt Required Minimum Permissions
These permissions can be configured in the Azure AD application’s registration settings under “API permissions.”
It’s important to note that administrative consent may be required after adding these permissions, especially in environments where the application’s service principal lacks administrative privileges.
For our application's functionality, the minimum permissions required are:
- Group.Read.All
  - Requires Application-level access for this API call; Delegated access is not sufficient
  - Essential for enumerating groups from Azure AD
  - Provides access to group-related information such as group name, description, memberships, and other properties
  - Required for Korbyt to efficiently manage and interact with groups within the Azure AD directory
- User.Read.All
  - Requires Application-level access for this API call; Delegated access is not sufficient
  - Required for enumerating users from Azure AD
  - Grants access to comprehensive user properties and relationships, including the Security Identifier (SID)
  - The SID is a critical identifier assigned to each security principal in Windows operating systems, including Azure AD
  - Required for Korbyt to retrieve vital user information such as contact details, organizational data, and the SID, enabling seamless user management and interactions
  - We use the SID as a unique identifier when logging in Korbyt users.
- User.Read
  - Required for authenticating the individual user when they log in
  - Delegated permission is sufficient for this API permission
By securing these minimum permissions at the application level, our application can ensure secure and efficient access to group and user-related data within the Azure AD directory, while adhering to organizational policies and regulatory requirements.
With the Group.Read.All and User.Read.All permissions in place, our application is well-equipped to fulfill its functionality of group and user enumeration, providing users with a seamless experience and facilitating effective user and group management within our system.
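The following is an added example (not Korbyt's code) that turns the permission table above into a check an administrator can run against an app registration before consenting. The input format, a list of grant dicts with `permission`, `type` and `admin_consented`, is an assumption made for this example; in practice you would build it from the "API permissions" blade or from the service principal's app role assignments and OAuth2 permission grants. It flags the three failure modes the article describes: a required permission missing or granted only as Delegated, an Application permission not yet admin-consented, and an over-broad ReadWrite grant Korbyt does not want.

```python
"""Audit an Azure AD app registration's Graph permission grants against the
minimum set described above (added example, not Korbyt's own code)."""

# Required permissions and the access type that satisfies each one.
# A Delegated grant does not satisfy an Application-type requirement.
REQUIRED = {
    "Group.Read.All": "Application",
    "User.Read.All": "Application",
    "User.Read": "Delegated",
}

# Broader permissions the article says Korbyt does not want.
NOT_RECOMMENDED = {"Group.ReadWrite.All", "User.ReadWrite.All"}

# Permissions that look related but do not cover the required ones.
INSUFFICIENT = {
    "GroupMember.Read.All": "does not allow listing groups themselves",
    "User.ReadBasic.All": "does not return the user's SID",
}


def audit(grants):
    """Return a report with 'missing', 'needs_admin_consent',
    'not_recommended' and 'insufficient' lists.

    Each grant is a dict (format assumed for this example):
    {"permission": str, "type": "Application" | "Delegated", "admin_consented": bool}
    """
    report = {"missing": [], "needs_admin_consent": [],
              "not_recommended": [], "insufficient": []}

    for name, needed_type in REQUIRED.items():
        matching = [g for g in grants
                    if g["permission"] == name and g["type"] == needed_type]
        if not matching:
            # Granted only as Delegated when Application is needed counts as missing.
            report["missing"].append(f"{name} ({needed_type})")
        elif needed_type == "Application" and not any(g["admin_consented"] for g in matching):
            # Application permissions only take effect once an admin consents.
            report["needs_admin_consent"].append(name)

    for g in grants:
        if g["permission"] in NOT_RECOMMENDED:
            report["not_recommended"].append(g["permission"])
        if g["permission"] in INSUFFICIENT:
            report["insufficient"].append(f"{g['permission']}: {INSUFFICIENT[g['permission']]}")

    return report


def is_compliant(report):
    """True when nothing required is missing or unconsented and no ReadWrite grant is present."""
    return not (report["missing"] or report["needs_admin_consent"] or report["not_recommended"])


# Constructed sample (not a real tenant): Group.Read.All granted only as Delegated,
# User.Read.All granted as Application but not yet admin-consented, plus two
# grants that are either over-broad or insufficient.
SAMPLE_GRANTS = [
    {"permission": "Group.Read.All", "type": "Delegated", "admin_consented": True},
    {"permission": "User.Read.All", "type": "Application", "admin_consented": False},
    {"permission": "User.Read", "type": "Delegated", "admin_consented": True},
    {"permission": "User.ReadWrite.All", "type": "Application", "admin_consented": True},
    {"permission": "GroupMember.Read.All", "type": "Application", "admin_consented": True},
]

if __name__ == "__main__":
    for key, items in audit(SAMPLE_GRANTS).items():
        print(f"{key}: {items}")
```

Extra grants listed under `insufficient` are not blockers on their own (they simply add nothing Korbyt can use), which is why `is_compliant` ignores that list; remove them anyway to keep the app's footprint at the minimum.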
For more information on the steps for connecting Korbyt to your Azure AD, please see:
- How to Manage CMS Users – Importing from Azure
- How to Manage End Users of Desktop (InView) and Mobile & Web – Importing for Azure
The rest of this article explores the implications of Microsoft Graph API calls, and their effects so that you can better understand Korbyt’s need for the previously listed services.
Understanding Minimum Permissions Required for Group Enumeration
When utilizing Microsoft Graph API to enumerate groups from Azure AD, it’s essential to configure the appropriate permissions to ensure secure and efficient access to the required data.
The minimum permissions required for group enumeration are as follows:
- Group.Read.All: REQUIRED, Application-level access
  - This permission allows reading all groups within the Azure AD directory.
  - It provides access to group-related information such as group name, description, memberships, and other properties.
- Group.ReadWrite.All: Not Required and Not Recommended for Korbyt Access
  - In addition to reading group information, this permission grants the application the ability to modify group properties and memberships.
  - It provides full read and write access to all groups within the Azure AD directory.
  - Korbyt does not want this level of access to your Azure Active Directory.
Understanding Group Member Read Permissions
Group.Read.All and Group.ReadWrite.All focus on accessing group-related information, so it's crucial to differentiate the implications of the GroupMember.Read.All permission in this context.
- GroupMember.Read.All: Not Required and Not Sufficient for Korbyt Access
  - This permission grants the application the ability to read the members of all groups within the Azure AD directory.
  - It provides access to user or application memberships within groups.
Important Consideration: Although GroupMember.Read.All allows reading group members, it does not provide permissions to enumerate groups themselves. This means that while the application can fetch information about group members, it lacks the capability to list the groups present in the Azure AD directory.
Understanding Minimum Permissions Required for User Enumeration
When leveraging Microsoft Graph API to enumerate users from Azure AD, it’s imperative to configure appropriate permissions to ensure secure and effective access to required data.
- User.Read.All: REQUIRED, Application-level access
  - This permission grants your application the ability to read all user profiles within the organization's directory.
  - It provides access to comprehensive user properties and relationships, encompassing details such as contact information, organizational data, and more. User.Read.All is sufficient for retrieving basic information about users.
- User.ReadWrite.All: Not Required and Not Recommended for Korbyt Access
  - In addition to reading user profiles, this permission facilitates the modification of user data.
  - It empowers your application to both read and write all user properties within the organization's directory, offering comprehensive access for data manipulation and management.
  - This permission is not recommended for Korbyt integration.
- User.ReadBasic.All: Not Required and Not Sufficient for Korbyt Access
  - Does not include access to the SID
  - The SID is required to identify the user when logging in
Application Level Permissions Required for Group and User Enumeration
To access the SID and other detailed properties of all users in the directory, Application permissions (also known as app-only or admin-level permissions) are required.
These permissions are typically granted by an administrator and apply to the entire directory.
Delegated permissions grant access only to the signed-in user's profile rather than the entire directory: the permission is consented to by the signed-in user and covers only their own profile and the profiles they already have access to.
Delegated access is therefore insufficient for reading all groups, or all the users who require access to Korbyt.
Understanding Minimum Permissions Required for User Login
- User.Read: REQUIRED
  - Delegated access is sufficient for this API call
  - Used when the individual is requesting to log into Korbyt, to verify their SID information within the organization's Active Directory
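The example below is added here and is not Korbyt's code; it shows, end to end, what the three permissions above are used for: an app-only enumeration of groups and users through Microsoft Graph (the Group.Read.All and User.Read.All calls), following `@odata.nextLink` paging, and a delegated `/me` call (User.Read) whose SID is matched against the imported users at login. The `transport` argument is an injected callable (URL to parsed JSON) so the example runs offline against constructed responses; a production version would perform authenticated GETs against `https://graph.microsoft.com/v1.0` with an app-only token for enumeration and a user token for `/me`. The Graph user property `securityIdentifier` is the one I assume the article means by "SID"; the article itself does not name the property.

```python
"""Enumerate groups and users via Graph with paging, index users by SID and
resolve a login (added example, not Korbyt's own code)."""

GRAPH = "https://graph.microsoft.com/v1.0"


def list_all(transport, url):
    """Collect every item of a paged Graph collection by following @odata.nextLink."""
    items = []
    while url:
        page = transport(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return items


def enumerate_groups(transport):
    """Group.Read.All (app-only): map group id -> displayName.
    $select limits the response to the properties actually needed."""
    url = f"{GRAPH}/groups?$select=id,displayName"
    return {g["id"]: g["displayName"] for g in list_all(transport, url)}


def enumerate_users(transport):
    """User.Read.All (app-only): return (sid_index, ids_without_sid).
    A user with no SID cannot be matched at login, so report them separately."""
    url = f"{GRAPH}/users?$select=id,displayName,mail,securityIdentifier"
    sid_index, without_sid = {}, []
    for u in list_all(transport, url):
        sid = u.get("securityIdentifier")
        if sid:
            sid_index[sid] = u
        else:
            without_sid.append(u["id"])
    return sid_index, without_sid


def resolve_login(transport, sid_index):
    """User.Read (delegated): read the signed-in user's SID from /me and
    return the imported user id it matches, or None if it was never imported."""
    me = transport(f"{GRAPH}/me?$select=id,securityIdentifier")
    sid = me.get("securityIdentifier")
    if not sid or sid not in sid_index:
        return None
    return sid_index[sid]["id"]


# Constructed responses keyed by URL (not captured from a real tenant).
USERS_URL = f"{GRAPH}/users?$select=id,displayName,mail,securityIdentifier"
PAGE2 = USERS_URL + "&$skiptoken=constructed-token"
FAKE_RESPONSES = {
    f"{GRAPH}/groups?$select=id,displayName": {
        "value": [{"id": "g-1", "displayName": "Signage Editors"},
                  {"id": "g-2", "displayName": "Lobby Screens"}]},
    USERS_URL: {
        "value": [{"id": "u-1", "displayName": "Ada", "mail": "ada@example.com",
                   "securityIdentifier": "S-1-12-1-1111-2222-3333-4444"}],
        "@odata.nextLink": PAGE2},
    PAGE2: {
        "value": [{"id": "u-2", "displayName": "Bob", "mail": "bob@example.com",
                   "securityIdentifier": "S-1-12-1-5555-6666-7777-8888"},
                  # a principal with no SID: it will be reported, not indexed
                  {"id": "u-3", "displayName": "Guest", "mail": None,
                   "securityIdentifier": None}]},
    f"{GRAPH}/me?$select=id,securityIdentifier": {
        "id": "u-2", "securityIdentifier": "S-1-12-1-5555-6666-7777-8888"},
}


def fake_transport(url):
    """Stand-in for an authenticated GET; raises KeyError for unknown URLs."""
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    print(enumerate_groups(fake_transport))
    sids, missing = enumerate_users(fake_transport)
    print(sorted(sids), missing)
    print(resolve_login(fake_transport, sids))
```

Two points worth noting from the code: paging is the reason a delegated or per-user read cannot substitute for an app-only enumeration (every page is served under the same app-only token, independent of who is signed in), and `resolve_login` deliberately returns `None` rather than creating a user, so a SID that was not part of the import cannot log in.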