How to retrieve resource actions for Entra ID role permissions

Resource action

Resource actions are tighted to the role permissions which are defined for the Entra ID roles. As the name suggests, resource action describes an activity/operation a security principal can perform on a resource like user, group, application, etc.

Role permissions is a definition that specifies one or more activities a security principal can perform on a resource.

Resource action schema

The resource action names have the following schema

{namespace}/{entity}/{property_set}/{action}

• namespace: Related to a product or service in Microsoft 365 environment like microsoft.directory or microsoft.dynamics365.
• entity: The resource exposed by the Microsoft Graph API like user, group, application, administrativeUnit, etc.
• property_set: Specific properties of the entity for which access is being granted
• action: The operation that can be performed on the entity. Possible values are create, read, update, delete and allTasks.

Retrieve resource namespaces

Resource actions are accessible through the resource namespaces. To retrieve all resource namespaces, call the Graph API endpoint:

GET /beta/roleManagement/directory/resourceNamespaces

or the Graph SDK PowerShell cmdlet Get-MgBetaRoleManagementDirectoryResourceNamespace.

The resource namespaces for Entra ID role permissions are:

Id	Name
microsoft.directory	microsoft.directory
microsoft.aad.b2c	microsoft.aad.b2c
microsoft.aad.cloudAppSecurity	microsoft.aad.cloudAppSecurity
microsoft.aad.directorySync	microsoft.aad.directorySync
microsoft.aad.identityProtection	microsoft.aad.identityProtection
microsoft.aad.privilegedIdentityManagement	microsoft.aad.privilegedIdentityManagement
microsoft.aad.reports	microsoft.aad.reports
microsoft.azure.advancedThreatProtection	microsoft.azure.advancedThreatProtection
microsoft.azure.customSecurityAttributeDiagnosticSettings	microsoft.azure.customSecurityAttributeDiagnosticSettings
microsoft.azure.devOps	microsoft.azure.devOps
microsoft.azure.informationProtection	microsoft.azure.informationProtection
microsoft.azure.print	microsoft.azure.print
microsoft.azure.serviceHealth	microsoft.azure.serviceHealth
microsoft.azure.supportTickets	microsoft.azure.supportTickets
microsoft.backup	microsoft.backup
microsoft.cloudPC	microsoft.cloudPC
microsoft.commerce.billing	microsoft.commerce.billing
microsoft.commerce.volumeLicenseServiceCenter	microsoft.commerce.volumeLicenseServiceCenter
microsoft.dynamics365	microsoft.dynamics365
microsoft.dynamics365.businessCentral	microsoft.dynamics365.businessCentral
microsoft.edge	microsoft.edge
microsoft.embeddedFinance.financialConnections	microsoft.embeddedFinance.financialConnections
microsoft.networkAccess	microsoft.networkAccess
microsoft.flow	microsoft.flow
microsoft.graph.dataConnect	microsoft.graph.dataConnect
microsoft.hardware.support	microsoft.hardware.support
microsoft.insights	microsoft.insights
microsoft.intune	microsoft.intune
microsoft.managedTenants	microsoft.managedTenants
microsoft.office365.complianceManager	microsoft.office365.complianceManager
microsoft.office365.desktopAnalytics	microsoft.office365.desktopAnalytics
microsoft.office365.exchange	microsoft.office365.exchange
microsoft.office365.knowledge	microsoft.office365.knowledge
microsoft.office365.lockbox	microsoft.office365.lockbox
microsoft.office365.messageCenter	microsoft.office365.messageCenter
microsoft.office365.network	microsoft.office365.network
microsoft.office365.organizationalMessages	microsoft.office365.organizationalMessages
microsoft.office365.portalSettings	microsoft.office365.portalSettings
microsoft.office365.protectionCenter	microsoft.office365.protectionCenter
microsoft.office365.search	microsoft.office365.search
microsoft.office365.security	microsoft.office365.security
microsoft.office365.securityComplianceCenter	microsoft.office365.securityComplianceCenter
microsoft.office365.serviceHealth	microsoft.office365.serviceHealth
microsoft.office365.sharePoint	microsoft.office365.sharePoint
microsoft.office365.skypeForBusiness	microsoft.office365.skypeForBusiness
microsoft.office365.supportTickets	microsoft.office365.supportTickets
microsoft.office365.usageReports	microsoft.office365.usageReports
microsoft.office365.userCommunication	microsoft.office365.userCommunication
microsoft.office365.webPortal	microsoft.office365.webPortal
microsoft.office365.webPortalSettings	microsoft.office365.webPortalSettings
microsoft.office365.yammer	microsoft.office365.yammer
microsoft.office365.copilot	microsoft.office365.copilot
microsoft.office365.fileStorageContainers	microsoft.office365.fileStorageContainers
microsoft.office365.migrations	microsoft.office365.migrations
microsoft.permissionsManagement	microsoft.permissionsManagement
microsoft.powerApps	microsoft.powerApps
microsoft.powerApps.powerBI	microsoft.powerApps.powerBI
microsoft.securityCopilot	microsoft.securityCopilot
microsoft.teams	microsoft.teams
microsoft.virtualVisits	microsoft.virtualVisits
microsoft.viva.goals	microsoft.viva.goals
microsoft.viva.pulse	microsoft.viva.pulse
microsoft.windows.defenderAdvancedThreatProtection	microsoft.windows.defenderAdvancedThreatProtection
microsoft.windows.updatesDeployments	microsoft.windows.updatesDeployments

Retrieve resource actions

Once you have the id of the resource namespace, you can retrieve all resource actions for that namespace by calling the Graph API endpoint:

GET /beta/roleManagement/directory/resourceNamespaces/{resourceNamespaceId}/resourceActions

or the Graph SDK PowerShell cmdlet Get-MgBetaRoleManagementDirectoryResourceNamespaceResourceAction -UnifiedRbacResourceNamespaceId $resourceNamespaceId.

Not all resource namespaces have resource actions.

You can find all resource actions for Entra ID role permissions including their descriptions in the GitHub repo.

List all resource actions for Entra ID role permissions

If you want to list all the resource actions yourself, you can use the following PowerShell script for the Graph API SDK.

Prerequisites:

• Install the Microsoft Graph SDK PowerShell module Microsoft.Graph.Beta from the PowerShell Gallery.
• Register an Entra ID app
• Add and grant the application permission RoleManagement.Read.Directory
• Create a client secret for the app

$clientId = '<client_id>'
$clientSecret='<client_secret>'
$clientSecretCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $clientId, (ConvertTo-SecureString -String $clientSecret -AsPlainText -Force)
$tenantId = '<tenant_id>'

# connect to Microsoft Graph API
Connect-MgGraph -ClientSecretCredential $clientSecretCredential -TenantId $tenantId

$resourceActions = @()

$resourceNamespaces = Get-MgBetaRoleManagementDirectoryResourceNamespace -All
$resourceNamespaces | ForEach-Object {
    $resourceAction = Get-MgBetaRoleManagementDirectoryResourceNamespaceResourceAction -UnifiedRbacResourceNamespaceId $_.Id -All -Property "name,description,isPrivileged"
    $resourceAction | ForEach-Object {
        $resourceActions+=[PSCustomObject]@{
            Name = $_.Name; Description = $_.Description; IsPrivileged = $_.IsPrivileged
        }
    }
}

$resourceActions

# disconnect
Disconnect-MgGraph

You can also use delegated permission RoleManagement.Read.Directory. The signed-in user must have at least one of the following role:

• Directory Readers
• Global Reader
• Privileged Role Administrator
• Global Administrator

The table below shows all resource actions for Entra ID role permissions.

Name	Description	Privileged
microsoft.directory/accessReviews/allProperties/allTasks	Create and delete access reviews, and read and update all properties of access reviews in Microsoft Entra ID	False
microsoft.directory/accessReviews/allProperties/read	Read all properties of access reviews	False
microsoft.directory/accessReviews/definitions.applications/allProperties/allTasks	Manage access reviews of application role assignments in Microsoft Entra ID	False
microsoft.directory/accessReviews/definitions.applications/allProperties/read	Read all properties of access reviews of application role assignments in Microsoft Entra ID	False
microsoft.directory/accessReviews/definitions.directoryRoles/allProperties/allTasks	Manage access reviews for Microsoft Entra role assignments	False
microsoft.directory/accessReviews/definitions.directoryRoles/allProperties/read	Read all properties of access reviews for Microsoft Entra role assignments	False
microsoft.directory/accessReviews/definitions.entitlementManagement/allProperties/allTasks	Manage access reviews for access package assignments in entitlement management	False
microsoft.directory/accessReviews/definitions.groups/allProperties/read	Read all properties of access reviews for membership in Security and Microsoft 365 groups, including role-assignable groups.	False
microsoft.directory/accessReviews/definitions.groups/allProperties/update	Update all properties of access reviews for membership in Security and Microsoft 365 groups, excluding role-assignable groups.	False
microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/allProperties/update	Update all properties of access reviews for membership in groups that are assignable to Microsoft Entra roles	False
microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/create	Create access reviews for membership in groups that are assignable to Microsoft Entra roles	False
microsoft.directory/accessReviews/definitions.groupsAssignableToRoles/delete	Delete access reviews for membership in groups that are assignable to Microsoft Entra roles	False
microsoft.directory/accessReviews/definitions.groups/create	Create access reviews for membership in Security and Microsoft 365 groups.	False
microsoft.directory/accessReviews/definitions.groups/delete	Delete access reviews for membership in Security and Microsoft 365 groups.	False
microsoft.directory/accessReviews/definitions/allProperties/allTasks	Manage access reviews of all reviewable resources in Microsoft Entra ID	False
microsoft.directory/accessReviews/definitions/allProperties/read	Read all properties of access reviews of all reviewable resources in Microsoft Entra ID	False
microsoft.directory/adminConsentRequestPolicy/allProperties/allTasks	Manage admin consent request policies in Microsoft Entra ID	False
microsoft.directory/adminConsentRequestPolicy/allProperties/read	Read all properties of admin consent request policies in Microsoft Entra ID	False
microsoft.directory/administrativeUnits/allProperties/allTasks	Create and manage administrative units (including members)	False
microsoft.directory/administrativeUnits/allProperties/read	Read all properties of administrative units, including members	False
microsoft.directory/administrativeUnits/members/read	Read members of administrative units	False
microsoft.directory/administrativeUnits/members/update	Update members of administrative units	False
microsoft.directory/administrativeUnits/members/update	Update members of administrative units	False
microsoft.directory/administrativeUnits/standard/read	Read basic properties on administrative units	False
microsoft.directory/appConsent/appConsentRequests/allProperties/read	Read all properties of consent requests for applications registered with Microsoft Entra ID	False
microsoft.directory/applicationPolicies/allProperties/read	Read all properties (including privileged properties) on application policies	False
microsoft.directory/applicationPolicies/allProperties/update	Update all properties (including privileged properties) on application policies	False
microsoft.directory/applicationPolicies/basic/update	Update standard properties of application policies	False
microsoft.directory/applicationPolicies/createAsOwner	Create application policies, and creator is added as the first owner	False
microsoft.directory/applicationPolicies/create	Create application policies	False
microsoft.directory/applicationPolicies/delete	Delete application policies	False
microsoft.directory/applicationPolicies/owners/read	Read owners on application policies	False
microsoft.directory/applicationPolicies/owners/update	Update the owner property of application policies	False
microsoft.directory/applicationPolicies/owners/update	Update the owner property of application policies	False
microsoft.directory/applicationPolicies/policyAppliedTo/read	Read application policies applied to objects list	False
microsoft.directory/applicationPolicies/standard/read	Read standard properties of application policies	False
microsoft.directory/applications.myOrganization/allProperties/read	Read all properties (including privileged properties) on single-directory applications	False
microsoft.directory/applications.myOrganization/allProperties/update	Update all properties (including privileged properties) on single-directory applications	True
microsoft.directory/applications.myOrganization/appRoles/update	Update appRoles on single-directory applications	False
microsoft.directory/applications.myOrganization/audience/update	Update audience on single-directory applications	False
microsoft.directory/applications.myOrganization/authentication/update	Update authentication on single-directory applications	False
microsoft.directory/applications.myOrganization/basic/update	Update basic properties on single-directory applications	False
microsoft.directory/applications.myOrganization/credentials/update	Update credentials on single-directory applications	True
microsoft.directory/applications.myOrganization/delete	Delete single-directory applications	False
microsoft.directory/applications.myOrganization/extensionProperties/update	Update extension properties on single-directory applications	False
microsoft.directory/applications.myOrganization/extensionProperties/update	Update extension properties on single-directory applications	False
microsoft.directory/applications.myOrganization/notes/update	Update notes on single-directory applications	False
microsoft.directory/applications.myOrganization/owners/read	Read owners on single-directory applications	False
microsoft.directory/applications.myOrganization/owners/update	Update owners on single-directory applications	False
microsoft.directory/applications.myOrganization/owners/update	Update owners on single-directory applications	False
microsoft.directory/applications.myOrganization/permissions/update	Update exposed permissions and required permissions on single-tenant applications	False
microsoft.directory/applications.myOrganization/standard/read	Read basic properties on single-directory applications	False
microsoft.directory/applications.myOrganization/tag/update	Update tags on single-directory applications	False
microsoft.directory/applications/allProperties/allTasks	Create and delete applications, and read and update all properties	True
microsoft.directory/applications/allProperties/read	Read all properties (including privileged properties) on all types of applications	False
microsoft.directory/applications/allProperties/update	Update all properties (including privileged properties) on all types of applications	True
microsoft.directory/applications/applicationProxyAuthentication/update	Update authentication on all types of applications	False
microsoft.directory/applications/applicationProxy/read	Read all application proxy properties	False
microsoft.directory/applications/applicationProxySslCertificate/update	Update SSL certificate settings for application proxy	False
microsoft.directory/applications/applicationProxy/update	Update all application proxy properties	False
microsoft.directory/applications/applicationProxyUrlSettings/update	Update URL settings for application proxy	False
microsoft.directory/applications/appRoles/update	Update the appRoles property on all types of applications	False
microsoft.directory/applications/audience/update	Update the audience property for applications	False
microsoft.directory/applications/authentication/update	Update authentication on all types of applications	False
microsoft.directory/applications/basic/update	Update basic properties for applications	False
microsoft.directory/applications/createAsOwner	Create all types of applications, and creator is added as the first owner	False
microsoft.directory/applications/create	Create all types of applications	False
microsoft.directory/applications/credentials/update	Update application credentials	True
microsoft.directory/applications/delete	Delete all types of applications	False
microsoft.directory/applications/extensionProperties/update	Update extension properties on applications	False
microsoft.directory/applications/extensionProperties/update	Update extension properties on applications	False
microsoft.directory/applications/notes/update	Update notes of applications	False
microsoft.directory/applications/owners/limitedRead	Read the owners of a specific application, but cannot enumerate applications	False
microsoft.directory/applications/owners/read	Read owners of applications	False
microsoft.directory/applications/owners/update	Update owners of applications	False
microsoft.directory/applications/owners/update	Update owners of applications	False
microsoft.directory/applications/permissions/update	Update exposed permissions and required permissions on all types of applications	False
microsoft.directory/applications/policies/limitedRead	Read policies of a specific application, but cannot enumerate applications	False
microsoft.directory/applications/policies/read	Read policies of applications	False
microsoft.directory/applications/policies/update	Update policies of applications	False
microsoft.directory/applications/restore	Restore applications	False
microsoft.directory/applications/standard/limitedRead	Read standard properties of a specific application, but cannot enumerate applications	False
microsoft.directory/applications/standard/read	Read standard properties of applications	False
microsoft.directory/applications/synchronization/standard/read	Read provisioning settings associated with the application object	False
microsoft.directory/applications/tag/update	Update tags of applications	False
microsoft.directory/applications/verification/update	Update applicationsverification property	False
microsoft.directory/applicationTemplates/instantiate	Instantiate gallery applications from application templates	False
microsoft.directory/appRoleAssignments/allProperties/allTasks	Create and delete appRoleAssignments, and read and update all properties	False
microsoft.directory/appRoleAssignments/basic/update	Update basic properties of application role assignments	False
microsoft.directory/appRoleAssignments/createAsOwner	Create application role assignments, with creator as the first owner	False
microsoft.directory/appRoleAssignments/create	Create application role assignments	False
microsoft.directory/appRoleAssignments/delete	Delete application role assignments	False
microsoft.directory/appRoleAssignments/standard/read	Read standard properties of application role assignments	False
microsoft.directory/attributeSets/allProperties/allTasks	Manage all aspects of attribute sets	False
microsoft.directory/attributeSets/allProperties/read	Read all properties of attribute sets	False
microsoft.directory/auditLogs/allProperties/read	Read all properties on audit logs, excluding custom security attributes audit logs	False
microsoft.directory/authorizationPolicy/allProperties/allTasks	Manage all aspects of authorization policy	True
microsoft.directory/authorizationPolicy/basic/update	Update basic properties of authorization policy	False
microsoft.directory/authorizationPolicy/defaultUserRoleOverrides/update	Update permissions for default user role overrides of authorization policy	False
microsoft.directory/authorizationPolicy/defaultUserRolePermissions/update	Update default user role permissions of authorization policy	False
microsoft.directory/authorizationPolicy/guestUserSettings/update	Update guest user settings of authorization policy	True
microsoft.directory/authorizationPolicy/organizationSettings/update	Update organization settings of authorization policy	False
microsoft.directory/authorizationPolicy/standard/read	Read standard properties of authorization policy	False
microsoft.directory/azureManagedIdentities/customSecurityAttributes/read	Read custom security attribute values for Microsoft Entra managed identities	False
microsoft.directory/azureManagedIdentities/customSecurityAttributes/update	Update custom security attribute values for Microsoft Entra managed identities	False
microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks	Read and configure key sets in Azure Active Directory B2C	True
microsoft.directory/b2cTrustFrameworkPolicy/allProperties/allTasks	Read and configure custom policies in Azure Active Directory B2C	False
microsoft.directory/b2cUserAttribute/allProperties/allTasks	Read and configure user attribute in Azure Active Directory B2C	False
microsoft.directory/b2cUserFlow/allProperties/allTasks	Read and configure user flow in Azure Active Directory B2C	False
microsoft.directory/bitlockerKeys/key/read	Read bitlocker metadata and key on devices	True
microsoft.directory/bitlockerKeys/metadata/read	Read bitlocker key metadata on devices	False
microsoft.directory/certificateBasedDeviceAuthConfigurations/create	Create Certificate Authorities configurations for IoT Device trust and authentication	False
microsoft.directory/certificateBasedDeviceAuthConfigurations/credentials/update	Update crendential related properties on certificate authority configurations for Internet of Things (IoT) device trust and authentication	False
microsoft.directory/certificateBasedDeviceAuthConfigurations/delete	Delete certificate authority configurations for Internet of Things (IoT) device	False
microsoft.directory/certificateBasedDeviceAuthConfigurations/standard/read	Read standard properties on certificate authority configurations for Internet of Things (IoT) device trust and authentication	False
microsoft.directory/cloudAppSecurity/allProperties/allTasks	Create and delete all resources, and read and update standard properties in Microsoft Cloud App Security	False
microsoft.directory/cloudAppSecurity/allProperties/read	Read all properties for Cloud app security	False
microsoft.directory/cloudProvisioning/allProperties/allTasks	Read and configure all properties of Microsoft Entra cloud provisioning service.	False
microsoft.directory/conditionalAccessPolicies/allProperties/allTasks	Manage all properties of Conditional Access policies	False
microsoft.directory/conditionalAccessPolicies/allProperties/read	Read all properties of Conditional Access policies	False
microsoft.directory/conditionalAccessPolicies/basic/update	Update basic properties for Conditional Access policies	False
microsoft.directory/conditionalAccessPolicies/create	Create Conditional Access policies	False
microsoft.directory/conditionalAccessPolicies/delete	Delete Conditional Access policies	False
microsoft.directory/conditionalAccessPolicies/owners/read	Read the owners of Conditional Access policies	False
microsoft.directory/conditionalAccessPolicies/owners/update	Update owners for Conditional Access policies	False
microsoft.directory/conditionalAccessPolicies/owners/update	Update owners for Conditional Access policies	False
microsoft.directory/conditionalAccessPolicies/policyAppliedTo/read	Read the "applied to" property for Conditional Access policies	False
microsoft.directory/conditionalAccessPolicies/standard/read	Read Conditional Access for policies	False
microsoft.directory/conditionalAccessPolicies/tenantDefault/update	Update the default tenant for Conditional Access policies	False
microsoft.directory/connectorGroups/allProperties/read	Read all properties of application proxy connector groups	False
microsoft.directory/connectorGroups/allProperties/update	Update all properties of application proxy connector groups	False
microsoft.directory/connectorGroups/create	Create application proxy connector groups	False
microsoft.directory/connectorGroups/delete	Delete application proxy connector groups	False
microsoft.directory/connectors/allProperties/read	Read all properties of application proxy connectors	False
microsoft.directory/connectors/allProperties/update	Update properties for application proxy connectors	False
microsoft.directory/connectors/create	Create application proxy connectors	False
microsoft.directory/contacts/allProperties/allTasks	Create and delete contacts, and read and update all properties	False
microsoft.directory/contacts/allProperties/read	Read all properties for contacts	False
microsoft.directory/contacts/basic/update	Update basic properties on contacts	False
microsoft.directory/contacts/create	Create contacts	False
microsoft.directory/contacts/delete	Delete contacts	False
microsoft.directory/contacts/memberOf/read	Read the group membership for all contacts in Microsoft Entra ID	False
microsoft.directory/contacts/standard/read	Read basic properties on contacts in Microsoft Entra ID	False
microsoft.directory/contracts/allProperties/allTasks	Create and delete partner contracts, and read and update all properties	False
microsoft.directory/contracts/standard/read	Read basic properties on partner contracts	False
microsoft.directory/crossTenantAccessPolicy/allowedCloudEndpoints/update	Update allowed cloud endpoints of cross-tenant access policy	False
microsoft.directory/crossTenantAccessPolicy/basic/update	Update basic settings of cross-tenant access policy	False
microsoft.directory/crossTenantAccessPolicy/default/b2bCollaboration/update	Update Microsoft Entra B2B collaboration settings of the default cross-tenant access policy	False
microsoft.directory/crossTenantAccessPolicy/default/b2bDirectConnect/update	Update Microsoft Entra B2B direct connect settings of the default cross-tenant access policy	False
microsoft.directory/crossTenantAccessPolicy/default/crossCloudMeetings/update	Update cross-cloud Teams meeting settings of the default cross-tenant access policy	False
microsoft.directory/crossTenantAccessPolicy/default/standard/read	Read basic properties of the default cross-tenant access policy	False
microsoft.directory/crossTenantAccessPolicy/default/tenantRestrictions/update	Update tenant restrictions of the default cross-tenant access policy	False
microsoft.directory/crossTenantAccessPolicy/partners/b2bCollaboration/update	Update Microsoft Entra B2B collaboration settings of cross-tenant access policy for partners	False
microsoft.directory/crossTenantAccessPolicy/partners/b2bDirectConnect/update	Update Microsoft Entra B2B direct connect settings of cross-tenant access policy for partners	False
microsoft.directory/crossTenantAccessPolicy/partners/create	Create cross-tenant access policy for partners	False
microsoft.directory/crossTenantAccessPolicy/partners/crossCloudMeetings/update	Update cross-cloud Teams meeting settings of cross-tenant access policy for partners	False
microsoft.directory/crossTenantAccessPolicy/partners/delete	Delete cross-tenant access policy for partners	False
microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/basic/update	Update basic settings of cross-tenant sync policy	False
microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/create	Create cross-tenant sync policy for partners	False
microsoft.directory/crossTenantAccessPolicy/partners/identitySynchronization/standard/read	Read basic properties of cross-tenant sync policy	False
microsoft.directory/crossTenantAccessPolicy/partners/standard/read	Read basic properties of cross-tenant access policy for partners	False
microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationIdentitySynchronization/basic/update	Update cross tenant sync policy templates for multi-tenant organization	False
microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationIdentitySynchronization/resetToDefaultSettings	Reset cross tenant sync policy template for multi-tenant organization to default settings	False
microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationIdentitySynchronization/standard/read	Read basic properties of cross tenant sync policy templates for multi-tenant organization	False
microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationPartnerConfiguration/basic/update	Update cross tenant access policy templates for multi-tenant organization	False
microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationPartnerConfiguration/resetToDefaultSettings	Reset cross tenant access policy template for multi-tenant organization to default settings	False
microsoft.directory/crossTenantAccessPolicy/partners/templates/multiTenantOrganizationPartnerConfiguration/standard/read	Read basic properties of cross tenant access policy templates for multi-tenant organization	False
microsoft.directory/crossTenantAccessPolicy/partners/tenantRestrictions/update	Update tenant restrictions of cross-tenant access policy for partners	False
microsoft.directory/crossTenantAccessPolicy/standard/read	Read basic properties of cross-tenant access policy	False
microsoft.directory/customAuthenticationExtensions/allProperties/allTasks	Create and manage custom authentication extensions	True
microsoft.directory/customAuthenticationExtensions/allProperties/read	Read custom authentication extensions	False
microsoft.directory/customSecurityAttributeAuditLogs/allProperties/read	Read audit logs related to custom secruity attributes	False
microsoft.directory/customSecurityAttributeDefinitions/allProperties/allTasks	Manage all aspects of custom security attribute definitions	False
microsoft.directory/customSecurityAttributeDefinitions/allProperties/read	Read all properties of custom security attribute definitions	False
microsoft.directory/deletedItems.applications/delete	Permanently delete applications, which can no longer be restored	False
microsoft.directory/deletedItems.applications/restore	Restore soft deleted applications to original state	False
microsoft.directory/deletedItems.devices/delete	Permanently delete devices, which can no longer be restored	False
microsoft.directory/deletedItems.devices/restore	Restore soft deleted devices to original state	False
microsoft.directory/deletedItems.groups/delete	Permanently delete groups, which can no longer be restored	False
microsoft.directory/deletedItems.groups/restore	Restore soft deleted groups to original state	False
microsoft.directory/deletedItems.users/restore	Restore soft deleted users to original state	False
microsoft.directory/deletedItems/delete	Permanently delete objects, which can no longer be restored	False
microsoft.directory/deletedItems/restore	Restore soft deleted objects to original state	False
microsoft.directory/deviceLocalCredentials/password/read	Read all properties of the backed up local administrator account credentials for Microsoft Entra joined devices, including the password	False
microsoft.directory/deviceLocalCredentials/standard/read	Read all properties of the backed up local administrator account credentials for Microsoft Entra joined devices, except the password	False
microsoft.directory/deviceManagementPolicies/basic/update	Update basic properties on mobile device management and mobile app management policies	True
microsoft.directory/deviceManagementPolicies/standard/read	Read standard properties on mobile device management and mobile app management policies	False
microsoft.directory/deviceRegistrationPolicy/basic/update	Update basic properties on device registration policies	True
microsoft.directory/deviceRegistrationPolicy/standard/read	Read standard properties on device registration policies	False
microsoft.directory/devices/allProperties/allTasks	Create and delete devices, and read and update all properties	True
microsoft.directory/devices/allProperties/read	Read all properties of devices	False
microsoft.directory/devices/basic/update	Update basic properties on devices	False
microsoft.directory/devices/createdFrom/read	Read created from Internet of Things (IoT) device template links	False
microsoft.directory/devices/create	Create devices (enroll in Microsoft Entra ID)	False
microsoft.directory/devices/customSecurityAttributes/read	Read custom security attribute values for devices	False
microsoft.directory/devices/customSecurityAttributes/update	Update custom security attribute values for devices	False
microsoft.directory/devices/delete	Delete devices from Microsoft Entra ID	False
microsoft.directory/devices/disable	Disable devices in Microsoft Entra ID	False
microsoft.directory/devices/enable	Enable devices in Microsoft Entra ID	False
microsoft.directory/devices/extensionAttributeSet1/update	Update the extensionAttribute1 to extensionAttribute5 properties on devices	False
microsoft.directory/devices/extensionAttributeSet2/update	Update the extensionAttribute6 to extensionAttribute10 properties on devices	False
microsoft.directory/devices/extensionAttributeSet3/update	Update the extensionAttribute11 to extensionAttribute15 properties on devices	False
microsoft.directory/devices/memberOf/read	Read device memberships	False
microsoft.directory/devices/registeredOwners/read	Read registered owners of devices	False
microsoft.directory/devices/registeredOwners/update	Update registered owners of devices	False
microsoft.directory/devices/registeredOwners/update	Update registered owners of devices	False
microsoft.directory/devices/registeredUsers/read	Read registered users of devices	False
microsoft.directory/devices/registeredUsers/update	Update registered users of devices	False
microsoft.directory/devices/registeredUsers/update	Update registered users of devices	False
microsoft.directory/devices/standard/read	Read basic properties on devices	False
microsoft.directory/deviceTemplates/createDeviceFromTemplate	Create IoT Device from Internet of Things (IoT) device templates	False
microsoft.directory/deviceTemplates/create	Create Internet of Things (IoT) device templates	False
microsoft.directory/deviceTemplates/delete	Delete Internet of Things (IoT) device templates	False
microsoft.directory/deviceTemplates/deviceInstances/read	Read device instances from Internet of Things (IoT) device links	False
microsoft.directory/deviceTemplates/standard/read	Read standard properties on Internet of Things (IoT) device templates	False
microsoft.directory/directoryRoles/allProperties/allTasks	Create and delete directory roles, and read and update all properties	False
microsoft.directory/directoryRoles/allProperties/read	Read all properties of directory roles	False
microsoft.directory/directoryRoles/basic/update	Update basic properties in Microsoft Entra roles	False
microsoft.directory/directoryRoles/eligibleMembers/read	Read the eligible members of Microsoft Entra roles	False
microsoft.directory/directoryRoles/members/read	Read all members of Microsoft Entra roles	False
microsoft.directory/directoryRoles/standard/read	Read basic properties of Microsoft Entra roles	False
microsoft.directory/directoryRoleTemplates/allProperties/allTasks	Create and delete Microsoft Entra role templates, and read and update all properties	False
microsoft.directory/directoryRoleTemplates/allProperties/read	Read all properties of directory role templates	False
microsoft.directory/directorySync/allProperties/allTasks	Perform all actions in Microsoft Entra Connect.	False
microsoft.directory/domains/allProperties/allTasks	Create and delete domains, and read and update all properties	True
microsoft.directory/domains/allProperties/read	Read all properties of domains	False
microsoft.directory/domains/federationConfiguration/basic/update	Update basic federation configuration for domains	False
microsoft.directory/domains/federationConfiguration/create	Create federation configuration for domains	False
microsoft.directory/domains/federationConfiguration/delete	Delete federation configuration for domains	False
microsoft.directory/domains/federationConfiguration/standard/read	Read standard properties of federation configuration for domains	False
microsoft.directory/domains/federation/update	Update federation property of domains	True
microsoft.directory/domains/standard/read	Read basic properties on domains	False
microsoft.directory/entitlementManagement/allProperties/allTasks	Create and delete resources, and read and update all properties in Microsoft Entra entitlement management	False
microsoft.directory/entitlementManagement/allProperties/read	Read all properties in Microsoft Entra entitlement management	False
microsoft.directory/externalUserProfiles/basic/update	Update basic properties of external user profiles in the extended directory for Teams	False
microsoft.directory/externalUserProfiles/delete	Delete external user profiles in the extended directory for Teams	False
microsoft.directory/externalUserProfiles/standard/read	Read standard properties of external user profiles in the extended directory for Teams	False
microsoft.directory/federatedAuthentication/allProperties/allTasks	Manage all aspects of federated authentication	False
microsoft.directory/groups.security.assignedMembership/allProperties/update	Update all properties (including privileged properties) on Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/basic/update	Update basic properties on Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/classification/update	Update the classification property on Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/createAsOwner	Create Security groups of assigned membership type, excluding role-assignable groups. Creator is added as the first owner.	False
microsoft.directory/groups.security.assignedMembership/create	Create Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/delete	Delete Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/members/update.add	Add members to Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/members/update.remove	Remove members from Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/members/update	Update members of Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/members/update	Update members of Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/owners/update.add	Add owners to Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/owners/update.remove	Remove owners from Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/owners/update	Update owners of Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/owners/update	Update owners of Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security.assignedMembership/visibility/update	Update the visibility property on Security groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.security/allProperties/update	Update all properties (including privileged properties) on Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/basic/update	Update basic properties on Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/classification/update	Update the classification property on Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/createAsOwner	Create Security groups, excluding role-assignable groups. Creator is added as the first owner.	False
microsoft.directory/groups.security/create	Create Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/delete	Delete Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/dynamicMembershipRule/update	Update the dynamic membership rule on Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/members/update.add	Add members to Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/members/update.remove	Remove members from Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/members/update	Update members of Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/members/update	Update members of Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/owners/update.add	Add owners to Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/owners/update.remove	Remove owners from Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/owners/update	Update owners of Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/owners/update	Update owners of Security groups, excluding role-assignable groups	False
microsoft.directory/groups.security/visibility/update	Update the visibility property on Security groups, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/allProperties/update	Update all properties (including privileged properties) on Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/basic/update	Update basic properties on Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/classification/update	Update the classification property on Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/createAsOwner	Create Microsoft 365 groups of assigned membership type, excluding role-assignable groups. Creator is added as the first owner.	False
microsoft.directory/groups.unified.assignedMembership/create	Create Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/delete	Delete Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/members/update.add	Add members to Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/members/update.remove	Remove members from Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/members/update	Update members of Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/members/update	Update members of Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/owners/update.add	Add owners to Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/owners/update.remove	Remove owners from Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/owners/update	Update owners of Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/owners/update	Update owners of Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified.assignedMembership/visibility/update	Update the visibility property on Microsoft 365 groups of assigned membership type, excluding role-assignable groups	False
microsoft.directory/groups.unified/allProperties/update	Update all properties (including privileged properties) on Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/appRoleAssignments/update	Update app role assignments on Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/basic/update	Update basic properties on Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/classification/update	Update the classification property on Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/createAsOwner	Create Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner.	False
microsoft.directory/groups.unified/create	Create Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/delete	Delete Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/dynamicMembershipRule/update	Update the dynamic membership rule on Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/members/update.add	Add members to Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/members/update.remove	Remove members from Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/members/update	Update members of Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/members/update	Update members of Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/owners/update.add	Add owners to Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/owners/update.remove	Remove owners from Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/owners/update	Update owners of Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/owners/update	Update owners of Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups.unified/restore	Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups	False
microsoft.directory/groups.unified/visibility/update	Update the visibility property on Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/allowAccessTo/read	Read the allowAccessTo property of groups	False
microsoft.directory/groups/allowAccessTo/update	Update the allowAccessTo property of groups	False
microsoft.directory/groups/allProperties/allTasks	Create and delete groups, and read and update all properties	True
microsoft.directory/groups/allProperties/read	Read all properties (including privileged properties) on Security groups and Microsoft 365 groups, including role-assignable groups	False
microsoft.directory/groups/allProperties/update	Update all properties (including privileged properties) on Security groups and Microsoft 365 groups, excluding role-assignable groups	True
microsoft.directory/groups/appRoleAssignments/limitedRead	Read the application role assignments of a specific group, but cannot enumerate groups	False
microsoft.directory/groups/appRoleAssignments/read	Read application role assignments of groups	False
microsoft.directory/groups/appRoleAssignments/update	Update application role assignments of groups	False
microsoft.directory/groupsAssignableToRoles/allProperties/update	Update role-assignable groups	False
microsoft.directory/groupsAssignableToRoles/assignLicense	Assign a license to role-assignable groups	False
microsoft.directory/groupsAssignableToRoles/create	Create role-assignable groups	False
microsoft.directory/groupsAssignableToRoles/delete	Delete role-assignable groups	False
microsoft.directory/groupsAssignableToRoles/reprocessLicenseAssignment	Reprocess license assignments to role-assignable groups	False
microsoft.directory/groupsAssignableToRoles/restore	Restore role-assignable groups	False
microsoft.directory/groups/assignLicense	Assign product licenses to groups for group-based licensing	False
microsoft.directory/groups/basic/update	Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/classification/update	Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/createAsOwner	Create Security groups and Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner.	False
microsoft.directory/groups/create	Create Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/delete	Delete Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/dynamicMembershipRule/update	Update the dynamic membership rule on Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groupSettings/allProperties/allTasks	Create and delete group settings, and read and update all properties	False
microsoft.directory/groupSettings/allProperties/read	Read all properties of group settings	False
microsoft.directory/groupSettings/basic/update	Update basic properties on group settings	False
microsoft.directory/groupSettings/create	Create group settings	False
microsoft.directory/groupSettings/delete	Delete group settings	False
microsoft.directory/groupSettings/standard/read	Read basic properties on group settings	False
microsoft.directory/groupSettingTemplates/allProperties/allTasks	Create and delete group setting templates, and read and update all properties	False
microsoft.directory/groupSettingTemplates/allProperties/read	Read all properties of group setting templates	False
microsoft.directory/groupSettingTemplates/standard/read	Read basic properties on group setting templates	False
microsoft.directory/groups/groupType/update	Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/hasAccessTo/read	Read the hasAccessTo property of groups	False
microsoft.directory/groups/hiddenMembers/read	Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups	False
microsoft.directory/groups/memberOf/limitedRead	Read memberships of a specific group, but cannot enumerate groups	False
microsoft.directory/groups/memberOf/read	Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups	False
microsoft.directory/groups/members/limitedRead	Read members of a specific group, but cannot enumerate groups	False
microsoft.directory/groups/members/read	Read members of Security groups and Microsoft 365 groups, including role-assignable groups	False
microsoft.directory/groups/members/update.add	Add members to Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/members/update.remove	Remove members from Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/members/update	Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/members/update	Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/onPremWriteBack/update	Update Microsoft Entra groups to be written back to on-premises with Microsoft Entra Connect	False
microsoft.directory/groups/owners/limitedRead	Read owners of a specific group, but cannot enumerate groups	False
microsoft.directory/groups/owners/read	Read owners of Security groups and Microsoft 365 groups, including role-assignable groups	False
microsoft.directory/groups/owners/update.add	Add owners to Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/owners/update.remove	Remove owners from Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/owners/update	Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/owners/update	Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/groups/pendingMembers/read	Read pending members of groups	False
microsoft.directory/groups/pendingMembers/update	Update pending members of groups	False
microsoft.directory/groups/pendingMembers/update	Update pending members of groups	False
microsoft.directory/groups/reprocessLicenseAssignment	Reprocess license assignments for group-based licensing	False
microsoft.directory/groups/restore	Restore groups from soft-deleted container	False
microsoft.directory/groups/serviceEndpoints/read	Read service endpoints of groups	False
microsoft.directory/groups/serviceEndpoints/update	Update service endpoints of groups	False
microsoft.directory/groups/settings/limitedRead	Read settings of a specific group, but cannot enumerate groups	False
microsoft.directory/groups/settings/read	Read settings of groups	False
microsoft.directory/groups/settings/update	Update settings of groups	False
microsoft.directory/groups/standard/limitedRead	Read standard properties of a specific group, but cannot enumerate groups	False
microsoft.directory/groups/standard/read	Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups	False
microsoft.directory/groups/visibility/update	Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups	False
microsoft.directory/hybridAuthenticationPolicy/allProperties/allTasks	Manage hybrid authentication policy in Microsoft Entra ID	True
microsoft.directory/hybridAuthenticationPolicy/standard/read	Read standard properties of onPremAuthentication policies.	False
microsoft.directory/identityProtection/allProperties/allTasks	Create and delete all resources, and read and update standard properties in Microsoft Entra ID Protection	True
microsoft.directory/identityProtection/allProperties/read	Read all resources in Microsoft Entra ID Protection	False
microsoft.directory/identityProtection/allProperties/update	Update all resources in Microsoft Entra ID Protection	True
microsoft.directory/identityProviders/allProperties/allTasks	Read and configure identity providers in Azure Active Directory B2C	True
microsoft.directory/lifecycleWorkflows/workflows/allProperties/allTasks	Manage all aspects of lifecycle workflows and tasks in Microsoft Entra ID	False
microsoft.directory/lifecycleWorkflows/workflows/allProperties/read	Read all properties of lifecycle workflows and tasks in Microsoft Entra ID	False
microsoft.directory/loginOrganizationBranding/allProperties/allTasks	Create and delete loginTenantBranding, and read and update all properties	False
microsoft.directory/loginOrganizationBranding/allProperties/read	Read all properties for your organization's branded sign-in page	False
microsoft.directory/multiTenantOrganization/basic/update	Update basic properties of a multi-tenant organization	False
microsoft.directory/multiTenantOrganization/create	Create a multi-tenant organization	False
microsoft.directory/multiTenantOrganization/joinRequest/organizationDetails/update	Join a multi-tenant organization	False
microsoft.directory/multiTenantOrganization/joinRequest/standard/read	Read properties of a multi-tenant organization join request	False
microsoft.directory/multiTenantOrganization/standard/read	Read basic properties of a multi-tenant organization	False
microsoft.directory/multiTenantOrganization/tenants/create	Create a tenant in a multi-tenant organization	False
microsoft.directory/multiTenantOrganization/tenants/delete	Delete a tenant participating in a multi-tenant organization	False
microsoft.directory/multiTenantOrganization/tenants/organizationDetails/read	Read organization details of a tenant participating in a multi-tenant organization	False
microsoft.directory/multiTenantOrganization/tenants/organizationDetails/update	Update basic properties of a tenant participating in a multi-tenant organization	False
microsoft.directory/multiTenantOrganization/tenants/standard/read	Read basic properties of a tenant participating in a multi-tenant organization	False
microsoft.directory/namedLocations/basic/update	Update basic properties of custom rules that define network locations	False
microsoft.directory/namedLocations/create	Create custom rules that define network locations	False
microsoft.directory/namedLocations/delete	Delete custom rules that define network locations	False
microsoft.directory/namedLocations/standard/read	Read basic properties of custom rules that define network locations	False
microsoft.directory/oAuth2PermissionGrants/allProperties/allTasks	Create and delete OAuth 2.0 permission grants, and read and update all properties	True
microsoft.directory/oAuth2PermissionGrants/allProperties/read	Read all properties of OAuth 2.0 permission grants	False
microsoft.directory/oAuth2PermissionGrants/basic/update	Update OAuth 2.0 permission grants	True
microsoft.directory/oAuth2PermissionGrants/createAsOwner	Create OAuth 2.0 permission grants, with creator as the first owner	True
microsoft.directory/oAuth2PermissionGrants/create	Create OAuth 2.0 permission grants	True
microsoft.directory/oAuth2PermissionGrants/delete	Delete OAuth 2.0 permission grants	True
microsoft.directory/oAuth2PermissionGrants/standard/read	Read basic properties on OAuth 2.0 permission grants	False
microsoft.directory/onPremisesSynchronization/basic/update	Update basic on-premises directory synchronization information	False
microsoft.directory/onPremisesSynchronization/standard/read	Read standard on-premises directory synchronization information	False
microsoft.directory/organization/allProperties/allTasks	Read and update all properties for an organization	False
microsoft.directory/organization/allProperties/read	Read all properties for an organization	False
microsoft.directory/organization/basicProfile/read	Read basic organization profile information	False
microsoft.directory/organization/basic/update	Update basic properties on organization	False
microsoft.directory/organization/dirSync/update	Update the organization directory sync property	False
microsoft.directory/organization/standard/read	Read basic properties on an organization	False
microsoft.directory/organization/strongAuthentication/allTasks	Manage all aspects of strong authentication properties of an organization	False
microsoft.directory/organization/strongAuthentication/read	Read strong authentication properties of an organization	False
microsoft.directory/organization/trustedCAsForPasswordlessAuth/read	Read trusted certificate authorities for passwordless authentication	False
microsoft.directory/organization/trustedCAsForPasswordlessAuth/update	Update trusted certificate authorities for passwordless authentication	False
microsoft.directory/passThroughAuthentication/allProperties/allTasks	Manage all aspects of pass-through authentication for Microsoft Entra Connect	False
microsoft.directory/passwordHashSync/allProperties/allTasks	Manage all aspects of Password Hash Synchronization (PHS) in Microsoft Entra ID	False
microsoft.directory/pendingExternalUserProfiles/basic/update	Update basic properties of external user profiles in the extended directory for Teams	False
microsoft.directory/pendingExternalUserProfiles/create	Create external user profiles in the extended directory for Teams	False
microsoft.directory/pendingExternalUserProfiles/delete	Delete external user profiles in the extended directory for Teams	False
microsoft.directory/pendingExternalUserProfiles/standard/read	Read standard properties of external user profiles in the extended directory for Teams	False
microsoft.directory/permissionGrantPolicies/allProperties/read	Read all properties of permission grant policies	False
microsoft.directory/permissionGrantPolicies/allProperties/update	Update all properties of permission grant policies	False
microsoft.directory/permissionGrantPolicies/basic/update	Update basic properties of permission grant policies	False
microsoft.directory/permissionGrantPolicies/create	Create permission grant policies	False
microsoft.directory/permissionGrantPolicies/delete	Delete permission grant policies	False
microsoft.directory/permissionGrantPolicies/standard/read	Read standard properties of permission grant policies	False
microsoft.directory/policies/allProperties/allTasks	Create and delete policies, and read and update all properties	True
microsoft.directory/policies/allProperties/read	Read all properties of policies	False
microsoft.directory/policies/basic/update	Update basic properties on policies	True
microsoft.directory/policies/create	Create policies in Microsoft Entra ID	False
microsoft.directory/policies/delete	Delete policies in Microsoft Entra ID	False
microsoft.directory/policies/owners/read	Read owners of policies	False
microsoft.directory/policies/owners/update	Update owners of policies	False
microsoft.directory/policies/owners/update	Update owners of policies	False
microsoft.directory/policies/policyAppliedTo/read	Read policies.policyAppliedTo property	False
microsoft.directory/policies/standard/read	Read basic properties on policies	False
microsoft.directory/policies/tenantDefault/update	Update default organization policies	False
microsoft.directory/privilegedIdentityManagement/allProperties/allTasks	Create and delete all resources, and read and update standard properties in Privileged Identity Management	False
microsoft.directory/privilegedIdentityManagement/allProperties/read	Read all resources in Privileged Identity Management	False
microsoft.directory/provisioningLogs/allProperties/read	Read all properties of provisioning logs	False
microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update	Update Conditional Access authentication context of Microsoft 365 role-based access control (RBAC) resource actions	True
microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update	Update Conditional Access authentication context of Microsoft 365 role-based access control (RBAC) resource actions	True
microsoft.directory/resourceNamespaces/resourceActions/authenticationContext/update	Update Conditional Access authentication context of Microsoft 365 role-based access control (RBAC) resource actions	True
microsoft.directory/roleAssignments/allProperties/allTasks	Create and delete role assignments, and read and update all role assignment properties	False
microsoft.directory/roleAssignments/allProperties/read	Read all properties of role assignments	False
microsoft.directory/roleAssignments/standard/read	Read basic properties on role assignments	False
microsoft.directory/roleDefinitions/allProperties/allTasks	Create and delete role definitions, and read and update all properties	False
microsoft.directory/roleDefinitions/allProperties/read	Read all properties of role definitions	False
microsoft.directory/roleDefinitions/standard/read	Read basic properties on role definitions	False
microsoft.directory/scopedRoleMemberships/allProperties/allTasks	Create and delete scopedRoleMemberships, and read and update all properties	False
microsoft.directory/scopedRoleMemberships/allProperties/read	View members in administrative units	False
microsoft.directory/seamlessSso/allProperties/allTasks	Manage all aspects of single sign-on (SSO) in Microsoft Entra ID	False
microsoft.directory/serviceAction/activateService	Can perform the "activate service" action for a service	False
microsoft.directory/serviceAction/disableDirectoryFeature	Can perform the "disable directory feature" service action	False
microsoft.directory/serviceAction/enableDirectoryFeature	Can perform the "enable directory feature" service action	False
microsoft.directory/serviceAction/getAvailableExtentionProperties	Can perform the getAvailableExtentionProperties service action	False
microsoft.directory/serviceAction/grantResourceSpecificConsent	Grant consent for a specific resource	False
microsoft.directory/serviceAction/revokeResourceSpecificConsent	Revoke consent for a specific resource	False
microsoft.directory/servicePrincipalCreationPolicies/allProperties/read	Read all properties of service principal creation policies	False
microsoft.directory/servicePrincipalCreationPolicies/allProperties/update	Update all properties of service principal creation policies	False
microsoft.directory/servicePrincipalCreationPolicies/basic/update	Update basic properties of service principal creation policies	False
microsoft.directory/servicePrincipalCreationPolicies/create	Create service principal creation policies	False
microsoft.directory/servicePrincipalCreationPolicies/delete	Delete service principal creation policies	False
microsoft.directory/servicePrincipalCreationPolicies/standard/read	Read standard properties of service principal creation policies	False
microsoft.directory/servicePrincipals/allProperties/allTasks	Create and delete service principals, and read and update all properties	True
microsoft.directory/servicePrincipals/allProperties/read	Read all properties (including privileged properties) on servicePrincipals	False
microsoft.directory/servicePrincipals/allProperties/update	Update all properties (including privileged properties) on servicePrincipals	True
microsoft.directory/servicePrincipals/appRoleAssignedTo/limitedRead	Read app roles a specific instance of a service principal is assigned to, but cannot enumerate service principals	False
microsoft.directory/servicePrincipals/appRoleAssignedTo/read	Read service principal role assignments	False
microsoft.directory/servicePrincipals/appRoleAssignedTo/update	Update service principal role assignments	False
microsoft.directory/servicePrincipals/appRoleAssignedTo/update	Update service principal role assignments	False
microsoft.directory/servicePrincipals/appRoleAssignments/limitedRead	Read application roles assigned to a specific service principal, but cannot enumerate service principals	False
microsoft.directory/servicePrincipals/appRoleAssignments/read	Read role assignments assigned to service principals	False
microsoft.directory/servicePrincipals/audience/update	Update audience properties on service principals	False
microsoft.directory/servicePrincipals/authentication/read	Read authentication properties on service principals	False
microsoft.directory/servicePrincipals/authentication/update	Update authentication properties on service principals	False
microsoft.directory/servicePrincipals/basic/update	Update basic properties on service principals	False
microsoft.directory/servicePrincipals/createAsOwner	Create service principals, with creator as the first owner	False
microsoft.directory/servicePrincipals/create	Create service principals	False
microsoft.directory/servicePrincipals/credentials/update	Update credentials of service principals	True
microsoft.directory/servicePrincipals/customSecurityAttributes/read	Read custom security attribute values for service principals	False
microsoft.directory/servicePrincipals/customSecurityAttributes/update	Update custom security attribute values for service principals	False
microsoft.directory/servicePrincipals/delete	Delete service principals	False
microsoft.directory/servicePrincipals/disable	Disable service principals	False
microsoft.directory/servicePrincipals/enable	Enable service principals	False
microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials	Manage password single sign-on credentials on service principals	False
microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials	Read password single sign-on credentials on service principals	False
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-all-application-permissions	Grant consent to delegated permissions on behalf of any user or all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-all-application-permissions-verified	Grant consent to delegated permissions on behalf of any user or all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin	Grant consent for application permissions and delegated permissions on behalf of any user or all users, except for application permissions for Microsoft Graph and Azure AD Graph	False
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-application-admin	Grant consent to delegated permissions on behalf of any user or all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin	Grant consent for any permission to any application	False
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-company-admin	Grant consent to delegated permissions on behalf of any user or all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-user-default-legacy	Grant consent to delegated permissions on behalf of any user or all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-user-default-low	Grant consent to delegated permissions on behalf of any user or all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForAll.microsoft-user-default-recommended	Grant consent to delegated permissions on behalf of any user or all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForOwnedResource.microsoft-all-application-permissions-for-chat	Grant resource specific consent to application permissions as the owner of the resource	False
microsoft.directory/servicePrincipals/managePermissionGrantsForOwnedResource.microsoft-all-application-permissions-for-team	Grant resource specific consent to application permissions as the owner of the resource	False
microsoft.directory/servicePrincipals/managePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat	Grant resource specific consent to application permissions as the owner of the resource	False
microsoft.directory/servicePrincipals/managePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team	Grant resource specific consent to application permissions as the owner of the resource	False
microsoft.directory/servicePrincipals/managePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-chat	Grant resource specific consent to application permissions as the owner of the resource	False
microsoft.directory/servicePrincipals/managePermissionGrantsForOwnedResource.microsoft-pre-approval-apps-for-team	Grant resource specific consent to application permissions as the owner of the resource	False
microsoft.directory/servicePrincipals/managePermissionGrantsForResource.microsoft-all-application-permissions-for-chat	Grant resource specific consent to application permissions on behalf of all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForResource.microsoft-all-application-permissions-for-team	Grant resource specific consent to application permissions on behalf of all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForResource.microsoft-dynamically-managed-permissions-for-chat	Grant resource specific consent to application permissions on behalf of all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForResource.microsoft-dynamically-managed-permissions-for-team	Grant resource specific consent to application permissions on behalf of all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForResource.microsoft-pre-approval-apps-for-chat	Grant resource specific consent to application permissions on behalf of all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForResource.microsoft-pre-approval-apps-for-team	Grant resource specific consent to application permissions on behalf of all users	False
microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.microsoft-all-application-permissions	Grant consent to delegated permissions on behalf of themselves	False
microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.microsoft-all-application-permissions-verified	Grant consent to delegated permissions on behalf of themselves	False
microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.microsoft-application-admin	Grant consent to delegated permissions on behalf of themselves	False
microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.microsoft-company-admin	Grant consent to delegated permissions on behalf of themselves	False
microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.microsoft-user-default-legacy	Grant consent to delegated permissions on behalf of themselves	False
microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.microsoft-user-default-low	Grant consent to delegated permissions on behalf of themselves	False
microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.microsoft-user-default-recommended	Grant consent to delegated permissions on behalf of themselves	False
microsoft.directory/servicePrincipals/memberOf/limitedRead	Read memberships for a specific service principal, but cannot enumerate service principals	False
microsoft.directory/servicePrincipals/memberOf/read	Read the group memberships on service principals	False
microsoft.directory/servicePrincipals/notes/update	Update notes of service principals	False
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/limitedRead	Read OAuth 2.0 permission grants for specific service principal, but cannot enumerate service principals	False
microsoft.directory/servicePrincipals/oAuth2PermissionGrants/read	Read delegated permission grants on service principals	False
microsoft.directory/servicePrincipals/ownedObjects/limitedRead	Read objects owned by a specific service principal, but cannot enumerate service principals	False
microsoft.directory/servicePrincipals/ownedObjects/read	Read owned objects of service principals	False
microsoft.directory/servicePrincipals/owners/limitedRead	Read owners of a specific service principal, but cannot enumerate service principals	False
microsoft.directory/servicePrincipals/owners/read	Read owners of service principals	False
microsoft.directory/servicePrincipals/owners/update	Update owners of service principals	False
microsoft.directory/servicePrincipals/owners/update	Update owners of service principals	False
microsoft.directory/servicePrincipals/permissions/update	Update permissions of service principals	False
microsoft.directory/servicePrincipals/policies/limitedRead	Read policies of a specific service principal, but cannot enumerate service principals	False
microsoft.directory/servicePrincipals/policies/read	Read policies of service principals	False
microsoft.directory/servicePrincipals/policies/update	Update policies of service principals	False
microsoft.directory/servicePrincipals/standard/limitedRead	Read standard properties of a specific service principal, but cannot enumerate service principals	False
microsoft.directory/servicePrincipals/standard/read	Read basic properties of service principals	False
microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/credentials/manage	Manage cloud tenant to cloud tenant application provisioning secrets and credentials.	False
microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/jobs/manage	Start, restart, and pause cloud tenant to cloud tenant application provisioning synchronization jobs.	False
microsoft.directory/servicePrincipals/synchronization.cloudTenantToCloudTenant/schema/manage	Create and manage cloud tenant to cloud tenant application provisioning synchronization jobs and schema.	False
microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/credentials/manage	Manage application provisioning secrets and credentials.	False
microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/jobs/manage	Start, restart, and pause application provisioning synchronization jobs.	False
microsoft.directory/servicePrincipals/synchronization.cloudTenantToExternalSystem/schema/manage	Create and manage application provisioning synchronization jobs and schema.	False
microsoft.directory/servicePrincipals/synchronizationCredentials/manage	Manage application provisioning secrets and credentials	False
microsoft.directory/servicePrincipals/synchronizationJobs/manage	Start, restart, and pause application provisioning synchronization jobs	False
microsoft.directory/servicePrincipals/synchronizationSchema/manage	Create and manage application provisioning synchronization jobs and schema	False
microsoft.directory/servicePrincipals/synchronization/standard/read	Read provisioning settings associated with your service principal	False
microsoft.directory/servicePrincipals/tag/update	Update the tag property for service principals	False
microsoft.directory/signInReports/allProperties/read	Read all properties on sign-in reports, including privileged properties	False
microsoft.directory/subscribedSkus/allProperties/allTasks	Buy and manage subscriptions and delete subscriptions	False
microsoft.directory/subscribedSkus/allProperties/read	Read all properties of product subscriptions	False
microsoft.directory/subscribedSkus/standard/read	Read basic properties on subscriptions	False
microsoft.directory/tenantManagement/tenants/create	Create new tenants in Microsoft Entra ID	False
microsoft.directory/userCredentialPolicies/basic/update	Update basic policies for users	False
microsoft.directory/userCredentialPolicies/create	Create credential policies for users	False
microsoft.directory/userCredentialPolicies/delete	Delete credential policies for users	False
microsoft.directory/userCredentialPolicies/owners/read	Read owners of credential policies for users	False
microsoft.directory/userCredentialPolicies/owners/update	Update owners of credential policies for users	False
microsoft.directory/userCredentialPolicies/owners/update	Update owners of credential policies for users	False
microsoft.directory/userCredentialPolicies/policyAppliedTo/read	Read policy.appliesTo navigation link	False
microsoft.directory/userCredentialPolicies/standard/read	Read standard properties of credential policies for users	False
microsoft.directory/userCredentialPolicies/tenantDefault/update	Update policy.isOrganizationDefault property	False
microsoft.directory/userInfos/address/read	Read address of users	False
microsoft.directory/userInfos/email/read	Read email address of users	False
microsoft.directory/userInfos/openId/read	Read OpenID of users	False
microsoft.directory/userInfos/phone/read	Read phone number of users	False
microsoft.directory/userInfos/profile/read	Read profile properties of users	False
microsoft.directory/users/activateServicePlan	Activate service plans for users	False
microsoft.directory/users/allProperties/allTasks	Create and delete users, and read and update all properties	True
microsoft.directory/users/allProperties/read	Read all properties of users	True
microsoft.directory/users/appRoleAssignments/read	Read application role assignments for users	False
microsoft.directory/users/appRoleAssignments/update	Update application role assignments of users	False
microsoft.directory/users/assignLicense	Manage user licenses	False
microsoft.directory/users/authenticationMethods.email/basic/update	Update email address authentication methods for users	True
microsoft.directory/users/authenticationMethods.email/create	Add email address authentication methods for users	True
microsoft.directory/users/authenticationMethods.email/delete	Delete email address authentication methods for users	True
microsoft.directory/users/authenticationMethods.email/standard/read	Read email address authentication methods for users	False
microsoft.directory/users/authenticationMethods.email/standard/restrictedRead	Read masked email address authentication methods for users	False
microsoft.directory/users/authenticationMethods.fido2/basic/update	Update FIDO2 security key authentication methods for users	True
microsoft.directory/users/authenticationMethods.fido2/create	Add FIDO2 security key authentication methods for users	True
microsoft.directory/users/authenticationMethods.fido2/delete	Delete FIDO2 security key authentication methods for users	True
microsoft.directory/users/authenticationMethods.fido2/standard/read	Read FIDO2 security key authentication methods for users	False
microsoft.directory/users/authenticationMethods.fido2/standard/restrictedRead	Read masked FIDO2 security key authentication methods for users	False
microsoft.directory/users/authenticationMethods.microsoftAuthenticator/basic/update	Update Microsoft Authenticator app authentication methods for users	True
microsoft.directory/users/authenticationMethods.microsoftAuthenticator/create	Add Microsoft Authenticator app authentication methods for users	True
microsoft.directory/users/authenticationMethods.microsoftAuthenticator/delete	Delete Microsoft Authenticator app authentication methods for users	True
microsoft.directory/users/authenticationMethods.microsoftAuthenticator/standard/read	Read Microsoft Authenticator app authentication methods for users	False
microsoft.directory/users/authenticationMethods.microsoftAuthenticator/standard/restrictedRead	Read masked Microsoft Authenticator app authentication methods for users	False
microsoft.directory/users/authenticationMethods.password/basic/update	Update password authentication methods for users	True
microsoft.directory/users/authenticationMethods.password/create	Add password authentication methods for users	True
microsoft.directory/users/authenticationMethods.password/delete	Delete password authentication methods for users	True
microsoft.directory/users/authenticationMethods.passwordlessMicrosoftAuthenticator/basic/update	Update Passwordless Microsoft Authenticator authentication methods for users	True
microsoft.directory/users/authenticationMethods.passwordlessMicrosoftAuthenticator/create	Add Passwordless Microsoft Authenticator authentication methods for users	True
microsoft.directory/users/authenticationMethods.passwordlessMicrosoftAuthenticator/delete	Delete Passwordless Microsoft Authenticator authentication methods for users	False
microsoft.directory/users/authenticationMethods.passwordlessMicrosoftAuthenticator/standard/read	Read Passwordless Microsoft Authenticator authentication methods for users	False
microsoft.directory/users/authenticationMethods.passwordlessMicrosoftAuthenticator/standard/restrictedRead	Read masked Passwordless Microsoft Authenticator authentication methods for users	False
microsoft.directory/users/authenticationMethods.password/standard/read	Read password authentication methods for users	False
microsoft.directory/users/authenticationMethods.password/standard/restrictedRead	Read masked password authentication methods for users	False
microsoft.directory/users/authenticationMethods.securityQuestion/basic/update	Update security question authentication methods for users	True
microsoft.directory/users/authenticationMethods.securityQuestion/create	Add security question authentication methods for users	True
microsoft.directory/users/authenticationMethods.securityQuestion/delete	Delete security question authentication methods for users	True
microsoft.directory/users/authenticationMethods.securityQuestion/standard/read	Read security question authentication methods for users	False
microsoft.directory/users/authenticationMethods.securityQuestion/standard/restrictedRead	Read masked security question authentication methods for users	False
microsoft.directory/users/authenticationMethods.sms/basic/update	Update SMS number authentication methods for users	True
microsoft.directory/users/authenticationMethods.sms/create	Add SMS number authentication methods for users	True
microsoft.directory/users/authenticationMethods.sms/delete	Delete SMS number authentication methods for users	True
microsoft.directory/users/authenticationMethods.sms/standard/read	Read SMS number authentication methods for users	False
microsoft.directory/users/authenticationMethods.sms/standard/restrictedRead	Read masked SMS number authentication methods for users	False
microsoft.directory/users/authenticationMethods.softwareOath/basic/update	Update software OATH token authentication methods for users	False
microsoft.directory/users/authenticationMethods.softwareOath/create	Add software OATH token authentication methods for users	True
microsoft.directory/users/authenticationMethods.softwareOath/delete	Delete software OATH token authentication methods for users	True
microsoft.directory/users/authenticationMethods.softwareOath/standard/read	Read software OATH token authentication methods for users	False
microsoft.directory/users/authenticationMethods.softwareOath/standard/restrictedRead	Read masked software OATH token authentication methods for users	False
microsoft.directory/users/authenticationMethods.temporaryAccessPass/basic/update	Update temporary access pass authentication methods for users	True
microsoft.directory/users/authenticationMethods.temporaryAccessPass/create	Add temporary access pass authentication methods for users	True
microsoft.directory/users/authenticationMethods.temporaryAccessPass/delete	Delete temporary access pass authentication methods for users	True
microsoft.directory/users/authenticationMethods.temporaryAccessPass/standard/read	Read temporary access pass authentication methods for users	False
microsoft.directory/users/authenticationMethods.temporaryAccessPass/standard/restrictedRead	Read masked temporary access pass authentication methods for users	False
microsoft.directory/users/authenticationMethods.voice/basic/update	Update phone number authentication methods for users	True
microsoft.directory/users/authenticationMethods.voice/create	Add phone number authentication methods for users	True
microsoft.directory/users/authenticationMethods.voice/delete	Delete phone number authentication methods for users	True
microsoft.directory/users/authenticationMethods.voice/standard/read	Read phone number authentication methods for users	False
microsoft.directory/users/authenticationMethods.voice/standard/restrictedRead	Read masked phone number authentication methods for users	False
microsoft.directory/users/authenticationMethods/basic/update	Update basic properties of authentication methods for users	True
microsoft.directory/users/authenticationMethods/create	Update authentication methods for users	True
microsoft.directory/users/authenticationMethods/delete	Delete authentication methods for users	True
microsoft.directory/users/authenticationMethods/standard/read	Read standard properties of authentication methods for users	True
microsoft.directory/users/authenticationMethods/standard/restrictedRead	Read standard properties of authentication methods that do not include personally identifiable information for users	False
microsoft.directory/users/authorizationInfo/update	Update the multivalued Certificate user IDs property of users	False
microsoft.directory/users/basicProfile/read	Read basic profile of users	False
microsoft.directory/users/basicProfile/update	Update basic profile of users	False
microsoft.directory/users/basic/update	Update basic properties on users	False
microsoft.directory/users/changePassword	Change passwords for all users	False
microsoft.directory/users/contactInfo/update	Update contact properties on users	False
microsoft.directory/users/contactProfile/update	Update contact profile of users	False
microsoft.directory/users/convertExternalToInternalMemberUser	Convert external user to internal user	False
microsoft.directory/users/create	Add users	True
microsoft.directory/users/customSecurityAttributes/read	Read custom security attribute values for users	False
microsoft.directory/users/customSecurityAttributes/update	Update custom security attribute values for users	False
microsoft.directory/users/delete	Delete users	True
microsoft.directory/users/deviceForResourceAccount/read	Read deviceForResourceAccount of users	False
microsoft.directory/users/directReports/read	Read the direct reports for users	False
microsoft.directory/users/disable	Disable users	True
microsoft.directory/users/eligibleMemberOf/read	Read the "eligible member" of users	False
microsoft.directory/users/enable	Enable users	True
microsoft.directory/users/extensionProperties/update	Update extension properties of users	False
microsoft.directory/users/extensionProperties/update	Update extension properties of users	False
microsoft.directory/users/guestBasicProfile/limitedRead	Read basic guest profile properties of a specific user, but cannot enumerate users	False
microsoft.directory/users/identities/read	Read identities of users	False
microsoft.directory/users/identities/update	Update identity properties of users	True
microsoft.directory/users/invalidateAllRefreshTokens	Force sign-out by invalidating user refresh tokens	True
microsoft.directory/users/invitedBy/read	Read the user that invited an external user to a tenant	False
microsoft.directory/users/inviteGuest	Invite guest users	False
microsoft.directory/users/jobInfo/update	Update job information of users	False
microsoft.directory/users/licenseDetails/read	Read license details of users	False
microsoft.directory/users/lifeCycleInfo/read	Read lifecycle information of users, such as employeeLeaveDateTime	True
microsoft.directory/users/mail/read	Read mail of users	False
microsoft.directory/users/manager/read	Read manager of users	False
microsoft.directory/users/manager/update	Update manager for users	False
microsoft.directory/users/memberOf/read	Read the group memberships of users	False
microsoft.directory/users/mobile/update	Update mobile numbers of users	False
microsoft.directory/users/oAuth2PermissionGrants/read	Read delegated permission grants on users	False
microsoft.directory/users/ownedDevices/read	Read owned devices of users	False
microsoft.directory/users/ownedObjects/read	Read owned objects of users	False
microsoft.directory/users/parentalControls/update	Update parental controls of users	False
microsoft.directory/users/passwordPolicies/update	Update password policies of users	False
microsoft.directory/users/password/update	Reset passwords for all users	True
microsoft.directory/users/pendingMemberOf/read	Read "users.pendingMemberOf" property	False
microsoft.directory/users/photo/read	Read photo of users	False
microsoft.directory/users/photo/update	Update photo of users	False
microsoft.directory/users/preferredDataLocation/update	Update preferred data location of users	False
microsoft.directory/users/registeredDevices/read	Read registered devices of users	False
microsoft.directory/users/reprocessLicenseAssignment	Reprocess license assignments for users	False
microsoft.directory/users/restore	Restore deleted users	False
microsoft.directory/users/scopedRoleMemberOf/read	Read user's membership of a Microsoft Entra role, that is scoped to an administrative unit	False
microsoft.directory/users/searchableDeviceKey/update	Update searchable device keys of users	False
microsoft.directory/users/sponsors/read	Read sponsors of users	False
microsoft.directory/users/sponsors/update	Update sponsors of users	False
microsoft.directory/users/sponsors/update	Update sponsors of users	False
microsoft.directory/users/standard/read	Read basic properties on users	False
microsoft.directory/users/strongAuthentication/read	Read the strong authentication property for users	False
microsoft.directory/users/strongAuthentication/update	Update the strong authentication property for users	False
microsoft.directory/users/usageLocation/update	Update usage location of users	False
microsoft.directory/users/userPrincipalName/read	Read user principal name of users	False
microsoft.directory/users/userPrincipalName/update	Update User Principal Name of users	True
microsoft.directory/users/userType/update	Update user type of users	False
microsoft.directory/verifiableCredentials/configuration/allProperties/read	Read configuration required to create and manage verifiable credentials	False
microsoft.directory/verifiableCredentials/configuration/allProperties/update	Update configuration required to create and manage verifiable credentials	False
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/read	Read a verifiable credential contract	False
microsoft.directory/verifiableCredentials/configuration/contracts/allProperties/update	Update a verifiable credential contract	False
microsoft.directory/verifiableCredentials/configuration/contracts/cards/allProperties/read	Read a verifiable credential card	False
microsoft.directory/verifiableCredentials/configuration/contracts/cards/revoke	Revoke a verifiable credential card	False
microsoft.directory/verifiableCredentials/configuration/contracts/create	Create a verifiable credential contract	False
microsoft.directory/verifiableCredentials/configuration/create	Create configuration required to create and manage verifiable credentials	False
microsoft.directory/verifiableCredentials/configuration/delete	Delete configuration required to create and manage verifiable credentials and delete all of its verifiable credentials	False
microsoft.azure.advancedThreatProtection/allEntities/allTasks	Manage all aspects of Azure Advanced Threat Protection	False
microsoft.azure.customSecurityAttributeDiagnosticSettings/allEntities/allProperties/allTasks	Configure all aspects of custom security attributes diagnostic settings	False
microsoft.azure.devOps/allEntities/allTasks	Read and configure Azure DevOps	False
microsoft.azure.informationProtection/allEntities/allTasks	Manage all aspects of Azure Information Protection	False
microsoft.azure.print/allEntities/allProperties/allTasks	Create and delete printers and connectors, and read and update all properties in Microsoft Print	False
microsoft.azure.print/connectors/allProperties/read	Read all properties of connectors in Microsoft Print	False
microsoft.azure.print/printers/allProperties/read	Read all properties of printers in Microsoft Print	False
microsoft.azure.print/printers/basic/update	Update basic properties of printers in Microsoft Print	False
microsoft.azure.print/printers/register	Register printers in Microsoft Print	False
microsoft.azure.print/printers/unregister	Unregister printers in Microsoft Print	False
microsoft.azure.serviceHealth/allEntities/allTasks	Read and configure Azure Service Health	False
microsoft.azure.supportTickets/allEntities/allTasks	Create and manage Azure support tickets	False
microsoft.backup/allEntities/allProperties/allTasks	Manage all aspects of Microsoft 365 Backup	False
microsoft.backup/allEntities/allProperties/read	Read all aspects of Microsoft 365 Backup	False
microsoft.backup/exchangeProtectionPolicies/allProperties/allTasks	Create and manage Exchange Online protection policy in Microsoft 365 Backup	False
microsoft.backup/exchangeRestoreSessions/allProperties/allTasks	Read and configure restore session for Exchange Online in Microsoft 365 Backup	False
microsoft.backup/oneDriveForBusinessProtectionPolicies/allProperties/allTasks	Create and manage OneDrive protection policy in Microsoft 365 Backup	False
microsoft.backup/oneDriveForBusinessRestoreSessions/allProperties/allTasks	Read and configure restore session for OneDrive in Microsoft 365 Backup	False
microsoft.backup/restorePoints/sites/allProperties/allTasks	Manage all restore points associated with selected SharePoint sites in M365 Backup	False
microsoft.backup/restorePoints/userDrives/allProperties/allTasks	Manage all restore points associated with selected OneDrive accounts in M365 Backup	False
microsoft.backup/restorePoints/userMailboxes/allProperties/allTasks	Manage all restore points associated with selected Exchange Online mailboxes in M365 Backup	False
microsoft.backup/sharePointProtectionPolicies/allProperties/allTasks	Create and manage SharePoint protection policy in Microsoft 365 Backup	False
microsoft.backup/sharePointRestoreSessions/allProperties/allTasks	Read and configure restore session for SharePoint in Microsoft 365 Backup	False
microsoft.backup/siteProtectionUnits/allProperties/allTasks	Manage sites added to SharePoint protection policy in Microsoft 365 Backup	False
microsoft.backup/siteRestoreArtifacts/allProperties/allTasks	Manage sites added to restore session for SharePoint in Microsoft 365 Backup	False
microsoft.backup/userDriveProtectionUnits/allProperties/allTasks	Manage accounts added to OneDrive protection policy in Microsoft 365 Backup	False
microsoft.backup/userDriveRestoreArtifacts/allProperties/allTasks	Manage accounts added to restore session for OneDrive in Microsoft 365 Backup	False
microsoft.backup/userMailboxProtectionUnits/allProperties/allTasks	Manage mailboxes added to Exchange Online protection policy in Microsoft 365 Backup	False
microsoft.backup/userMailboxRestoreArtifacts/allProperties/allTasks	Manage mailboxes added to restore session for Exchange Online in Microsoft 365 Backup	False
microsoft.cloudPC/allEntities/allProperties/allTasks	Manage all aspects of Windows 365	False
microsoft.cloudPC/allEntities/allProperties/read	Read all aspects of Windows 365	False
microsoft.commerce.billing/allEntities/allProperties/allTasks	Manage all aspects of Office 365 billing	False
microsoft.commerce.billing/allEntities/allProperties/read	Read all resources of Office 365 billing	False
microsoft.commerce.billing/purchases/standard/read	Read purchase services in Microsoft 365 admin center.	False
microsoft.commerce.volumeLicenseServiceCenter/allEntities/allTasks	Manage all aspects of Volume Licensing Service Center	False
microsoft.dynamics365/allEntities/allTasks	Manage all aspects of Dynamics 365	False
microsoft.dynamics365.businessCentral/allEntities/allProperties/allTasks	Manage all aspects of Dynamics 365 Business Central	False
microsoft.edge/allEntities/allProperties/allTasks	Manage all aspects of Microsoft Edge	False
microsoft.edge/allEntities/allProperties/read	Read all aspects of Microsoft Edge	False
microsoft.networkAccess/allEntities/allProperties/allTasks	Manage all aspects of Entra Network Access	False
microsoft.networkAccess/allEntities/allProperties/read	Read all aspects of Entra Network Access	False
microsoft.flow/allEntities/allTasks	Manage all aspects of Microsoft Power Automate	False
microsoft.graph.dataConnect/allEntities/allProperties/allTasks	Manage aspects of Microsoft Graph Data Connect	False
microsoft.graph.dataConnect/allEntities/allProperties/read	Read aspects of Microsoft Graph Data Connect	False
microsoft.hardware.support/shippingAddress/allProperties/allTasks	Create, read, update, and delete shipping addresses for Microsoft hardware warranty claims, including shipping addresses created by others	False
microsoft.hardware.support/shippingAddress/allProperties/read	Read shipping addresses for Microsoft hardware warranty claims, including existing shipping addresses created by others	False
microsoft.hardware.support/shippingAddress/allProperties/update	Update shipping addresses for Microsoft hardware warranty claims, including existing shipping addresses created by others	False
microsoft.hardware.support/shippingStatus/allProperties/read	Read shipping status for open Microsoft hardware warranty claims	False
microsoft.hardware.support/warrantyClaims/allProperties/allTasks	Create and manage all aspects of Microsoft hardware warranty claims	False
microsoft.hardware.support/warrantyClaims/allProperties/read	Read Microsoft hardware warranty claims	False
microsoft.hardware.support/warrantyClaims/createAsOwner	Create Microsoft hardware warranty claims where creator is the owner	False
microsoft.insights/allEntities/allProperties/allTasks	Manage all aspects of Insights app	False
microsoft.insights/allEntities/allProperties/read	Read all aspects of Viva Insights	False
microsoft.insights/programs/allProperties/update	Deploy and manage programs in Insights app	False
microsoft.insights/queries/allProperties/allTasks	Run and manage queries in Viva Insights	False
microsoft.insights/reports/allProperties/read	View reports and dashboard in Insights app	False
microsoft.intune/allEntities/allTasks	Manage all aspects of Microsoft Intune	False
microsoft.intune/allEntities/read	Read all resources in Microsoft Intune	False
microsoft.office365.complianceManager/allEntities/allTasks	Manage all aspects of Office 365 Compliance Manager	False
microsoft.office365.desktopAnalytics/allEntities/allTasks	Manage all aspects of Desktop Analytics	False
microsoft.office365.exchange/allEntities/basic/allTasks	Manage all aspects of Exchange Online	False
microsoft.office365.exchange/messageTracking/allProperties/allTasks	Manage all tasks in message tracking in Exchange Online	False
microsoft.office365.exchange/migration/allProperties/allTasks	Manage all tasks related to migration of recipients in Exchange Online	False
microsoft.office365.exchange/recipients/allProperties/allTasks	Create and delete all recipients, and read and update all properties of recipients in Exchange Online	False
microsoft.office365.knowledge/contentUnderstanding/allProperties/allTasks	Read and update all properties of content understanding in Microsoft 365 admin center	False
microsoft.office365.knowledge/contentUnderstanding/analytics/allProperties/read	Read analytics reports of content understanding in Microsoft 365 admin center	False
microsoft.office365.knowledge/knowledgeNetwork/allProperties/allTasks	Read and update all properties of knowledge network in Microsoft 365 admin center	False
microsoft.office365.knowledge/knowledgeNetwork/topicVisibility/allProperties/allTasks	Manage topic visibility of knowledge network in Microsoft 365 admin center	False
microsoft.office365.knowledge/learningSources/allProperties/allTasks	Manage learning sources and all their properties in Learning App.	False
microsoft.office365.lockbox/allEntities/allTasks	Manage all aspects of Customer Lockbox	False
microsoft.office365.messageCenter/messages/read	Read messages in Message Center in the Microsoft 365 admin center, excluding security messages	False
microsoft.office365.messageCenter/securityMessages/read	Read security messages in Message Center in the Microsoft 365 admin center	False
microsoft.office365.network/locations/allProperties/allTasks	Manage all aspects of network locations	False
microsoft.office365.network/performance/allProperties/read	Read all network performance properties in the Microsoft 365 admin center	False
microsoft.office365.organizationalMessages/allEntities/allProperties/allTasks	Manage all authoring aspects of Microsoft 365 Organizational Messages	False
microsoft.office365.organizationalMessages/allEntities/allProperties/read	Read all aspects of Microsoft 365 Organizational Messages	False
microsoft.office365.organizationalMessages/allEntities/allProperties/update	Approve or reject new organizational messages for delivery in the Microsoft 365 admin center	False
microsoft.office365.protectionCenter/allEntities/allProperties/allTasks	Manage all aspects of the Security and Compliance centers	False
microsoft.office365.protectionCenter/allEntities/allProperties/read	Read all properties in the Security and Compliance centers	False
microsoft.office365.protectionCenter/allEntities/allProperties/update	Update all resources in Microsoft 365 Security and Compliance Center	False
microsoft.office365.protectionCenter/allEntities/basic/update	Update basic properties of all resources in the Security and Compliance centers	False
microsoft.office365.protectionCenter/allEntities/standard/read	Read standard properties of all resources in the Security and Compliance centers	False
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks	Create and manage attack payloads in Attack Simulator	False
microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/read	Read all properties of attack payloads in Attack Simulator	False
microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read	Read reports of attack simulation, responses, and associated training	False
microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/allTasks	Create and manage attack simulation templates in Attack Simulator	False
microsoft.office365.protectionCenter/attackSimulator/simulation/allProperties/read	Read all properties of attack simulation templates in Attack Simulator	False
microsoft.office365.protectionCenter/sensitivityLabels/allProperties/read	Read all properties of sensitivity labels in the Security and Compliance centers	False
microsoft.office365.search/allEntities/allTasks	Create and delete all resources, and read and update all properties in Microsoft Search	False
microsoft.office365.search/content/manage	Create and delete content, and read and update all properties in Microsoft Search	False
microsoft.office365.securityComplianceCenter/allEntities/allTasks	Create and delete all resources, and read and update standard properties in the Microsoft 365 Security and Compliance Center	False
microsoft.office365.securityComplianceCenter/allEntities/read	Read standard properties in Microsoft 365 Security and Compliance Center	False
microsoft.office365.serviceHealth/allEntities/allTasks	Read and configure Service Health in the Microsoft 365 admin center	False
microsoft.office365.sharePoint/allEntities/allTasks	Create and delete all resources, and read and update standard properties in SharePoint	False
microsoft.office365.skypeForBusiness/allEntities/allTasks	Manage all aspects of Skype for Business Online	False
microsoft.office365.supportTickets/allEntities/allTasks	Create and manage Microsoft 365 service requests	False
microsoft.office365.usageReports/allEntities/allProperties/read	Read Office 365 usage reports	False
microsoft.office365.usageReports/allEntities/standard/read	Read tenant-level aggregated Office 365 usage reports	False
microsoft.office365.userCommunication/allEntities/allTasks	Read and update what's new messages visibility	False
microsoft.office365.webPortal/allEntities/standard/read	Read basic properties on all resources in the Microsoft 365 admin center	False
microsoft.office365.yammer/allEntities/allProperties/allTasks	Manage all aspects of Yammer	False
microsoft.office365.yammer/allEntities/allProperties/read	Read all aspects of Yammer	False
microsoft.office365.copilot/allEntities/allProperties/allTasks	Create and manage all settings for Microsoft 365 Copilot	False
microsoft.office365.copilot/allEntities/allProperties/read	Read all settings for Microsoft 365 Copilot	False
microsoft.office365.fileStorageContainers/allEntities/allProperties/allTasks	Manage all aspects of SharePoint Embedded containers	False
microsoft.office365.fileStorageContainers/allEntities/allProperties/read	Read entities and permissions of SharePoint Embedded containers	False
microsoft.office365.migrations/allEntities/allProperties/allTasks	Manage all aspects of Microsoft 365 migrations	False
microsoft.permissionsManagement/allEntities/allProperties/allTasks	Manage all aspects of Entra Permissions Management	False
microsoft.permissionsManagement/allEntities/allProperties/read	Read all aspects of Entra Permissions Management	False
microsoft.powerApps/allEntities/allTasks	Manage all aspects of Power Apps	False
microsoft.powerApps.powerBI/allEntities/allTasks	Manage all aspects of Power BI	False
microsoft.teams/allEntities/allProperties/allTasks	Manage all resources in Teams	False
microsoft.teams/allEntities/allProperties/read	Read all properties of Microsoft Teams	False
microsoft.teams/callQuality/allProperties/read	Read all data in the Call Quality Dashboard (CQD)	False
microsoft.teams/callQuality/standard/read	Read basic data in the Call Quality Dashboard (CQD)	False
microsoft.teams/devices/standard/read	Manage all aspects of Teams-certified devices including configuration policies	False
microsoft.teams/meetings/allProperties/allTasks	Manage meetings including meeting policies, configurations, and conference bridges	False
microsoft.teams/voice/allProperties/allTasks	Manage voice including calling policies and phone number inventory and assignment	False
microsoft.virtualVisits/allEntities/allProperties/allTasks	Manage and share Virtual Visits information and metrics from admin centers or the Virtual Visits app	False
microsoft.virtualVisits/allEntities/allProperties/read	Read all aspects of Virtual Visits	False
microsoft.viva.goals/allEntities/allProperties/allTasks	Manage all aspects of Microsoft Viva Goals	False
microsoft.viva.goals/allEntities/allProperties/read	Read all aspects of Microsoft Viva Goals	False
microsoft.viva.pulse/allEntities/allProperties/allTasks	Manage all aspects of Microsoft Viva Pulse	False
microsoft.viva.pulse/allEntities/allProperties/read	Read all aspects of Microsoft Viva Pulse	False
microsoft.windows.defenderAdvancedThreatProtection/allEntities/allTasks	Manage all aspects of Microsoft Defender for Endpoint	False
microsoft.windows.updatesDeployments/allEntities/allProperties/allTasks	Read and configure all aspects of Windows Update Service	False
microsoft.windows.updatesDeployments/allEntities/allProperties/read	Read all aspects of Windows Update Service	False