How to find out what member users and guests users can do

Users in Entra

I won't go into the details, but users in Entra ID are either internal (member) users or guest users.

Every internal user is implicitly considered to be a member of the User role. The User role is the default role, but it's not directly assigned to any member user.

Guest users get their default role from the guestUserRoleId property of the authorization policy. Allowed values are:

  • a0b1b346-4d3e-4e8b-98f8-753987be4970 - User role
  • 10dae51f-b6af-4016-8d66-8c2a99b929b3 - Guest User role
  • 2af84b1e-32c8-42b7-82bc-daa82404023b - Restricted Guest User role

The authorization policy can be read via the https://graph.microsoft.com/v1.0/policies/authorizationPolicy endpoint.

What if you want to know what the member users and guest users are allowed to do?

You can of course read the documentation, or use the CLI for Microsoft 365 tool to read the role permissions of the User, Guest User, and Restricted Guest User roles.

CLI for Microsoft 365

CLI for Microsoft 365 is a cross-platform command-line tool used to manage your Microsoft 365 tenant and SharePoint Framework projects.

It is built on Node.js and can be installed on any platform using npm.

npm install -g @pnp/cli-microsoft365

It uses a Microsoft Entra application to authenticate to your Microsoft 365 tenant.

The m365 setup command will guide you through the process of setting up the CLI to work with your tenant. It's super easy to start with this tool.

The command will register a new Entra application with the name CLI for M365. The output contains the tenant id and client id which we will use later for login.

Read role permissions

The CLI has a set of commands that allow you to read role definitions and role permissions. I will use these commands:

  • m365 login - to authenticate to the tenant
  • m365 entra roledefinition get - to read the role definition
  • m365 entra rolepermission list - to read the role permissions
  • m365 logout - to log out

Because I will call the commands from PowerShell, I will start with preparing a function to invoke the CLI command and handle the output.

# credits: https://github.com/pnp/cli-microsoft365/discussions/6590#discussioncomment-12052198
function Invoke-CLICommand {
  [CmdletBinding()]
  param(
    # Every line the m365 command writes to stdout arrives here as a separate string
    [Parameter(ValueFromPipeline = $true)]
    [AllowEmptyString()]
    [string] $Line
  )

  begin {
    $lines = [System.Collections.Generic.List[string]]::new()
  }

  process {
    # Collect all lines; the JSON document is spread over many of them
    $lines.Add($Line)
  }

  end {
    # Nothing on stdout (for example with --output none): return $null
    if ($lines.Count -eq 0) {
      return $null
    }

    # Join the lines back into one JSON document before parsing it
    $parsedOutput = ($lines -join "`n") | ConvertFrom-Json

    # A single object with an "error" property means the CLI reported a failure
    if ($parsedOutput -isnot [Array] -and $null -ne $parsedOutput.error) {
      throw $parsedOutput.error
    }

    return $parsedOutput
  }
}

The function receives the output of the CLI command from the pipeline and returns it as a PowerShell object. If the output contains an error, it throws an exception.

Steps to read the role permissions:

  1. Log in to the tenant
$tenantId = '<tenant_id>'
$appId = '<app_id>'
m365 login --tenant $tenantId --appId $appId --output none | Invoke-CLICommand
  2. Read the role definition
$rolePermissionsDict = @{}
$roleDefinition = m365 entra roledefinition get --displayName 'User' | Invoke-CLICommand
  3. Iterate through the allowed resource actions and load the description for each resource action
$roleDefinition.rolePermissions | ForEach-Object {
  if ($_.condition -eq '$SubjectIsOwner') {
      Write-Host "As owner:"   
  }
  elseif ($_.condition -eq '$ResourceIsSelf') {
      Write-Host "To yourself:"   
  }
  else {
      Write-Host "General:"
  }

  $_.allowedResourceActions | ForEach-Object {
      if (!$rolePermissionsDict.ContainsKey($_)) {
          $resourceActionParts = $_.Split("/")
          # Load role permissions ad-hoc, first part is the resource namespace
          $rolePermissions = m365 entra rolepermission list --resourceNamespace $resourceActionParts[0] | Invoke-CLICommand

          $rolePermissions | ForEach-Object {
              $rolePermissionsDict[$_.name] = $_.description
          }
      }
      Write-Host " - $($rolePermissionsDict[$_])"
  }
}
  4. Log out
m365 logout

The whole script:

try
{
  $tenantId = '<tenant_id>'
  $appId = '<app_id>'
  m365 login --tenant $tenantId --appId $appId --output none | Invoke-CLICommand
  
  $rolePermissionsDict = @{}
  $roleName = 'User'
  $roleDefinition = m365 entra roledefinition get --displayName $roleName | Invoke-CLICommand
  
  Write-Host "Role definition: $($roleDefinition.displayName)"
  Write-Host $roleDefinition.description
  
  $roleDefinition.rolePermissions | ForEach-Object {
    if ($_.condition -eq '$SubjectIsOwner') {
        Write-Host "As owner:"   
    }
    elseif ($_.condition -eq '$ResourceIsSelf') {
        Write-Host "To yourself:"   
    }
    else {
        Write-Host "General:"
    }
  
    $_.allowedResourceActions | ForEach-Object {
        if (!$rolePermissionsDict.ContainsKey($_)) {
            $resourceActionParts = $_.Split("/")
            # Load role permissions ad-hoc, first part is the resource namespace
            $rolePermissions = m365 entra rolepermission list --resourceNamespace $resourceActionParts[0] | Invoke-CLICommand
  
            $rolePermissions | ForEach-Object {
                $rolePermissionsDict[$_.name] = $_.description
            }
        }
        Write-Host " - $($rolePermissionsDict[$_])"
    }
  }

}
catch {
  Write-Host "Failed to read role permissions: $($_.Exception.Message)"
}
finally {
  # Log out even when one of the commands failed
  m365 logout
}

Run the script and you will see the role definition and role permissions for the User role.
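The three roles from the beginning of the article only matter once you know which one your tenant hands to guests. The following added example (not from the original article) reads guestUserRoleId from the authorization policy endpoint quoted above, maps it to the role name, and then lists the resource actions a member (User role) holds that the tenant's default guest role does not. It assumes Invoke-CLICommand is defined and you are already logged in; the Get-GuestDefaultRoleName and Get-RoleActions function names are my own.

```powershell
# Added example, not part of the original article.
# Assumes Invoke-CLICommand (above) is defined and m365 login has been run.

# Allowed guestUserRoleId values, as listed in the article
$guestRoleNames = @{
  'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'User'
  '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Guest User'
  '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted Guest User'
}

function Get-GuestDefaultRoleName {
  # m365 request is the CLI's generic Graph call; the endpoint is the one from the article
  $policy = m365 request --url 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy' --output json | Invoke-CLICommand
  $id = $policy.guestUserRoleId
  if (-not $guestRoleNames.ContainsKey($id)) {
    throw "Unknown guestUserRoleId: $id"
  }
  return $guestRoleNames[$id]
}

function Get-RoleActions {
  param([string] $RoleName)
  # Flatten rolePermissions into "<condition>|<action>" strings so that the
  # condition ($SubjectIsOwner, $ResourceIsSelf or none) is part of the comparison
  $def = m365 entra roledefinition get --displayName $RoleName --output json | Invoke-CLICommand
  $def.rolePermissions | ForEach-Object {
    $cond = if ($_.condition) { $_.condition } else { 'General' }
    foreach ($action in $_.allowedResourceActions) { "$cond|$action" }
  }
}

$guestRole = Get-GuestDefaultRoleName
Write-Host "Guests in this tenant get the '$guestRole' role by default"
if ($guestRole -eq 'User') {
  Write-Warning 'Guests have the same directory permissions as members; consider Guest User or Restricted Guest User'
}

$memberActions = Get-RoleActions -RoleName 'User'
$guestActions  = Get-RoleActions -RoleName $guestRole

# Actions a member holds that the default guest role does not ("<=" = only in the reference set)
Compare-Object -ReferenceObject $memberActions -DifferenceObject $guestActions |
  Where-Object SideIndicator -eq '<=' |
  ForEach-Object { $_.InputObject } |
  Sort-Object |
  ForEach-Object { Write-Host " member-only: $_" }
```

Running it against a tenant that uses the Restricted Guest User default produces the longest member-only list, which is a quick way to see how much the guest restriction actually removes.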

What a member user can do

Below are the permissions that a member user (or a guest user with the User role) has in Microsoft 365. The permissions are grouped by the condition under which they apply.

In general:

  • Read members of administrative units
  • Read basic properties on administrative units
  • Create application policies, and creator is added as the first owner
  • Read standard properties of application policies
  • Create all types of applications, and creator is added as the first owner
  • Read owners of applications
  • Read policies of applications
  • Read standard properties of applications
  • Read standard properties of authorization policy
  • Read the group membership for all contacts in Microsoft Entra ID
  • Read basic properties on contacts in Microsoft Entra ID
  • Read basic properties on partner contracts
  • Read device memberships
  • Read registered owners of devices
  • Read registered users of devices
  • Read basic properties on devices
  • Read the eligible members of Microsoft Entra roles
  • Read all members of Microsoft Entra roles
  • Read basic properties of Microsoft Entra roles
  • Read basic properties on domains
  • Read application role assignments of groups
  • Create Security groups and Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner.
  • Read the memberOf property on Security groups and Microsoft 365 groups, including role-assignable groups
  • Read members of Security groups and Microsoft 365 groups, including role-assignable groups
  • Read owners of Security groups and Microsoft 365 groups, including role-assignable groups
  • Read standard properties of Security groups and Microsoft 365 groups, including role-assignable groups
  • Read basic properties of a multi-tenant organization
  • Read basic properties of a tenant participating in a multi-tenant organization
  • Read basic properties on OAuth 2.0 permission grants
  • Read basic properties on an organization
  • Read owners of policies
  • Read policies.policyAppliedTo property
  • Read basic properties on policies
  • Read basic properties on role assignments
  • Read basic properties on role definitions
  • Read service principal role assignments
  • Read role assignments assigned to service principals
  • Read authentication properties on service principals
  • Create service principals, with creator as the first owner
  • Read the group memberships on service principals
  • Read delegated permission grants on service principals
  • Read owned objects of service principals
  • Read owners of service principals
  • Read policies of service principals
  • Read basic properties of service principals
  • Read basic properties on subscriptions
  • Create new tenants in Microsoft Entra ID
  • Activate service plans for users
  • Read application role assignments for users
  • Read deviceForResourceAccount of users
  • Read the direct reports for users
  • Invite guest users
  • Read license details of users
  • Read manager of users
  • Read the group memberships of users
  • Read delegated permission grants on users
  • Read owned devices of users
  • Read owned objects of users
  • Read photo of users
  • Read registered devices of users
  • Read user's membership of a Microsoft Entra role, that is scoped to an administrative unit
  • Read sponsors of users
  • Read basic properties on users

As owner:

  • Update the appRoles property on all types of applications
  • Update the audience property for applications
  • Update authentication on all types of applications
  • Update basic properties for applications
  • Update application credentials
  • Delete all types of applications
  • Update extension properties on applications
  • Update notes of applications
  • Update owners of applications
  • Update exposed permissions and required permissions on all types of applications
  • Update policies of applications
  • Update tags of applications
  • Update applicationsverification property
  • Read all properties on audit logs, excluding custom security attributes audit logs
  • Permanently delete applications, which can no longer be restored
  • Restore soft deleted applications to original state
  • Restore soft deleted groups to original state
  • Disable devices in Microsoft Entra ID
  • Update role-assignable groups
  • Assign a license to role-assignable groups
  • Delete role-assignable groups
  • Reprocess license assignments to role-assignable groups
  • Restore role-assignable groups
  • Update basic properties on Security groups and Microsoft 365 groups, excluding role-assignable groups
  • Update the classification property on Security groups and Microsoft 365 groups, excluding role-assignable groups
  • Delete Security groups and Microsoft 365 groups, excluding role-assignable groups
  • Update properties that would affect the group type of Security groups and Microsoft 365 groups, excluding role-assignable groups
  • Update members of Security groups and Microsoft 365 groups, excluding role-assignable groups
  • Update owners of Security groups and Microsoft 365 groups, excluding role-assignable groups
  • Restore groups from soft-deleted container
  • Update settings of groups
  • Update the visibility property of Security groups and Microsoft 365 groups, excluding role-assignable groups
  • Update basic properties on policies
  • Delete policies in Microsoft Entra ID
  • Update owners of policies
  • Read all properties of provisioning logs
  • Update service principal role assignments
  • Update audience properties on service principals
  • Update authentication properties on service principals
  • Update basic properties on service principals
  • Update credentials of service principals
  • Delete service principals
  • Disable service principals
  • Enable service principals
  • Manage password single sign-on credentials on service principals
  • Read password single sign-on credentials on service principals
  • Update notes of service principals
  • Update owners of service principals
  • Update permissions of service principals
  • Update policies of service principals
  • Update the tag property for service principals
  • Read all properties on sign-in reports, including privileged properties

To yourself:

  • Read address of users
  • Read email address of users
  • Read OpenID of users
  • Read phone number of users
  • Read profile properties of users
  • Update basic properties of authentication methods for users
  • Update authentication methods for users
  • Delete authentication methods for users
  • Read standard properties of authentication methods for users
  • Read standard properties of authentication methods that do not include personally identifiable information for users
  • Update basic profile of users
  • Change passwords for all users
  • Update identity properties of users
  • Force sign-out by invalidating user refresh tokens
  • Update mobile numbers of users
  • Update searchable device keys of users

What a guest user can do

If you modify the script and set $roleName = 'Guest User', you get the following permissions:

General:

  • Read the owners of a specific application, but cannot enumerate applications
  • Read policies of a specific application, but cannot enumerate applications
  • Read standard properties of a specific application, but cannot enumerate applications
  • Read basic properties on domains
  • Read the application role assignments of a specific group, but cannot enumerate groups
  • Read memberships of a specific group, but cannot enumerate groups
  • Read members of a specific group, but cannot enumerate groups
  • Read owners of a specific group, but cannot enumerate groups
  • Read settings of a specific group, but cannot enumerate groups
  • Read standard properties of a specific group, but cannot enumerate groups
  • Read basic properties of a multi-tenant organization
  • Read basic properties of a tenant participating in a multi-tenant organization
  • Read basic organization profile information
  • Read app roles a specific instance of a service principal is assigned to, but cannot enumerate service principals
  • Read application roles assigned to a specific service principal, but cannot enumerate service principals
  • Read memberships for a specific service principal, but cannot enumerate service principals
  • Read OAuth 2.0 permission grants for specific service principal, but cannot enumerate service principals
  • Read objects owned by a specific service principal, but cannot enumerate service principals
  • Read owners of a specific service principal, but cannot enumerate service principals
  • Read policies of a specific service principal, but cannot enumerate service principals
  • Read standard properties of a specific service principal, but cannot enumerate service principals
  • Read basic guest profile properties of a specific user, but cannot enumerate users
  • Invite guest users

To yourself:

  • Read application role assignments for users
  • Update basic properties of authentication methods for users
  • Update authentication methods for users
  • Delete authentication methods for users
  • Read standard properties of authentication methods for users
  • Read standard properties of authentication methods that do not include personally identifiable information for users
  • Read deviceForResourceAccount of users
  • Read the direct reports for users
  • Read the "eligible member" of users
  • Read the user that invited an external user to a tenant
  • Read license details of users
  • Read manager of users
  • Read the group memberships of users
  • Read delegated permission grants on users
  • Read owned devices of users
  • Read owned objects of users
  • Reset passwords for all users
  • Read "users.pendingMemberOf" property
  • Read photo of users
  • Read registered devices of users
  • Read user's membership of a Microsoft Entra role, that is scoped to an administrative unit
  • Read sponsors of users
  • Read basic properties on users

What a restricted guest user can do

Let's modify the script again and set $roleName = 'Restricted Guest User', which gives the following permissions:

General:

  • Read the owners of a specific application, but cannot enumerate applications
  • Read policies of a specific application, but cannot enumerate applications
  • Read standard properties of a specific application, but cannot enumerate applications
  • Read basic properties on domains
  • Read basic organization profile information
  • Read app roles a specific instance of a service principal is assigned to, but cannot enumerate service principals
  • Read application roles assigned to a specific service principal, but cannot enumerate service principals
  • Read memberships for a specific service principal, but cannot enumerate service principals
  • Read OAuth 2.0 permission grants for specific service principal, but cannot enumerate service principals
  • Read objects owned by a specific service principal, but cannot enumerate service principals
  • Read owners of a specific service principal, but cannot enumerate service principals
  • Read policies of a specific service principal, but cannot enumerate service principals
  • Read standard properties of a specific service principal, but cannot enumerate service principals

To yourself:

  • Read application role assignments for users
  • Update basic properties of authentication methods for users
  • Update authentication methods for users
  • Delete authentication methods for users
  • Read standard properties of authentication methods for users
  • Read standard properties of authentication methods that do not include personally identifiable information for users
  • Read deviceForResourceAccount of users
  • Read the direct reports for users
  • Read the "eligible member" of users
  • Read the user that invited an external user to a tenant
  • Read license details of users
  • Read manager of users
  • Read the group memberships of users
  • Read delegated permission grants on users
  • Read owned devices of users
  • Read owned objects of users
  • Reset passwords for all users
  • Read "users.pendingMemberOf" property
  • Read photo of users
  • Read registered devices of users
  • Read user's membership of a Microsoft Entra role, that is scoped to an administrative unit
  • Read sponsors of users
  • Read basic properties on users

Summary

In this article, I showed you how to use the CLI for Microsoft 365 to read the role permissions for the User, Guest User, and Restricted Guest User roles.
