Principle of least privilege
As a best practice, Microsoft recommends following the principle of least privilege when requesting permissions for your app.
What are the least privileged permissions for reading information about users and updating user properties?
You may already know the User.Read, User.ReadWrite, User.Read.All, and User.ReadWrite.All permissions, but recently Microsoft introduced granular permissions that allow you to read and write specific user properties or perform specific operations on users.
Granular user permissions
The following table lists the Graph API permissions that allow you to read and write user properties or perform specific operations on users.
Permission | Description |
---|---|
User-ConvertToInternal.ReadWrite.All | Allows the app to convert an external user to an internal user via the beta/users/{id}/convertExternalToInternalMemberUser endpoint |
User-LifeCycleInfo.Read.All | Allows the app to read the employeeLeaveDateTime property |
User-LifeCycleInfo.ReadWrite.All | Allows the app to update the employeeLeaveDateTime property. Also requires the User.Read.All permission. |
User-Mail.ReadWrite.All | Allows the app to update the otherMails property |
User-PasswordProfile.ReadWrite.All | Allows the app to update the passwordProfile property |
User-Phone.ReadWrite.All | Allows the app to update the businessPhones and mobilePhone properties |
User.DeleteRestore.All | Allows the app to delete a user, restore a deleted user from the recycle bin, or permanently delete a deleted user from the recycle bin, and to retrieve deleted users via the /directory/deleteditems/microsoft.graph.user endpoint. |
User.EnableDisableAccount.All | Allows the app to update the accountEnabled property. Also requires the User.Read.All permission. |
User.Export.All | Allows the app to export an organizational user's data via the /users/{id}/exportPersonalData endpoint |
User.Invite.All | Allows the app to create a new invitation or reset the redemption status of a guest user via the /invitations endpoint |
User.ManageIdentities.All | Allows the app to update the identities property |
User.Read | Allows the app to read all properties of the signed-in user |
User.Read.All | Allows the app to read all properties of any user |
User.ReadBasic.All | Allows the app to read the displayName, givenName, id, mail, photo, securityIdentifier, surname and userPrincipalName properties |
User.ReadWrite | Allows the app to update all properties of the signed-in user |
User.ReadWrite.All | Allows the app to update all properties of any user and to delete users. |
User.RevokeSessions.All | Allows the app to invalidate all refresh tokens issued to applications for any user except guest users via the /users/{id}/revokeSignInSessions and /beta/users/{id}/invalidateAllRefreshTokens endpoints |
UserAuthenticationMethod.Read | Allows the app to read the authentication methods of the signed-in user |
UserAuthenticationMethod.Read.All | Allows the app to read the authentication methods of all users |
UserAuthenticationMethod.ReadWrite | Allows the app to update the authentication methods of the signed-in user |
UserAuthenticationMethod.ReadWrite.All | Allows the app to update the authentication methods of all users |
CustomSecAttributeAssignment.Read.All | Allows the app to read the customSecurityAttributes property. Also requires the User.Read.All permission. |
CustomSecAttributeAssignment.ReadWrite.All | Allows the app to update the customSecurityAttributes property. Also requires the User.Read.All permission. |
AuditLog.Read.All | Allows the app to read the signInActivity property. Also requires the User.Read.All permission. |
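As an added example (not part of the original post), the following Python script decodes the permission claims of a Graph access token and compares them with the least-privileged set for the operations an app actually performs, using a few rows of the table above, co-requisite User.Read.All included. The tokens are constructed, unsigned samples and the operation labels are this example's own; the script only reads the claims for an audit and does not verify the signature.

```python
import base64
import json

# Least-privileged permission sets for a few user operations, taken from the
# table above (rows marked as also requiring User.Read.All carry that co-requisite).
LEAST_PRIVILEGE = {
    "update accountEnabled": {"User.EnableDisableAccount.All", "User.Read.All"},
    "update employeeLeaveDateTime": {"User-LifeCycleInfo.ReadWrite.All", "User.Read.All"},
    "update passwordProfile": {"User-PasswordProfile.ReadWrite.All"},
    "update businessPhones": {"User-Phone.ReadWrite.All"},
    "read signInActivity": {"AuditLog.Read.All", "User.Read.All"},
}

def _b64url(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for offline testing only."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}.constructed"

def granted_permissions(token: str) -> set[str]:
    """Permissions carried in the token payload: delegated tokens use 'scp'
    (space-separated string), app-only tokens use 'roles' (list). The signature
    is NOT verified; this is an offline audit, not an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))

def audit(token: str, operations: list[str]) -> dict:
    """'missing': least-privileged permissions the token lacks; 'excess': anything
    granted beyond them (e.g. User.ReadWrite.All covers every write in the table
    but grants far more than these operations need)."""
    granted = granted_permissions(token)
    required = set().union(*(LEAST_PRIVILEGE[op] for op in operations))
    return {"required": required, "missing": required - granted, "excess": granted - required}

# Constructed samples: one app granted the broad write permission, one granted only
# the granular permissions needed to disable accounts and set leave dates.
BROAD_TOKEN = make_unsigned_token({"roles": ["User.ReadWrite.All"]})
GRANULAR_TOKEN = make_unsigned_token(
    {"roles": ["User.EnableDisableAccount.All", "User-LifeCycleInfo.ReadWrite.All", "User.Read.All"]}
)

if __name__ == "__main__":
    ops = ["update accountEnabled", "update employeeLeaveDateTime"]
    print("broad token:", audit(BROAD_TOKEN, ops))
    print("granular token:", audit(GRANULAR_TOKEN, ops))
```

Run against a real token, the 'excess' set is the list of permissions to remove from the app registration; a non-empty 'missing' set with User.ReadWrite.All in 'excess' is the typical over-privileged pattern.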
Conclusion
With granular permissions, you can grant your app only the permissions it needs to perform its tasks. This way, you can follow the principle of least privilege and reduce the risk of unauthorized access to your users' data.