Sunday, April 19, 2026
SharePoint

Graph API Permissions Reference

Find the correct Microsoft Graph API permission scopes for SharePoint and M365 operations.

Microsoft Graph API Permission Scopes — How to Use

When registering an Azure Active Directory (Entra ID) application for SharePoint or Microsoft 365 integration, selecting the correct Microsoft Graph permission scopes is critical for both security and functionality. Requesting too many permissions can fail an admin consent review; requesting too few causes API calls to fail with 403 Forbidden errors.

This reference covers delegated permissions (act on behalf of a signed-in user) and application permissions (daemon/service background access without a user). Application permissions for sensitive resources like Mail and Groups always require admin consent.

Delegated vs Application Permissions

  • Delegated — The app acts on behalf of a signed-in user. The effective permissions are the intersection of the permission scope and the user's own permissions. Used in interactive web apps and SPAs.
  • Application — The app acts as itself, not as a user. Suitable for background services, Azure Functions, and Microsoft 365 workflows. These permissions always require admin consent.

Least Privilege Principle

Always request the minimum permission necessary. For read-only dashboards use Sites.Read.All rather than Sites.ReadWrite.All. For user profile lookups prefer User.Read (the signed-in user only) over User.ReadBasic.All or User.Read.All. This tool highlights the recommended least-privilege scope for each operation.
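As an added example (not this tool's or Microsoft's code), the check below audits the space-separated OAuth `scope` value an app requests against a small constructed least-privilege table built from the scopes named above. It flags scopes broader than the operation needs and operations that no requested scope covers, which is the 403 Forbidden case.

```python
"""Check an app's requested Microsoft Graph scopes against a least-privilege
table. Added example code, not Microsoft's or this tool's; the table is a
constructed subset covering only the scopes discussed on this page."""

# Constructed reference. For each operation the first entry is the
# least-privilege scope; later entries are broader scopes that also work.
LEAST_PRIVILEGE = {
    "read-only site dashboard": ["Sites.Read.All", "Sites.ReadWrite.All"],
    "signed-in user profile": ["User.Read", "User.ReadBasic.All", "User.Read.All"],
}


def parse_scope_param(scope_param: str) -> list:
    """Split the space-separated OAuth 'scope' value into individual scopes."""
    return [s for s in scope_param.split() if s]


def audit(scope_param: str, operations: list) -> dict:
    """Return over-broad and missing scopes for the operations the app performs.

    'overbroad': (operation, requested scope, least-privilege alternative)
    'missing':   operations none of the requested scopes covers; Graph calls
                 for them would fail with 403 Forbidden.
    """
    requested = set(parse_scope_param(scope_param))
    overbroad, missing = [], []
    for op in operations:
        ladder = LEAST_PRIVILEGE[op]
        minimal = ladder[0]
        if not requested.intersection(ladder):
            missing.append(op)
        for scope in ladder[1:]:  # ladder order keeps the output stable
            if scope in requested:
                overbroad.append((op, scope, minimal))
    return {"overbroad": overbroad, "missing": missing}


if __name__ == "__main__":
    # Constructed scope string as it would appear in an authorization request.
    report = audit("openid User.Read Sites.ReadWrite.All",
                   ["read-only site dashboard", "signed-in user profile"])
    for op, scope, minimal in report["overbroad"]:
        print(f"{op}: requested {scope}, {minimal} is sufficient")
    for op in report["missing"]:
        print(f"{op}: no covering scope requested, calls will return 403")
```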