Home > Get Started > Required Permissions
Export to PDFRequired Permissions
Refer to the API permissions listed below to add the API permissions to your custom app in Azure Active Directory.
Some API methods in Microsoft Graph are under the beta version. The features we leverage are fully tested, but Microsoft may make changes in the future that will affect the related rules using beta version APIs. Until the beta version APIs are upgraded, we recommend reviewing the results of corresponding rules to confirm expectations. For more information on Microsoft Graph API methods under the beta version we are using, refer to Appendix D - Beta Version API in Use.
| API | Permission | Type | Why do we need it? |
|---|---|---|---|
| Microsoft Graph | User.ReadWrite.All (Read and write all users’ full profiles) | Application | Retrieve Microsoft 365 user basic information and user license information and change/unassign user licenses. |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve Microsoft 365 user basic information and user license information. |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Retrieve user activity time in the following Microsoft 365 apps: Teams, Viva Engage, SharePoint, Exchange, OneDrive, and Skype for Business. |
| Microsoft Graph | CallRecords.Read.All (Read all call records) | Application | Retrieve detailed PSTN calling activities and costs. |
| Microsoft Graph | AuditLog.Read.All (Read all audit log data) | Application | Retrieve users’ last sign-in time to determine if they are inactive users. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Retrieve and manage groups’ license assignment. |
| Microsoft Graph | UserAuthenticationMethod.Read.All (Read all users' authentication methods) | Application | Retrieve users’ MFA settings. |
| Microsoft Graph | Policy.Read.All (Read your organization's policies) | Application | Retrieve users’ MFA statuses. |
| Microsoft Graph | IdentityRiskyUser.Read.All (Read all identity risky user information) | Application | Access and evaluate license usage and activities for holders of the Microsoft Entra ID P2 licenses. |
| Microsoft Graph | Files.ReadWrite.All (Read and write files in all site collections) | Application | Export license reports to OneDrive |
| SharePoint | Sites.ReadWrite.All (Read and write items in all site collections) | Application | Export license reports to SharePoint libraries. |
To include user properties related to mailbox usage in the exported license reports, such as mailbox size and mailbox archive status, you need to Manage Service Account Profiles in AvePoint Online Services and add a Microsoft 365 account with the Global Administrator role in the profile.