Home > Get Started > Required Permissions
Export to PDFRequired Permissions
Refer to the API permissions listed below to add the API permissions to your custom app in Azure Active Directory.
*Note: Some API methods in Microsoft Graph are under the beta version. The features we leverage are fully tested, but Microsoft may make changes in the future that will affect the related rules using beta version APIs. Until the beta version APIs are upgraded, we recommend reviewing the results of corresponding rules to confirm expectations. For more information on Microsoft Graph API methods under the beta version we are using, refer to Appendix D - Beta Version API in Use.
| API | Permission | Type | Why do we need it? |
|---|---|---|---|
| Microsoft Graph | User.ReadWrite.All(Read and write all users’ full profiles) | Application | Retrieve Microsoft 365 user basic information and user license information and change/unassign user licenses. |
| Microsoft Graph | Directory.Read.All(Read directory data) | Application | Retrieve Microsoft 365 user basic information and user license information. |
| Microsoft Graph | Reports.Read.All(Read all usage reports) | Application | Retrieve user activity time in the following Microsoft 365 apps: Teams, Viva Engage, SharePoint, Exchange, OneDrive, and Skype for Business. |
| Microsoft Graph | CallRecords.Read.All(Read all call records) | Application | Retrieve detailed PSTN calling activities and costs. |
| Microsoft Graph | AuditLog.Read.All(Read all audit log data) | Application | Retrieve users’ last sign-in time to determine if they are inactive users. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Application | Retrieve and manage groups’ license assignment. |
| Microsoft Graph | UserAuthenticationMethod.Read.All(Read all users' authentication methods) | Application | Retrieve users’ MFA settings. |
| Microsoft Graph | Policy.Read.All(Read your organization's policies) | Application | Retrieve users’ MFA statuses. |
| SharePoint | Sites.ReadWrite.All(Read and write items in all site collections) | Application | Export license reports to SharePoint libraries. |
| SharePoint | Files.ReadWrite.All(Read and write files in all site collections) | Application | Export license reports to OneDrive |
To include user properties related to mailbox usage in the exported license reports, such as mailbox size and mailbox archive status, you need to in AvePoint Online Services and add a Microsoft 365 account with the Global Administrator role in the profile.