Refer to the table below for detailed API permissions and EnPower features that require them.
Note the following:
For detailed steps, refer to the Assign Administrator Roles to the App section in Create App Profile.
| EnPower feature | Permission | API | Type |
|---|---|---|---|
| Restore deleted users | User.DeleteRestore.All (Delete and restore all users) | Microsoft Graph | Application |
| Manage users’ and Groups’ administrative units | AdministrativeUnit.ReadWrite.All (Read and write all administrative units.) | Microsoft Graph | Application |
| View the user sign-in report | AuditLog.Read.All (Read all audit log data) | Microsoft Graph | Application |
| View Teams PSTN and SMS report | CallRecords.Read.All (Read all call records) | Microsoft Graph | Application |
| Create Teams channels | Channel.Create (Create channels) | Microsoft Graph | Application |
| Delete Teams channels | Channel.Delete.All (Delete channels) | Microsoft Graph | Application |
| View Teams channels | Channel.ReadBasic.All (Read the names and descriptions of all channels) | Microsoft Graph | Application |
| Manage Teams channels’ settings | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Microsoft Graph | Application |
| Create Groups | Group.Create (Create Groups) | Microsoft Graph | Application |
| View and manage Groups’ information and settings | Group.ReadWrite.All (Read and write all groups) | Microsoft Graph | Application |
| Delete, permanently delete, and restore Groups | Group.ReadWrite.All (Read and write all groups) | Microsoft Graph | Application |
| Create Group team sites | Group.ReadWrite.All (Read and write all groups) | Microsoft Graph | Application |
| Manage Group members | GroupMember.ReadWrite.All (Read and write all group memberships) | Microsoft Graph | Application |
| Send emails to the created users | Mail.Send (Send mail as any user) | Microsoft Graph | Application |
| View usage-related report charts on Dashboards | Reports.Read.All (Read all usage reports) | Microsoft Graph | Application |
| Manage users’ or Groups’ roles | RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings) | Microsoft Graph | Application |
| Scan OneDrive in your organization by the Auto Discovery scan profile to EnPower for management | Sites.ReadWrite.All (Read and write items in all site collections) | Microsoft Graph | Application |
| Create Teams | Team.Create (Create Teams) | Microsoft Graph | Application |
| View and manage Teams’ information | Team.ReadBasic.All (Get a list of all Teams) | Microsoft Graph | Application |
| View and manage Team members | TeamMember.ReadWrite.All (Add and remove members from all Teams) | Microsoft Graph | Application |
| View and manage Teams’ settings | TeamSettings.ReadWrite.All (Read and change all Teams' settings) | Microsoft Graph | Application |
| Archive Teams and update the associated SharePoint Online site to read-only status for Team members | TeamSettings.ReadWrite.All (Read and change all Teams' settings) | Microsoft Graph | Application |
| Create Teams | Teamwork.Migrate.All (Create chat and channel messages with anyone's identity and with any timestamp) | Microsoft Graph | Application |
| Invite guest users | User.Invite.All (Invite guest users to the organization) | Microsoft Graph | Application |
| View user details | User.ReadWrite.All (Read and write all users' full profiles) | Microsoft Graph | Application |
| Block user sign-in | User.ReadWrite.All (Read and write all users' full profiles) | Microsoft Graph | Application |
| Update user profile and phone numbers | User.ReadWrite.All (Read and write all users' full profiles) | Microsoft Graph | Application |
| Reset user password | User.ReadWrite.All (Read and write all users' full profiles) | Microsoft Graph | Application |
| Delete, permanently delete, and restore deleted users | User.ReadWrite.All (Read and write all users' full profiles) | Microsoft Graph | Application |
| View user licenses | Organization.Read.All (Read organization information) | Microsoft Graph | Application |
| Apply sensitivity labels to SharePoint Online sites | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Microsoft Graph | Application |
| Display names of users, Groups, and sites in reports | ReportSettings.Read.All (Read all admin report settings) | Microsoft Graph | Application |
| Retrieve users’ sign-in logs | Directory.ReadWrite.All (Read and write directory data) | Microsoft Graph | Application |
| Update users’ MFA settings | UserAuthenticationMethod.ReadWrite.All (Read and write all users' authentication methods) | Microsoft Graph | Application |
| Update users’ MFA settings | Policy.ReadWrite.AuthenticationMethod (Read and write all authentication method policies) | Microsoft Graph | Application |
| Assign sensitivity label to Groups and archive Teams | Group.ReadWrite.All (Read and write all groups) | Microsoft Graph | Delegated |
| Manage Teams policies | User.Read.All (Read all users’ full profiles) | Microsoft Graph | Delegated |
| Manage Teams policies | user_impersonation (Access Microsoft Teams data as the signed in user) | Skype and Teams Tenant Admin API | Delegated |
| Scan your OneDrive by the Auto Discovery scan profile to EnPower for management | User.ReadWrite.All (Read and write user profiles) | SharePoint | Application |
| Scan your SharePoint Online sites by the Auto Discovery scan profile to EnPower for management | Sites.FullControl.All (Have full control of all site collections) | SharePoint | Application |
| Scan your mailboxes by the Auto Discovery scan profile to EnPower for management | Exchange.ManageAsApp (Manage Exchange as application). *Note: The app must have the Exchange Administrator role, or you need to assign custom Exchange Online role groups to the app. For how to assign roles or Exchange Online role groups to the app, refer to the instructions in "How to Assign the Exchange Administrator Role to an App?" | Office 365 Exchange Online | Application |
| Apply sensitivity labels | Content.DelegatedReader (Read protected content on behalf of a user) | Azure Rights Management Services | Application |
| Apply sensitivity labels | Content.DelegatedWriter (Create protected content on behalf of a user) | Azure Rights Management Services | Application |
| Apply sensitivity labels | Content.SuperUser (Read all protected content for this tenant) | Azure Rights Management Services | Application |
| Apply sensitivity labels | Content.Writer (Create protected content) | Azure Rights Management Services | Application |
| Apply sensitivity labels | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Microsoft Information Protection Sync Service | Application |
| Start dynamic workflows triggered by events or activity-related conditions | ActivityFeed.Read | - | - |
| Customize the email sender in AvePoint Online Services | Mail.Send (Send mail as any user). *Note: This permission is not contained in the EnPower service app. To customize the email sender, you need to configure a custom app with this permission added. | Microsoft Graph | Application |