Azure Consent and Permissions
Configuring these levels is a core security control in Microsoft Entra ID that categorizes application permissions based on risk, dictating whether regular users can independently grant apps access to their data or if IT administrator approval is required to prevent malicious data leaks.
Classification
- Low - These permissions allow an application to securely sign a user in and read their basic profile information (like name and email) without posing a risk to sensitive company data.
- Medium - These permissions grant read-only access to personal user data, such as calendars or contacts, representing a moderate risk that doesn't expose broad organizational assets.
- High - These permissions provide extensive access to sensitive company resources—such as reading emails, modifying files, or viewing the entire corporate directory—and should always require strict administrator review.
Recomended Assignment
-
Low
API Permission Description Microsoft Graph offline_access Maintain access to data you have given it access to Microsoft Graph email View users' email address Microsoft Graph User.Read Sign in and read user profile Microsoft Graph profile View users' basic profile Microsoft Graph openid Sign users in -
Medium
API Permission Description Microsoft Graph Calendars.Read Read user calendars Microsoft Graph User.ReadBasic.All Read all users' basic profiles Microsoft Graph Contacts.Read Read user contacts Microsoft Graph Tasks.Read Read user's tasks and task lists -
High
API Permission Description Microsoft Graph Mail.Send Send mail as a user Microsoft Graph Files.Read.All Read all files that user can access Microsoft Graph Files.ReadWrite.All Have full access to all files user can access Microsoft Graph Mail.ReadWrite Read and write access to user mail Microsoft Graph Mail.Read Read user mail