Permissions required for configuring Azure AD

AccessReview

AccessReview.ReadWrite.All

Manage all access reviews that user can access

AdministrativeUnit

AdministrativeUnit.ReadWrite.All

Read and write all administrative units

Application

Application.ReadWrite.All

Read and write all applications

AppRoleAssignment

AppRoleAssignment.ReadWrite.All

Manage app permission grants and app role assignments

AuditLog

AuditLog.Read.All

Read all audit log data

CustomSecAttributeAssignment

CustomSecAttributeAssignment.ReadWrite.All

Read and write custom security attribute assignments

DelegatedPermissionGrant

DelegatedPermissionGrant.ReadWrite.All

Manage all delegated permission grants

DeviceManagementConfiguration

DeviceManagementConfiguration.ReadWrite.All

Read and write Microsoft Intune Device Configuration and Policies

DeviceManagementScripts

DeviceManagementScripts.ReadWrite.All

Read and write Microsoft Intune Scripts

Directory

Directory.ReadWrite.All

Read and write directory data

Domain

Domain.ReadWrite.All

Read and write domains

Group

Group.ReadWrite.All

Read and write all groups

Policy

Policy.Read.All

Read your organization's policies

Policy

Policy.ReadWrite.ConditionalAccess

Read and write your organization's conditional access policies

PrivilegedAssignmentSchedule

PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup

Read, create, and delete assignment schedules for access to Azure AD groups

PrivilegedEligibilitySchedule

PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup

Read, create, and delete eligibility schedules for access to Azure AD groups

Reports

Reports.Read.All

Read all usage reports

RoleAssignmentSchedule

RoleAssignmentSchedule.ReadWrite.Directory

Read, update, and delete all policies for privileged role assignments of your company's directory

RoleManagement

RoleManagement.ReadWrite.Directory

Read and write all directory RBAC settings

User

User-Mail.ReadWrite.All

Read and write all secondary mail addresses for users

User

User-Phone.ReadWrite.All

Read and write all user mobile phone and business phones

User

User.DeleteRestore.All

Delete and restore all users

User

User.ReadWrite.All

Read and write all users' full profiles

UserAuthenticationMethod

UserAuthenticationMethod.ReadWrite.All

Read and write all users' authentication methods

Directory

Directory.AccessAsUser.All

Access directory as the signed in user

RoleEligibilitySchedule

RoleEligibilitySchedule.ReadWrite.Directory

Read, update, and delete all eligible role assignments and schedules in your company's directory

AccessReview

AccessReview.Read.All

Read all access reviews that user can access

AdministrativeUnit

AdministrativeUnit.Read.All

Read all administrative units

Application

Application.Read.All

Read all applications

AppRoleAssignment

AppRoleAssignment.ReadWrite.All

Read app permission grants and app role assignments

AuditLog

AuditLog.Read.All

Read all audit log data

CustomSecAttributeAssignment

CustomSecAttributeAssignment.Read.All

Read custom security attribute assignments

DelegatedPermissionGrant

DelegatedPermissionGrant.Read.All

Read all delegated permission grants

DeviceManagementConfiguration

DeviceManagementConfiguration.Read.All

Read Microsoft Intune Device Configuration and Policies

DeviceManagementScripts

DeviceManagementScripts.Read.All

Read Microsoft Intune Scripts

Directory

Directory.Read.All

Read directory data

Domain

Domain.Read.All

Read domains

Group

Group.Read.All

Read all groups

Policy

Policy.Read.All

Read your organization's policies

Policy

Policy.Read.ConditionalAccess

Read your organization's conditional access policies

PrivilegedAssignmentSchedule

PrivilegedAssignmentSchedule.Read.AzureADGroup

Read assignment schedules for access to Azure AD groups

PrivilegedEligibilitySchedule

PrivilegedEligibilitySchedule.Read.AzureADGroup

Read eligibility schedules for access to Azure AD groups

RoleAssignmentSchedule

RoleAssignmentSchedule.Read.Directory

Read all policies for privileged role assignments of your company's directory

RoleManagement

RoleManagement.Read.Directory

Read all directory RBAC settings

User

User-Mail.ReadWrite.All

Read and write all secondary mail addresses for users

User

User-Phone.ReadWrite.All

Read and write all user mobile phone and business phones

User

User.Read.All

Read all users' full profiles

UserAuthenticationMethod

UserAuthenticationMethod.Read.All

Read all users' authentication methods