Microsoft Graph API Permissions – Lightning Tools


As described by Microsoft, Microsoft Graph is the gateway to data and intelligence in Microsoft 365, and it exposes the granular permissions that control the access apps have to users, groups, mail and other resources in the environment.

With the Microsoft Graph API, we have been able to add richer functionality to some of our tools. For example, DeliverPoint uses it to query user permissions granted via Active Directory Security Groups and Microsoft 365 Groups. The Lightning Conductor uses it to query Microsoft 365 content, including Users, Groups, OneDrive items and Planner Tasks.


Microsoft Graph API Access in the SharePoint Admin Center


The Microsoft Graph API Permissions

After an installation or update of our tools in your SharePoint App Catalog, it is recommended to approve the pending Microsoft Graph API permissions in the API Access page of the SharePoint admin center. Some of the permissions include:


Directory.Read.All: Read information from AD: list of users, AD groups, and members of AD groups. Necessary for reporting and also for retrieving data prior to starting permission management operations. This is a basic permission that should always be granted for DeliverPoint to function properly.

Directory.ReadWrite.All: Necessary for DeliverPoint operations that require modification of AD groups (i.e. adding/removing members to/from AD group).

Files.Read.All: Necessary for OneDrive reporting.

Files.ReadWrite.All: Necessary for operations related to OneDrive (i.e. deleting OneDrive permissions or sharing links).

Presence.Read.All, User.Read.All, Sites.Read.All, Mail.Read, People.Read.All: Necessary for full functionality of user avatars and profile cards.

(Files.Read.All is needed for OneDrive reporting – both the OneDrive Permissions and OneDrive Sharing Links reports. Files.ReadWrite.All is only needed if you want the option to remove OneDrive permissions or share links from within those reports.)
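As an added example (not Lightning Tools' code), the following Python compares the Graph scopes granted in a tenant with the scopes the list above ties to the features you intend to use, and flags write scopes that go beyond them. The feature labels and the sample grant data are constructed for this example; the input shape follows Microsoft Graph `oauth2PermissionGrant` objects, whose `scope` property is a space-separated string.

```python
import json

# Scope-to-feature mapping taken from the permission list above.
# The feature keys are labels made up for this example.
FEATURE_SCOPES = {
    "core": {"Directory.Read.All"},
    "ad_group_changes": {"Directory.ReadWrite.All"},
    "onedrive_reports": {"Files.Read.All"},
    "onedrive_removal": {"Files.ReadWrite.All"},
    "profile_cards": {"Presence.Read.All", "User.Read.All", "Sites.Read.All",
                      "Mail.Read", "People.Read.All"},
}

def required_scopes(features):
    """Union of scopes for the chosen features; 'core' is always included."""
    needed = set(FEATURE_SCOPES["core"])
    for name in features:
        needed |= FEATURE_SCOPES[name]
    return needed

def granted_scopes(grants_json):
    """Collect scopes from every grant; split() tolerates leading/extra spaces."""
    scopes = set()
    for grant in json.loads(grants_json).get("value", []):
        scopes.update(grant.get("scope", "").split())
    return scopes

def review(grants_json, features):
    """Report scopes still missing and scopes granted beyond the chosen features."""
    needed, granted = required_scopes(features), granted_scopes(grants_json)
    excess = granted - needed
    return {
        "missing": sorted(needed - granted),
        "excess": sorted(excess),
        "excess_write": sorted(s for s in excess if "ReadWrite" in s),
    }

# Constructed sample: two grants with placeholder IDs, not real tenant data.
SAMPLE_GRANTS = json.dumps({"value": [
    {"clientId": "00000000-0000-0000-0000-000000000001",
     "consentType": "AllPrincipals",
     "scope": "Directory.Read.All Files.Read.All Files.ReadWrite.All"},
    {"clientId": "00000000-0000-0000-0000-000000000001",
     "consentType": "AllPrincipals",
     "scope": " Directory.ReadWrite.All User.Read.All"},
]})

if __name__ == "__main__":
    print(review(SAMPLE_GRANTS, ["onedrive_reports"]))
```
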
