Access for Microsoft Planner tasks is controlled by Group permissions. Shared permissions are currently only supported for work or school accounts. Even with Shared permissions, reads and writes may fail if the user who owns the shared content has not granted the accessing user permissions to modify content within the folder. These permissions are deprecated. Use the equivalent TeamsAppInstallation.
All permissions instead. For an app to read or write all agreements or agreement acceptances with delegated permissions, the signed-in user must be assigned the Global Administrator, Conditional Access Administrator or Security Administrator role.
To use the Universal Print service, the user or app's tenant must have an active Universal Print subscription in addition to the permissions listed earlier. Some permissions distinguish between print job metadata and payload. Metadata describes the configuration of a print job its name and document configuration, such as whether it should be stapled or printed in color. All PrintJob. All or a more prviliged permission because print jobs are stored within printers.
With the User. Read permission, an app can also read the basic company information of the signed-in user for a work or school account through the organization resource. The following properties are available: id, displayName, and verifiedDomains. For work or school accounts, the full profile includes all of the declared properties of the User resource.
On reads, only a limited number of properties are returned by default. The default properties are:. ReadWrite and User. All delegated permissions allow the app to update the following profile properties for work or school accounts:.
All application permission, the app can update all of the declared properties of work or school accounts except for password. All delegated or application permission, updating another user's businessPhones , mobilePhone or otherMails is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader and Reports Reader. To read or write direct reports directReports or the manager manager of a work or school account, the app must have either User.
All read only or User. The User. All permission constrains app access to a limited set of properties known as the basic profile. This is because the full profile might contain sensitive directory information. The basic profile includes only the following properties:.
To read the group memberships of a user memberOf , the app must have either Group. All or Group. However, if the user also has membership in a directoryRole or an administrativeUnit , the app will need effective permissions to read those resources too, or Microsoft Graph will return an error. This means the app will also need Directory permissions , and, for delegated permissions, the signed-in user will also need sufficient privileges in the organization to access directory roles and administrative units.
All delegated or application permission, it is possible to update the identities identities of a user. This includes federated or social identities or local identities with email or name-based sign-in names. The CreatedByApp constraint associated with this permission indicates the service will apply implicit filtering to results based on the identity of the calling app, either the MSA app id or a set of app ids configured for a cross-platform application identity.
User authentication method permissions are used to manage authentication methods on users. With these permissions, a delegated user or application can register new authentication methods on a user, read the authentication methods the user already has registered, update those authentication methods, and remove them from the user.
With these permissions, all authentication methods can be read and managed on a user. This includes methods used for:. For an app to read or write all Windows update deployment settings with delegated permissions, the signed-in user must be assigned the Global Administrator, Intune Administrator, or Windows Update Deployment Administrator role.
This section shows some common scenarios that target user and group resources in an organization. The tables show the permissions that an app needs to be able to perform specific operations required by the scenario.
Note that in some cases the ability of the app to perform specific operations will depend on whether a permission is an application or delegated permission.
In the case of delegated permissions, the app's effective permissions will also depend on the privileges of the signed-in user within the organization. For more information, see Delegated permissions, Application permissions, and effective permissions.
Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Contents Exit focus mode. Is this page helpful? Please rate your experience Yes No. Any additional feedback? Note As a best practice, request the least privileged permissions that your app needs in order to access data and function correctly. Caution Permissions that allow granting authorization, such as AppRoleAssignment.
Note Currently, these permissions are supported only in the beta version of Microsoft Graph. Note Before December 3rd, , when the application permission Device. Note Before December 3rd, , when the application permission Directory. Caution Permissions that allow granting authorization, such as RoleManagement. Note These permissions are deprecated. Submit and view feedback for This product This page. View all page feedback.
In this article. Allows the app to read access reviews on behalf of the signed-in user. Allows the app to read and write access reviews on behalf of the signed-in user. Allows the app to read and write access reviews of groups and apps on behalf of the signed-in user. Allows the app to manage access reviews of groups and apps without a signed-in user.
Allows the app to read administrative units and administrative unit membership on behalf of the signed-in user. Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. Allows the app to read administrative units and administrative unit membership without a signed-in user. Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user.
Allows the app to read the signed-in user's activity statistics, such as how much time the user has spent on emails, in meetings, or in chat sessions.
Allows the app to create, read, update, and delete apps in the app catalogs. Allows the user to submit and app for admin review for publication in an organization's app catalog and allows user to cancel past submissions that have not been published. Allows the app to read apps in the app catalogs without a signed-in user. Allows the app to create, read, update, and delete apps in the app catalogs without a signed-in user.
Allows the app to read applications and service principals on behalf of the signed-in user. Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. Allows the app to manage permission grants for application permissions to any API including Microsoft Graph and application assignments for any app, on behalf of the signed-in user.
Allows the app to manage delegated permission grants for any API including Microsoft Graph , on behalf of the signed-in user. Allows the app to read applications and service principals without a signed-in user. Allows the calling app to create, and manage read, update, update application secrets and delete applications and service principals without a signed-in user.
Does not allow management of consent grants or application assignments to users or groups. Allows the calling app to create other applications and service principals, and fully manage those applications and service principals read, update, update application secrets and delete , without a signed-in user.
It cannot update any applications that it is not an owner of. Allows the app to manage permission grants for application permissions to any API including Microsoft Graph and application assignments for any app, without a signed-in user. Allows the app to grant or revoke any delegated permission for any API including Microsoft Graph , without a signed-in user. Allows the app to read and query your audit log activities, on behalf of the signed-in user.
Allows the app to read and query your audit log activities, without a signed-in user. Allows an app to read the BitLocker key's properties for all devices in the tenant. The recovery key is not returned. Allows an app to read the BitLocker keys for all devices in the tenant. The recovery key is returned. Allows an app to read Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Intended for read-only applications. Typical target user is the customer of a booking business.
Allows an app to read and write Bookings appointments and customers, and additionally allows reading businesses, services, and staff on behalf of the signed-in user. Intended for scheduling applications which need to manipulate appointments and customers. Cannot change fundamental information about the booking business, nor its services and staff members. Allows an app to read and write Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user.
Does not allow create, delete, or publish of Bookings businesses. Intended for management applications that manipulate existing businesses, their services and staff members. Cannot create, delete, or change the publishing status of a booking business. Typical target user is the support staff of an organization.
Allows an app to read, write, and manage Bookings appointments, businesses, customers, services, and staff on behalf of the signed-in user. Allows the app to have full access. Intended for a full management experience. Typical target user is the administrator of an organization.
Allows the app to read events in all calendars that the user can access, including delegate and shared calendars. Allows the app to create, read, update, and delete events in user calendars. Allows the app to create, read, update and delete events in all calendars the user has permissions to access. This includes delegate and shared calendars. Allows the app to read events of all calendars without a signed-in user. Allows the app to create, read, update, and delete events of all calendars without a signed-in user.
Allows the app to place outbound calls to multiple users and add participants to meetings in your organization, without a signed-in user. Allows the app to join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined with the privileges of a directory user to meetings in your tenant.
Allows the app to anonymously join group calls and scheduled meetings in your organization, without a signed-in user. The app will be joined as a guest to meetings in your tenant. Allows the app to get direct access to media streams in a call, without a signed-in user. Allows the app to read call records for all calls and online meetings without a signed-in user. Allows the app to read all PSTN and direct routing call log data without a signed-in user.
Read channel names and channel descriptions, on behalf of the signed-in user. Read all channel names and channel descriptions, without a signed-in user. Add and remove members from channels, on behalf of the signed-in user. Also allows changing a member's role, for example from owner to non-owner.
Add and remove members from all channels, without a signed-in user. Allows an app to delete channel messages in Microsoft Teams, on behalf of the signed-in user. Allows an app to edit channel messages in Microsoft Teams, on behalf of the signed-in user. Allows an app to read a channel's messages in Microsoft Teams, on behalf of the signed-in user.
Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user. Allows the app to read all channel messages in Microsoft Teams, without a signed-in user. Read all channel names, channel descriptions, and channel settings, on behalf of the signed-in user.
Read and write the names, descriptions, and settings of all channels, on behalf of the signed-in user. Read all channel names, channel descriptions, and channel settings, without a signed-in user. Read and write the names, descriptions, and settings of all channels, without a signed-in user.
Allows an app to read your or group chat messages in Microsoft Teams, on your behalf. Allows an app to read the members and descriptions of and group chats threads, on behalf of the signed-in user. Allows an app to read and send your or group chat messages in Microsoft Teams, on your behalf.
Allows the app to read all or group chat messages in Microsoft Teams, without a signed-in user. Allows the app to read this chat's settings, without a signed-in user. Allows the app to read and write this chat's settings, without a signed-in user. Allows the app to read this chat's messages, without a signed-in user.
Allows the app to manage the chat, the chat's members, and grant access to the chat's data, without a signed-in user. Allows the app to read the Teams apps that are installed in this chat along with the permissions granted to each app, without a signed-in user.
Allows the app to read basic properties—such as name, schedule, organizer, and join link—of a meeting associated with this chat, without a signed-in user. Allows the app to access media streams in calls associated with this chat or meeting, without a signed-in user.
Allows the app to join calls associated with this chat or meeting, without a signed-in user. Allows the app to create new notifications in the teamwork activity feeds of the users in this chat, without a signed-in user. Allows an app to send and group chat messages in Microsoft Teams, on behalf of the signed-in user. Allows the app to read Cloud PC objects such as provisioning policies, on behalf of the signed-in user. Allows the app to create, read, update, and delete Cloud PC objects such as on-premises connections, provisioning policies, and device images, on behalf of the user.
Allows the app to read Cloud PC objects such as provisioning policies, without a signed-in user. Allows the app to create, read, update, and delete Cloud PC objects such as on-premises connections, provisioning policies, and device images, without a signed-in user.
Allows the app to read consent requests and approvals on behalf of the signed-in user. Allows the app to read app consent requests and approvals, and deny or approve those requests on behalf of the signed-in user. Allows the app to read app consent requests and approvals without a signed-in user. Allows the app to read app consent requests and approvals, and deny or approve those requests without a signed-in user.
Allows the app to read contacts that the user has permissions to access, including the user's own and shared contacts. Allows the app to create, read, update and delete contacts that the user has permissions to, including the user's own and shared contacts.
Allows the app to read all contacts in all mailboxes without a signed-in user. Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. Allows the app to read and write custom security attribute assignments for all principals in the tenant on behalf of a signed in user. Allows the app to read and write custom security attribute definitions for the tenant on behalf of a signed in user.
Allows the app to read and write custom security attribute assignments for all principals in the tenant without a signed in user. Allows the app to read and write custom security attribute definitions for the tenant without a signed in user. Allows the app to read a user's list of devices on behalf of the signed-in user. Allows the app to read your organization's devices' configuration information on behalf of the signed-in user.
Allows the app to launch another app or communicate with another app on a user's device on behalf of the signed-in user. Allows the app to read your organization's devices' configuration information without a signed-in user. Allows the app to read and write all device properties without a signed in user.
Does not allow device creation, device deletion, or update of device alternative security identifiers. Allows the app to read data in your organization's directory, such as users, groups and apps. Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords.
Allows the app to have the same access to information in the directory as the signed-in user. Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user.
Does not allow user or group deletion. Allows the app to read all domain properties on behalf of the signed-in user. Allows the app to read and write all domain properties on behalf of the signed-in user. Also allows the app to add, verify, and remove domains. Allows the app to read all domain properties without a signed-in user. Allows the app to read eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user.
Allows the app to read and write eDiscovery objects such as cases, custodians, review sets and other related objects on behalf of the signed-in user. Allows the app to manage education app settings on behalf of the user. Allows the app to read assignments without grades on behalf of the user. Allows the app to read and write assignments without grades on behalf of the user. Allows the app to read assignments and their grades on behalf of the user.
Allows the app to read and write assignments and their grades on behalf of the user. Allows the app to read a limited subset of the properties from the structure of schools and classes in an organization's roster and a limited subset of properties about users to be read on behalf of the user. Includes name, status, education role, email address and photo. Allows the app to read the structure of schools and classes in an organization's roster and education-specific information about users to be read on behalf of the user.
Allows the app to read and write the structure of schools and classes in an organization's roster and education-specific information about users to be read and written on behalf of the user. Read the state and settings of all Microsoft education apps on behalf of the user. Manage the state and settings of all Microsoft education apps on behalf of the user. Allows the app to read and write assignments without grades for all users.
Allows the app to read and write assignments and their grades for all users. Allows the app to read a limited subset of both the structure of schools and classes in an organization's roster and education-specific information about all users. Allows the app to read the structure of schools and classes in the organization's roster and education-specific information about all users to be read.
Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific information about all users to be read and written.
Allows the app to request access to read and manage access packages and related entitlement management resources on behalf of the signed-in user. Allows the app to request access to read access packages and related entitlement management resources on behalf of the signed-in user. Allows the app to read and manage access packages and related entitlement management resources. Allows the app to read access packages and related entitlement management resources. Allows the app to read, create, update, and delete the signed-in user's files.
Allows the app to read, create, update, and delete all files the signed-in user can access. Preview Allows the app to read, create, update, and delete files in the application's folder. Limited support in Microsoft Graph; see Remarks Preview Allows the app to read files that the user selects.
The app has access for several hours after the user selects a file. Limited support in Microsoft Graph; see Remarks Preview Allows the app to read and write files that the user selects.
Allows the app to read all files in all site collections without a signed in user. Allows the app to read, create, update, and delete all files in all site collections without a signed in user. Allows the app to read and write financials data on behalf of the signed-in user. Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access.
Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Also allows the app to read and write calendar, conversations, files, and other group content for all groups the signed-in user can access. Additionally allows group owners to manage their groups and allows group members to update group content.
Allows the app to list groups, read basic group properties and read membership of all groups the signed-in user has access to. Allows the app to list groups, read basic properties, read and update the membership of the groups the signed-in user has access to.
Group properties and owners cannot be updated and groups cannot be deleted. Allows the app to read basic unified group properties, memberships, and owners of the group the signed-in guest is a member of. Allows the app to read memberships for all groups without a signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups.
Note: Not all group APIs support access using app-only permissions. See known issues for examples. Allows the app to create groups, read and update group memberships, and delete groups. Also allows the app to read and write calendar, conversations, files, and other group content for all groups. All of these operations can be performed by the app without a signed-in user. Note: This permission is exposed in the Azure portal for a feature that is not available for general use.
Do not use this permission as it is subject to change. Allows the app to read memberships and basic group properties for all groups without a signed-in user. Allows the app to list groups, read basic properties, read and update the membership of the groups without a signed-in user. Allows the calling app to create groups without a signed-in user. Does not allow read, update, or deletion of any groups. Allows the app to read identity risk event information for all users in your organization on behalf of the signed-in user.
Allows the app to read identity user risk information for all users in your organization on behalf of the signed-in user. Allows the app to read and update identity user risk information for all users in your organization on behalf of the signed-in user. Allows the app to read identity risk event information for all users in your organization without a signed-in user. Allows the app to read identity user risk information for all users in your organization without a signed-in user.
Allows the app to read and update identity user risk information for all users in your organization without a signed-in user. I'm trying to find a solution for a view-only calendar to put on our Intranet, so that people can check what company events or related events are happening in their near future. We have Exchange Server and we host all our internet and intranet servers in house.
Can I just use the URL method? I don't think they're going to go for a lot of work. I tried to work with a JS calendar, but none of them do what I need. I have several desktops that i use and would like to have google calendar as my main calendar. I have a blackberry Z10 which is connected to my corporate notes server yes And I also have a google account that I would like to be able to do the following: Use my blackberry to add a calendar appointment or schedule a meeting with someone from my GMAIL account and have it sync with my outlook calendars on my desktops.
Also I would like to be able to use any of my desktops using Outlook and to connect to my gmail and calendar to sync with my outlook calendar and be able to schedule and add calendar appointments that will show up in my google calendar. I know this is a tall order, but there are sometimes when I can not carry my blackberry in to a customers location and I am just given a desktop to use with internet access.
It would greatly help me schedule my time if I could do this. Any help is greatly appreciated!!! Many thanks in advance for your help! I think the best option for this is CompanionLink it can sync outlook to google - then the BB syncs with google directly. I forgot my password and it is constantly prompting me. What can I do to find out my password? My other option is to stop publishing my calendar since I don't really use that feature as I thought I might.
I'm not sure how to do either of these things. I saw that after I go to Tools and Accounts I can get to published calendar and I can choose to remove it but I want to make sure that won't mess anything else up. Can you help? Removing it won't message anything up. The password is your Microsoft account formerly LiveID account password. Schedule Management. Calendar Printing Tools. Calendar Reminder Tools. Time and Billing Tools. Meeting Productivity Tools. Duplicate Remover Tools. Sending and Retrieval Tools.
Mass Mail Tools. Compose Tools. Calendars can also be viewed with either a public or private password protected web site address, which is included with our iCal WebDAV Hosting accounts. Step 1 Open Outlook and click the Calendar tab towards the bottom in the left column.
Step 2 If you don't have an existing calendar that you intend to publish, create a new calendar. Step 4 For the location, copy the Publish to address found in your setup letter. Note that each account includes a Private passowrd-protected address and a Public non-protected address.
Do NOT include the file name. The address should end as shown in the example. Step 5 Click Advanced and uncheck the Update Frequency which will be checked by default. Automatic Uploads should be selected. Step 6 You will be prompted for the username and password. Use the information provided in the set up letter.
If you are using Windows Active Directory there will be a Domain visible under the password, and you will need to put a backslash in front of the username.
0コメント