[
{
"AppId": "aeb86249-8ea3-49e2-900b-54cc8e308f85",
"DisplayName": "M365 License Manager",
"DelegatedPermissions": [
{
"Id": "fc946a4f-bc4d-413b-a090-b2c86113ec4f",
"Name": "LicenseManager.AccessAsUser",
"Description": "Allows the application to impersonate the signed-in user when communicating with the M365 License Manager service."
}
],
"ApplicationPermissions": []
},
{
"AppId": "00000003-0000-0000-c000-000000000000",
"DisplayName": "Microsoft Graph",
"DelegatedPermissions": [
{
"Id": "bdfbf15f-ee85-4955-8675-146e8e5296b5",
"Name": "Application.ReadWrite.All",
"Description": "Allows the app to create, read, update and delete applications and service principals on your behalf. Does not allow management of consent grants."
},
{
"Id": "84bccea3-f856-4a8a-967b-dbe0a3d53a64",
"Name": "AppRoleAssignment.ReadWrite.All",
"Description": "Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on your behalf."
},
{
"Id": "e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20",
"Name": "AuditLog.Read.All",
"Description": "Allows the app to read and query your audit log activities, on your behalf."
},
{
"Id": "b27a61ec-b99c-4d6a-b126-c4375d08ae30",
"Name": "BitlockerKey.Read.All",
"Description": "Allows the app to read BitLocker keys for your owned devices. Allows read of the recovery key."
},
{
"Id": "101147cf-4178-4455-9d58-02b5c164e759",
"Name": "Channel.Create",
"Description": "Create channels in any team, on your behalf."
},
{
"Id": "cc83893a-e232-4723-b5af-bd0b01bcfe65",
"Name": "Channel.Delete.All",
"Description": "Delete channels in any team, on your behalf."
},
{
"Id": "9d8982ae-4365-4f57-95e9-d6032a4c0b87",
"Name": "Channel.ReadBasic.All",
"Description": "Read channel names and channel descriptions, on your behalf."
},
{
"Id": "2eadaff8-0bce-4198-a6b9-2cfc35a30075",
"Name": "ChannelMember.Read.All",
"Description": "Read the members of channels, on your behalf."
},
{
"Id": "0c3e411a-ce45-4cd1-8f30-f99a3efa7b11",
"Name": "ChannelMember.ReadWrite.All",
"Description": "Add and remove members from channels, on your behalf. Also allows changing a member's role, for example from owner to non-owner."
},
{
"Id": "2b61aa8a-6d36-4b2f-ac7b-f29867937c53",
"Name": "ChannelMessage.Edit",
"Description": "Allows the app to edit channel messages in Microsoft Teams, on your behalf."
},
{
"Id": "767156cb-16ae-4d10-8f8b-41b657c8c8c8",
"Name": "ChannelMessage.Read.All",
"Description": "Allows the app to read a channel's messages in Microsoft Teams, on your behalf."
},
{
"Id": "ebf0f66e-9fb1-49e4-a278-222f76911cf4",
"Name": "ChannelMessage.Send",
"Description": "Allows the app to send channel messages in Microsoft Teams, on your behalf."
},
{
"Id": "233e0cf1-dd62-48bc-b65b-b38fe87fcf8e",
"Name": "ChannelSettings.Read.All",
"Description": "Read all channel names, channel descriptions, and channel settings, on your behalf."
},
{
"Id": "d649fb7c-72b4-4eec-b2b4-b15acf79e378",
"Name": "ChannelSettings.ReadWrite.All",
"Description": "Read and write the names, descriptions, and settings of all channels, on your behalf."
},
{
"Id": "f3bfad56-966e-4590-a536-82ecf548ac1e",
"Name": "ConsentRequest.Read.All",
"Description": "Allows the app to read consent requests and approvals, on your behalf."
},
{
"Id": "885f682f-a990-4bad-a642-36736a74b0c7",
"Name": "DelegatedAdminRelationship.ReadWrite.All",
"Description": "Allows the app to manage (create-update-terminate) Delegated Admin relationships with customers and role assignments to security groups for active Delegated Admin relationships on your behalf."
},
{
"Id": "41ce6ca6-6826-4807-84f1-1c82854f7ee5",
"Name": "DelegatedPermissionGrant.ReadWrite.All",
"Description": "Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on your behalf."
},
{
"Id": "bac3b9c2-b516-4ef4-bd3b-c2ef73d8d804",
"Name": "Device.Command",
"Description": "Allows the app to launch another app or communicate with another app on a device that you own."
},
{
"Id": "11d4cd79-5ba5-460f-803f-e22c8ab85ccd",
"Name": "Device.Read",
"Description": "Allows the app to see your list of devices."
},
{
"Id": "951183d1-1a61-466f-a6d1-1fde911bfd95",
"Name": "Device.Read.All",
"Description": "Allows the app to read devices' configuration information on your behalf."
},
{
"Id": "280b3b69-0437-44b1-bc20-3b2fca1ee3e9",
"Name": "DeviceLocalCredential.Read.All",
"Description": "Allows the app to read device local credential properties including passwords, on your behalf."
},
{
"Id": "7b3f05d5-f68c-4b8d-8c59-a2ecd12f24af",
"Name": "DeviceManagementApps.ReadWrite.All",
"Description": "Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune."
},
{
"Id": "0883f392-0a7a-443d-8c76-16a6d39c7b63",
"Name": "DeviceManagementConfiguration.ReadWrite.All",
"Description": "Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups."
},
{
"Id": "3404d2bf-2b13-457e-a330-c24615765193",
"Name": "DeviceManagementManagedDevices.PrivilegedOperations.All",
"Description": "Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune."
},
{
"Id": "44642bfe-8385-4adc-8fc6-fe3cb2c375c3",
"Name": "DeviceManagementManagedDevices.ReadWrite.All",
"Description": "Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device’s owner."
},
{
"Id": "0c5e8a55-87a6-4556-93ab-adc52c4d862d",
"Name": "DeviceManagementRBAC.ReadWrite.All",
"Description": "Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings."
},
{
"Id": "662ed50a-ac44-4eef-ad86-62eed9be2a29",
"Name": "DeviceManagementServiceConfig.ReadWrite.All",
"Description": "Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration."
},
{
"Id": "0e263e50-5827-48a4-b97c-d940288653c7",
"Name": "Directory.AccessAsUser.All",
"Description": "Allows the app to have the same access to information in your work or school directory as you do."
},
{
"Id": "c5366453-9fb0-48a5-a156-24f0c49a4b84",
"Name": "Directory.ReadWrite.All",
"Description": "Allows the app to read and write data in your organization's directory, such as other users, groups. It does not allow the app to delete users or groups, or reset user passwords."
},
{
"Id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311",
"Name": "Domain.Read.All",
"Description": "Allows the app to read all domain properties on your behalf."
},
{
"Id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"Name": "Group.ReadWrite.All",
"Description": "Allows the app to create groups and read all group properties and memberships on your behalf. Additionally allows the app to manage your groups and to update group content for groups you are a member of."
},
{
"Id": "f81125ac-d3b7-4573-a3b2-7099cc39df9e",
"Name": "GroupMember.ReadWrite.All",
"Description": "Allows the app to list groups, read basic properties, read and update the membership of your groups. Group properties and owners cannot be updated and groups cannot be deleted."
},
{
"Id": "9e4862a5-b68f-479e-848a-4e07e25c9916",
"Name": "IdentityRiskEvent.ReadWrite.All",
"Description": "Allows the app to read and update identity risk event information for all users in your organization on your behalf. Update operations include confirming risk event detections. "
},
{
"Id": "bb6f654c-d7fd-4ae3-85c3-fc380934f515",
"Name": "IdentityRiskyServicePrincipal.ReadWrite.All",
"Description": "Allows the app to read and update identity risky service principal information for all service principals in your organization, on your behalf. Update operations include dismissing risky service principals."
},
{
"Id": "e0a7cdbb-08b0-4697-8264-0069786e9674",
"Name": "IdentityRiskyUser.ReadWrite.All",
"Description": "Allows the app to read and update identity risky user information for all users in your organization on your behalf. Update operations include dismissing risky users."
},
{
"Id": "e383f46e-2787-4529-855e-0e479a3ffac0",
"Name": "Mail.Send",
"Description": "Allows the app to send mail as you."
},
{
"Id": "a367ab51-6b49-43bf-a716-a1fb06d2a174",
"Name": "Mail.Send.Shared",
"Description": "Allows the app to send mail as you or on-behalf of someone else."
},
{
"Id": "818c620a-27a9-40bd-a6a5-d96f7d610b4b",
"Name": "MailboxSettings.ReadWrite",
"Description": "Allows the app to read, update, create, and delete your mailbox settings."
},
{
"Id": "f6a3db3e-f7e8-4ed2-a414-557c8c9830be",
"Name": "Member.Read.Hidden",
"Description": "Allows the app to read the memberships of hidden groups or administrative units on your behalf, for those hidden groups or administrative units that you have access to."
},
{
"Id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
"Name": "offline_access",
"Description": "Allows the app to see and update the data you gave it access to, even when you are not currently using the app. This does not give the app any additional permissions."
},
{
"Id": "37f7f235-527c-4136-accd-4a02d197296e",
"Name": "openid",
"Description": "Allows you to sign in to the app with your work or school account and allows the app to read your basic profile information."
},
{
"Id": "46ca0847-7e6b-426e-9775-ea810a948356",
"Name": "Organization.ReadWrite.All",
"Description": "Allows the app to read and write the organization and related resources, on your behalf. Related resources include things like subscribed skus and tenant branding information."
},
{
"Id": "346c19ff-3fb2-4e81-87a0-bac9e33990c1",
"Name": "OrgSettings-Forms.ReadWrite.All",
"Description": "Allows the app to read and write organization-wide Microsoft Forms settings on your behalf."
},
{
"Id": "e67e6727-c080-415e-b521-e3f35d5248e9",
"Name": "PeopleSettings.ReadWrite.All",
"Description": "Allows the application to read and write tenant-wide people settings on your behalf."
},
{
"Id": "4c06a06a-098a-4063-868e-5dfee3827264",
"Name": "Place.ReadWrite.All",
"Description": "Allows the app to manage organization places (conference rooms and room lists) for calendar events and other applications, on your behalf."
},
{
"Id": "572fea84-0151-49b2-9301-11cb16974376",
"Name": "Policy.Read.All",
"Description": "Allows the app to read your organization's policies on your behalf."
},
{
"Id": "b27add92-efb2-4f16-84f5-8108ba77985c",
"Name": "Policy.ReadWrite.ApplicationConfiguration",
"Description": "Allows the app to read and write your organization's application configuration policies on your behalf. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy."
},
{
"Id": "edb72de9-4252-4d03-a925-451deef99db7",
"Name": "Policy.ReadWrite.AuthenticationFlows",
"Description": "Allows the app to read and write the authentication flow policies for your tenant, on your behalf."
},
{
"Id": "7e823077-d88e-468f-a337-e18f1f0e6c7c",
"Name": "Policy.ReadWrite.AuthenticationMethod",
"Description": "Allows the app to read and write the authentication method policies for your tenant, on your behalf."
},
{
"Id": "edd3c878-b384-41fd-95ad-e7407dd775be",
"Name": "Policy.ReadWrite.Authorization",
"Description": "Allows the app to read and write your organization's authorization policy on your behalf. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default."
},
{
"Id": "ad902697-1014-4ef5-81ef-2b4301988e8c",
"Name": "Policy.ReadWrite.ConditionalAccess",
"Description": "Allows the app to read and write your organization's conditional access policies on your behalf."
},
{
"Id": "4d135e65-66b8-41a8-9f8b-081452c91774",
"Name": "Policy.ReadWrite.ConsentRequest",
"Description": "Allows the app to read and write your organization's consent request policy on your behalf."
},
{
"Id": "40b534c3-9552-4550-901b-23879c90bcf9",
"Name": "Policy.ReadWrite.DeviceConfiguration",
"Description": "Allows the app to read and write your organization's device configuration policies on your behalf. For example, device registration policy can limit initial provisioning controls using quota restrictions, additional authentication and authorization checks."
},
{
"Id": "a8ead177-1889-4546-9387-f25e658e2a79",
"Name": "Policy.ReadWrite.MobilityManagement",
"Description": "Allows the app to read and write your organization's mobility management policies on your behalf. For example, a mobility management policy can set the enrollment scope for a given mobility management application."
},
{
"Id": "1d89d70c-dcac-4248-b214-903c457af83a",
"Name": "PrivilegedAccess.Read.AzureResources",
"Description": "Allows the app to read time-based assignment and just-in-time elevation of Azure resources (like your subscriptions, resource groups, storage, compute) on your behalf."
},
{
"Id": "a84a9652-ffd3-496e-a991-22ba5529156a",
"Name": "PrivilegedAccess.ReadWrite.AzureResources",
"Description": "Allows the app to request and manage time-based assignment and just-in-time elevation of user privileges to manage your Azure resources (like your subscriptions, resource groups, storage, compute) on your behalf."
},
{
"Id": "14dad69e-099b-42c9-810b-d002981feec1",
"Name": "profile",
"Description": "Allows the app to see your basic profile (e.g., name, picture, user name, email address)"
},
{
"Id": "02e97553-ed7b-43d0-ab3c-f8bace0d040c",
"Name": "Reports.Read.All",
"Description": "Allows an app to read all service usage reports on your behalf. Services that provide usage reports include Office 365 and Azure Active Directory."
},
{
"Id": "b955410e-7715-4a88-a940-dfd551018df3",
"Name": "ReportSettings.ReadWrite.All",
"Description": "Allows the app to read and update admin report settings, such as whether to display concealed information in reports, on your behalf."
},
{
"Id": "d01b97e9-cbc0-49fe-810a-750afd5527a3",
"Name": "RoleManagement.ReadWrite.Directory",
"Description": "Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on your behalf. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships."
},
{
"Id": "dc38509c-b87d-4da0-bd92-6bec988bac4a",
"Name": "SecurityActions.ReadWrite.All",
"Description": "Allows the app to read and update security actions, on your behalf."
},
{
"Id": "6aedf524-7e1c-45a7-bd76-ded8cab8d0fc",
"Name": "SecurityEvents.ReadWrite.All",
"Description": "Allows the app to read your organization’s security events on your behalf. Also allows you to update editable properties in security events."
},
{
"Id": "128ca929-1a19-45e6-a3b8-435ec44a36ba",
"Name": "SecurityIncident.ReadWrite.All",
"Description": "Allows the app to read and write to all security incidents that you have access to."
},
{
"Id": "55896846-df78-47a7-aa94-8d3d4442ca7f",
"Name": "ServiceHealth.Read.All",
"Description": "Allows the app to read your tenant's service health information on your behalf. Health information may include service issues or service health overviews."
},
{
"Id": "eda39fa6-f8cf-4c3c-a909-432c683e4c9b",
"Name": "ServiceMessage.Read.All",
"Description": "Allows the app to read your tenant's service announcement messages on your behalf. Messages may include information about new or changed features."
},
{
"Id": "aa07f155-3612-49b8-a147-6c590df35536",
"Name": "SharePointTenantSettings.ReadWrite.All",
"Description": "Allows the application to read and change the tenant-level settings of SharePoint and OneDrive on your behalf."
},
{
"Id": "89fe6a52-be36-487e-b7d8-d061c450a026",
"Name": "Sites.ReadWrite.All",
"Description": "Allow the application to edit or delete documents and list items in all site collections on your behalf."
},
{
"Id": "7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0",
"Name": "Team.Create",
"Description": "Allows the app to create teams on your behalf. "
},
{
"Id": "485be79e-c497-4b35-9400-0e3fa7f2a5d4",
"Name": "Team.ReadBasic.All",
"Description": "Read the names and descriptions of teams, on your behalf."
},
{
"Id": "4a06efd2-f825-4e34-813e-82a57b03d1ee",
"Name": "TeamMember.ReadWrite.All",
"Description": "Add and remove members from teams, on your behalf. Also allows changing a member's role, for example from owner to non-owner."
},
{
"Id": "2104a4db-3a2f-4ea0-9dba-143d457dc666",
"Name": "TeamMember.ReadWriteNonOwnerRole.All",
"Description": "Add and remove members from all teams, on your behalf. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role."
},
{
"Id": "0e755559-83fb-4b44-91d0-4cc721b9323e",
"Name": "TeamsActivity.Read",
"Description": "Allows the app to read your teamwork activity feed."
},
{
"Id": "48638b3c-ad68-4383-8ac4-e6880ee6ca57",
"Name": "TeamSettings.Read.All",
"Description": "Read all teams' settings, on your behalf."
},
{
"Id": "39d65650-9d3e-4223-80db-a335590d027e",
"Name": "TeamSettings.ReadWrite.All",
"Description": "Read and change all teams' settings, on your behalf."
},
{
"Id": "a9ff19c2-f369-4a95-9a25-ba9d460efc8e",
"Name": "TeamsTab.Create",
"Description": "Allows the app to create tabs in any team in Microsoft Teams, on your behalf. This does not grant the ability to read, modify or delete tabs after they are created, or give access to the content inside the tabs."
},
{
"Id": "b98bfd41-87c6-45cc-b104-e2de4f0dafb9",
"Name": "TeamsTab.ReadWrite.All",
"Description": "Read and write tabs in any team in Microsoft Teams, on your behalf. This does not give access to the content inside the tabs."
},
{
"Id": "cac97e40-6730-457d-ad8d-4852fddab7ad",
"Name": "ThreatAssessment.ReadWrite.All",
"Description": "Allows an app to read your organization's threat assessment requests on your behalf. Also allows the app to create new requests to assess threats received by your organization on your behalf."
},
{
"Id": "73e75199-7c3e-41bb-9357-167164dbb415",
"Name": "UnifiedGroupMember.Read.AsGuest",
"Description": "Allows the app to read basic unified group properties, memberships and owners of the group you are a member of."
},
{
"Id": "637d7bec-b31e-4deb-acc9-24275642a2c9",
"Name": "User.ManageIdentities.All",
"Description": "Allows the app to read, update and delete identities that are associated with a user's account that you have access to. This controls the identities users can sign-in with."
},
{
"Id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4",
"Name": "User.ReadWrite.All",
"Description": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf."
},
{
"Id": "aec28ec7-4d02-4e8c-b864-50163aea77eb",
"Name": "UserAuthenticationMethod.Read.All",
"Description": "Allows the app to read authentication methods of all users you have access to in your organization. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods."
},
{
"Id": "48971fc1-70d7-4245-af77-0beb29b53ee2",
"Name": "UserAuthenticationMethod.ReadWrite",
"Description": "Allows the app to read and write your authentication methods, including phone numbers and Authenticator app settings. This does not allow the app to see secret information like your passwords, or to sign-in or otherwise use your authentication methods."
},
{
"Id": "424b07a8-1209-4d17-9fe4-9018a93a1024",
"Name": "TeamsTelephoneNumber.ReadWrite.All",
"Description": "Allows the app to read and modify your tenant's acquired telephone number details on behalf of the signed-in admin user. Acquired telephone numbers may include attributes related to assigned object, emergency location, network site, etc."
},
{
"Id": "b7887744-6746-4312-813d-72daeaee7e2d",
"Name": "UserAuthenticationMethod.ReadWrite.All",
"Description": "Allows the app to read and write authentication methods of all users you have access to in your organization. Authentication methods include things like a user’s phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods."
}
],
"ApplicationPermissions": [
{
"Id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9",
"Name": "Application.ReadWrite.All",
"Description": "Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants."
},
{
"Id": "b0afded3-3588-46d8-8b3d-9842eff778da",
"Name": "AuditLog.Read.All",
"Description": "Allows the app to read and query your audit log activities, without a signed-in user."
},
{
"Id": "5e1e9171-754d-478c-812c-f1755a9a4c2d",
"Name": "AuditLogsQuery.Read.All",
"Description": "Allows the app to read and query audit logs from all services."
},
{
"Id": "f3a65bd4-b703-46df-8f7e-0174fea562aa",
"Name": "Channel.Create",
"Description": "Create channels in any team, without a signed-in user."
},
{
"Id": "59a6b24b-4225-4393-8165-ebaec5f55d7a",
"Name": "Channel.ReadBasic.All",
"Description": "Read all channel names and channel descriptions, without a signed-in user."
},
{
"Id": "3b55498e-47ec-484f-8136-9013221c06a9",
"Name": "ChannelMember.Read.All",
"Description": "Read the members of all channels, without a signed-in user."
},
{
"Id": "35930dcf-aceb-4bd1-b99a-8ffed403c974",
"Name": "ChannelMember.ReadWrite.All",
"Description": "Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner."
},
{
"Id": "cac88765-0581-4025-9725-5ebc13f729ee",
"Name": "CrossTenantInformation.ReadBasic.All",
"Description": "Allows the application to obtain basic tenant information about another target tenant within the Azure AD ecosystem without a signed-in user."
},
{
"Id": "1138cb37-bd11-4084-a2b7-9f71582aeddb",
"Name": "Device.ReadWrite.All",
"Description": "Allows the app to read and write all device properties without a signed in user. Does not allow device creation, device deletion or update of device alternative security identifiers."
},
{
"Id": "78145de6-330d-4800-a6ce-494ff2d33d07",
"Name": "DeviceManagementApps.ReadWrite.All",
"Description": "Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user."
},
{
"Id": "9241abd9-d0e6-425a-bd4f-47ba86e767a4",
"Name": "DeviceManagementConfiguration.ReadWrite.All",
"Description": "Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user."
},
{
"Id": "5b07b0dd-2377-4e44-a38d-703f09a0dc3c",
"Name": "DeviceManagementManagedDevices.PrivilegedOperations.All",
"Description": "Allows the app to perform remote high impact actions such as wiping the device or resetting the passcode on devices managed by Microsoft Intune, without a signed-in user."
},
{
"Id": "2f51be20-0bb4-4fed-bf7b-db946066c75e",
"Name": "DeviceManagementManagedDevices.Read.All",
"Description": "Allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user."
},
{
"Id": "243333ab-4d21-40cb-a475-36241daa0842",
"Name": "DeviceManagementManagedDevices.ReadWrite.All",
"Description": "Allows the app to read and write the properties of devices managed by Microsoft Intune, without a signed-in user. Does not allow high impact operations such as remote wipe and password reset on the device’s owner"
},
{
"Id": "58ca0d9a-1575-47e1-a3cb-007ef2e4583b",
"Name": "DeviceManagementRBAC.Read.All",
"Description": "Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user."
},
{
"Id": "e330c4f0-4170-414e-a55a-2f022ec2b57b",
"Name": "DeviceManagementRBAC.ReadWrite.All",
"Description": "Allows the app to read and write the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user."
},
{
"Id": "9255e99d-faf5-445e-bbf7-cb71482737c4",
"Name": "DeviceManagementScripts.ReadWrite.All",
"Description": "Allows the app to read and write Microsoft Intune device compliance scripts, device management scripts, device shell scripts, device custom attribute shell scripts and device health scripts, without a signed-in user."
},
{
"Id": "06a5fe6d-c49d-46a7-b082-56b1b14103c7",
"Name": "DeviceManagementServiceConfig.Read.All",
"Description": "Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user."
},
{
"Id": "5ac13192-7ace-4fcf-b828-1a26f28068ee",
"Name": "DeviceManagementServiceConfig.ReadWrite.All",
"Description": "Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user."
},
{
"Id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
"Name": "Directory.Read.All",
"Description": "Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user."
},
{
"Id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7",
"Name": "Directory.ReadWrite.All",
"Description": "Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion."
},
{
"Id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
"Name": "Domain.Read.All",
"Description": "Allows the app to read all domain properties without a signed-in user."
},
{
"Id": "75359482-378d-4052-8f01-80520e7db3cd",
"Name": "Files.ReadWrite.All",
"Description": "Allows the app to read, create, update and delete all files in all site collections without a signed in user."
},
{
"Id": "bf7b1a76-6e77-406b-b258-bf5c7720e98f",
"Name": "Group.Create",
"Description": "Allows the app to create groups without a signed-in user."
},
{
"Id": "5b567255-7703-4780-807c-7be8301ae99b",
"Name": "Group.Read.All",
"Description": "Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user."
},
{
"Id": "62a82d76-70ea-41e2-9197-370581804d09",
"Name": "Group.ReadWrite.All",
"Description": "Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user."
},
{
"Id": "dbaae8cf-10b5-4b86-a4a1-f871c94c6695",
"Name": "GroupMember.ReadWrite.All",
"Description": "Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted."
},
{
"Id": "19da66cb-0fb0-4390-b071-ebc76a349482",
"Name": "InformationProtectionPolicy.Read.All",
"Description": "Allows an app to read published sensitivity labels and label policy settings for the entire organization or a specific user, without a signed in user."
},
{
"Id": "6931bccd-447a-43d1-b442-00a195474933",
"Name": "MailboxSettings.ReadWrite",
"Description": "Allows the app to create, read, update, and delete user's mailbox settings without a signed-in user. Does not include permission to send mail."
},
{
"Id": "292d869f-3427-49a8-9dab-8c70152b74e9",
"Name": "Organization.ReadWrite.All",
"Description": "Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information."
},
{
"Id": "2cb92fee-97a3-4034-8702-24a6f5d0d1e9",
"Name": "OrgSettings-Forms.ReadWrite.All",
"Description": "Allows the app to read and write organization-wide Microsoft Forms settings, without a signed-in user."
},
{
"Id": "b6890674-9dd5-4e42-bb15-5af07f541ae1",
"Name": "PeopleSettings.ReadWrite.All",
"Description": "Allows the application to read and write tenant-wide people settings without a signed-in user."
},
{
"Id": "913b9306-0ce1-42b8-9137-6a7df690a760",
"Name": "Place.Read.All",
"Description": "Allows the app to read company places (conference rooms and room lists) for calendar events and other applications, without a signed-in user."
},
{
"Id": "246dd0d5-5bd0-4def-940b-0421030a5b68",
"Name": "Policy.Read.All",
"Description": "Allows the app to read all your organization's policies without a signed in user."
},
{
"Id": "be74164b-cff1-491c-8741-e671cb536e13",
"Name": "Policy.ReadWrite.ApplicationConfiguration",
"Description": "Allows the app to read and write your organization's application configuration policies, without a signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy."
},
{
"Id": "25f85f3c-f66c-4205-8cd5-de92dd7f0cec",
"Name": "Policy.ReadWrite.AuthenticationFlows",
"Description": "Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user."
},
{
"Id": "29c18626-4985-4dcd-85c0-193eef327366",
"Name": "Policy.ReadWrite.AuthenticationMethod",
"Description": "Allows the app to read and write all authentication method policies for the tenant, without a signed-in user."
},
{
"Id": "01c0a623-fc9b-48e9-b794-0756f8e8f067",
"Name": "Policy.ReadWrite.ConditionalAccess",
"Description": "Allows the app to read and write your organization's conditional access policies, without a signed-in user."
},
{
"Id": "999f8c63-0a38-4f1b-91fd-ed1947bdd1a9",
"Name": "Policy.ReadWrite.ConsentRequest",
"Description": "Allows the app to read and write your organization's consent requests policy without a signed-in user."
},
{
"Id": "338163d7-f101-4c92-94ba-ca46fe52447c",
"Name": "Policy.ReadWrite.CrossTenantAccess",
"Description": "Allows the app to read and write your organization's cross tenant access policies without a signed-in user."
},
{
"Id": "2f6817f8-7b12-4f0f-bc18-eeaf60705a9e",
"Name": "PrivilegedAccess.ReadWrite.AzureADGroup",
"Description": "Allows the app to request and manage time-based assignment and just-in-time elevation (including scheduled elevation) of Azure AD groups in your organization, without a signed-in user."
},
{
"Id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
"Name": "Reports.Read.All",
"Description": "Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory."
},
{
"Id": "2a60023f-3219-47ad-baa4-40e17cd02a1d",
"Name": "ReportSettings.ReadWrite.All",
"Description": "Allows the app to read and update all admin report settings, such as whether to display concealed information in reports, without a signed-in user."
},
{
"Id": "025d3225-3f02-4882-b4c0-cd5b541a4e80",
"Name": "RoleManagement.ReadWrite.Exchange",
"Description": "Allows the app to read and manage the role-based access control (RBAC) settings for your organization's Exchange Online service, without a signed-in user. This includes reading, creating, updating, and deleting Exchange management role definitions, role groups, role group membership, role assignments, management scopes, and role assignment policies."
},
{
"Id": "04c55753-2244-4c25-87fc-704ab82a4f69",
"Name": "SecurityAnalyzedMessage.ReadWrite.All",
"Description": "Read email metadata and security detection details, and execute remediation actions like deleting an email, without a signed-in user."
},
{
"Id": "bf394140-e372-4bf9-a898-299cfc7564e5",
"Name": "SecurityEvents.Read.All",
"Description": "Allows the app to read your organization's security events without a signed-in user."
},
{
"Id": "45cc0394-e837-488b-a098-1918f48d186c",
"Name": "SecurityIncident.Read.All",
"Description": "Allows the app to read all security incidents, without a signed-in user."
},
{
"Id": "34bf0e97-1971-4929-b999-9e2442d941d7",
"Name": "SecurityIncident.ReadWrite.All",
"Description": "Allows the app to read and write to all security incidents, without a signed-in user."
},
{
"Id": "19b94e34-907c-4f43-bde9-38b1909ed408",
"Name": "SharePointTenantSettings.ReadWrite.All",
"Description": "Allows the application to read and change the tenant-level settings of SharePoint and OneDrive, without a signed-in user."
},
{
"Id": "a82116e5-55eb-4c41-a434-62fe8a61c773",
"Name": "Sites.FullControl.All",
"Description": "Allows the app to have full control of all site collections without a signed-in user."
},
{
"Id": "0121dc95-1b9f-4aed-8bac-58c5ac466691",
"Name": "TeamMember.ReadWrite.All",
"Description": "Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner."
},
{
"Id": "4437522e-9a86-4a41-a7da-e380edd4a97d",
"Name": "TeamMember.ReadWriteNonOwnerRole.All",
"Description": "Add and remove members from all teams, without a signed-in user. Does not allow adding or removing a member with the owner role. Additionally, does not allow the app to elevate an existing member to the owner role."
},
{
"Id": "741f803b-c850-494e-b5df-cde7c675a1ca",
"Name": "User.ReadWrite.All",
"Description": "Allows the app to read and update user profiles without a signed-in user."
},
{
"Id": "0a42382f-155c-4eb1-9bdc-21548ccaa387",
"Name": "TeamsTelephoneNumber.ReadWrite.All",
"Description": "Allows the app to read your tenant's acquired telephone number details, without a signed-in user. Acquired telephone numbers may include attributes related to assigned object, emergency location, network site, etc."
},
{
"Id": "50483e42-d915-4231-9639-7fdb7fd190e5",
"Name": "UserAuthenticationMethod.ReadWrite.All",
"Description": "Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods."
}
]
},
{
"AppId": "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd",
"DisplayName": "Microsoft Partner Center",
"DelegatedPermissions": [
{
"Id": "1cebfa2a-fb4d-419e-b5f9-839b4383e05a",
"Name": "user_impersonation",
"Description": "Allow the application to access Partner Center on your behalf"
}
],
"ApplicationPermissions": []
},
{
"AppId": "00000002-0000-0ff1-ce00-000000000000",
"DisplayName": "Office 365 Exchange Online",
"DelegatedPermissions": [
{
"Id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
"Name": "Exchange.Manage",
"Description": "Allows the app to manage your organization's Exchange environment, such as mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign you the appropriate roles."
},
{
"Id": "bbd1ca91-75e0-4814-ad94-9c5dbbae3415",
"Name": "Calendars.ReadWrite.All",
"Description": "Allows the app to read, update, create, and delete events in all calendars in your organization you have permissions to access. This includes delegate and shared calendars."
},
{
"Id": "2e83d72d-8895-4b66-9eea-abb43449ab8b",
"Name": "MailboxSettings.ReadWrite",
"Description": "Allows the app to read, update, create, and delete your mailbox settings."
}
],
"ApplicationPermissions": [
{
"Id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
"Name": "Exchange.ManageAsApp",
"Description": "Allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app."
},
{
"Id": "ef54d2bf-783f-4e0f-bca1-3210c0444d99",
"Name": "Calendars.ReadWrite.All",
"Description": "Allows the app to create, read, update, and delete events of all calendars without a signed-in user."
},
{
"Id": "f9156939-25cd-4ba8-abfe-7fabcf003749",
"Name": "MailboxSettings.ReadWrite",
"Description": "Allows the app to create, read, update, and delete user's mailbox settings without a signed-in user. Does not include permission to send mail."
}
]
},
{
"AppId": "00000003-0000-0ff1-ce00-000000000000",
"DisplayName": "Office 365 SharePoint Online",
"DelegatedPermissions": [
{
"Id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
"Name": "AllSites.FullControl",
"Description": "Allows the app to have full control of all site collections on your behalf."
},
{
"Id": "AllProfiles.Manage",
"Name": "AllProfiles.Manage",
"Description": "Manually added entry; the Id is the permission name rather than a permission GUID."
}
],
"ApplicationPermissions": []
},
{
"AppId": "48ac35b8-9aa8-4d74-927d-1f4a14a0b239",
"DisplayName": "Skype and Teams Tenant Admin API",
"DelegatedPermissions": [
{
"Id": "e60370c1-e451-437e-aa6e-d76df38e5f15",
"Name": "user_impersonation",
"Description": "Access Microsoft Teams and Skype for Business data based on the user's role membership"
}
],
"ApplicationPermissions": []
},
{
"AppId": "fc780465-2017-40d4-a0c5-307022471b92",
"DisplayName": "WindowsDefenderATP",
"DelegatedPermissions": [
{
"Id": "63a677ce-818c-4409-9d12-5c6d2e2a6bfe",
"Name": "Vulnerability.Read",
"Description": "Allows the app to read Threat and Vulnerability Management vulnerability information on behalf of the signed-in user"
}
],
"ApplicationPermissions": [
{
"Id": "41269fc5-d04d-4bfd-bce7-43a51cea049a",
"Name": "Vulnerability.Read.All",
"Description": "Allows the app to read any Threat and Vulnerability Management vulnerability information"
}
]
}
]