{"id":55808,"date":"2022-04-12T14:00:00","date_gmt":"2022-04-12T13:00:00","guid":{"rendered":"https:\/\/practical365.com\/?p=55808"},"modified":"2024-03-11T02:11:00","modified_gmt":"2024-03-11T06:11:00","slug":"microsoft-graph-api-permission","status":"publish","type":"post","link":"https:\/\/practical365.com\/microsoft-graph-api-permission\/","title":{"rendered":"How to Figure Out What Microsoft Graph Permissions You Need"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/#When_Working_with_the_Microsoft_Graph_PowerShell_SDK\" >When Working with the Microsoft Graph PowerShell SDK<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/#Least_Permission_Model\" >Least Permission Model<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/#Guess_and_Over-permission\" >Guess and Over-permission<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/#Use_the_Graph_Explorer_to_Highlight_Graph_Permissions\" >Use the Graph Explorer to Highlight Graph Permissions<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/#Cybersecurity_Risk_Management_for_Active_Directory\" >Cybersecurity Risk Management for Active Directory<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/#Read_the_Graph_documentation\" >Read the Graph documentation<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/#Use_SDK_Help_to_Identify_Graph_Permissions\" >Use SDK Help to Identify Graph Permissions<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/#Scoping\" >Scoping<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/#Accumulated_Graph_Permissions\" >Accumulated Graph Permissions<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/#More_Complex_More_Control\" >More Complex, More Control<\/a><\/li><\/ul><\/nav><\/div>\n<div id=\"bsf_rt_marker\"><\/div>\n<h2 class=\"wp-block-heading\" id=\"h-when-working-with-the-microsoft-graph-powershell-sdk\"><span class=\"ez-toc-section\" id=\"When_Working_with_the_Microsoft_Graph_PowerShell_SDK\"><\/span>When Working with the Microsoft Graph PowerShell SDK<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>By now, you should be aware that <a href=\"https:\/\/office365itpros.com\/2022\/03\/17\/azure-ad-powershell-deprecation\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft plans to retire the Azure AD and MSOL PowerShell modules<\/a> at the end of 2022 or soon after. The cmdlets in the retired modules will continue to function afterwards, but they won\u2019t have any support. Microsoft suggests that you upgrade scripts to <a href=\"https:\/\/docs.microsoft.com\/powershell\/microsoftgraph\/migration-steps?view=graph-powershell-beta&amp;WT.mc_id=M365-MVP-9501\" target=\"_blank\" rel=\"noreferrer noopener\">use cmdlets from the Microsoft Graph PowerShell SDK<\/a>. The actual conversion is often a matter of finding a matching cmdlet in <a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/microsoftgraph\/azuread-msoline-cmdlet-map?view=graph-powershell-beta&amp;WT.mc_id=M365-MVP-9501\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft\u2019s cmdlet map<\/a> and switching to it. However, other complexities get in the way before cmdlets will run smoothly. Figuring out the right Microsoft Graph API permissions to use to access data is just one of those complexities.<\/p>\n\n\n\n<div class=\"q-blockads-inside-content q-blockads-entity-placement\" id=\"q-blockads-615369380\"><div id=\"q-blockads-4156959665\"><p><a href=\"https:\/\/www.quest.com\/P365_On_Demand_Migration\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-62892\" src=\"https:\/\/practical365.com\/wp-content\/uploads\/2024\/09\/1901-10-20-2025-Redone-300x31.jpg\" alt=\"\" width=\"861\" height=\"89\" srcset=\"https:\/\/practical365.com\/wp-content\/uploads\/2024\/09\/1901-10-20-2025-Redone-300x31.jpg 300w, https:\/\/practical365.com\/wp-content\/uploads\/2024\/09\/1901-10-20-2025-Redone-768x80.jpg 768w, https:\/\/practical365.com\/wp-content\/uploads\/2024\/09\/1901-10-20-2025-Redone.jpg 860w\" sizes=\"auto, (max-width: 861px) 100vw, 861px\" \/><\/a><\/p>\n<\/div><\/div><h2 class=\"wp-block-heading\" id=\"h-least-permission-model\"><span class=\"ez-toc-section\" id=\"Least_Permission_Model\"><\/span>Least Permission Model<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Permission handling differs significantly between the Azure AD PowerShell module and the Microsoft Graph PowerShell SDK. When you sign in using the <em>Connect-AzureAD<\/em> cmdlet, you can use all the administrative permissions owned by the account you sign in with. However, the Graph SDK operates on a least permission model, which means that you must request permissions to perform actions, even when connecting with a highly-permissioned account.<\/p>\n\n\n\n<p>The first step in updating a script from Azure AD cmdlets to SDK cmdlets is to consider what permissions the script needs to perform its processing. This rule applies no matter how you use SDK cmdlets \u2013 <a href=\"https:\/\/practical365.com\/connect-microsoft-graph-powershell-sdk\/\" target=\"_blank\" rel=\"noreferrer noopener\">interactively<\/a>, through a background job which uses <a href=\"https:\/\/practical365.com\/use-certificate-authentication-microsoft-graph-sdk\/\" target=\"_blank\" rel=\"noreferrer noopener\">certificate-based authentication<\/a>, or in an <a href=\"https:\/\/practical365.com\/microsoft-graph-sdk-powershell-azure-automation\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Automation runbook<\/a>. Unlike permissions inherited from signed-in accounts, the permissions used by the SDK are granted to the service principal used to run SDK cmdlets. For interactive sessions, the service principal is the Microsoft Graph<\/p>\n\n\n\n<p>The question then arises how to find the Microsoft Graph API permissions necessary to perform an action. You can accomplish the goal in four ways:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-guess-and-over-permission\"><span class=\"ez-toc-section\" id=\"Guess_and_Over-permission\"><\/span>Guess and Over-permission<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The first method is a guess and hope approach. In other words, grant all the permissions that a script might conceivably use or keep on adding permissions until the code runs. The danger here is that you end up with a heavily-permissioned service principal that becomes an attractive target for attackers. If you use interactive sessions to run SDK cmdlets, a fair chance exists that the Microsoft Graph PowerShell service principal will acquire many permissions over time and end up in a heavily-permissioned state (Figure 1). We\u2019ll return to this issue later.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"835\" src=\"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Microsoft-Graph-PowerShell-1024x835.jpg\" alt=\"The Microsoft Graph PowerShell service principal can accumulate permissions\n\n\nMicrosoft Graph permissions\" class=\"wp-image-55809\" srcset=\"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Microsoft-Graph-PowerShell-1024x835.jpg 1024w, https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Microsoft-Graph-PowerShell-300x245.jpg 300w, https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Microsoft-Graph-PowerShell-768x626.jpg 768w, https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Microsoft-Graph-PowerShell.jpg 1175w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 1: The Microsoft Graph PowerShell service principal can accumulate permissions<\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Use_the_Graph_Explorer_to_Highlight_Graph_Permissions\"><\/span>Use the Graph Explorer to Highlight Graph Permissions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Next, if you run a query in the Graph Explorer, the explorer shows you the permissions required to run the query in the <em>Modify permissions<\/em> tab (Figure 2). The set of permissions shown include every valid permission which you could use, so you need to select the most appropriate permission. In this case, the query is to fetch the set of user accounts in the tenant (one of the <a href=\"https:\/\/office365itpros.com\/2022\/03\/24\/azure-ad-user-account-powershell\/\" target=\"_blank\" rel=\"noreferrer noopener\">basic set of user account operations<\/a>), so the <em>User.Read.All<\/em> permission is a good choice.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"709\" src=\"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Graph-Explorer-Permissions-1024x709.jpg\" alt=\"The Graph Explorer lists the Graph permissions needed for an action\" class=\"wp-image-55810\" srcset=\"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Graph-Explorer-Permissions-1024x709.jpg 1024w, https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Graph-Explorer-Permissions-300x208.jpg 300w, https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Graph-Explorer-Permissions-768x532.jpg 768w, https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Graph-Explorer-Permissions.jpg 1030w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 2: The Graph Explorer lists the Graph permissions needed for an action<\/figcaption><\/figure>\n<\/div>\n\n\r\n    <div id=\"qcb-cybersecurityriskmanagementforactivedirectory\" data-v3=\"Promo\" class=\"q-custom-block promo-block contact-v3 centered pt-v3 pb-v3 \">\r\n        <div class=\"container\">\r\n                        <div class=\"contact-info bg-cyan \">\r\n                <h2 class=\"title-v3\"><span class=\"ez-toc-section\" id=\"Cybersecurity_Risk_Management_for_Active_Directory\"><\/span>Cybersecurity Risk Management for Active Directory<span class=\"ez-toc-section-end\"><\/span><\/h2>                <div class=\"intro-v3 txt-v3\" data-v3-action=\"Content\">\r\n                    <p>Discover how to prevent and recover from AD attacks through these Cybersecurity Risk Management Solutions.<\/p>\n                <\/div>\r\n                                    <div class=\"cta-v3 center\">\r\n                                                                                    <a data-v3-action=\"CTA Button\" class=\"btn-v3 btn-block-xs btn-default\" target=\"_blank\" href=\"https:\/\/www.quest.com\/P365_Cybersecurity_risk_management_for_Active_Directory\">Learn More!<\/a>\r\n                                                                        <\/div> <!-- \/* Ends CTA Buttons *\/ -->\r\n                            <\/div>\r\n        <\/div>\r\n    <\/div>\r\n\n\n\n<div class=\"q-blockads-content q-blockads-entity-placement\" id=\"q-blockads-4181343765\"><div id=\"q-blockads-1533143094\"><p><a href=\"https:\/\/www.quest.com\/Security_Guardian_P365\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-62893\" src=\"https:\/\/practical365.com\/wp-content\/uploads\/2024\/04\/1902-10-20-2025-Redone-300x31.jpg\" alt=\"\" width=\"861\" height=\"89\" srcset=\"https:\/\/practical365.com\/wp-content\/uploads\/2024\/04\/1902-10-20-2025-Redone-300x31.jpg 300w, https:\/\/practical365.com\/wp-content\/uploads\/2024\/04\/1902-10-20-2025-Redone-768x80.jpg 768w, https:\/\/practical365.com\/wp-content\/uploads\/2024\/04\/1902-10-20-2025-Redone.jpg 860w\" sizes=\"auto, (max-width: 861px) 100vw, 861px\" \/><\/a><\/p>\n<\/div><\/div><h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Read_the_Graph_documentation\"><\/span>Read the Graph documentation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>All SDK cmdlets originate from Graph queries. Microsoft uses a process called <em>AutoRest<\/em> to process available Graph queries and create SDK cmdlets. This process happens monthly to create a new version of the SDK. The process also creates automated documentation, but the machine-generated text is often obtuse and difficult to follow, which is why I often revert to the underlying Graph documentation. Take the example of listing user accounts. A quick search brings us to the <a href=\"https:\/\/docs.microsoft.com\/en-us\/graph\/api\/user-list?view=graph-rest-1.0&amp;WT.mc_id=M365-MVP-9501\" target=\"_blank\" rel=\"noreferrer noopener\">List users<\/a> page, which lists the required permissions for both delegated (used to access data as the signed-in user) and application (used for background processes). In this case, the page confirms that <em>User.Read.All<\/em> is a good choice.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Use_SDK_Help_to_Identify_Graph_Permissions\"><\/span>Use SDK Help to Identify Graph Permissions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The SDK includes two cmdlets to help developers figure out what permissions they need to perform actions.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em><a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/microsoftgraph\/find-mg-graph-permission?view=graph-powershell-1.0&amp;WT.mc_id=M365-MVP-9501\" target=\"_blank\" rel=\"noreferrer noopener\">Find-MgGraphPermission<\/a><\/em>: Lists the delegated and application permissions for different actions.<\/li>\n\n\n\n<li><em><a href=\"https:\/\/docs.microsoft.com\/powershell\/microsoftgraph\/find-mg-graph-command?view=graph-powershell-1.0&amp;WT.mc_id=M365-MVP-9501\" target=\"_blank\" rel=\"noreferrer noopener\">Find-MgGraphCommand<\/a><\/em>: Lists the cmdlets available to interact with different types of objects, including the required permissions. The cmdlet works by taking the URI for an object to find the available commands.<\/li>\n<\/ul>\n\n\n\n<p>For example, let\u2019s assume that I want to interact with organization information stored in Azure AD. I could start by running the <em>Find-MgGraphPermission<\/em> cmdlet:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Find-MgGraphPermission organization | ? {$_.PermissionType -eq \"Application\"} | Format-List Name, Description\n\nName        : Organization.Read.All\nDescription : Allows the app to read the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information.\n\nName        : Organization.ReadWrite.All\nDescription : Allows the app to read and write the organization and related resources, on behalf of the signed-in user. Related resources include things like subscribed skus and tenant branding information.\n<\/pre>\n\n\n\n<p>The command pipes its output to filter and display application permissions (the same delegated permissions are available). From the output, it\u2019s obvious that we should use the <em>Organization.Read.All<\/em> permission to read organization information (like the tenant name and identifier), and <em>Organization.ReadWrite.All<\/em> should we need to update a writeable setting.<\/p>\n\n\n\n<p>For brevity, I show only the permission name and description above. Here\u2019s the full output for the <em>Group.ReadWrite.All<\/em> permission, needed to update the properties of <a href=\"https:\/\/office365itpros.com\/2022\/03\/29\/azure-ad-group-management\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure AD groups, including Microsoft 365 groups<\/a>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Id             : 62a82d76-70ea-41e2-9197-370581804d09\nPermissionType : Application\nConsent        : Admin\nName           : Group.ReadWrite.All\nDescription    : Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations.  All of these operations can be performed by the app without a signed-in user.\n<\/pre>\n\n\n\n<p>You could try a modified version of the commands to see what permissions are needed to interact with Users, Groups, Azure AD (Directory), Apps (Application), and so on.<\/p>\n\n\n\n<p>The <em>Find-MgGraphCommand<\/em> cmdlet passes part of a Graph URL to see what SDK cmdlets are available for that URL. A URL is something like Users or Groups to list cmdlets available for dealing with sets of objects. If you add {id}, it means that you want to see the cmdlets available to process individual objects.<\/p>\n\n\n\n<p>For example, let\u2019s see what cmdlets are available to process individual groups. The command and its output are shown below:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Find-MgGraphCommand -uri \"\/groups\/{id}\" | ? {$_.APIVersion -eq \"v1.0\"} | Fl Command, Method, Permissions\n\nCommand     : Get-MgGroup\nMethod      : GET\nPermissions : {Directory.AccessAsUser.All, Directory.Read.All, Directory.ReadWrite.All, Group.Read.All...}\n\nCommand     : Remove-MgGroup\nMethod      : DELETE\nPermissions : {Directory.AccessAsUser.All, Group.ReadWrite.All}\n\nCommand     : Update-MgGroup\nMethod      : PATCH\nPermissions : {Directory.AccessAsUser.All, Directory.ReadWrite.All, Group.ReadWrite.All}\n<\/pre>\n\n\n\n<p>The Graph has two endpoints, V1.0 and beta. The V1.0 endpoint is the production version while the beta endpoint is under development. In many cases, you\u2019ll use cmdlets with the beta endpoint because they provide added functionality. For example, if you run the <em>Get-MgUser<\/em> cmdlet against the V1.0 endpoint, it doesn\u2019t return any license information for accounts, but it does when run against the beta endpoint.<\/p>\n\n\n\n<p>In this case, I\u2019ve filtered the output to show just the commands available in the V1.0 endpoint, and we can see that three cmdlets are available to list a group, delete a group, and update the properties of a group. We can also see that the <em>Group.Read.All<\/em> permission is sufficient to read group information, but we need <em>Group.ReadWriteAll<\/em> to delete or update a group.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Scoping\"><\/span>Scoping<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Once you\u2019ve found out which Microsoft Graph API permissions are needed for a script to perform whatever actions it takes care of, you state the set of required permissions when connecting to the Graph in the Scopes parameter for the Connect-MgGraph cmdlet. For example:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$RequiredScopes = (\"Organization.ReadWrite.All\u201d, \"Directory.Read.All\")\nConnect-MgGraph -Scope $RequiredScopes\n<\/pre>\n\n\n\n<p>For interactive sessions, if the Microsoft Graph PowerShell service principal doesn\u2019t have consent to use the requested permissions, you\u2019ll be prompted for consent (Figure 3).<\/p>\n\n\n<div class=\"wp-block-image is-resized\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"566\" height=\"559\" src=\"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Graph-Permissions-Consent.jpg\" alt=\"\" class=\"wp-image-55811\" srcset=\"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Graph-Permissions-Consent.jpg 566w, https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Graph-Permissions-Consent-300x296.jpg 300w, https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/Graph-Permissions-Consent-100x100.jpg 100w\" sizes=\"auto, (max-width: 566px) 100vw, 566px\" \/><figcaption class=\"wp-element-caption\">Figure 3: Requesting consent to use a Graph permission<\/figcaption><\/figure>\n<\/div>\n\n\n<p>If you allow the app to use the permission, the session can use the delegated permission for the duration of the session. Essentially, delegated permission means that the user can access data that they own but cannot access the data belonging to other users. However, it&#8217;s also possible that access to data can be gained through administrative roles assigned to an account. As Microsoft explains in <a href=\"https:\/\/docs.microsoft.com\/en-us\/graph\/auth\/auth-concepts#effective-permissions-in-delegated-vs-application-only-permission-scenarios\" target=\"_blank\" rel=\"noreferrer noopener\">their documentation<\/a>, &#8220;<em>the\u00a0effective permissions\u00a0of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user<\/em>.&#8221; In other words, if your account holds an administrator role, you&#8217;ll be able to access more data than if your account doesn&#8217;t.<\/p>\n\n\n\n<p>If you grant consent on behalf of the organization, Entra ID adds the permission to the service principal, and it becomes available for all sessions thereafter. Consent granted to the service principal is for an application permission, meaning that the user can access data from across the organization.<\/p>\n\n\n\n<p>After connecting, you can check what permissions are active by running:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">(Get-MgContext).Scopes<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Accumulated_Graph_Permissions\"><\/span>Accumulated Graph Permissions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The constant accumulation of permissions by the Microsoft Graph PowerShell service principal is something to guard against. If you want to remove all the permissions from the service principal, you can do so through the Azure AD admin center (as in Figure 1), or you can remove the service principal. When this happens, the SDK detects that the service principal is missing the next time someone attempts to sign in and recreates it (the <em>AppId<\/em> for the service principal is always 14d82eec-204b-4c2f-b7e8-296a70dab67e).<\/p>\n\n\n\n<p>To create the service principal, connect to the Graph with the <em>Application.ReadWrite.All<\/em> permission and run these commands:<\/p>\n\n\n\n<p>The <em>Remove-MgServicePrincipal<\/em> cmdlet won\u2019t prompt for confirmation. Fortunately, soon Azure AD will prove the ability to <a href=\"https:\/\/office365itpros.com\/2022\/03\/23\/delete-azure-ad-user-accounts\/\" target=\"_blank\" rel=\"noreferrer noopener\">restore soft-deleted service principal objects<\/a>, just in case you make a mistake.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$SDKServicePrincipalId = (Get-MgServicePrincipal -all | ? {$_.DisplayName -eq \"Microsoft Graph PowerShell\"}).Id\nRemove-MgServicePrincipal -ServicePrincipalId $SDKServicePrincipalID\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"More_Complex_More_Control\"><\/span>More Complex, More Control<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Working with the Microsoft Graph PowerShell SDK requires more attention to permissions than is the norm (up to now) with PowerShell modules. Instead of assuming administrative permissions, you must request permissions and use just the required set. It takes a little getting used to and is part of the checklist for conversion of scripts based on the Azure AD and MSOL modules. Like most other things in life, we\u2019ll get used to permission management for connections in time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Microsoft Graph operates on a least permission model, which means that developers are forced to ask for permissions for the actions they wish to perform. This is a very different approach to the way traditional PowerShell modules work, so it&#8217;s an area to focus on when converting scripts which use cmdlets from the Azure AD and MSOL modules to the Microsoft Graph PowerShell SDK. In this article, we look at four ways to find out what permissions are needed to perform different actions and explain how the Graph use the permissions.<\/p>\n","protected":false},"author":84,"featured_media":55915,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[9890,9055],"tags":[10122,10468,10467,10242,10470,10119,10469],"class_list":["post-55808","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-graph","category-powershell","tag-connect-mggraph","tag-find-mggraphcommand","tag-find-mggraphpermission","tag-graph-explorer","tag-graph-permissions","tag-microsoft-graph-powershell-sdk","tag-remove-mgserviceprincipal","entry","has-media"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.2 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>How to Figure Out What Microsoft Graph Permissions You Need | Practical365<\/title>\n<meta name=\"description\" content=\"Many Microsoft Graph API permissions are available to developers. The Graph works on a least permission model, so what permissions to use.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Figure Out What Microsoft Graph Permissions You Need\" \/>\n<meta property=\"og:description\" content=\"Many Microsoft Graph API permissions are available to developers. The Graph works on a least permission model, so what permissions to use.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/practical365.com\/microsoft-graph-api-permission\/\" \/>\n<meta property=\"og:site_name\" content=\"Practical 365\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Practical365\" \/>\n<meta property=\"article:published_time\" content=\"2022-04-12T13:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-03-11T06:11:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/436-04-04-2022-BLOG-Figuring-Out-What-Microsoft-Graph-Permissions-You-Need-LOW-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"734\" \/>\n\t<meta property=\"og:image:height\" content=\"396\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Tony Redmond\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/12Knocksinna\" \/>\n<meta name=\"twitter:site\" content=\"@Practical365\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tony Redmond\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/\"},\"author\":{\"name\":\"Tony Redmond\",\"@id\":\"https:\\\/\\\/practical365.com\\\/#\\\/schema\\\/person\\\/19d7b2f404dd1da1d87586fb07015a19\"},\"headline\":\"How to Figure Out What Microsoft Graph Permissions You Need\",\"datePublished\":\"2022-04-12T13:00:00+00:00\",\"dateModified\":\"2024-03-11T06:11:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/\"},\"wordCount\":1537,\"commentCount\":32,\"publisher\":{\"@id\":\"https:\\\/\\\/practical365.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/practical365.com\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/436-04-04-2022-BLOG-Figuring-Out-What-Microsoft-Graph-Permissions-You-Need-LOW-1.jpg\",\"keywords\":[\"Connect-MgGraph\",\"Find-MgGraphCommand\",\"Find-MgGraphPermission\",\"Graph Explorer\",\"Graph permissions\",\"Microsoft Graph PowerShell SDK\",\"Remove-MgServicePrincipal\"],\"articleSection\":[\"Microsoft Graph\",\"PowerShell\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/\",\"url\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/\",\"name\":\"How to Figure Out What Microsoft Graph Permissions You Need | Practical365\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/practical365.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/practical365.com\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/436-04-04-2022-BLOG-Figuring-Out-What-Microsoft-Graph-Permissions-You-Need-LOW-1.jpg\",\"datePublished\":\"2022-04-12T13:00:00+00:00\",\"dateModified\":\"2024-03-11T06:11:00+00:00\",\"description\":\"Many Microsoft Graph API permissions are available to developers. The Graph works on a least permission model, so what permissions to use.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/#primaryimage\",\"url\":\"https:\\\/\\\/practical365.com\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/436-04-04-2022-BLOG-Figuring-Out-What-Microsoft-Graph-Permissions-You-Need-LOW-1.jpg\",\"contentUrl\":\"https:\\\/\\\/practical365.com\\\/wp-content\\\/uploads\\\/2022\\\/04\\\/436-04-04-2022-BLOG-Figuring-Out-What-Microsoft-Graph-Permissions-You-Need-LOW-1.jpg\",\"width\":734,\"height\":396,\"caption\":\"Microsoft Graph permissions\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/practical365.com\\\/microsoft-graph-api-permission\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/practical365.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"PowerShell\",\"item\":\"https:\\\/\\\/practical365.com\\\/powershell\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to Figure Out What Microsoft Graph Permissions You Need\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/practical365.com\\\/#website\",\"url\":\"https:\\\/\\\/practical365.com\\\/\",\"name\":\"Practical 365\",\"description\":\"Practical Office 365 News, Tips, and Tutorials\",\"publisher\":{\"@id\":\"https:\\\/\\\/practical365.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/practical365.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/practical365.com\\\/#organization\",\"name\":\"Practical 365\",\"url\":\"https:\\\/\\\/practical365.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/practical365.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/practical365.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/Logo-P365-stacked.jpg\",\"contentUrl\":\"https:\\\/\\\/practical365.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/Logo-P365-stacked.jpg\",\"width\":1176,\"height\":696,\"caption\":\"Practical 365\"},\"image\":{\"@id\":\"https:\\\/\\\/practical365.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/Practical365\",\"https:\\\/\\\/x.com\\\/Practical365\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/practical365-com\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/practical365.com\\\/#\\\/schema\\\/person\\\/19d7b2f404dd1da1d87586fb07015a19\",\"name\":\"Tony Redmond\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/practical365.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/cropped-TonyRedmondHeadShot2016-1200-96x96.jpg\",\"url\":\"https:\\\/\\\/practical365.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/cropped-TonyRedmondHeadShot2016-1200-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/practical365.com\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/cropped-TonyRedmondHeadShot2016-1200-96x96.jpg\",\"caption\":\"Tony Redmond\"},\"description\":\"Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.\",\"sameAs\":[\"https:\\\/\\\/office365itpros.com\",\"https:\\\/\\\/x.com\\\/https:\\\/\\\/twitter.com\\\/12Knocksinna\"],\"url\":\"https:\\\/\\\/practical365.com\\\/author\\\/tony-redmondredmondassociates-org\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"How to Figure Out What Microsoft Graph Permissions You Need | Practical365","description":"Many Microsoft Graph API permissions are available to developers. The Graph works on a least permission model, so what permissions to use.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/practical365.com\/microsoft-graph-api-permission\/","og_locale":"en_US","og_type":"article","og_title":"How to Figure Out What Microsoft Graph Permissions You Need","og_description":"Many Microsoft Graph API permissions are available to developers. The Graph works on a least permission model, so what permissions to use.","og_url":"https:\/\/practical365.com\/microsoft-graph-api-permission\/","og_site_name":"Practical 365","article_publisher":"https:\/\/www.facebook.com\/Practical365","article_published_time":"2022-04-12T13:00:00+00:00","article_modified_time":"2024-03-11T06:11:00+00:00","og_image":[{"width":734,"height":396,"url":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/436-04-04-2022-BLOG-Figuring-Out-What-Microsoft-Graph-Permissions-You-Need-LOW-1.jpg","type":"image\/jpeg"}],"author":"Tony Redmond","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/12Knocksinna","twitter_site":"@Practical365","twitter_misc":{"Written by":"Tony Redmond","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/practical365.com\/microsoft-graph-api-permission\/#article","isPartOf":{"@id":"https:\/\/practical365.com\/microsoft-graph-api-permission\/"},"author":{"name":"Tony Redmond","@id":"https:\/\/practical365.com\/#\/schema\/person\/19d7b2f404dd1da1d87586fb07015a19"},"headline":"How to Figure Out What Microsoft Graph Permissions You Need","datePublished":"2022-04-12T13:00:00+00:00","dateModified":"2024-03-11T06:11:00+00:00","mainEntityOfPage":{"@id":"https:\/\/practical365.com\/microsoft-graph-api-permission\/"},"wordCount":1537,"commentCount":32,"publisher":{"@id":"https:\/\/practical365.com\/#organization"},"image":{"@id":"https:\/\/practical365.com\/microsoft-graph-api-permission\/#primaryimage"},"thumbnailUrl":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/436-04-04-2022-BLOG-Figuring-Out-What-Microsoft-Graph-Permissions-You-Need-LOW-1.jpg","keywords":["Connect-MgGraph","Find-MgGraphCommand","Find-MgGraphPermission","Graph Explorer","Graph permissions","Microsoft Graph PowerShell SDK","Remove-MgServicePrincipal"],"articleSection":["Microsoft Graph","PowerShell"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/practical365.com\/microsoft-graph-api-permission\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/practical365.com\/microsoft-graph-api-permission\/","url":"https:\/\/practical365.com\/microsoft-graph-api-permission\/","name":"How to Figure Out What Microsoft Graph Permissions You Need | Practical365","isPartOf":{"@id":"https:\/\/practical365.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/practical365.com\/microsoft-graph-api-permission\/#primaryimage"},"image":{"@id":"https:\/\/practical365.com\/microsoft-graph-api-permission\/#primaryimage"},"thumbnailUrl":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/436-04-04-2022-BLOG-Figuring-Out-What-Microsoft-Graph-Permissions-You-Need-LOW-1.jpg","datePublished":"2022-04-12T13:00:00+00:00","dateModified":"2024-03-11T06:11:00+00:00","description":"Many Microsoft Graph API permissions are available to developers. The Graph works on a least permission model, so what permissions to use.","breadcrumb":{"@id":"https:\/\/practical365.com\/microsoft-graph-api-permission\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/practical365.com\/microsoft-graph-api-permission\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/practical365.com\/microsoft-graph-api-permission\/#primaryimage","url":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/436-04-04-2022-BLOG-Figuring-Out-What-Microsoft-Graph-Permissions-You-Need-LOW-1.jpg","contentUrl":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/04\/436-04-04-2022-BLOG-Figuring-Out-What-Microsoft-Graph-Permissions-You-Need-LOW-1.jpg","width":734,"height":396,"caption":"Microsoft Graph permissions"},{"@type":"BreadcrumbList","@id":"https:\/\/practical365.com\/microsoft-graph-api-permission\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/practical365.com\/"},{"@type":"ListItem","position":2,"name":"PowerShell","item":"https:\/\/practical365.com\/powershell\/"},{"@type":"ListItem","position":3,"name":"How to Figure Out What Microsoft Graph Permissions You Need"}]},{"@type":"WebSite","@id":"https:\/\/practical365.com\/#website","url":"https:\/\/practical365.com\/","name":"Practical 365","description":"Practical Office 365 News, Tips, and Tutorials","publisher":{"@id":"https:\/\/practical365.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/practical365.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/practical365.com\/#organization","name":"Practical 365","url":"https:\/\/practical365.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/practical365.com\/#\/schema\/logo\/image\/","url":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/06\/Logo-P365-stacked.jpg","contentUrl":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/06\/Logo-P365-stacked.jpg","width":1176,"height":696,"caption":"Practical 365"},"image":{"@id":"https:\/\/practical365.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Practical365","https:\/\/x.com\/Practical365","https:\/\/www.linkedin.com\/company\/practical365-com"]},{"@type":"Person","@id":"https:\/\/practical365.com\/#\/schema\/person\/19d7b2f404dd1da1d87586fb07015a19","name":"Tony Redmond","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/06\/cropped-TonyRedmondHeadShot2016-1200-96x96.jpg","url":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/06\/cropped-TonyRedmondHeadShot2016-1200-96x96.jpg","contentUrl":"https:\/\/practical365.com\/wp-content\/uploads\/2022\/06\/cropped-TonyRedmondHeadShot2016-1200-96x96.jpg","caption":"Tony Redmond"},"description":"Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.","sameAs":["https:\/\/office365itpros.com","https:\/\/x.com\/https:\/\/twitter.com\/12Knocksinna"],"url":"https:\/\/practical365.com\/author\/tony-redmondredmondassociates-org\/"}]}},"_links":{"self":[{"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/posts\/55808","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/users\/84"}],"replies":[{"embeddable":true,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/comments?post=55808"}],"version-history":[{"count":0,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/posts\/55808\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/media\/55915"}],"wp:attachment":[{"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/media?parent=55808"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/categories?post=55808"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/practical365.com\/wp-json\/wp\/v2\/tags?post=55808"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}