
Permissions

When you use the CIPP SAM Wizard, the application registration and its permissions are created for you. If you have a manual SAM installation, you will need to set up these permissions yourself.

You may skip this step if you plan to use the Secure Application Model Wizard within CIPP.

Manual SAM setup

Grant the following permissions to the Secure Application Model registration. To add a permission, follow these steps:

  • Go to the Azure Portal.
  • Select Azure Active Directory, then App Registrations.
  • Find your Secure App Model application. You can search based on the Application ID.
  • Go to API Permissions and select Add a permission.
  • Choose "Microsoft Graph", then either "Delegated permissions" or "Application permissions".
  • Add the permission you need.
  • Finally, select "Grant Admin Consent" for Company Name.

Permissions

For full functionality, CIPP needs the following permissions on the Secure Application Model registration. You can remove any permission whose functionality you do not want the application to have, but CIPP will then show errors in the features that depend on it.

Duplicate Permissions

Some permissions appear in both the Delegated and the Application permissions tables below. This is by design: a delegated permission and an application permission with the same name are two separate grants, and you need to add both.

Delegated Permissions

List of delegated permissions used by CIPP:

| Permission name | Description |
| --- | --- |
| Application.Read.All | Read applications |
| Application.ReadWrite.All | Read and write all applications |
| AuditLog.Read.All | Read audit log data |
| Channel.Create | Create channels |
| Channel.ReadBasic.All | Read the names and descriptions of channels |
| Channel.Delete.All | Delete channels |
| ChannelMember.Read.All | Read the members of channels |
| ChannelMember.ReadWrite.All | Add and remove members from channels |
| ChannelMessage.Edit | Edit users' channel messages |
| ChannelMessage.Read.All | Read users' channel messages |
| ChannelMessage.Send | Send channel messages |
| ChannelSettings.Read.All | Read the names, descriptions, and settings of channels |
| ChannelSettings.ReadWrite.All | Read and write the names, descriptions, and settings of channels |
| ConsentRequest.Read.All | Read consent requests |
| Device.Command | Communicate with user devices |
| Device.Read | Read user devices |
| Device.Read.All | Read all devices |
| DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps |
| DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune device configuration and policies |
| DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices |
| DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings |
| DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration |
| Directory.AccessAsUser.All | Access directory as the signed-in user |
| Domain.Read.All | Read domain data |
| Group.ReadWrite.All | Read and write all groups |
| GroupMember.ReadWrite.All | Read and write group memberships |
| Mail.Send | Send mail as a user |
| Mail.Send.Shared | Send mail on behalf of others |
| Member.Read.Hidden | Read hidden memberships |
| Organization.ReadWrite.All | Read and write organization information |
| Policy.Read.All | Read your organization's policies |
| Policy.ReadWrite.AuthenticationFlows | Read and write authentication flow policies |
| Policy.ReadWrite.AuthenticationMethod | Read and write authentication method policies |
| Policy.ReadWrite.Authorization | Read and write your organization's authorization policy |
| Policy.ReadWrite.ConditionalAccess | Read and write conditional access policy |
| Policy.ReadWrite.ConsentRequest | Read and write consent request policy |
| Policy.ReadWrite.DeviceConfiguration | Read and write your organization's device configuration policies |
| PrivilegedAccess.Read.AzureResources | Read privileged access to Azure resources |
| PrivilegedAccess.ReadWrite.AzureResources | Read and write privileged access to Azure resources |
| profile | View users' basic profile |
| Reports.Read.All | Read all usage reports |
| RoleManagement.ReadWrite.Directory | Read and write directory RBAC settings |
| SecurityActions.ReadWrite.All | Read and update your organization's security actions |
| SecurityEvents.ReadWrite.All | Read and update your organization's security events |
| ServiceHealth.Read.All | Read service health |
| ServiceMessage.Read.All | Read service announcement messages |
| Sites.ReadWrite.All | Edit or delete items in all site collections |
| TeamMember.ReadWrite.All | Add and remove members from teams |
| TeamMember.ReadWriteNonOwnerRole.All | Add and remove members with non-owner role for all teams |
| TeamsActivity.Read | Read users' teamwork activity feed |
| TeamsActivity.Send | Send a teamwork activity as the user |
| TeamsAppInstallation.ReadForChat | Read installed Teams apps in chats |
| TeamsAppInstallation.ReadForTeam | Read installed Teams apps in teams |
| TeamsAppInstallation.ReadForUser | Read users' installed Teams apps |
| TeamsAppInstallation.ReadWriteForChat | Manage installed Teams apps in chats |
| TeamsAppInstallation.ReadWriteForTeam | Manage installed Teams apps in teams |
| TeamsAppInstallation.ReadWriteForUser | Manage users' installed Teams apps |
| TeamsAppInstallation.ReadWriteSelfForChat | Allow the Teams app to manage itself in chats |
| TeamsAppInstallation.ReadWriteSelfForTeam | Allow the app to manage itself in teams |
| TeamsAppInstallation.ReadWriteSelfForUser | Allow the Teams app to manage itself for a user |
| TeamSettings.Read.All | Read teams' settings |
| TeamSettings.ReadWrite.All | Read and change teams' settings |
| TeamsTab.Create | Create tabs in Microsoft Teams |
| TeamsTab.Read.All | Read tabs in Microsoft Teams |
| TeamsTab.ReadWrite.All | Read and write tabs in Microsoft Teams |
| TeamsTab.ReadWriteForChat | Allow the Teams app to manage all tabs in chats |
| TeamsTab.ReadWriteForTeam | Allow the Teams app to manage all tabs in teams |
| TeamsTab.ReadWriteForUser | Allow the Teams app to manage all tabs for a user |
| Team.Create | Create teams |
| Team.ReadBasic.All | Read the names and descriptions of teams |
| ThreatAssessment.ReadWrite.All | Read and write threat assessment requests |
| UnifiedGroupMember.Read.AsGuest | Read unified group memberships as guest |
| User.ManageIdentities.All | Manage user identities |
| User.Read | Sign in and read user profile |
| User.ReadWrite.All | Read and write all users' full profiles |
| UserAuthenticationMethod.Read.All | Read all users' authentication methods |
| UserAuthenticationMethod.ReadWrite | Read and write user authentication methods |
| UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods |

Application Permissions

List of application permissions used by CIPP:

| Permission name | Description |
| --- | --- |
| Channel.Create | Create channels |
| Channel.ReadBasic.All | Read the names and descriptions of channels |
| ChannelMember.Read.All | Read the members of channels |
| ChannelMember.ReadWrite.All | Add and remove members from channels |
| Device.ReadWrite.All | Read and write devices |
| DeviceManagementApps.ReadWrite.All | Read and write Microsoft Intune apps |
| DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune device configuration and policies |
| DeviceManagementManagedDevices.PrivilegedOperations.All | Perform user-impacting remote actions on Microsoft Intune devices |
| DeviceManagementManagedDevices.Read.All | Read Microsoft Intune devices |
| DeviceManagementManagedDevices.ReadWrite.All | Read and write Microsoft Intune devices |
| DeviceManagementRBAC.Read.All | Read Microsoft Intune RBAC settings |
| DeviceManagementRBAC.ReadWrite.All | Read and write Microsoft Intune RBAC settings |
| DeviceManagementServiceConfig.Read.All | Read Microsoft Intune configuration |
| DeviceManagementServiceConfig.ReadWrite.All | Read and write Microsoft Intune configuration |
| Directory.Read.All | Read directory data |
| Group.Create | Create groups |
| Group.Read.All | Read all groups |
| Group.ReadWrite.All | Read and write all groups |
| GroupMember.ReadWrite.All | Read and write group memberships |
| Mail.Send | Send mail as a user |
| Organization.ReadWrite.All | Read and write organization information |
| Policy.Read.All | Read your organization's policies |
| Policy.ReadWrite.AuthenticationFlows | Read and write authentication flow policies |
| Policy.ReadWrite.AuthenticationMethod | Read and write authentication method policies |
| Policy.ReadWrite.ConditionalAccess | Read and write conditional access policy |
| Policy.ReadWrite.ConsentRequest | Read and write consent request policy |
| PrivilegedAccess.ReadWrite.AzureADGroup | Read and write privileged access to Azure AD groups |
| Reports.Read.All | Read all usage reports |
| RoleManagement.ReadWrite.Directory | Read and write directory RBAC settings |
| SecurityEvents.Read.All | Read your organization's security events |
| Sites.FullControl.All | Have full control of all site collections |
| Team.ReadBasic.All | Read the names and descriptions of teams |
| TeamMember.ReadWrite.All | Add and remove members from teams |
| TeamMember.ReadWriteNonOwnerRole.All | Add and remove members with non-owner role for all teams |
| User.ReadWrite.All | Read and write all users' full profiles |
| UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods |
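The portal steps under "Manual SAM setup" and the two tables above describe the same thing from two sides: "Add a permission" writes a `requiredResourceAccess` entry to the app registration, and "Grant Admin Consent" creates an `oauth2PermissionGrant` (delegated) or an `appRoleAssignment` (application) against the Microsoft Graph service principal. The script below is an added example, not CIPP's own code. It translates permission names from the tables into that `requiredResourceAccess` entry and audits what a tenant has actually consented to against the required lists, which is also a quick way to confirm that a name listed in both tables really has been added twice. It works entirely on constructed sample objects in the shape Graph returns for the Graph service principal, `oauth2PermissionGrants` and `appRoleAssignments`; every id in it is a placeholder, and the required sets are abbreviated subsets of the tables. The Graph resource `appId` `00000003-0000-0000-c000-000000000000` is the real well-known value.

```python
"""Added example (not CIPP's own code): build the requiredResourceAccess entry
behind 'Add a permission' and audit admin consent against the permission tables.
Works offline on constructed sample data; all ids are placeholders."""
from __future__ import annotations

# Well-known appId of the Microsoft Graph resource (identical in every tenant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Abbreviated subsets of the delegated and application tables on this page;
# paste the full tables in for a real check.
REQUIRED_DELEGATED = {"User.Read", "Group.ReadWrite.All", "Policy.Read.All",
                      "Directory.AccessAsUser.All"}
REQUIRED_APPLICATION = {"Group.ReadWrite.All", "Directory.Read.All", "Policy.Read.All"}

# Constructed stand-in for the Graph service principal of a tenant, i.e. the
# shape returned by GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>'.
# The ids are placeholders, not the real permission GUIDs; the real object
# lists hundreds of scopes and roles.
GRAPH_SP = {
    "id": "PLACEHOLDER-GRAPH-SP-OBJECT-ID",
    "appId": GRAPH_APP_ID,
    "oauth2PermissionScopes": [  # delegated permissions the resource exposes
        {"id": "d-0001", "value": "User.Read", "type": "User"},
        {"id": "d-0002", "value": "Group.ReadWrite.All", "type": "Admin"},
        {"id": "d-0003", "value": "Policy.Read.All", "type": "Admin"},
        {"id": "d-0004", "value": "Directory.AccessAsUser.All", "type": "Admin"},
        {"id": "d-0005", "value": "Files.ReadWrite.All", "type": "Admin"},
    ],
    "appRoles": [  # application permissions the resource exposes
        {"id": "a-0001", "value": "Group.ReadWrite.All"},
        {"id": "a-0002", "value": "Directory.Read.All"},
        {"id": "a-0003", "value": "Policy.Read.All"},
    ],
}

SAM_SP_ID = "PLACEHOLDER-SAM-SP-OBJECT-ID"  # service principal of the SAM registration

# Constructed consent state for the SAM registration, in the shape of
# GET /oauth2PermissionGrants (delegated; consentType AllPrincipals is what
# 'Grant Admin Consent' produces) and
# GET /servicePrincipals/{SAM_SP_ID}/appRoleAssignments (application).
CONSENTED_GRANTS = [
    {"clientId": SAM_SP_ID, "consentType": "AllPrincipals", "resourceId": GRAPH_SP["id"],
     "scope": "User.Read Group.ReadWrite.All Files.ReadWrite.All"},
]
CONSENTED_ROLE_ASSIGNMENTS = [
    {"principalId": SAM_SP_ID, "resourceId": GRAPH_SP["id"], "appRoleId": "a-0001"},
    {"principalId": SAM_SP_ID, "resourceId": GRAPH_SP["id"], "appRoleId": "a-0002"},
]


def _name_to_id(entries: list[dict], names: set[str]) -> dict[str, str]:
    """Map permission names to the resource's ids; unknown names raise so a typo
    in a pasted table is caught instead of silently dropped."""
    by_name = {e["value"]: e["id"] for e in entries}
    unknown = names - set(by_name)
    if unknown:
        raise KeyError(f"not exposed by this resource: {sorted(unknown)}")
    return {n: by_name[n] for n in names}


def build_required_resource_access(sp: dict, delegated: set[str], application: set[str]) -> dict:
    """The requiredResourceAccess entry that 'Add a permission' writes: delegated
    names become type 'Scope', application names type 'Role'. A name present in
    both tables yields two entries with different ids, which is why the
    'Duplicate Permissions' note says both must be added."""
    scopes = _name_to_id(sp["oauth2PermissionScopes"], delegated)
    roles = _name_to_id(sp["appRoles"], application)
    access = [{"id": i, "type": "Scope"} for _, i in sorted(scopes.items())]
    access += [{"id": i, "type": "Role"} for _, i in sorted(roles.items())]
    return {"resourceAppId": sp["appId"], "resourceAccess": access}


def audit_consent(sp: dict, grants: list[dict], role_assignments: list[dict],
                  delegated: set[str], application: set[str]) -> dict[str, set[str]]:
    """Compare admin-consented permissions with the required lists. 'missing_*'
    still has to be added and consented; 'extra_*' is consented beyond the list
    and is where to trim if the registration should carry nothing it does not use."""
    granted_delegated: set[str] = set()
    for g in grants:
        if g["resourceId"] == sp["id"] and g["consentType"] == "AllPrincipals":
            granted_delegated.update(g["scope"].split())
    id_to_role = {r["id"]: r["value"] for r in sp["appRoles"]}
    granted_application = {id_to_role[a["appRoleId"]] for a in role_assignments
                           if a["resourceId"] == sp["id"] and a["appRoleId"] in id_to_role}
    return {
        "missing_delegated": delegated - granted_delegated,
        "extra_delegated": granted_delegated - delegated,
        "missing_application": application - granted_application,
        "extra_application": granted_application - application,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_required_resource_access(GRAPH_SP, REQUIRED_DELEGATED,
                                                    REQUIRED_APPLICATION), indent=2))
    report = audit_consent(GRAPH_SP, CONSENTED_GRANTS, CONSENTED_ROLE_ASSIGNMENTS,
                           REQUIRED_DELEGATED, REQUIRED_APPLICATION)
    for key, value in report.items():
        print(f"{key}: {sorted(value)}")
```

To run this against a real tenant, replace the three constructed objects with the JSON from the Graph calls named in the comments and paste the full tables into the two required sets. On the sample data the audit reports `Policy.Read.All` and `Directory.AccessAsUser.All` as missing delegated consent, `Policy.Read.All` as missing application consent, and `Files.ReadWrite.All` as a delegated grant the tables never asked for.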