DeliverPoint Microsoft Graph permissions

This is a list of the Microsoft Graph permissions requested by the DeliverPoint SPFx web part for SharePoint Online.

 

The following list covers all of the Microsoft Graph permissions requested by the current version of DeliverPoint for SharePoint Online. You may decline to approve any permission whose functionality you do not need.

These are all "Delegated" permissions, which a Global or Application Admin can approve on the API Access page in the SharePoint Admin Center. They will then be listed as API Permissions under the SharePoint Online Web Client Extensibility application in Entra in your tenant. 

AuditLogsQuery.Read.All (added in version 5.0.0.0): Allows DeliverPoint to produce audit reports. As of this writing, this is a beta endpoint and must be approved via PowerShell rather than from the API Access page in the SharePoint Admin Center. See instructions here.

ChannelSettings.Read.All: Needed for retrieving team channels (used by the "Teams view" mode of the tree view).

Directory.Read.All: Read information from AD: list of users, AD groups, and members of AD groups. Necessary for reporting and also for retrieving data prior to starting permission management operations. This is a basic permission that should always be granted for DeliverPoint to function properly. 

Directory.ReadWrite.All: Necessary for DeliverPoint operations that require modification of M365 groups (i.e., adding members to or removing members from an M365 group).

Files.Read.All: Needed for OneDrive reporting - both the OneDrive Permissions and OneDrive Sharing Links reports.

Files.ReadWrite.All: Only needed if you want the option to remove OneDrive permissions or sharing links from within those reports. 

InformationProtectionPolicy.Read (added in version 4.2.0.0): Allows DeliverPoint to report on Sensitivity Labels.

Mail.Read: Necessary for full functionality of user avatars and profile cards.

Mail.Send (added in version 4.1.0.0): Allows sending an email to users who are granted permission to an object.

People.Read.All: Necessary for full functionality of user avatars and profile cards.

Presence.Read.All: Necessary for full functionality of user avatars and profile cards.

Sites.Read.All: Used for site-related usage in the Discover Usage and Permission Summary reports. Necessary for full functionality of user profile cards.

User.Read.All: Necessary for full functionality of user avatars and profile cards.
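As an added example (not DeliverPoint code or part of its documentation), the following Python reviews a delegated grant against the list above and reports scopes that are not on the list, scopes granted for features you do not use, and modifying scopes that could be dropped. The feature labels, the function name `review_grant` and the sample record are assumptions made for illustration; the record follows the Microsoft Graph oauth2PermissionGrant shape, where `scope` is a space-separated string.

```python
import json

# Scope -> feature label, transcribed from the list above (labels are this example's own).
DOCUMENTED = {
    "AuditLogsQuery.Read.All": "audit reports",
    "ChannelSettings.Read.All": "Teams view",
    "Directory.Read.All": "core",
    "Directory.ReadWrite.All": "M365 group membership changes",
    "Files.Read.All": "OneDrive reports",
    "Files.ReadWrite.All": "OneDrive permission/link removal",
    "InformationProtectionPolicy.Read": "Sensitivity Label reports",
    "Mail.Read": "avatars and profile cards",
    "Mail.Send": "permission-granted email",
    "People.Read.All": "avatars and profile cards",
    "Presence.Read.All": "avatars and profile cards",
    "Sites.Read.All": "usage reports and profile cards",
    "User.Read.All": "avatars and profile cards",
}
# Scopes on the list that let the web part change or send data, not just read it.
MODIFYING = {"Directory.ReadWrite.All", "Files.ReadWrite.All", "Mail.Send"}


def review_grant(grant, wanted_features):
    """Compare one oauth2PermissionGrant record with the features actually in use."""
    known = set(DOCUMENTED)
    granted = set(grant["scope"].split())  # Graph stores scopes space-separated
    needed = {s for s, feature in DOCUMENTED.items() if feature in wanted_features}
    return {
        "undocumented": sorted(granted - known),          # not requested by DeliverPoint
        "unneeded": sorted((granted & known) - needed),   # listed, but feature unused
        "missing": sorted(needed - granted),              # feature wanted, scope absent
        "modifying_unneeded": sorted((granted & MODIFYING) - needed),
    }


# Constructed sample record; Group.ReadWrite.All stands in for a scope not on the list.
SAMPLE_GRANT = json.loads("""{
  "consentType": "AllPrincipals",
  "scope": "Directory.Read.All Directory.ReadWrite.All Files.Read.All Mail.Send Group.ReadWrite.All"
}""")

if __name__ == "__main__":
    report = review_grant(SAMPLE_GRANT, {"core", "OneDrive reports", "Teams view"})
    for key, scopes in report.items():
        print(f"{key}: {', '.join(scopes) or '-'}")
```

Scopes reported under `undocumented` may belong to other SPFx solutions, since the grant is shared by everything approved on the API Access page.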

 

Published June 21, 2023

Updated Feb 25, 2025 (v5.0.0.0)

Updated March 21, 2025 (Microsoft change in Graph permission location)