Overview

Pia uses app registration permissions in the Microsoft Office 365 Graph API. These permissions are used by Pia during executions of Pia automations to perform actions for the clients such as adding users to a group or creating a new user or creating a shared mailbox etc.

To learn more about how to authorise Pia for your clients, go to this article.

To learn more about how each automations uses the Graph API, click here.

info

Pia's automations may not use all requested Graph API permissions. Some permissions requested are to enable future Pia automations. The permissions which are granted cannot be dynamically changed (you cannot select permissions individually on a per client basis). This is a limitation from Microsoft.

Permissions

Permission Name	Description	Permission Type
Directory.AccessAsUser.All	Access directory as the signed in user	Delegated
Mail.Read	Read user mail	Delegated
offline_access	Maintain access to data you have given it access to	Delegated
AppCatalog.ReadWrite.All	Read and write to all app catalogs	Delegated
AuditLog.Read.All	Read audit log data	Delegated
DeviceManagementConfiguration.ReadWrite.All	Read and write Microsoft Intune Device Configuration and Policies	Delegated
DeviceManagementRBAC.ReadWrite.All	Read and write Microsoft Intune RBAC settings	Delegated
DeviceManagementManagedDevices.PrivilegedOperations.All	Perform user-impacting remote actions on Microsoft Intune devices	Delegated
Calendars.ReadWrite.Shared	Read and write user and shared calendars	Delegated
User.Read	Sign in and read user profile	Delegated
Group.ReadWrite.All	Read and write all groups	Delegated
Mail.Send	Send mail as a user	Delegated
IdentityRiskEvent.Read.All	Read identity risk event information	Delegated
AppRoleAssignment.ReadWrite.All	Manage app permission grants and app role assignments	Delegated
BitlockerKey.Read.All	Read BitLocker keys	Delegated
UserAuthenticationMethod.ReadWrite.All	Read and write all users' authentication methods	Delegated
ConsentRequest.ReadWrite.All	Read and write consent requests	Delegated
Device.ReadWrite.All	Read and write devices	Delegated
User.ReadWrite.All	Read and write all users' full profiles	Delegated
UserAuthenticationMethod.ReadWrite.All	Read and write all users' authentication methods	Application
WindowsUpdates.ReadWrite.All	Read and write all Windows update deployment settings	Application
Directory.ReadWrite.All	Read and write directory data	Application
Group.ReadWrite.All	Read and write all groups	Application
DeviceManagementServiceConfig.ReadWrite.All	Read and write Microsoft Intune configuration	Application
TeamMember.ReadWrite.All	Add and remove members from all teams	Application
Organization.ReadWrite.All	Read and write organization information	Application
ConsentRequest.ReadWrite.All	Read and write all consent requests	Application
AppRoleAssignment.ReadWrite.All	Manage app permission grants and app role assignments	Application
User.ManageIdentities.All	Manage all users' identities	Application
MailboxSettings.ReadWrite	Read and write all user mailbox settings	Application
ChannelMember.ReadWrite.All	Add and remove members from all channels	Application
RoleManagement.ReadWrite.Directory	Read and write all directory RBAC settings	Application
GroupMember.ReadWrite.All	Read and write all group memberships	Application
IdentityRiskEvent.Read.All	Read all identity risk event information	Application
AdministrativeUnit.ReadWrite.All	Read and write all administrative units	Application
AuditLog.Read.All	Read all audit log data	Application
DeviceManagementConfiguration.ReadWrite.All	Read and write Microsoft Intune device configuration and policies	Application
DeviceManagementManagedDevices.PrivilegedOperations.All	Perform user-impacting remote actions on Microsoft Intune devices	Application
ServiceHealth.Read.All	Read service health	Application
DeviceManagementRBAC.ReadWrite.All	Read and write Microsoft Intune RBAC settings	Application