218 changes: 213 additions & 5 deletions permissions/new/permissions.json
Expand Up @@ -1145,7 +1145,7 @@
"POST"
],
"paths": {
"/servicePrincipals/microsoft.graph.agentIdentity": "least=DelegatedWork"
"/servicePrincipals/microsoft.graph.agentIdentity": "least=Application,DelegatedWork"
}
}
],
Expand All @@ -1172,8 +1172,6 @@
"POST"
],
"paths": {
"/servicePrincipals(appid={value})/microsoft.graph.agentIdentityBlueprintPrincipal/identities": "least=Application",
"/servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal/identities": "least=Application",
"/servicePrincipals/microsoft.graph.agentIdentity": ""
}
}
Expand Down Expand Up @@ -17742,6 +17740,18 @@
"/devicemanagement/manageddevices/{id}/wipe": "",
"/devicemanagement/manageddevices/executeaction": ""
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"GET"
],
"paths": {
"/devicemanagement/manageddevices/{id}/getsyncstatus": "least=DelegatedWork,Application"
}
}
],
"ownerInfo": {
Expand Down Expand Up @@ -28227,6 +28237,56 @@
"ownerSecurityGroup": "GroupsIDCSG"
}
},
"Group-NestingSupport.ReadWrite.All": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read and write groups' disableNesting property",
"adminDescription": "Allows the app to read and write groups' disableNesting property on behalf of the signed-in user.",
"userDisplayName": "Read and write groups' disableNesting property",
"userDescription": "Allows the app to read and write the disableNesting property on your behalf.",
"requiresAdminConsent": true,
"privilegeLevel": 2
},
"Application": {
"adminDisplayName": "Read and write groups' disableNesting property",
"adminDescription": "Allows the app to read and write groups' disableNesting property without a signed-in user.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"GET"
],
"paths": {
"/groups": "least=DelegatedWork,Application",
"/groups/{id}": "least=DelegatedWork,Application",
"/groups/delta": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"PATCH"
],
"paths": {
"/groups/{id}": "least=DelegatedWork,Application"
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "AADGroupsPreAuth"
}
},
"Group-OnPremisesSyncBehavior.ReadWrite.All": {
"authorizationType": "oAuth2",
"schemes": {
Expand Down Expand Up @@ -32026,7 +32086,7 @@
"/identitygovernance/lifecycleworkflows/workflows": "",
"/identitygovernance/lifecycleworkflows/workflows({id})/previewscope": "least=DelegatedWork,Application",
"/identitygovernance/lifecycleworkflows/workflows({id})/previewtaskfailures": "least=DelegatedWork,Application",
"/identitygovernance/lifecycleworkflows/workflows/{id}": "least=DelegatedWork,Application",
"/identitygovernance/lifecycleworkflows/workflows/{id}": "",
"/identitygovernance/lifecycleworkflows/workflows/{id}/executionscope": "least=DelegatedWork,Application",
"/identitygovernance/lifecycleworkflows/workflows/{id}/tasks": "least=DelegatedWork,Application",
"/identitygovernance/lifecycleworkflows/workflows/{id}/tasks/{id}": "least=DelegatedWork,Application",
Expand Down Expand Up @@ -32069,7 +32129,8 @@
"GET"
],
"paths": {
"/identitygovernance/lifecycleworkflows/workflows": "least=DelegatedWork,Application"
"/identitygovernance/lifecycleworkflows/workflows": "least=DelegatedWork,Application",
"/identitygovernance/lifecycleworkflows/workflows/{id}": "least=DelegatedWork,Application"
}
}
],
Expand Down Expand Up @@ -33568,6 +33629,72 @@
"ownerSecurityGroup": "stisaprvc"
}
},
"MailTips.ReadBasic.All": {
"authorizationType": "oAuth2",
"schemes": {
"Application": {
"adminDisplayName": "Read mail tips for all users",
"adminDescription": "Allows the app to read mail tips for all users in the organization without a signed-in user. Mail tips include automatic replies, mailbox status, custom tips, and delivery information.",
"requiresAdminConsent": true,
"privilegeLevel": 4
}
},
"pathSets": [
{
"schemeKeys": [
"Application"
],
"methods": [
"POST"
],
"paths": {
"/users/{id}/getmailtips": ""
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "stisaprvc"
}
},
"MailTips.ReadBasic.Shared": {
"authorizationType": "oAuth2",
"schemes": {
"DelegatedWork": {
"adminDisplayName": "Read mail tips for accessible mailboxes",
"adminDescription": "Allows the app to read mail tips on behalf of the signed-in user for mailboxes they have access to, including their own mailbox and shared mailboxes. Mail tips include automatic replies, mailbox status, custom tips, and delivery information.",
"userDisplayName": "Read mail tips for mailboxes you can access",
"userDescription": "Allows the app to read mail tips on your behalf for mailboxes you have access to, including your own mailbox and shared mailboxes.",
"requiresAdminConsent": false,
"privilegeLevel": 3
},
"DelegatedPersonal": {
"adminDisplayName": "Read mail tips for accessible mailboxes",
"adminDescription": "Allows the app to read mail tips on behalf of the signed-in user for mailboxes they have access to. Mail tips include automatic replies, mailbox status, custom tips, and delivery information.",
"userDisplayName": "Read mail tips for mailboxes you can access",
"userDescription": "Allows the app to read mail tips on your behalf for mailboxes you have access to, including your own mailbox.",
"requiresAdminConsent": false,
"privilegeLevel": 2
}
},
"pathSets": [
{
"schemeKeys": [
"DelegatedWork",
"DelegatedPersonal"
],
"methods": [
"POST"
],
"paths": {
"/me/getmailtips": "",
"/users/{id}/getmailtips": ""
}
}
],
"ownerInfo": {
"ownerSecurityGroup": "stisaprvc"
}
},
"ManagedTenants.Read.All": {
"authorizationType": "oAuth2",
"schemes": {
Expand Down Expand Up @@ -34236,6 +34363,19 @@
"/networkAccess/tlsInspectionPolicies/{id}/policyRules/{id}": "least=DelegatedWork,Application",
"/networkAccess/tlsPolicies": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"POST"
],
"paths": {
"/networkAccess/classifyMcpTools": "least=DelegatedWork,Application",
"/networkAccess/discoverMcpTools": "least=DelegatedWork,Application"
}
}
],
"ownerInfo": {
Expand Down Expand Up @@ -34364,12 +34504,14 @@
"POST"
],
"paths": {
"/networkAccess/classifyMcpTools": "",
"/networkAccess/cloudFirewallPolicies": "least=DelegatedWork,Application",
"/networkAccess/cloudFirewallPolicies/{id}/policyRules": "least=DelegatedWork,Application",
"/networkAccess/connectivity/branches": "least=DelegatedWork,Application",
"/networkAccess/connectivity/branches/{id}/deviceLinks": "least=DelegatedWork,Application",
"/networkAccess/contentPolicies": "least=DelegatedWork,Application",
"/networkAccess/contentPolicies/{id}/policyRules": "least=DelegatedWork,Application",
"/networkAccess/discoverMcpTools": "",
"/networkAccess/fileDlpPolicies": "least=DelegatedWork,Application",
"/networkAccess/filteringPolicies": "least=DelegatedWork,Application",
"/networkAccess/filteringPolicies/{id}/policyRules": "least=DelegatedWork,Application",
Expand Down Expand Up @@ -37780,6 +37922,7 @@
"/applications/{id}/tokenissuancepolicies": "AlsoRequires=Application.ReadWrite.All",
"/applications/{id}/tokenlifetimepolicies": "AlsoRequires=Application.ReadWrite.All",
"/identity/conditionalaccess/namedlocations": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans": "least=DelegatedWork,Application",
"/identity/conditionalaccess/policies": "least=DelegatedWork,Application",
"/serviceprincipals(appid={value})/claimsmappingpolicies": "AlsoRequires=Application.ReadWrite.All",
"/serviceprincipals(appid={value})/homerealmdiscoverypolicies": "AlsoRequires=Application.ReadWrite.All",
Expand Down Expand Up @@ -37905,6 +38048,7 @@
"/policies/crosstenantaccesspolicy/partners/{id}/m365Capabilities/crossTenantPlacesRoomBooking": "least=DelegatedWork,Application",
"/policies/defaultappmanagementpolicy": "least=DelegatedWork,Application",
"/policies/externalidentitiespolicy": "least=DelegatedWork,Application",
"/policies/federatedtokenvalidationpolicy": "least=DelegatedWork,Application",
"/policies/homerealmdiscoverypolicies": "least=DelegatedWork,Application",
"/policies/homerealmdiscoverypolicies/{id}": "least=DelegatedWork,Application",
"/policies/homerealmdiscoverypolicies/{id}/appliesto": "least=DelegatedWork,Application",
Expand All @@ -37931,6 +38075,9 @@
],
"paths": {
"/identity/conditionalaccess/namedlocations/{id}": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}/rules": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}/rules/{id}": "least=DelegatedWork,Application",
"/identity/conditionalaccess/policies/{id}": "least=DelegatedWork,Application"
}
},
Expand Down Expand Up @@ -38364,6 +38511,10 @@
],
"paths": {
"/identity/conditionalaccess/authenticationcontextclassreferences": "",
"/identity/conditionalaccess/plans": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}/rules": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}/rules/{id}": "least=DelegatedWork,Application",
"/identity/conditionalaccess/settings": "least=DelegatedWork,Application"
}
},
Expand Down Expand Up @@ -38822,6 +38973,20 @@
"paths": {
"/policies/authenticationflowspolicy": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"DELETE",
"GET",
"PATCH"
],
"paths": {
"/policies/federatedtokenvalidationpolicy": "least=DelegatedWork,Application"
}
}
],
"ownerInfo": {
Expand Down Expand Up @@ -39215,6 +39380,10 @@
"/identity/conditionalaccess/authenticationstrength/authenticationmethodmodes/{id}": "",
"/identity/conditionalaccess/authenticationstrength/combinations": "",
"/identity/conditionalaccess/authenticationstrength/policies/{id}/combinationconfigurations": "",
"/identity/conditionalaccess/plans": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}/rules": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}/rules/{id}": "least=DelegatedWork,Application",
"/policies/authenticationstrengthpolicies": "",
"/policies/authenticationstrengthpolicies/{id}/usage": "",
"/policies/authenticationstrengthpolicies/findbymethodmode(authenticationmethodmodes={value})": ""
Expand Down Expand Up @@ -39259,6 +39428,8 @@
"paths": {
"/identity/conditionalaccess/evaluate": "",
"/identity/conditionalaccess/namedlocations": "",
"/identity/conditionalaccess/plans": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}/rules": "least=DelegatedWork,Application",
"/identity/conditionalaccess/policies": "",
"/policies/authenticationstrengthpolicies/{id}/updateallowedcombinations": "least=DelegatedWork,Application"
}
Expand All @@ -39274,6 +39445,8 @@
],
"paths": {
"/identity/conditionalaccess/namedlocations/{id}": "",
"/identity/conditionalaccess/plans/{id}": "least=DelegatedWork,Application",
"/identity/conditionalaccess/plans/{id}/rules/{id}": "least=DelegatedWork,Application",
"/identity/conditionalaccess/policies/{id}": ""
}
},
Expand Down Expand Up @@ -43182,6 +43355,17 @@
"paths": {
"/admin/reportsettings": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork"
],
"methods": [
"GET"
],
"paths": {
"/admin/reportsettings/sharepoint/apiusagereportmetrics": "least=DelegatedWork"
}
}
],
"ownerInfo": {
Expand Down Expand Up @@ -43219,6 +43403,18 @@
"paths": {
"/admin/reportsettings": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork"
],
"methods": [
"POST"
],
"paths": {
"/admin/reportsettings/sharepoint/disableapiusagereport": "least=DelegatedWork",
"/admin/reportsettings/sharepoint/enableapiusagereport": "least=DelegatedWork"
}
}
],
"ownerInfo": {
Expand Down Expand Up @@ -45282,6 +45478,18 @@
"paths": {
"/security/alerts_v2/{id}/comments": "least=DelegatedWork,Application"
}
},
{
"schemeKeys": [
"DelegatedWork",
"Application"
],
"methods": [
"POST"
],
"paths": {
"/security/alerts_v2": "least=DelegatedWork,Application"
}
}
],
"ownerInfo": {
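Review bot: In the new `Group-NestingSupport.ReadWrite.All` entry, both pathSets mark `/groups`, `/groups/{id}` and `/groups/delta` as `least=DelegatedWork,Application`, although the consent text scopes the permission to the `disableNesting` property only. A path-level `least=` marker cannot express that property restriction, so anything that derives least-privilege guidance from this file would recommend a tenant-wide, admin-consented write scope for ordinary group reads and for any PATCH on a group. Unless the service really treats this as the lowest scope for those calls, I would leave the values empty, e.g. `"/groups/{id}": ""`, and keep the marker on whichever existing group permission already holds it (not visible in this diff). The same question applies to the `/identity/conditionalaccess/plans` paths, which this commit marks `least=DelegatedWork,Application` in several separate pathSets; if those sit under different permissions with the same method, only one of them should carry the marker.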