Entra App-Only Access: User.ReadBasic.All Live
Microsoft Entra
Jan 11, 2024 1:00 PM

by HubSite 365 about Rene Vlieger (ms365news.com)

Explore New App-Only User.ReadBasic.All Permission for Enhanced Microsoft 365 Security

Key insights

New Permission Addition: Microsoft has introduced a new app-only User.ReadBasic.All permission that allows applications to access basic user information (ID, display name, first and last name, email address, and photo), enhancing security by limiting data access to what is necessary.

Addressed Bug Fix: A bug that previously allowed apps with User.ReadBasic.All delegated permission to filter on unauthorized properties has been resolved, tightening control over app permissions and data access.

Error Handling Update: Applications incorrectly using delegated User.ReadBasic.All permission to filter restricted properties will now receive a 403 error message, promoting correct permission usage.

Assessment and Adjustment: Organizations now have the ability to audit apps' permission needs and adjust to User.ReadBasic.All where suitable, potentially improving security protocols and privacy compliance.

Impending Rollout and Action Steps: The rollout will commence in mid-January 2024 and is expected to conclude by the end of January. Organizations may need to update their documentation to prepare for this change.

  • A new app-only User.ReadBasic.All permission has been made available by Microsoft.
  • Bug fix implemented, preventing apps from accessing unauthorized properties.
  • Apps misusing delegated permissions will trigger a 403 error message.
  • Opportunity for better assessment of permissions needed by applications.
  • Rollout planned for mid to late January 2024; organizations should update documentation.

Understanding Microsoft Entra's Latest Update

Microsoft's recent update to Entra's permissions represents a significant step in bolstering security and governance within Microsoft 365 ecosystems. By creating a distinction between app-only and delegated User.ReadBasic.All permissions, Microsoft ensures that applications only consume the least amount of user data necessary for functionality, thus adhering to the principle of least privilege. This change not only helps in reinforcing data privacy but also in reducing the risk of data breaches, as apps are now more restricted in the user information they can access. With the roll-out approaching, it's an ideal time for businesses and administrators within the Microsoft 365 environment to review and adjust their application permissions accordingly, to better align with these updated security measures.

Microsoft Entra, the acclaimed security and access management solution, has made a significant update with the introduction of the Entra App-Only User.ReadBasic.All Permission. Previously, only the delegated version of this permission, allowing access to basic user information like ID and names, was available. Now, following user feedback, Microsoft has unlocked the app-only level of this permission.

This update to Microsoft Entra also includes a critical bug fix that previously allowed apps with delegated permissions to inadvertently filter on unauthorized properties. With the fix in place, apps are now correctly restricted from accessing properties beyond their granted permission scope, enhancing overall security protocols.

Should any apps attempt to filter user properties without the required permissions, they will encounter a 403 error, indicating insufficient privileges. This error enforces proper permission usage and helps administrators enforce security guidelines effectively within their applications.

For administrators managing Microsoft Entra permissions, app-only User.ReadBasic.All provides a more secure and limited access option for applications. Evaluating your applications to determine if they require full access or can operate with basic access is an essential part of maintaining optimal security standards.

The rollout of this update is scheduled to begin in mid-January 2024, with completion expected before the end of January. The seamless implementation by Microsoft ensures minimal disruption to organizations and their operations.

Most organizations will not need to take any action if their applications are already compliant with the data access restrictions of User.ReadBasic.All. However, if applications require more extensive access for filtering operations, User.Read.All permission must be granted.
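The assessment described above can be scripted. The following added example (not code from the post, from Microsoft or from HubSite 365) reviews each app's Microsoft Graph application-role grants against the user properties its requests actually touch, using constructed sample data: placeholder app-role ids standing in for the Microsoft Graph service principal's appRoles, a constructed appRoleAssignments list, and request URIs imitating the requestUri field of Microsoft Graph activity logs. It flags apps holding User.Read.All that only use the basic profile set (candidates for app-only User.ReadBasic.All) and apps holding User.ReadBasic.All that filter on non-basic properties (the requests that will receive a 403 once the fix rolls out).

```python
"""Least-privilege review: User.Read.All vs User.ReadBasic.All.

Added example, not part of the original post. All data below is constructed:
the app role ids are placeholders (resolve the real ones from your tenant's
Microsoft Graph service principal) and the request URIs imitate the shape of
the requestUri field in Microsoft Graph activity logs.
"""
import re
from urllib.parse import urlparse, parse_qs

# Basic profile properties the post lists for User.ReadBasic.All. The photo
# is fetched via the /photo segment rather than as a property, so it is omitted.
BASIC_PROPERTIES = {"id", "displayName", "givenName", "surname", "mail"}

# Constructed stand-in for the Graph service principal's appRoles (id -> value).
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-00000000000a", "value": "User.Read.All"},
    {"id": "00000000-0000-0000-0000-00000000000b", "value": "User.ReadBasic.All"},
]

# Constructed appRoleAssignments: which app holds which Graph application role.
APP_ROLE_ASSIGNMENTS = [
    {"principalDisplayName": "Directory Sync", "appRoleId": "00000000-0000-0000-0000-00000000000a"},
    {"principalDisplayName": "Badge Printer", "appRoleId": "00000000-0000-0000-0000-00000000000a"},
    {"principalDisplayName": "Welcome Bot", "appRoleId": "00000000-0000-0000-0000-00000000000b"},
]

# Constructed request log: (app, requestUri) pairs as an activity log would record them.
REQUEST_LOG = [
    ("Directory Sync", "https://graph.microsoft.com/v1.0/users?$select=id,displayName,department&$filter=accountEnabled eq true"),
    ("Badge Printer", "https://graph.microsoft.com/v1.0/users?$select=id,displayName,mail"),
    ("Badge Printer", "https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'A')&$select=displayName"),
    ("Welcome Bot", "https://graph.microsoft.com/v1.0/users?$filter=department eq 'Sales'&$select=displayName,mail"),
]

# Property names in an OData $filter: "prop eq ..." or "startswith(prop, ...)".
_FILTER_PROP = re.compile(
    r"\b([A-Za-z]\w*)\s+(?:eq|ne|gt|ge|lt|le|in)\b"
    r"|\b(?:startswith|endswith|contains)\(\s*([A-Za-z]\w*)\s*,"
)


def properties_used(request_uri):
    """Return (selected, filtered) user property sets touched by a /users request."""
    url = urlparse(request_uri)
    if not (url.path.startswith("/v1.0/users") or url.path.startswith("/beta/users")):
        return set(), set()
    query = parse_qs(url.query, keep_blank_values=True)
    selected = set()
    for raw in query.get("$select", []):
        selected.update(p.strip() for p in raw.split(",") if p.strip())
    filtered = set()
    for raw in query.get("$filter", []):
        for plain, in_function in _FILTER_PROP.findall(raw):
            filtered.add(plain or in_function)
    return selected, filtered


def resolve_roles(app_name, assignments=APP_ROLE_ASSIGNMENTS, app_roles=GRAPH_APP_ROLES):
    """Map an app's appRoleAssignments back to Graph permission names."""
    names = {role["id"]: role["value"] for role in app_roles}
    return {names[a["appRoleId"]] for a in assignments
            if a["principalDisplayName"] == app_name and a["appRoleId"] in names}


def review_app(app_name, assignments=APP_ROLE_ASSIGNMENTS, log=REQUEST_LOG):
    """Classify an app as over-privileged, at-risk (403 after rollout), justified or ok."""
    roles = resolve_roles(app_name, assignments)
    touched = set()
    for app, uri in log:
        if app == app_name:
            selected, filtered = properties_used(uri)
            touched |= selected | filtered
    beyond_basic = sorted(touched - BASIC_PROPERTIES)
    if "User.ReadBasic.All" in roles and beyond_basic:
        return "at-risk", beyond_basic        # filtering on these returns 403 after the fix
    if "User.Read.All" in roles and not beyond_basic:
        return "over-privileged", beyond_basic  # downgrade to app-only User.ReadBasic.All
    if "User.Read.All" in roles:
        return "justified", beyond_basic      # these properties need User.Read.All
    return "ok", beyond_basic


if __name__ == "__main__":
    for name in sorted({a["principalDisplayName"] for a in APP_ROLE_ASSIGNMENTS}):
        verdict, props = review_app(name)
        print(f"{name:15} {verdict:16} beyond-basic properties: {props or '-'}")
```

Feed it real data by pulling the Graph service principal's appRoles, each app's appRoleAssignments, and a period of Graph activity logs; an app that never touches anything outside the basic set is the one to move to app-only User.ReadBasic.All, while an app already on User.ReadBasic.All that filters on another property needs either User.Read.All or a changed query before the rollout.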

To stay ahead, organizations should consider revising their internal documentation to reflect these changes and ensure that all staff are informed of the new permissions available and how they might impact current and future application configurations.

  • App-only User.ReadBasic.All permission now available in Microsoft Entra
  • Security enhancement with bug fixes for filtering on unauthorized properties
  • Rollout begins mid-January 2024
  • Completion expected by late January 2024

As for organizations, there's no immediate action required unless your apps rely on filtering user properties. If they do, you may need to adjust permissions to User.Read.All to avoid any operational disruptions. Otherwise, applications should operate as normal without any adjustments.

Lastly, to stay ahead, updating organizational documentation might be necessary to reflect these changes and ensure all procedures align with the new permission structure. We appreciate your attention to this update and encourage you to make the necessary preparations.

Read the full article: Entra App-Only User.ReadBasic.All Permission is now available

People also ask

What is the difference between application permissions and delegated permissions?

Application permissions and delegated permissions are two types of access rights that can be granted to applications within the Microsoft identity platform, such as those that interact with Microsoft 365 services. Application permissions are granted directly to the application by an administrator and allow the app to perform actions on behalf of the organization without a signed-in user present. This type of permission is typically used by background services or server-to-server interactions. Conversely, delegated permissions are granted to applications on behalf of a signed-in user. These permissions delegate user rights to the application, allowing it to act as the signed-in user when making API calls. The level of access is limited to what the user is allowed to do.

How do I add permissions to Azure app registration?

To add permissions to an Azure app registration, you would need to go to the Azure portal, locate the Azure Active Directory service, and find the "App registrations" section. From there, select the application to which you want to add permissions. Navigate to the "API permissions" page where you can add various permissions based on the APIs your application requires access to. You can add both delegated and application permissions. After selecting the necessary permissions, you may need an admin to grant consent for the permissions to take effect if they require administrative approval.

What allows the app to read mail in all mailboxes without a signed-in user?

Allowing an app to read mail in all mailboxes without a signed-in user requires application permissions. This is typically done by granting the application the "Mail.Read" application permission within the Microsoft Graph API scope. An administrator must consent to these permissions at the tenant level. Once the application is granted these permissions and provided admin consent, it can use its own credentials to authenticate and read emails from all mailboxes in the organization through the Microsoft Graph API without any user context.

How do I grant permissions to a user in graph API?

Granting permissions to a user in the Microsoft Graph API actually refers to assigning delegated permissions to the app the user will be interacting with. Users themselves don't receive permissions directly within the Graph API; instead, they are granted through the application they use. To grant these permissions to the application, you need to configure its Azure app registration as mentioned earlier, adding the desired delegated permissions in the "API permissions" section. When a user logs in to the application, they will be prompted to consent to these permissions, or an admin may pre-consent on their behalf. Once consent is acquired, the application can make API calls on behalf of the user according to the permissions granted.
