Permissions
Each Guests App requires specific permissions to access or modify guest data stored in your Microsoft Entra ID. We've organized these permissions thoughtfully to provide you with maximum control and clarity, while adhering to the principle of least privilege.
As a Microsoft 365 administrator, you have the option to pre-consent the required permissions. By doing so, the app will gain access to specific resources within your organization. Users will not be prompted to review permissions if pre-consented.
To unlock all Guests features, it's important to grant all necessary permissions.
Admin center permissions
All permissions for the Guests admin center are delegated, giving the app the same rights as the signed-in user within your organization.
- User.Read: Required for sign-in and accessing basic organizational user details.
- User.ReadWrite.All: Enables comprehensive guest management, including inviting, deleting, and editing guest accounts.
- AppRoleAssignment.ReadWrite.All: Empowers application administrators to configure Guests App Roles. Note that this permission is essential alongside the Application.Read.All permission.
- AuditLog.Read.All: Retrieves recent activity information about guests (requires a Microsoft Entra P1/P2 license).
- Directory.Read.All: Facilitates retrieval of group, user, team, license, and other details. For assigning Guests App Roles, a combination of this permission and AppRoleAssignment.ReadWrite.All is needed.
- GroupMember.ReadWrite.All: Necessary for adding invited guests to Teams.
Agent permissions
The Guests agent performs compliance checks and updates in the background without a signed-in user, so all of its permissions are application permissions, granted to the app itself rather than inherited from a user.
- User.ReadWrite.All: Allows the Guests agent to read and update guest information, as well as automatically block or delete guests.
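The two sections above describe which permissions should be consented to the admin center (delegated) and the agent (application). The following script is an added example, not part of the Guests App documentation or product, that checks consent records in the shape Microsoft Graph returns them (oauth2PermissionGrants for delegated scopes, appRoleAssignments for application roles) against the documented sets and reports anything missing or in excess. The service principal ids, role GUIDs and grant records are constructed placeholders; the Teams app is left out because the page does not say which of its permissions are delegated and which are application.

```python
import json

# Permissions this page documents, per component and consent type.
EXPECTED = {
    "admin_center": {
        "delegated": {"User.Read", "User.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
                      "AuditLog.Read.All", "Directory.Read.All", "GroupMember.ReadWrite.All"},
        "application": set()},
    "agent": {"delegated": set(), "application": {"User.ReadWrite.All"}},
}

# Constructed sample data in the shape Graph returns; ids are placeholders, not real values.
GRAPH_APP_ROLES = [  # appRoles of the Microsoft Graph service principal (id -> permission name)
    {"id": "00000000-0000-0000-0000-000000000001", "value": "User.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Directory.ReadWrite.All"},
]
OAUTH2_GRANTS = [  # delegated consent; scope is one space-separated string
    {"clientId": "sp-admin-center", "consentType": "AllPrincipals",
     "scope": "User.Read User.ReadWrite.All AppRoleAssignment.ReadWrite.All "
              "Directory.Read.All GroupMember.ReadWrite.All"},
]
APP_ROLE_ASSIGNMENTS = [  # application consent; one record per granted role
    {"principalId": "sp-agent", "appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"principalId": "sp-agent", "appRoleId": "00000000-0000-0000-0000-000000000002"},
]


def granted_permissions(sp_id, grants=OAUTH2_GRANTS, assignments=APP_ROLE_ASSIGNMENTS,
                        app_roles=GRAPH_APP_ROLES):
    """Collect the delegated scopes and application roles consented to one service principal."""
    role_names = {r["id"]: r["value"] for r in app_roles}
    delegated = set()
    for g in grants:
        if g["clientId"] == sp_id:
            delegated.update(g["scope"].split())
    # Unresolvable role ids are kept visible rather than silently dropped.
    application = {role_names.get(a["appRoleId"], "unknown:" + a["appRoleId"])
                   for a in assignments if a["principalId"] == sp_id}
    return {"delegated": delegated, "application": application}


def audit(component, granted):
    """Return missing and excess permissions per consent type versus the documented set."""
    report = {}
    for kind in ("delegated", "application"):
        expected = EXPECTED[component][kind]
        report[kind] = {"missing": sorted(expected - granted[kind]),
                        "excess": sorted(granted[kind] - expected)}
    return report


if __name__ == "__main__":
    for component, sp_id in (("admin_center", "sp-admin-center"), ("agent", "sp-agent")):
        print(component, json.dumps(audit(component, granted_permissions(sp_id)), indent=1))
```

With the constructed data the admin center is missing AuditLog.Read.All and the agent holds Directory.ReadWrite.All beyond what this page calls for; an excess application permission on the agent deserves attention because it is exercised without any signed-in user.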
Teams app permissions
Note that some permissions for the Guests Teams app are application permissions: for those, the app acts with its own rights rather than those of the signed-in user, which gives the user elevated privileges through the app.
- User.Read: Allows access during the sign-in process.
- User.Read.All: Enables reading of all guest information.
- AuditLog.Read.All: Retrieves recent activity information of guests (requires Microsoft Entra P1/P2 license).
- GroupMember.ReadWrite.All: Required for adding invited guests to Teams.
- User.ReadWrite.All: Provides authority to manage all guest information, including inviting, deleting, and editing guests. The app ensures that users can only manage guests based on your configuration.
- Directory.Read.All: Grants the ability to read a guest's group memberships.
- TeamsActivity.Send: Enables sending of activity notifications to hosts in Microsoft Teams whenever action is required.
- AppCatalog.Read.All: Allows retrieval of the Guests Teams app ID from the app catalog.