CIPP-SAM Permissions
How to ensure your SAM app for CIPP has the correct permissions.
Manual Permissions
At times you will need to change permissions for the CIPP-SAM application that is used by CIPP to access your tenants. Use the following instructions to update these permissions.
Go to the Azure Portal.
Select Microsoft Entra ID, then select App registrations.
Find your Secure Application Model (CIPP-SAM) application. You can search by its Application (client) ID.
Go to API permissions and select Add a permission.
Choose "Microsoft Graph", then "Delegated permissions" or "Application permissions" as required.
Add the permission you need.
Finally, select "Grant admin consent for [your organization]". A permission added to the registration does nothing until admin consent has been granted for it.
Permissions
For full functionality, CIPP needs the following permissions for the Secure Application Model registration. You can remove any permissions if you don't want the application to be able to use that functionality. This may cause you to see errors in the application.
Duplicate Permissions: Some permissions appear in both the Delegated and Application permission lists below. This is by design: delegated and application permissions are separate grants, and you do need to add both.
Some permissions come from APIs other than Microsoft Graph. You will see this both in the application and in the permission list below as a name between brackets, e.g. (WindowsDefenderATP). For these you must click "APIs my organization uses" instead of "Microsoft Graph" when adding the permission. Search for the exact name shown between the brackets to find the correct resource to add.
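The portal steps above tell you how to add a permission; they do not tell you which ones are already on the registration or which of the ones on this page are still missing. The script below is an added example (not CIPP's own code) that audits a registration the way a reviewer would: it resolves the permission IDs in the application's requiredResourceAccess against each resource's service principal catalogue and diffs the result against an expected list written in this page's notation. It also makes the two notes above concrete: a "Scope" entry is a delegated permission and a "Role" entry is an application permission, so the same name legitimately shows up in both lists, and permissions from other APIs (WindowsDefenderATP here) resolve through that API's own service principal rather than Graph's. Assumptions: the two JSON documents are constructed samples shaped like Graph's GET /applications/{id} and GET /servicePrincipals?$filter=appId eq '...' responses; only the Microsoft Graph resource appId is the real well-known value, every other GUID is made up, and fetching the live documents (with Microsoft Graph PowerShell, the Graph SDK, or plain HTTP) is left out so the example runs offline.

```python
"""Audit a CIPP-SAM app registration's requested permissions against an expected list.

Added example, not CIPP's own code. The JSON below is constructed sample data; only
GRAPH_APP_ID is a real value. Against a live tenant you would replace the two JSON
strings with the bodies of GET /applications/{objectId} and, per resourceAppId,
GET /servicePrincipals?$filter=appId eq '<resourceAppId>'.
"""
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # real, well-known Microsoft Graph appId
MDE_APP_ID = "22222222-2222-2222-2222-222222222222"    # hypothetical appId for the WindowsDefenderATP API

# Constructed: what the registration currently requests. "Scope" = delegated, "Role" = application.
APPLICATION_JSON = json.dumps({
    "appId": "11111111-1111-1111-1111-111111111111",
    "displayName": "CIPP-SAM",
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
            {"id": "a0000001-0000-0000-0000-000000000000", "type": "Scope"},  # User.Read
            {"id": "a0000002-0000-0000-0000-000000000000", "type": "Scope"},  # Group.ReadWrite.All
            {"id": "b0000002-0000-0000-0000-000000000000", "type": "Role"},   # Group.ReadWrite.All
            {"id": "b0000003-0000-0000-0000-000000000000", "type": "Role"},   # Directory.ReadWrite.All
        ]},
        {"resourceAppId": MDE_APP_ID, "resourceAccess": [
            {"id": "c0000001-0000-0000-0000-000000000000", "type": "Role"},   # Vulnerability.Read.All
        ]},
    ],
})

# Constructed: each resource's permission catalogue, keyed by appId. Ids are made up.
SERVICE_PRINCIPALS_JSON = json.dumps({
    GRAPH_APP_ID: {
        "displayName": "Microsoft Graph",
        "oauth2PermissionScopes": [
            {"id": "a0000001-0000-0000-0000-000000000000", "value": "User.Read"},
            {"id": "a0000002-0000-0000-0000-000000000000", "value": "Group.ReadWrite.All"},
            {"id": "a0000003-0000-0000-0000-000000000000", "value": "Directory.AccessAsUser.All"},
        ],
        "appRoles": [
            {"id": "b0000001-0000-0000-0000-000000000000", "value": "Directory.Read.All"},
            {"id": "b0000002-0000-0000-0000-000000000000", "value": "Group.ReadWrite.All"},
            {"id": "b0000003-0000-0000-0000-000000000000", "value": "Directory.ReadWrite.All"},
        ],
    },
    MDE_APP_ID: {
        "displayName": "WindowsDefenderATP",
        "oauth2PermissionScopes": [{"id": "c0000002-0000-0000-0000-000000000000", "value": "Vulnerability.Read"}],
        "appRoles": [{"id": "c0000001-0000-0000-0000-000000000000", "value": "Vulnerability.Read.All"}],
    },
})

# A short excerpt of this page's lists, in the page's notation: Graph permissions are bare,
# permissions from other APIs carry the resource name in brackets.
EXPECTED = {
    "Delegated": {"User.Read", "Group.ReadWrite.All", "Directory.AccessAsUser.All",
                  "Vulnerability.Read (WindowsDefenderATP)"},
    "Application": {"Group.ReadWrite.All", "Directory.Read.All",
                    "Vulnerability.Read.All (WindowsDefenderATP)"},
}


def _label(resource_name, permission):
    """Render a permission the way this page lists it."""
    return permission if resource_name == "Microsoft Graph" else f"{permission} ({resource_name})"


def requested_permissions(application, service_principals):
    """Resolve requiredResourceAccess ids to names; returns {"Delegated": set, "Application": set}."""
    found = {"Delegated": set(), "Application": set()}
    for rra in application["requiredResourceAccess"]:
        sp = service_principals.get(rra["resourceAppId"])
        if sp is None:
            raise LookupError(f"no service principal for resource {rra['resourceAppId']}")
        # Delegated permissions live in oauth2PermissionScopes, application permissions in appRoles.
        catalogue = {
            "Scope": ("Delegated", {s["id"]: s["value"] for s in sp.get("oauth2PermissionScopes", [])}),
            "Role": ("Application", {r["id"]: r["value"] for r in sp.get("appRoles", [])}),
        }
        for access in rra["resourceAccess"]:
            if access["type"] not in catalogue:
                raise ValueError(f"unexpected access type {access['type']!r}")
            kind, names = catalogue[access["type"]]
            name = names.get(access["id"])
            if name is None:
                raise LookupError(f"{sp['displayName']} has no {kind.lower()} permission with id {access['id']}")
            found[kind].add(_label(sp["displayName"], name))
    return found


def audit(application_json, service_principals_json, expected):
    """Diff requested vs expected; returns {kind: {"missing": [...], "extra": [...]}} per kind."""
    requested = requested_permissions(json.loads(application_json), json.loads(service_principals_json))
    return {
        kind: {"missing": sorted(expected[kind] - requested[kind]),
               "extra": sorted(requested[kind] - expected[kind])}
        for kind in ("Delegated", "Application")
    }


if __name__ == "__main__":
    for kind, result in audit(APPLICATION_JSON, SERVICE_PRINCIPALS_JSON, EXPECTED).items():
        print(f"{kind}: missing={result['missing']} extra={result['extra']}")
```

Two caveats when running this against a real tenant. First, requiredResourceAccess is what the registration asks for, not what has been consented to: after adding a permission you still need admin consent, and verifying that means looking at the service principal's appRoleAssignments (application permissions) and oauth2PermissionGrants (delegated permissions) rather than the registration. Second, the "extra" column is the one worth reading carefully; a permission that is on the registration but not on this page is either something you added deliberately or a candidate for removal under least privilege.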
LIST OF DELEGATED PERMISSIONS USED BY CIPP:
ActivityFeed.Read (Office 365 Management API)
Read activity data for your organization
AllSites.FullControl (Office 365 SharePoint Online)
Have full control of all site collections
Application.Read.All
Read applications
Application.ReadWrite.All
Read and write all applications
AuditLog.Read.All
Read audit log data
BitlockerKey.Read.All
Read BitLocker keys
Channel.Create
Create channels
Channel.ReadBasic.All
Read the names and descriptions of channels
Channel.Delete.All
Delete Channels
ChannelMember.Read.All
Read the members of channels
ChannelMember.ReadWrite.All
Add and remove members from channels
ChannelMessage.Edit
Edit users' channel messages
ChannelMessage.Read.All
Read users' channel messages
ChannelMessage.Send
Send channel messages
ChannelSettings.Read.All
Read the names, descriptions, and settings of channels
ChannelSettings.ReadWrite.All
Read and write the names, descriptions, and settings of channels
ConsentRequest.Read.All
Read consent requests
DelegatedAdminRelationship.ReadWrite.All
Manage Delegated Admin relationships with customers
Device.Command
Communicate with user devices
Device.Read
Read user devices
Device.Read.All
Read all devices
DeviceLocalCredential.Read.All
Read device local credential passwords
DeviceManagementApps.ReadWrite.All
Read and write Microsoft Intune apps
DeviceManagementConfiguration.ReadWrite.All
Read and write Microsoft Intune Device Configuration and Policies
DeviceManagementManagedDevices.PrivilegedOperations.All
Perform user-impacting remote actions on Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All
Read and write Microsoft Intune devices
DeviceManagementServiceConfig.Read.All
Read Microsoft Intune configuration
DeviceManagementRBAC.ReadWrite.All
Read and write Microsoft Intune RBAC settings
DeviceManagementServiceConfig.ReadWrite.All
Read and write Microsoft Intune configuration
Directory.AccessAsUser.All
Access directory as the signed in user
Domain.Read.All
Read domain data
Group.ReadWrite.All
Read and write all groups
GroupMember.ReadWrite.All
Read and write group memberships
Mail.Send
Send mail as a user
Mail.Send.Shared
Send mail on behalf of others
Member.Read.Hidden
Read hidden memberships
offline_access
Maintain access to data you have given it access to
openid
Sign users in
Organization.ReadWrite.All
Read and write organization information
Policy.Read.All
Read your organization's policies
Policy.ReadWrite.ApplicationConfiguration
Read and write your organization's application configuration policies
Policy.ReadWrite.AuthenticationFlows
Read and write authentication flow policies
Policy.ReadWrite.AuthenticationMethod
Read and write authentication method policies
Policy.ReadWrite.Authorization
Read and write your organization's authorization policy
Policy.ReadWrite.ConditionalAccess
Read and write conditional access policy
Policy.ReadWrite.ConsentRequest
Read and write consent request policy
Policy.ReadWrite.DeviceConfiguration
Read and write your organization's device configuration policies
PrivilegedAccess.Read.AzureResources
Read privileged access to Azure resources
PrivilegedAccess.ReadWrite.AzureResources
Read and write privileged access to Azure resources
profile
View users' basic profile
Reports.Read.All
Read all usage reports
ReportSettings.ReadWrite.All
Read and write admin report settings
RoleManagement.ReadWrite.Directory
Read and write directory RBAC settings
SecurityActions.ReadWrite.All
Read and update your organization's security actions
SecurityEvents.ReadWrite.All
Read and update your organization's security events
SecurityIncident.Read.All
Read incidents
SecurityIncident.ReadWrite.All
Read and write to incidents
ServiceHealth.Read.All
Read service health
ServiceMessage.Read.All
Read service announcement messages
SharePointTenantSettings.ReadWrite.All
Read and change SharePoint and OneDrive tenant settings
Sites.ReadWrite.All
Edit or delete items in all site collections
user_impersonation (Skype and Teams Tenant Admin API)
Access Microsoft Teams and Skype for Business data as the signed in user
TeamMember.ReadWrite.All
Add and remove members from teams
TeamMember.ReadWriteNonOwnerRole.All
Add and remove members with non-owner role for all teams
TeamsActivity.Read
Read users' teamwork activity feed
TeamsActivity.Send
Send a teamwork activity as the user
TeamsAppInstallation.ReadForChat
Read installed Teams apps in chats
TeamsAppInstallation.ReadForTeam
Read installed Teams apps in teams
TeamsAppInstallation.ReadForUser
Read users' installed Teams apps
TeamsAppInstallation.ReadWriteForChat
Manage installed Teams apps in chats
TeamsAppInstallation.ReadWriteForTeam
Manage installed Teams apps in teams
TeamsAppInstallation.ReadWriteForUser
Manage users' installed Teams apps
TeamsAppInstallation.ReadWriteSelfForChat
Allow the Teams app to manage itself in chats
TeamsAppInstallation.ReadWriteSelfForTeam
Allow the app to manage itself in teams
TeamsAppInstallation.ReadWriteSelfForUser
Allow the Teams app to manage itself for a user
TeamSettings.Read.All
Read teams' settings
TeamSettings.ReadWrite.All
Read and change teams' settings
TeamsTab.Create
Create tabs in Microsoft Teams
TeamsTab.Read.All
Read tabs in Microsoft Teams
TeamsTab.ReadWrite.All
Read and write tabs in Microsoft Teams
TeamsTab.ReadWriteForChat
Allow the Teams app to manage all tabs in chats
TeamsTab.ReadWriteForTeam
Allow the Teams app to manage all tabs in teams
TeamsTab.ReadWriteForUser
Allow the Teams app to manage all tabs for a user
Team.Create
Create teams
Team.ReadBasic.All
Read the names and descriptions of teams
ThreatAssessment.ReadWrite.All
Read and write threat assessment requests
UnifiedGroupMember.Read.AsGuest
Read unified group memberships as guest
User.ManageIdentities.All
Manage user identities
User.Read
Sign in and read user profile
User.ReadWrite.All
Read and write all users' full profiles
UserAuthenticationMethod.Read.All
Read all users' authentication methods
UserAuthenticationMethod.ReadWrite
Read and write user authentication methods
UserAuthenticationMethod.ReadWrite.All
Read and write all users' authentication methods
Vulnerability.Read (WindowsDefenderATP)
Read Threat and Vulnerability Management vulnerability information
LIST OF APPLICATION PERMISSIONS USED BY CIPP:
Channel.Create
Create channels
Channel.ReadBasic.All
Read the names and descriptions of channels
ChannelMember.Read.All
Read the members of channels
ChannelMember.ReadWrite.All
Add and remove members from channels
Device.ReadWrite.All
Read and write devices
DeviceManagementApps.ReadWrite.All
Read and write Microsoft Intune apps
DeviceManagementConfiguration.ReadWrite.All
Read and write Microsoft Intune Device Configuration and Policies
DeviceManagementManagedDevices.PrivilegedOperations.All
Perform user-impacting remote actions on Microsoft Intune devices
DeviceManagementManagedDevices.Read.All
Read Microsoft Intune devices
DeviceManagementManagedDevices.ReadWrite.All
Read and write Microsoft Intune devices
DeviceManagementRBAC.Read.All
Read Microsoft Intune RBAC settings
DeviceManagementRBAC.ReadWrite.All
Read and write Microsoft Intune RBAC settings
DeviceManagementServiceConfig.Read.All
Read Microsoft Intune configuration
DeviceManagementServiceConfig.ReadWrite.All
Read and write Microsoft Intune configuration
Directory.Read.All
Read directory data
Domain.Read.All
Read Domains
Exchange.Manage (Office 365 Exchange Online)
Manage Exchange configuration
Files.ReadWrite.All
Read and write files in all site collections
Group.Create
Create groups
Group.Read.All
Read all groups
Group.ReadWrite.All
Read and write all groups
GroupMember.ReadWrite.All
Read and write group memberships
Mail.Send
Send mail as a user
Organization.ReadWrite.All
Read and write organization information
Policy.Read.All
Read your organization's policies
Policy.ReadWrite.ApplicationConfiguration
Read and write your organization's application configuration policies
Policy.ReadWrite.AuthenticationFlows
Read and write authentication flow policies
Policy.ReadWrite.AuthenticationMethod
Read and write authentication method policies
Policy.ReadWrite.ConditionalAccess
Read and write conditional access policy
Policy.ReadWrite.ConsentRequest
Read and write consent request policy
PrivilegedAccess.ReadWrite.AzureADGroup
Read and write privileged access to Azure AD groups
Reports.Read.All
Read all usage reports
RoleManagement.ReadWrite.Directory
Read and write directory RBAC settings
SecurityEvents.Read.All
Read your organization's security events
SecurityIncident.Read.All
Read all security incidents
SecurityIncident.ReadWrite.All
Read and write to all security incidents
SharePointTenantSettings.ReadWrite.All
Read and change SharePoint and OneDrive tenant settings
Sites.FullControl.All
Have full control of all site collections
Team.ReadBasic.All
Read the names and descriptions of teams
TeamMember.ReadWrite.All
Add and remove members from teams
TeamMember.ReadWriteNonOwnerRole.All
Add and remove members with non-owner role for all teams
User.ReadWrite.All
Read and write all users' full profiles
UserAuthenticationMethod.ReadWrite.All
Read and write all users' authentication methods
Vulnerability.Read.All (WindowsDefenderATP)
Read Threat and Vulnerability Management vulnerability information