In our application we have a background service, that “syncs” user data and group membership information to our database from the Microsoft Graph.
The permission model:
‘Directory.Read.All’ and ‘User.Read.All’:
Initially we only synced the “basic” user data to our database, but then some customers wanted to reuse some other data already stored in the graph. Our app required the ‘Directory.Read.All’ permission, because we thought that this would be the “highest” permission - this is wrong!
If you need “directory” information, e.g. memberships, the
Group.Read.All is a good starting point. But if you want to load specific user data, you might need to have the
User.Read.All permission as well.
Hope this helps!