Understanding Graph Permissions for Groups

Discover how to configure and use Microsoft Graph permissions to effectively manage groups and their resources in M365.

Houssem MAKHLOUF
May 13, 2026
3 min read

Introduction

Microsoft Graph offers a powerful API that allows administrators to manage and query Microsoft 365 (M365) group data. However, choosing the appropriate permissions to access group properties and resources can be complex. This article explains in detail key permissions such as Group.Read.All and GroupMember.Read.All, and their implications in various application scenarios.

Good to know

Graph permissions are primarily divided between delegated permissions and application permissions, each suited to specific needs.

Graph Permissions

Delegated permissions vs application permissions

When to use Group.Read.All and GroupMember.Read.All

The Group.Read.All permission allows you to read group properties, while GroupMember.Read.All is designed to access basic information such as group members and owners. Here are the main distinctions:

  • Group.Read.All: Access to complete group content, including associated resources such as SharePoint files, calendar, and team conversations.
  • GroupMember.Read.All: Limited access to basic information, ideal for reporting or audit scenarios.

Caution

Do not combine Group.Read.All and GroupMember.Read.All unless strictly necessary. Their combination adds no additional value.

Delegated access with Group.Read.All

The delegated permission Group.Read.All lets a signed-in user read information for every group they can access, either directly or through an Entra ID administrator role. Here is a PowerShell example that reads a group's details and an associated conversation:

PowerShell
# Sign in interactively and request the delegated Group.Read.All scope
Connect-MgGraph -Scopes "Group.Read.All"
$Group = Get-MgGroup -Filter "displayName eq 'Ultimate Guide to Office 365'"
[array]$Conversation = Get-MgGroupConversation -GroupId $Group.Id -Top 1
$Conversation | Format-List Id, LastDeliveredDateTime, Preview, UniqueSenders

Tip

Use delegated permission in interactive scenarios where the user can access discussions or files of a specific group.

Application permissions: More powerful

When you use Group.Read.All as an application permission, access is global to all Entra ID groups. This grants considerable power but requires rigorous access controls to prevent abuse. This permission does not support group calendars, an important limitation to note.
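One way to review which applications hold these tenant-wide grants, as an added example (not code from the original article): the function takes the Microsoft Graph service principal's app roles and its app role assignments, reports every application holding Group.Read.All or GroupMember.Read.All, and flags those holding both. The function name, sample ids and application names are constructed for illustration; the commented lines show the assumed live calls with the Microsoft Graph PowerShell SDK.

```powershell
function Get-GroupReadGrant {
    param(
        [Parameter(Mandatory)] [object[]]$AppRoles,    # appRoles of the Microsoft Graph service principal
        [Parameter(Mandatory)] [object[]]$Assignments  # its appRoleAssignedTo entries
    )
    $watched = 'Group.Read.All', 'GroupMember.Read.All'
    # Map app role id -> permission name for the two permissions discussed here
    $roleName = @{}
    foreach ($role in $AppRoles) {
        if ($role.Value -in $watched) { $roleName[[string]$role.Id] = $role.Value }
    }
    $Assignments |
        Where-Object { $roleName.ContainsKey([string]$_.AppRoleId) } |
        Group-Object PrincipalId |
        ForEach-Object {
            $held = @($_.Group | ForEach-Object { $roleName[[string]$_.AppRoleId] } | Sort-Object -Unique)
            [pscustomobject]@{
                Application = $_.Group[0].PrincipalDisplayName
                PrincipalId = $_.Name
                Permissions = $held -join ', '
                Redundant   = ($held.Count -eq 2)  # holds both: the narrower grant adds nothing
            }
        }
}

# Constructed sample data (ids and names are made up) so the function runs offline
$roles = @(
    [pscustomobject]@{ Id = '11111111-1111-1111-1111-111111111111'; Value = 'Group.Read.All' }
    [pscustomobject]@{ Id = '22222222-2222-2222-2222-222222222222'; Value = 'GroupMember.Read.All' }
    [pscustomobject]@{ Id = '33333333-3333-3333-3333-333333333333'; Value = 'User.ReadBasic.All' }
)
$grants = @(
    [pscustomobject]@{ PrincipalId = 'sp-01'; PrincipalDisplayName = 'Membership report'; AppRoleId = $roles[1].Id }
    [pscustomobject]@{ PrincipalId = 'sp-02'; PrincipalDisplayName = 'Archive tool'; AppRoleId = $roles[0].Id }
    [pscustomobject]@{ PrincipalId = 'sp-02'; PrincipalDisplayName = 'Archive tool'; AppRoleId = $roles[1].Id }
    [pscustomobject]@{ PrincipalId = 'sp-03'; PrincipalDisplayName = 'Directory sync'; AppRoleId = $roles[2].Id }
)
Get-GroupReadGrant -AppRoles $roles -Assignments $grants | Format-Table -AutoSize

# Live tenant, from a session allowed to read app role assignments:
# $graph  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# $grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graph.Id -All
# Get-GroupReadGrant -AppRoles $graph.AppRoles -Assignments $grants
```

With the sample data, "Archive tool" is reported with both permissions and Redundant set to True, "Membership report" with GroupMember.Read.All only, and "Directory sync" is not listed.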

The minimal nature of GroupMember.Read.All

GroupMember.Read.All is specifically designed to provide:

  • The group identifier and display name.
  • The list of members, including transitive members.

This permission does not grant access to group resources. It is ideal for scripts or applications that need to answer questions like "Which groups does this user belong to?".

Here is an example to retrieve members with PowerShell:

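PowerShell
# Direct members of the group retrieved earlier
[array]$Members = Get-MgGroupMember -GroupId $Group.Id
# The SDK returns directory objects: the display name is held in AdditionalProperties
$Members | Format-Table Id, @{ Name = 'DisplayName'; Expression = { $_.AdditionalProperties.displayName } }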

Retrieving user information

While GroupMember.Read.All provides a solid foundation for group access, retrieving specific user properties such as display name or email address requires an additional permission, such as User.ReadBasic.All. Without this, only basic information will be exposed:

PowerShell
$Members.additionalProperties

Important

Make sure to add User.ReadBasic.All to your application if you need to access detailed user properties.
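To see which members come back with readable properties and which do not, the member objects can be flattened into a report, shown here as an added example (not code from the original article). It assumes Graph returns a directory object the caller may not read with only its id and @odata.type; the function name and the sample members are constructed, and the commented line shows the assumed live call for transitive members.

```powershell
function ConvertTo-MemberRow {
    param([Parameter(Mandatory, ValueFromPipeline)] $Member)
    process {
        $p = $Member.AdditionalProperties
        [pscustomobject]@{
            Id          = $Member.Id
            Type        = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
            DisplayName = $p['displayName']
            Mail        = $p['mail']
            # True when only id and type came back (assumed sign of a missing read permission)
            Limited     = [string]::IsNullOrEmpty($p['displayName'])
        }
    }
}

# Constructed sample members (ids, names and addresses are made up) so the function runs offline
$sample = @(
    [pscustomobject]@{ Id = 'user-01'; AdditionalProperties = @{
        '@odata.type' = '#microsoft.graph.user'; displayName = 'Sample User'; mail = 'sample.user@contoso.example' } }
    [pscustomobject]@{ Id = 'user-02'; AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.user' } }
    [pscustomobject]@{ Id = 'group-01'; AdditionalProperties = @{
        '@odata.type' = '#microsoft.graph.group'; displayName = 'Nested group' } }
)
$rows = @($sample | ConvertTo-MemberRow)
$rows | Format-Table -AutoSize

# Count the members whose properties were withheld
$limited = @($rows | Where-Object { $_.Limited }).Count
'{0} of {1} members returned without readable properties' -f $limited, $rows.Count

# Live tenant, using $Group from the earlier snippet:
# Get-MgGroupTransitiveMember -GroupId $Group.Id -All | ConvertTo-MemberRow
```

With the sample data, one of the three members (user-02) is reported as Limited.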

Conclusion

Choosing the appropriate Microsoft Graph permissions is based on a precise evaluation of your application's requirements:

  • GroupMember.Read.All: For limited access to group composition.
  • Group.Read.All: For complete management of group data and resources.
  • User.ReadBasic.All: To retrieve specific member details.

1. Define your needs

Identify whether your application needs access to group resources or only basic information.

2. Choose permissions

Select permissions following the least-privilege model (e.g., start with GroupMember.Read.All).

3. Apply and test

Configure permissions in Entra ID and test usage scenarios using PowerShell.

Learn more

Explore our other articles on M365 group management and PowerShell script optimization through Microsoft Graph:

  • How to list hidden groups with Graph
  • Optimize Teams and Groups activity reports

Tags: Use these permissions to improve your PowerShell scripts or M365 applications.
