Merge pull request #9499 from Penguinwizzard/user/demorri/permissions_doc_cover_application_read

Cover application permissions in group lookup
FaithOmbongi authored Jan 24, 2025
2 parents 18384c1 + 1137b61 commit de13755
Showing 1 changed file with 6 additions and 5 deletions.
11 changes: 6 additions & 5 deletions concepts/permissions-overview.md
Expand Up @@ -112,11 +112,12 @@ Container objects such as groups support members of various types, for example u

This principle is applied to all relationships that are of [directoryObject](/graph/api/resources/directoryobject) type. Examples include `/groups/{id}/members`, `/users/{id}/memberOf`, and `me/ownedObjects`.

For example, a group can have users, groups, applications, service principals, devices, and contacts as members. An app is granted the *GroupMember.Read.All* least privileged permission to [List group members](/graph/api/group-list-members). In the response object, only the **id** and **@odata.type** properties are populated for all the members that are returned. The other properties are indicated as `null`. For this API:
- To read the basic properties of a group's members that are users, the app needs at least the *User.ReadBasic.All* permission.
- To read the basic properties of a group's members that are groups, the app needs at least the *GroupMember.Read.All* permission.
- To read the basic properties of a group's members that are devices, the app needs at least the *Device.Read.All* permission, and so on.
- However, as an alternative to the individual resource-level permissions, the app can be assigned at least the *Directory.Read.All* permission to read *all properties for all member types*.
For example, a group can have users, groups, applications, service principals, devices, and contacts as members. An app is granted the *GroupMember.Read.All* least privileged permission to [List group members](/graph/api/group-list-members). In the response object, only the **id** and **@odata.type** properties are populated for all the members that are returned. The other properties are indicated as `null`. For this API, and to return more information for the group's members, the app needs the following additional permissions:
- To read the basic properties of a group's members that are users, *User.ReadBasic.All* is the least privileged permission.
- To read the basic properties of a group's members that are groups, *GroupMember.Read.All* is the least privileged permission.
- To read the basic properties of a group's members that are devices, *Device.Read.All* is the least privileged permission.
- To read the basic properties of a group's members that are service principals, *Application.Read.All* is the least privileged permission.
- As per the principle of least privilege, you should prefer using the preceding permissions as appropriate for your application. However, as an alternative to the individual resource-level permissions, the app can be assigned the *Directory.Read.All* permission to read *all properties for all member types*.

### Example

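Review bot: the rewritten bullet list drops the old "and so on" but still does not cover every member type the opening sentence names: users, groups, devices and service principals each get a least-privileged permission, while applications and contacts (both listed as possible members in the same paragraph) get none, so a reader will assume the list is exhaustive when it is not. Either add bullets for the remaining member types or keep a closing phrase such as "and so on for other member types" so the gap is explicit. Minor: the new intro sentence "For this API, and to return more information for the group's members, the app needs the following additional permissions:" reads awkwardly; "To return more than the **id** and **@odata.type** of each member, the app also needs one of the following permissions:" says the same thing more directly. The final bullet is the right place for the Directory.Read.All caveat, but it could state plainly that Directory.Read.All grants read access to far more than group membership, which is why the resource-level permissions are preferred.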