From 2c40e31bd929e83d536102f8d48aa61941c1f61e Mon Sep 17 00:00:00 2001 From: Derek Morris Date: Wed, 22 Jan 2025 10:29:10 -0800 Subject: [PATCH 1/3] Cover application permissions in group lookup This brings the public docs in line with some internal conversations about group lookup permissions, and emphasizes using narrower permissions when appropriate. --- concepts/permissions-overview.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/concepts/permissions-overview.md b/concepts/permissions-overview.md index bdd63c6dcef..13f11fcc936 100644 --- a/concepts/permissions-overview.md +++ b/concepts/permissions-overview.md 
@@ -115,8 +115,9 @@ This principle is applied to all relationships that are of [directoryObject](/gr For example, a group can have users, groups, applications, service principals, devices, and contacts as members. An app is granted the *GroupMember.Read.All* least privileged permission to [List group members](/graph/api/group-list-members). In the response object, only the **id** and **@odata.type** properties are populated for all the members that are returned. The other properties are indicated as `null`. For this API: - To read the basic properties of a group's members that are users, the app needs at least the *User.ReadBasic.All* permission. - To read the basic properties of a group's members that are groups, the app needs at least the *GroupMember.Read.All* permission. -- To read the basic properties of a group's members that are devices, the app needs at least the *Device.Read.All* permission, and so on. -- However, as an alternative to the individual resource-level permissions, the app can be assigned at least the *Directory.Read.All* permission to read *all properties for all member types*. +- To read the basic properties of a group's members that are devices, the app needs at least the *Device.Read.All* permission. +- To read the basic properties of a group's members that are service principals, the app needs at least the *Application.Read.All* permission. +- As per the principle of least privilege, you should prefer using the above permissions as appropriate for your application. However, as an alternative to the individual resource-level permissions, the app can be assigned the *Directory.Read.All* permission to read *all properties for all member types*. ### Example From fdd697d4ac60214c118b40d3284c501b4eaaf013 Mon Sep 17 00:00:00 2001 
From: Faith Moraa Ombongi Date: Fri, 24 Jan 2025 12:19:53 +0300 Subject: [PATCH 2/3] Minor tweaks to limited info for container objects --- concepts/permissions-overview.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/concepts/permissions-overview.md b/concepts/permissions-overview.md index 13f11fcc936..d236fb4c54c 100644 --- a/concepts/permissions-overview.md +++ b/concepts/permissions-overview.md 
@@ -112,12 +112,12 @@ Container objects such as groups support members of various types, for example u This principle is applied to all relationships that are of [directoryObject](/graph/api/resources/directoryobject) type. Examples include `/groups/{id}/members`, `/users/{id}/memberOf`, and `me/ownedObjects`. -For example, a group can have users, groups, applications, service principals, devices, and contacts as members. An app is granted the *GroupMember.Read.All* least privileged permission to [List group members](/graph/api/group-list-members). In the response object, only the **id** and **@odata.type** properties are populated for all the members that are returned. The other properties are indicated as `null`. For this API: -- To read the basic properties of a group's members that are users, the app needs at least the *User.ReadBasic.All* permission. -- To read the basic properties of a group's members that are groups, the app needs at least the *GroupMember.Read.All* permission. -- To read the basic properties of a group's members that are devices, the app needs at least the *Device.Read.All* permission. -- To read the basic properties of a group's members that are service principals, the app needs at least the *Application.Read.All* permission. -- As per the principle of least privilege, you should prefer using the above permissions as appropriate for your application. However, as an alternative to the individual resource-level permissions, the app can be assigned the *Directory.Read.All* permission to read *all properties for all member types*. +For example, a group can have users, groups, applications, service principals, devices, and contacts as members. An app is granted the *GroupMember.Read.All* least privileged permission to [List group members](/graph/api/group-list-members). In the response object, only the **id** and **@odata.type** properties are populated for all the members that are returned. The other properties are indicated as `null`. 
For this API, and to return data for the other object types, the app needs the following additional permissions: +- To read the basic properties of a group's members that are users, *User.ReadBasic.All* is the least privileged permission. +- To read the basic properties of a group's members that are groups, *GroupMember.Read.All* is the least privileged permission. +- To read the basic properties of a group's members that are devices, *Device.Read.All* is the least privileged permission. +- To read the basic properties of a group's members that are service principals, *Application.Read.All* is the least privileged permission. +- As per the principle of least privilege, you should prefer using the preceding permissions as appropriate for your application. However, as an alternative to the individual resource-level permissions, the app can be assigned the *Directory.Read.All* permission to read *all properties for all member types*. ### Example From 1137b618d68c6523a490c51319f160a490ac0ec3 Mon Sep 17 00:00:00 2001 From: Faith Moraa Ombongi Date: Fri, 24 Jan 2025 12:21:05 +0300 Subject: [PATCH 3/3] Clarify permissions needed for group members. --- concepts/permissions-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/concepts/permissions-overview.md b/concepts/permissions-overview.md index d236fb4c54c..65bc49ee754 100644 --- a/concepts/permissions-overview.md +++ b/concepts/permissions-overview.md 
@@ -112,7 +112,7 @@ Container objects such as groups support members of various types, for example u This principle is applied to all relationships that are of [directoryObject](/graph/api/resources/directoryobject) type. Examples include `/groups/{id}/members`, `/users/{id}/memberOf`, and `me/ownedObjects`. -For example, a group can have users, groups, applications, service principals, devices, and contacts as members. An app is granted the *GroupMember.Read.All* least privileged permission to [List group members](/graph/api/group-list-members). In the response object, only the **id** and **@odata.type** properties are populated for all the members that are returned. The other properties are indicated as `null`. For this API, and to return data for the other object types, the app needs the following additional permissions: +For example, a group can have users, groups, applications, service principals, devices, and contacts as members. An app is granted the *GroupMember.Read.All* least privileged permission to [List group members](/graph/api/group-list-members). In the response object, only the **id** and **@odata.type** properties are populated for all the members that are returned. The other properties are indicated as `null`. For this API, and to return more information for the group's members, the app needs the following additional permissions: - To read the basic properties of a group's members that are users, *User.ReadBasic.All* is the least privileged permission. - To read the basic properties of a group's members that are groups, *GroupMember.Read.All* is the least privileged permission. - To read the basic properties of a group's members that are devices, *Device.Read.All* is the least privileged permission.
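Review bot: in the PATCH 1/3 hunk, the rewritten bullet list no longer covers every member type the lead sentence names. The sentence still says a group can have users, groups, applications, service principals, devices, and contacts as members, and the old devices bullet closed with "and so on"; the replacement drops that phrase and adds only a service-principal bullet, so applications and contacts are now named as member types with no corresponding least-privileged permission. Either add bullets for those two types or keep a closing "and so on" so readers do not take the four listed permissions as exhaustive. The new last bullet ("As per the principle of least privilege, you should prefer using the above permissions...") is guidance rather than a permission requirement and breaks the parallel structure of the list; it would read better as a short paragraph after the list, and "Under the principle of least privilege" is cleaner than "As per".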
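Review bot: in the PATCH 2/3 hunk, the new intro line "For this API, and to return data for the other object types, the app needs the following additional permissions:" is contradicted by the second bullet, which names *GroupMember.Read.All* as the least privileged permission for group-type members. That is the permission the example app already holds, so it is not an additional permission, and a reader cannot tell whether group-type members come back with basic properties populated under the base grant alone. Either drop the groups bullet or reword the intro to something like "the app needs the following least privileged permissions, per member type". The *Directory.Read.All* recommendation was carried over as a list item; it is still advice rather than a requirement and belongs in a closing paragraph.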
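Review bot: in the PATCH 3/3 hunk, "to return more information for the group's members" is vaguer than the wording it replaces. Every bullet beneath it is scoped to "the basic properties", so the intro should say the same (for example "to return the basic properties of members of each type"); otherwise readers may expect these permissions to populate all member properties, which the surrounding text reserves for *Directory.Read.All*. Since the commit subject is "Clarify permissions needed for group members", this is also the place to fix the groups bullet, which still presents *GroupMember.Read.All* as an additional permission even though the example grants it at the outset.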