The Microsoft.Graph.* modules used by the Provisioning Script require the signed-in user to have the following permissions, which must be granted for the Microsoft Graph PowerShell Enterprise application:

| Permission | Permission Type | Granted By | Purpose |
|---|---|---|---|
| Application.ReadWrite.All | Delegated | Tenant Admin | Read and write all applications |
| AppRoleAssignment.ReadWrite.All | Delegated | Tenant Admin | Manage app permission grants and app role assignments |
| DelegatedPermissionGrant.ReadWrite.All | Delegated | Tenant Admin | Manage all delegated permission grants |
| Domain.Read.All | Delegated | Tenant Admin | Read domains |
| Organization.Read.All | Delegated | Tenant Admin | Read organization information |
| User.ReadWrite.All | Delegated | Tenant Admin | Read and write all users' full profiles |
| openid | Delegated | Tenant Admin | Sign users in |
| profile | Delegated | Tenant Admin | View user's basic profile |
| offline_access | Delegated | Tenant Admin | Maintain access to data you have given it access to |
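
A preflight check that the signed-in session actually holds the delegated permissions in the table before the Provisioning Script runs. This is an added example, not part of the Provisioning Script; the variable names are illustrative, and it assumes the Microsoft.Graph.Authentication module is installed.

```powershell
# Added example: verify the delegated scopes from the table above.
# Variable names are illustrative and do not come from the Provisioning Script.

# Microsoft Graph resource scopes listed in the table.
$graphScopes = @(
    'Application.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All',
    'DelegatedPermissionGrant.ReadWrite.All',
    'Domain.Read.All',
    'Organization.Read.All',
    'User.ReadWrite.All'
)

# OpenID Connect scopes listed in the table. They are requested at sign-in but
# not compared below, on the assumption that they may not all be reported back
# in the session context.
$oidcScopes = @('openid', 'profile', 'offline_access')

# Interactive delegated sign-in against the Microsoft Graph PowerShell application.
# Consent for these scopes must come from a tenant admin.
Connect-MgGraph -Scopes ($graphScopes + $oidcScopes)

$context = Get-MgContext
if (-not $context) {
    throw 'Not connected to Microsoft Graph.'
}

# -notcontains is case-insensitive, which matches how scope names are treated.
$granted = @($context.Scopes)
$missing = @($graphScopes | Where-Object { $granted -notcontains $_ })

if ($missing.Count -gt 0) {
    throw "Missing delegated permissions for $($context.Account): $($missing -join ', ')"
}

Write-Host "All $($graphScopes.Count) required Graph scopes are present for $($context.Account) in tenant $($context.TenantId)."
```

Several of these scopes allow writing to every application and user in the tenant, so run `Disconnect-MgGraph` once provisioning finishes rather than leaving the session cached.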