<h2>Microsoft Entra ID Spoke (formerly Microsoft Azure Active Directory Spoke)</h2><br/><div style="overflow-x:auto"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta content="text/html; charset=UTF-8" /><meta name="copyright" content="(C) Copyright 2025" /><meta name="DC.rights.owner" content="(C) Copyright 2025" /><meta name="generator" content="DITA-OT" /><meta name="DC.type" content="concept" /><meta name="DC.title" content="Microsoft Entra ID Spoke (formerly Microsoft Azure Active Directory Spoke)" /><meta name="abstract" content="Manage users, applications, groups, devices, tenants, service principals, and passwords. Apply licenses and provision users in Office 365." /><meta name="description" content="Manage users, applications, groups, devices, tenants, service principals, and passwords. Apply licenses and provision users in Office 365." /><meta name="DC.creator" content="ServiceNow" /><meta name="DC.date.created" content="2023-08-03" /><meta name="DC.date.modified" content="2023-08-03" /><meta name="page-type" content="automation-engine" /><meta name="DC.format" content="XHTML" /><meta name="DC.identifier" content="microsoft-azure-ad-spoke" /><link rel="stylesheet" type="text/css" href="../../../CSS/commonltr.css" /><title>Microsoft Entra ID Spoke (formerly Microsoft Azure Active Directory Spoke)</title></head><body id="microsoft-azure-ad-spoke"> <h1 class="title topictitle1" id="ariaid-title1"><span class="ph">Microsoft</span> Entra ID Spoke (formerly Microsoft Azure Active Directory Spoke)</h1> <div class="body conbody"><p class="shortdesc"><span class="ph">Manage users, applications, groups, devices, tenants, service principals, and passwords. 
Apply licenses and provision users in Office 365.</span></p> <div class="section" id="microsoft-azure-ad-spoke__section_rsf_yvb_l3b"><h2 class="title sectiontitle"><span class="ph">Integration Hub</span> subscription</h2> <p class="p"><span class="ph">This spoke requires an Integration Hub subscription. For more information, see <a class="xref" href="https://www.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/legal/snc-addendum-integrationhub.pdf" target="_blank" rel="noopener noreferrer">Legal schedules - IntegrationHub overview</a>.</span></p> </div> <div class="section" id="microsoft-azure-ad-spoke__section_j5x_vtv_bsb"><h2 class="title sectiontitle">Spoke version</h2> <p class="p"> <span class="ph">Microsoft</span> Entra ID spoke (formerly known as Microsoft Azure Active Directory spoke) v<span class="ph" id="microsoft-azure-ad-spoke__azure-ad-ver">4.3.2</span> is the latest version.</p> </div> <div class="section" id="microsoft-azure-ad-spoke__section_z5m_2wr_4xb"><h2 class="title sectiontitle">Spoke dependencies</h2> <div class="p">If you’re having trouble installing the app, ensure that these dependent plugins are installed:<ul class="ul" id="microsoft-azure-ad-spoke__ul_ywp_mnx_54b"><li class="li">Complex Object (com.glide.cobject)</li><li class="li">ServiceNow IntegrationHub Runtime (com.glide.hub.integration.runtime)</li><li class="li">IHUB Spoke Util Pack (com.snc.ihub_spoke_util_pack)</li><li class="li">ServiceNow IntegrationHub Action Step - PowerShell (com.glide.hub.action_step.powershell)</li><li class="li">ServiceNow IntegrationHub Action Template - Data Stream (com.glide.hub.action_type.datastream)</li><li class="li">ServiceNow IntegrationHub Action Step - REST (com.glide.hub.action_step.rest)</li><li class="li">Remote Directory Sync</li></ul> </div> </div> <div class="section" id="microsoft-azure-ad-spoke__section_j5k_qgf_kfb"><h2 class="title sectiontitle">Spoke flows</h2> <p class="p">The <span class="ph">Microsoft</span> 
Entra ID spoke provides sample flows in the draft state to demonstrate automating Entra ID tasks. To customize a sample flow, copy it to a new application scope. Available sample flows include:</p> <div class="p"> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="microsoft-azure-ad-spoke__table_lq3_4hf_kfb" class="table" frame="border" border="1" rules="all"><colgroup><col /><col /></colgroup><thead class="thead" style="text-align:left;"><tr class="row"><th class="entry cellrowborder" style="vertical-align:top;" id="d84414e135">Flow</th><th class="entry cellrowborder" style="vertical-align:top;" id="d84414e138">Description</th></tr></thead><tbody class="tbody"><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e135 ">User Offboarding</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e138 ">Disables a <span class="ph">Microsoft</span> Entra ID user account and removes the user from the <span class="ph">Microsoft</span> Entra ID groups when a <span class="ph">ServiceNow</span> user record is deactivated.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e135 ">User Onboarding</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e138 ">Creates and enables a <span class="ph">Microsoft</span> Entra ID user account when a <span class="ph">ServiceNow</span> user record is activated.</td></tr></tbody></table> </div> </div> </div> <div class="section" id="microsoft-azure-ad-spoke__section_s2z_hhf_kfb"><h2 class="title sectiontitle">Spoke subflows</h2> <p class="p">The <span class="ph">Microsoft</span> Entra ID spoke provides sample subflows in the draft state to demonstrate automating <span class="ph">Microsoft</span> Entra ID tasks. To customize a sample subflow, copy it to a new application scope. 
Available sample subflows include:</p> <div class="p"> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="microsoft-azure-ad-spoke__table_lxg_t3f_kfb" class="table" frame="border" border="1" rules="all"><colgroup><col /><col /></colgroup><thead class="thead" style="text-align:left;"><tr class="row"><th class="entry cellrowborder" style="vertical-align:top;" id="d84414e210">Subflow</th><th class="entry cellrowborder" style="vertical-align:top;" id="d84414e213">Description</th></tr></thead><tbody class="tbody"><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e210 ">Add User to Group</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e213 ">Looks up the groups that a <span class="ph">ServiceNow</span> User record belongs to, and adds the associated <span class="ph">Microsoft</span> Entra ID user account to the same <span class="ph">Microsoft</span> Entra ID groups.</td></tr></tbody></table> </div> </div> </div> <div class="section" id="microsoft-azure-ad-spoke__section_aqj_3hf_kfb"><h2 class="title sectiontitle">Spoke actions</h2> <p class="p">The <span class="ph">Microsoft</span> Entra ID spoke provides actions to automate <span class="ph">Microsoft</span> Entra ID tasks when events occur in <span class="ph">ServiceNow</span>. 
Available actions include:</p> <div class="p"> <div class="note"><span class="notetitle">Note:</span> <ul class="ul" id="microsoft-azure-ad-spoke__ul_mqr_slb_w5b"><li class="li">One of the mentioned permissions is required to call the API.</li><li class="li">Ensure that you are aware of these considerations:<ul class="ul" id="microsoft-azure-ad-spoke__ul_jtm_4mb_w5b"><li class="li">Select the Delegated permission if you intend to use the <span class="ph uicontrol">Authorization Code</span> grant type while registering <span class="ph">Microsoft</span> Entra ID as an OAuth provider.</li><li class="li">Select the Application permission if you intend to use the <span class="ph uicontrol">Client Credentials</span> grant type while registering <span class="ph">Microsoft</span> Entra ID as an OAuth provider.</li></ul> </li></ul> </div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="microsoft-azure-ad-spoke__table_khs_njf_kfb" class="table" frame="border" border="1" rules="all"><colgroup><col /><col /><col /><col /><col /></colgroup><thead class="thead" style="text-align:left;"><tr class="row"><th class="entry cellrowborder" style="vertical-align:top;" id="d84414e317">Category</th><th class="entry cellrowborder" style="vertical-align:top;" id="d84414e320">Action</th><th class="entry cellrowborder" style="vertical-align:top;" id="d84414e323">Description</th><th class="entry cellrowborder" colspan="2" style="vertical-align:top;" id="d84414e328">Permissions Required (from least to most privileged)</th></tr></thead><tbody class="tbody"><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e317 ">Audit Logs</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Sign Ins Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieve the list of sign ins.</td><td class="entry cellrowborder" 
style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">AuditLog.Read.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">AuditLog.Read.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="51" style="vertical-align:top;" headers="d84414e317 ">Group Management</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Add Owner to Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Add an owner to an existing group in <span class="ph">Microsoft</span> Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" 
style="vertical-align:top;" headers="d84414e320 ">Add User to Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Add an existing user to a group in <span class="ph">Microsoft</span> Entra ID.<div class="note"><span class="notetitle">Note:</span> Adding a user to a mail-enabled security group is not supported by the <span class="ph">Microsoft Graph Security API</span>. For more information, see <a class="xref" href="https://learn.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http" target="_blank" rel="noopener noreferrer">https://learn.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http</a>.</div> </td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Create Office 365 Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Creates an Office 365 group that can be shared with the other members in the group.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school 
account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.Create, Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Group Membership Stream by Directory</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieve the list of group membership.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Directory.Read.All, Group.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Directory.Read.All, Group.Read.All, Group.ReadWrite.All, GroupMember.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Create Security Group</td><td 
class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Creates a security group when you want to grant access permissions to a group of users.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.Create, Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Returns the Group information found based on the search criteria.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry 
cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Group Members Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of members of the specified group.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Group Membership Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of groups for the specified user as a complex object.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.Read, GroupMember.Read.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td 
class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Group Transitive Membership Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of groups for the specified user as a complex object.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Groups.Read.All, User.Read.All, Sites.FullControl.All, Sites.Selected</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Delete Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Deletes the specified group from Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" 
headers="d84414e328 ">Group.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Add Owners to Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Adds the specified users as owners to the specified group in Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Remove Owner from Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Removes the owner from a group in <span class="ph">Microsoft</span> Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or 
school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Remove User from Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Removes an existing user from a group in <span class="ph">Microsoft</span> Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Groups Stream by Directory</td><td 
class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of groups in the directory integration.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Groups Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Lists all the groups in an organization.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" 
headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Add Users to Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 "> <p class="p">Add existing users to a group in <span class="ph">Microsoft</span> Entra ID.</p> </td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Update Office 365 Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Updates the specified Office 365 group.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 
">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="12" style="vertical-align:top;" headers="d84414e317 ">License Management</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Subscribed SKU</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the details of the specified subscribed SKU.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Subscribed SKUs</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of commercial subscriptions that an organization has acquired.</td><td class="entry cellrowborder" 
style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Organization.Read.All, Directory.Read.All, Directory.ReadWrite.All, Organization.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Assign User License</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Onboards an existing user in <span class="ph">Microsoft</span> Entra ID to Office 365 and grants access to services.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" 
style="vertical-align:top;" headers="d84414e320 ">Remove User License</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Removes a license from a user in <span class="ph">Microsoft</span> Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="9" style="vertical-align:top;" headers="d84414e317 ">Application Management</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up App Roles Assignments Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of the app roles that have been assigned to a user.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadBasic.All, Directory.Read.All, AppRoleAssignment.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported</td></tr><tr class="row"><td 
class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Directory.Read.All, AppRoleAssignment.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Revoke User Application Access</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Removes an app role assignment that has been granted to a user.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">AppRoleAssignment.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">AppRoleAssignment.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Applications Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of applications.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application.Read.All, Application.ReadWrite.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry 
cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application.Read.All and User.Read, Application.ReadWrite.All and User.Read</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application.Read.All, Application.ReadWrite.OwnedBy, Application.ReadWrite.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="15" style="vertical-align:top;" headers="d84414e317 ">Device Management</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Add Device to Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Adds an existing device to a group in Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Is Device in Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Checks if an existing device is a member of a group in Entra ID.</td><td class="entry cellrowborder" 
style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Device.Read.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Add Devices to Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Adds the specified devices to the specified group in Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Devices Stream</td><td class="entry cellrowborder" 
rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Lists all the devices in an organization or devices that satisfy the specified filter query, if any.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Device.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Device.Read.All, Device.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Remove Device from Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Removes an existing device from a group in Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 
">GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e317 ">Organization Management</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Tenant</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves details of the currently authenticated tenant.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfig.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">DeviceManagementServiceConfig.Read.All, DeviceManagementServiceConfig.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e317 ">User Authentication</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e320 ">Revoke User SignIn Sessions</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e323 ">Revokes a user's sign-in sessions so that administrators can automate invalidating all sign-in sessions of a specified user.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 "> </td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 "> </td></tr><tr class="row"><td class="entry cellrowborder" 
rowspan="6" style="vertical-align:top;" headers="d84414e317 ">Service Principal Management</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up App Role Assigned to Service Principal Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of service principal assignments.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application.Read.All, Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Service Principals Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of service principals.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application.Read.All, Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry 
cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application.Read.All, Application.ReadWrite.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="12" style="vertical-align:top;" headers="d84414e317 ">Password Management</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Reset Password</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Resets the password of the Entra ID user account.<div class="note"><span class="notetitle">Note:</span> This spoke action resets the passwords of users created in Entra ID only and does not reset the passwords of federated users.</div> </td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Password Expiration</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves password expiration details for the provided user from <span class="ph">Microsoft</span> Entra 
ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Change Password</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Changes the password of a user in <span class="ph">Microsoft</span> Entra ID. 
Ensure that the password meets the Entra ID password requirements.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Generate Random Password</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Generates a random password according to the default Entra ID password policy.<div class="note"><span class="notetitle">Note:</span> You must install the KMF plugin before executing this action.</div> </td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e328 ">None.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="42" style="vertical-align:top;" headers="d84414e317 ">User Management</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up User</td><td class="entry cellrowborder" rowspan="3" 
style="vertical-align:top;" headers="d84414e323 ">Retrieves a user account from Entra.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Users Stream by Directory</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of users from a directory.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 
">GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Revoke User SignIn Sessions</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Invalidates all signed in sessions of a user.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Create User</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Creates a user with the given details.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" 
headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Delete User</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Deletes a user from <span class="ph">Microsoft</span> Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Disable User</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Disables a user in <span class="ph">Microsoft</span> Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" 
headers="d84414e328 ">User.ReadWrite</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Enable User</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Enables a user account in <span class="ph">Microsoft</span> Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Fetch Latest Delta Token for Users</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Returns the latest delta token for the users.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadBasic.All, 
User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Is User Enabled</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Checks whether the specified user account is enabled in <span class="ph">Microsoft</span> Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.Read, User.ReadWrite</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Is User in Group</td><td 
class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Checks whether the specified user account is a member of the specified group in Entra.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadBasic.All, User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadBasic.All, User.Read.All, Directory.Read.All, User.ReadWrite.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Users Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Lists all the users in an organization or users satisfying the specified search query, filter and next token if any.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry 
cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Update User</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Updates user properties in Entra ID with the provided details.<div class="note"><span class="notetitle">Note:</span> Entra ID does not allow updating values to null. Null or empty values are discarded in Entra ID when null is passed as an input.</div> </td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All, Directory.AccessAsUser.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Does User owns Group</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Checks if an existing user is an owner of a group in Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" 
headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">GroupMember.Read.All, Group.Read.All, GroupMember.ReadWrite.All, Group.ReadWrite.All, Directory.Read.All</td></tr><tr class="row"><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e320 ">Look up Incremental Changes for Users Stream</td><td class="entry cellrowborder" rowspan="3" style="vertical-align:top;" headers="d84414e323 ">Retrieves the list of users in Entra ID. 
Using a delta token, you can discover changes to users without having to fetch the entire set of users.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (work or school account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.Read, User.ReadWrite, User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Delegated (personal Microsoft account)</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Not supported.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">Application</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e328 ">User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All</td></tr></tbody></table> </div> </div> </div> <div class="section" id="microsoft-azure-ad-spoke__section_bfx_zlf_kfb"><h2 class="title sectiontitle"><span class="ph">Microsoft</span> Entra ID account requirements</h2> <p class="p">The <span class="ph">Microsoft</span> Entra ID spoke requires creating a custom app on your <span class="ph">Microsoft</span> Entra ID account to generate OAuth 2.0 tokens. See: <a class="xref" href="../../integrationhub-store-spokes/task/set-up-azure.html#configure-azure-ad-account" title="Create a custom app using your Azure portal to enable OAuth 2.0 authentication with the Microsoft Entra ID spoke.">Create a Microsoft Entra ID application</a>.</p> </div> <div class="section" id="microsoft-azure-ad-spoke__section_sjq_vnf_kfb"><h2 class="title sectiontitle">Connection and credential alias requirements</h2> <p class="p"><span class="ph">Integration Hub</span> uses aliases to manage connection and credential information, and OAuth credentials. 
Using an alias eliminates the need to configure multiple credentials and connection information profiles when using multiple environments. If the connection or credential information changes, you don't need to update any actions that use the connection.</p> <p class="p">This spoke uses the AzureAD alias record to authorize actions on <span class="ph">Microsoft</span> Entra ID.</p> <div class="p"> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="microsoft-azure-ad-spoke__table_nnk_g2h_gfb" class="table" frame="border" border="1" rules="all"><colgroup><col style="width:33.33333333333333%" /><col style="width:33.33333333333333%" /><col style="width:33.33333333333333%" /></colgroup><thead class="thead" style="text-align:left;"><tr class="row"><th class="entry cellrowborder" style="vertical-align:top;" id="d84414e2415">Connection alias</th><th class="entry cellrowborder" style="vertical-align:top;" id="d84414e2418">Description</th><th class="entry cellrowborder" style="vertical-align:top;" id="d84414e2421">Connection URL</th></tr></thead><tbody class="tbody"><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e2415 ">AzureAD</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e2418 ">Connection to <span class="ph">Microsoft</span> Entra ID.</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d84414e2421 ">https://graph.microsoft.com</td></tr></tbody></table> </div> </div> <p class="p"><span class="ph">For information about setting up the spoke, see</span> <a class="xref" href="../../integrationhub-store-spokes/task/set-up-azure.html" title="Integrate the ServiceNow instance and your Microsoft Entra ID spoke account by creating a custom OAuth application in Microsoft Entra ID spoke to authenticate ServiceNow requests.">Set up Microsoft Entra ID spoke</a>.</p> </div> </div> </body></html></div>