Application Permissions for the Azure App for Teams

Application.ReadWrite.All

Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants.

Yes

Channel.Create

Creates channels in any team, without a signed-in user.

Yes

Channel.ReadBasic.All

Read all channel names and channel descriptions, without a signed-in user.

Yes

Channel.Settings.ReadWrite.All

Read and write the names, descriptions, and settings of all channels, without a signed-in user.

Yes

Files.ReadWrite.All

Allows the app to read, create, update and delete all files in all site collections without a signed-in user.

Yes

Group.ReadWrite.All

Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All these operations can be performed by the app without a signed-in user.

Yes

Sites.FullControl.All

Allows the app to have full control of all site collections without a signed-in user.

Yes

Team.ReadBasic.All

Get a list of all teams, without a signed-in user.

Yes

TeamMember.ReadWrite.All

Add and remove members from all teams, without a signed-in user. Also allows changing a team member's role, for example from owner to non-owner.

Yes

User.Read.All

Allows the app to read user profiles without a signed-in user.

Yes

Notes.ReadWrite.All

Allows the app to read, share, and modify all the OneNote notebooks in your organization, without a signed-in user.

Yes

Chat.Read.All

Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams.

Yes

ChannelMessage.Read.All

Allows the app to read all channel messages in Microsoft Teams

Yes

Reports.Read.All

Allows an app to read all service usage reports on behalf of the signed-in user. Services that provide usage reports include Microsoft 365 and Azure Active Directory.

No

ChannelMember.ReadWrite.All

Add and remove members from all channels, without a signed-in user. Also allows changing a member's role, for example from owner to non-owner.

Yes

Tasks.ReadWrite.All

Allows the app to create, read, update and delete all users' tasks and task lists in your organization, without a signed-in user.

No (for Planner app)

TeamworkTag.ReadWrite.All

Allows the app to read and write tags in Teams without a signed-in user.

No (Yes, for tag backups)

TeamsAppInstallation.ReadWriteForTeam.All

Allows the app to read, install, upgrade, and uninstall Teams apps in any team, without a signed-in user. Does not give the ability to read application-specific settings.

Yes

Directory.Read.All

Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.

Yes

ChannelMessage.Read.All

Allows an app to send channel messages in Microsoft Teams, on behalf of the signed-in user.

Yes

ChannelMessage.Send

Allows the app to have the same access to information in the directory as the signed-in user.

Yes

Directory.AccessAsUser.All

Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.

Yes

Group.ReadWrite.All

Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.

Yes

offline_access

Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions.

Yes

openid

Allows users to sign-in to the app with their work or school accounts and allows the app to see basic user profile information.

Yes