Less privileged permission to update user schema extension

Jul 07 2021

As it stands, creating a schema extension for a user means that the permission needed to set that extension for a user is User.ReadWrite.All, regardless of whether you only want to update the delegated/current user's schema extension.

Ideally, User.ReadWrite would suffice to update only the delegated/current user's schema extension, with User.Read.All being sufficient to read those of other users.

While the documentation states that "For example, for an app to be able to update the signed-in user's profile with custom app data, the app must have been granted the User.ReadWrite.All permission.", it feels like quite a large privilege.

https://docs.microsoft.com/en-us/graph/extensibility-overview#permissions

https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http
https://docs.microsoft.com/en-us/graph/permissions-reference#remarks-30
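Added example (not from the post above or from Microsoft): a client-side preflight that reads the delegated scopes from a Graph access token and refuses to attempt the schema-extension PATCH on `/me` unless User.ReadWrite.All is present, so the app fails early instead of with a 403. The extension id and the unsigned token are constructed placeholders; signature verification is intentionally out of scope here.

```python
import base64
import json

# Scope the Graph documentation requires to write schema-extension data
# to a user, even when the target is the signed-in user.
REQUIRED_SCOPE = "User.ReadWrite.All"
GRAPH_ME = "https://graph.microsoft.com/v1.0/me"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(access_token: str) -> set:
    """Return the delegated scopes (`scp` claim) carried by an access token.

    This only parses a token the app already holds for a preflight check;
    it does not verify the signature and is not an authorization decision.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("scp", "").split())


def can_write_schema_extension(access_token: str) -> bool:
    """True if the token carries the scope Graph demands for the update."""
    return REQUIRED_SCOPE in token_scopes(access_token)


def build_update(extension_id: str, values: dict) -> tuple:
    """Build the PATCH /me request body that writes a schema extension.

    Returns (method, url, json_body) for the caller's HTTP client.
    """
    return "PATCH", GRAPH_ME, {extension_id: values}


def _fake_token(scp: str) -> str:
    """Constructed, unsigned JWT (header.payload.) for local demonstration."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc({"scp": scp}), ""])


if __name__ == "__main__":
    token = _fake_token("User.ReadWrite openid")
    # User.ReadWrite alone is not enough under the current requirement.
    print(can_write_schema_extension(token))
    # "ext00000000_example" is a constructed placeholder extension id.
    print(build_update("ext00000000_example", {"jobGroup": "E"}))
```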