Oct 06 2022 03:05 AM
Hi, folks.
The Azure AD Graph right, User.ReadBasic.All, has very limited use internal to a tenant but would be quite powerful in B2B scenarios where external partners/customers/etc. are unwilling to provide unintended access to personally identifiable information (PII) or other business-confidential information.
Unfortunately, User.ReadBasic.All is not made available as a right that can be delegated to servicePrincipal identities using the "application" model.
On its own, it doesn't make a lot of sense, but paired with something like Group.Read.All (which is still too powerful, but that would require a separate request on the Feedback hub), it begins to address real-world privacy concerns by providing customer-managed reduced data sets.
If you work in B2B spaces like identity management, multi-tenant applications, etc., where the current out-of-the-box rights, roles and functionalities (like access packages) simply aren't suitably aligned with privacy concerns (in the Australian context, these are often driven by legislative requirements), then please take a moment to have a read of the feedback request I've made below, and if it resonates with you, vote on it.
References:
Cheers,
Lain