From time to time, I get requests from company internal clients who want to automate some part of Planner. Examples of requests are the copying of Plans, exporting a plan to Excel and creating a task in a certain format.

Since the Flow connector is almost non-functional, I want to talk directly to the Graph API for Planner, but unfortunately, the required app permissions are Group.Read.All and Group.ReadWrite.All, which require admin consent.

Firstly, I think it is very suprising (and difficult to explain to the Admin!) that an app whose sole responsibility it is to create tasks in Planner needs the permission to read and write all O365 Groups.

Secondly, I do not understand why Group.ReadWrite.All even requires admin consent. It is a delegated permission, and O365 groups are meant to be created by the end users in a self-service kind of way - our users create and manage O365 groups all the time when they open a Teams channel or create a Planner.

In which way would that permission be more dangerous or risky than, e.g., Mail.ReadWrite or Files.ReadWrite (both of which do not require AC)?

Is there some sort of risk assessment one could refer to when applying for this permission? How could I get an informed opinion about the worst thing that could happen when an app has this permission?