| author | Jackson-Woods |
|---|---|
| ms.topic | include |
Important
For delegated access using work or school accounts where the signed-in user is acting on another user, they must be assigned a supported Microsoft Entra role or a custom role that grants the permissions required for this operation. This operation supports the following built-in roles, which provide only the least privilege necessary:
- A non-admin member or guest user with default user permissions
- Application Developer - read properties of application they own
- Directory Readers - read standard properties
- Global Secure Access Administrator - read standard properties
- Global Reader
- Directory Writers
- Hybrid Identity Administrator
- Security Administrator
- Cloud Application Administrator
- Application Administrator