
Configure API Permissions

Application permissions control the data that the application will be able to access without a logged-in user being present.

Perform the following steps to configure application permissions.

  • Click API permissions from the App registration menu on the left.
  • Click + Add permission.
  • Select Microsoft Graph > Application permissions and add one or more of the following permissions, depending on the feature that you intend to configure.
WPO365 Feature                                                                Required application-level permission
----------------------------------------------------------------------------  -------------------------------------
User synchronization                                                          User.Read.All
Roles + Access *                                                              User.Read.All, GroupMember.Read.All
Audiences *                                                                   User.Read.All, GroupMember.Read.All
Avatar *                                                                      User.Read.All
Custom User Fields *                                                          User.Read.All
M365 APPS | Documents, Gutenberg Blocks | Documents (for “anonymous” users)   Sites.Selected, Sites.Read.All optionally
M365 APPS | Employee Directory (for “anonymous” users)                        User.Read.All
Client secret expiration check                                                Application.Read.All

* Please note: for some scenarios it is sufficient to add the delegated permission instead, provided the following criteria are met:

  • Users must sign in with Microsoft using the OpenID Connect protocol (instead of SAML 2.0).
  • The use of app-only tokens on the plugin’s Integration configuration page has not been enabled.
  • WPO365 User synchronization is not used.

If those criteria are met, then it is sufficient for a user to have delegated GroupMember.Read.All and delegated User.Read.All permissions.


  • Click Add permissions.
  • Click to grant consent for all users in your tenant to use this App registration and its ability to provide ID tokens (and Access Tokens).

If the Grant admin consent for … button is greyed out, then you do not have sufficient permissions to continue. Since this step is mandatory, you must contact your Global Administrator and ask for help.
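
To check the result of these steps, the following Python script (an added example, not part of WPO365 or the original tutorial) reads the roles claim of an app-only Microsoft Graph access token and reports permissions that are missing or that exceed what the enabled features need. The feature keys are shortened labels for the table rows above, the sample token is constructed and unsigned, and the payload is decoded without signature verification, for inspection only.

```python
import base64
import json

# Feature -> application permissions, copied from the table on this page.
# Keys are shortened labels chosen for this example.
REQUIRED = {
    "User synchronization": {"User.Read.All"},
    "Roles + Access": {"User.Read.All", "GroupMember.Read.All"},
    "Audiences": {"User.Read.All", "GroupMember.Read.All"},
    "Avatar": {"User.Read.All"},
    "Custom User Fields": {"User.Read.All"},
    "Documents": {"Sites.Selected"},
    "Employee Directory": {"User.Read.All"},
    "Client secret expiration check": {"Application.Read.All"},
}
OPTIONAL = {"Documents": {"Sites.Read.All"}}  # listed as optional on this page


def token_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit(jwt, features):
    """Compare permissions in an app-only token with what the features need."""
    claims = token_claims(jwt)
    granted = set(claims.get("roles", []))  # application permissions live here
    needed = set().union(*(REQUIRED[f] for f in features))
    allowed = needed.union(*(OPTIONAL.get(f, set()) for f in features))
    return {
        "app_only": "scp" not in claims,  # heuristic: delegated tokens carry scp
        "missing": sorted(needed - granted),
        "excess": sorted(granted - allowed),  # candidates for removal
    }


def constructed_token(claims):
    """Build an unsigned sample token (constructed for this demo, not real)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.'


if __name__ == "__main__":
    sample = constructed_token({"aud": "https://graph.microsoft.com",
                                "roles": ["User.Read.All", "Directory.ReadWrite.All"]})
    print(audit(sample, ["Roles + Access", "Avatar"]))
```

Anything reported under "excess" was consented to but is not needed by the features in use; removing it from the App registration keeps the app-only token to least privilege.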

