Check if you're using excessive Microsoft Graph API permissions
Microsoft Graph exposes hundreds of endpoints that allow you to tap into data and insights in Microsoft 365. To use these API endpoints, you need to request a correct set of permissions.
A common approach to security is to apply the principle of least privilege (PoLP). This principle applies to users, processes, and programs.
To check if your app is using more permissions than it needs:
- Enable the `GraphMinimalPermissionsGuidancePlugin` plugin.
- Start recording.
- Use your app to issue requests as normal.
- Stop recording.
Based on the intercepted requests, Dev Proxy lists in the activity summary the permission scopes on the token that none of the recorded requests needs.
For example:
Evaluating delegated permissions for:
- GET /me
Permissions on the token:
AllSites.FullControl, User.Read
WARNING: The following permissions are unnecessary:
WARNING: AllSites.FullControl
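The check behind that summary, written out as an added illustration (this is not Dev Proxy's own code or data): read the delegated scopes from the token's `scp` claim, look up which scopes authorize each recorded request, and report the token scopes no request can use. The per-request scope table and the demo token are constructed for the example.

```python
import base64
import json

# Constructed lookup table (illustration only, not Dev Proxy's own data):
# for each Graph request, the delegated scopes that authorize it, listed
# from least to most privileged as in the Graph permissions reference.
DELEGATED_SCOPES = {
    ("GET", "/me"): ["User.Read", "User.ReadWrite", "User.Read.All", "User.ReadWrite.All"],
    ("GET", "/me/messages"): ["Mail.ReadBasic", "Mail.Read", "Mail.ReadWrite"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(scopes: list[str]) -> str:
    """Build a constructed JWT carrying an 'scp' claim; the signature segment
    is a placeholder because the demo only parses the payload."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"scp": " ".join(scopes)}).encode())
    return f"{header}.{payload}.constructed-signature"


def scopes_from_token(token: str) -> set[str]:
    """Read the delegated scopes ('scp') from a JWT payload without verifying it;
    this is a reporting aid, not an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split())


def evaluate(requests: list[tuple[str, str]], token_scopes: set[str]) -> dict:
    """Compare the scopes on the token with what the recorded requests need.
    Returns the least-privileged scopes that cover the requests, the token
    scopes no recorded request can use, and requests the table doesn't know."""
    minimal, usable, unknown = set(), set(), []
    for method, path in requests:
        candidates = DELEGATED_SCOPES.get((method, path))
        if candidates is None:
            unknown.append(f"{method} {path}")  # can't judge an unknown endpoint
            continue
        minimal.add(candidates[0])  # first entry is the least privileged
        usable.update(candidates)
    return {
        "minimal": sorted(minimal),
        "unnecessary": sorted(token_scopes - usable),
        "unknown_requests": unknown,
    }


if __name__ == "__main__":
    token = make_demo_token(["AllSites.FullControl", "User.Read"])
    print(evaluate([("GET", "/me")], scopes_from_token(token)))
```

Running it reproduces the summary above: `User.Read` is the minimal scope for `GET /me`, and `AllSites.FullControl` is flagged as unnecessary.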