Which permissions ServiceChanger requests
Overview of the Microsoft Graph permissions ServiceChanger uses, why, and what it deliberately does not request.
Short version
ServiceChanger requests the Graph permissions needed to manage group memberships and measure usage. It can write group membership, but otherwise only reads. No mail content, no files, no chats, and no rights to assign licenses.
How consent works
When connecting, you grant admin consent on ServiceChanger's enterprise application in your tenant. Access runs through that service principal, scoped to the application permissions you approve. See OAuth2 app registration.
The permissions
| Permission | Type | Why |
|---|---|---|
| User.Read.All | Read | Read users and their attributes to evaluate rules. |
| Group.Read.All | Read | Read groups and their properties. |
| GroupMember.ReadWrite.All | Write | Add and remove group membership according to your rules. |
| Directory.Read.All | Read | Read tenant metadata and relationships. |
| Organization.Read.All | Read | Read information about the tenant's license pools (SKUs). |
| AuditLog.Read.All | Read | Read sign-in activity from Entra ID sign-in reporting for license tracking. |
Write access is limited to group membership (GroupMember.ReadWrite.All), not to editing users or managing the full group object.
Optional: email
If you want ServiceChanger to send notifications from a mailbox in your tenant, you can additionally approve mail scopes (Mail.Send and/or Mail.ReadWrite). This is optional and separate from the core functionality.
What ServiceChanger does not request
- No User.ReadWrite.All. ServiceChanger does not change user attributes and does not assign licenses.
- No mail, file, chat, contacts, or calendar permissions for the core function.
- No policy permissions such as Policy.ReadWrite.All.
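The table above and the "does not request" list together form an allow-list that a tenant admin can check against what the enterprise application was actually granted. The script below is an added example, not ServiceChanger's own code: it resolves the `appRoleId` values on the service principal's app role assignments back to permission names via the Microsoft Graph service principal's `appRoles` catalogue, then reports which core permissions are present or missing, which optional mail scopes were approved, and anything outside the documented set. Both inputs are constructed sample payloads with placeholder GUIDs (not the real Graph app role ids) so the script runs offline; with live data you would fetch the same two shapes from `GET /servicePrincipals/{id}?$select=appRoles` and `GET /servicePrincipals/{id}/appRoleAssignments`.

```python
"""Audit the application permissions granted to a ServiceChanger service principal
against the set documented on this page (added example, not ServiceChanger code)."""
from __future__ import annotations

# Core application permissions this page documents.
CORE_PERMISSIONS = {
    "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All",
    "Directory.Read.All", "Organization.Read.All", "AuditLog.Read.All",
}
# Permissions the page lists as optional (notification mailbox only).
OPTIONAL_PERMISSIONS = {"Mail.Send", "Mail.ReadWrite"}

# Constructed stand-in for the Microsoft Graph service principal's appRoles
# catalogue. The ids are placeholders, NOT the real Graph app role GUIDs.
GRAPH_APP_ROLES = {
    "appRoles": [
        {"id": "00000000-0000-0000-0000-000000000001", "value": "User.Read.All"},
        {"id": "00000000-0000-0000-0000-000000000002", "value": "Group.Read.All"},
        {"id": "00000000-0000-0000-0000-000000000003", "value": "GroupMember.ReadWrite.All"},
        {"id": "00000000-0000-0000-0000-000000000004", "value": "Directory.Read.All"},
        {"id": "00000000-0000-0000-0000-000000000005", "value": "Organization.Read.All"},
        {"id": "00000000-0000-0000-0000-000000000006", "value": "AuditLog.Read.All"},
        {"id": "00000000-0000-0000-0000-000000000007", "value": "Mail.Send"},
        {"id": "00000000-0000-0000-0000-000000000008", "value": "User.ReadWrite.All"},
    ]
}

# Constructed stand-in for appRoleAssignments on the ServiceChanger service
# principal: AuditLog.Read.All was never consented, Mail.Send was approved as
# an optional scope, and User.ReadWrite.All was granted by mistake.
SERVICECHANGER_ASSIGNMENTS = {
    "value": [
        {"appRoleId": "00000000-0000-0000-0000-000000000001", "principalDisplayName": "ServiceChanger"},
        {"appRoleId": "00000000-0000-0000-0000-000000000002", "principalDisplayName": "ServiceChanger"},
        {"appRoleId": "00000000-0000-0000-0000-000000000003", "principalDisplayName": "ServiceChanger"},
        {"appRoleId": "00000000-0000-0000-0000-000000000004", "principalDisplayName": "ServiceChanger"},
        {"appRoleId": "00000000-0000-0000-0000-000000000005", "principalDisplayName": "ServiceChanger"},
        {"appRoleId": "00000000-0000-0000-0000-000000000007", "principalDisplayName": "ServiceChanger"},
        {"appRoleId": "00000000-0000-0000-0000-000000000008", "principalDisplayName": "ServiceChanger"},
    ]
}


def resolve_app_roles(catalogue: dict, assignments: dict) -> set[str]:
    """Map each assignment's appRoleId to its permission name (the appRole 'value')."""
    by_id = {role["id"]: role["value"] for role in catalogue["appRoles"]}
    names: set[str] = set()
    for assignment in assignments["value"]:
        role_id = assignment["appRoleId"]
        # An id missing from the Graph catalogue means the grant targets another
        # resource API (or the catalogue is stale); surface it instead of dropping it.
        names.add(by_id.get(role_id, f"<unknown appRoleId {role_id}>"))
    return names


def audit(granted: set[str]) -> dict[str, list[str]]:
    """Classify granted permissions against the documented allow-list."""
    return {
        "core_present": sorted(granted & CORE_PERMISSIONS),
        "core_missing": sorted(CORE_PERMISSIONS - granted),
        "optional": sorted(granted & OPTIONAL_PERMISSIONS),
        # Anything here should be revoked: the page says it is never requested.
        "unexpected": sorted(granted - CORE_PERMISSIONS - OPTIONAL_PERMISSIONS),
    }


def audit_sample() -> dict[str, list[str]]:
    """Run the audit over the constructed sample payloads."""
    return audit(resolve_app_roles(GRAPH_APP_ROLES, SERVICECHANGER_ASSIGNMENTS))


if __name__ == "__main__":
    for bucket, permissions in audit_sample().items():
        print(f"{bucket:13s} {', '.join(permissions) or '-'}")
```

Anything in `unexpected` (here `User.ReadWrite.All`) is a grant the documentation says ServiceChanger never needs and is the first thing to revoke; a non-empty `core_missing` explains a feature that is not working (here license tracking, which needs `AuditLog.Read.All`).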
Sign-in activity on the Microsoft side
License tracking uses Entra ID's sign-in reporting. Detailed sign-in logs require an Entra ID P1 or P2 license on the Microsoft side. Without it, usage measurement is more limited.
Revoking
In the Azure portal: Microsoft Entra ID > Enterprise Applications > ServiceChanger > Delete. After that, ServiceChanger can do nothing in your tenant. Existing group memberships stay as they are.