M365 Changelog: App-Only User.ReadBasic.All Permission is now available

MC704030 – User.ReadBasic.All allows an app to retrieve basic user properties such as ID, display name, first and last name, email address, and photo. Until now only the delegated User.ReadBasic.All permission was available. Microsoft heard customer feedback asking for an app-only User.ReadBasic.All permission as well, so that app access can be limited to basic user properties only.

With the release of app-only User.ReadBasic.All, Microsoft also fixed a bug that allowed an app holding User.ReadBasic.All to filter on properties it should not be able to access. The issue is now resolved, ensuring that apps with the delegated permission can no longer filter on unauthorized properties.

If your app uses delegated User.ReadBasic.All to filter on properties beyond its access, it will now receive a 403 error with the message “Insufficient privileges to complete the operation.” You can grant the app the User.Read.All permission to ensure the filter operation succeeds.

With app-only User.ReadBasic.All available, you can evaluate the permission needs of the apps in your tenant; for those that require access to basic user properties only, consider granting User.ReadBasic.All instead of User.Read.All.

When this will happen:

Standard Release: Microsoft will begin rolling out by mid-January 2024 and expect to complete by late January 2024.

How this will affect your organization:

No action is required if your applications are not filtering on user properties that they do not have access to with User.ReadBasic.All. However, if an application needs such a filter operation to succeed, you must grant the application the User.Read.All permission.
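To find which applications will be affected before the rollout, it helps to scan their Microsoft Graph `/users` queries for `$filter` and `$select` clauses that reference properties outside the basic set. The following Python helper is an added example, not Microsoft's code or part of this notice; the basic property set is an assumption taken from the examples listed above (the notice says "like", so the real set is broader and should be completed from the Graph permissions reference), and the sample queries are constructed.

```python
import re

# Assumed basic property set: the examples named in the notice (ID, display name,
# first/last name, email, photo). Not exhaustive; widen it from the Graph docs.
BASIC_PROPERTIES = frozenset({"id", "displayname", "givenname", "surname", "mail", "photo"})

# OData operators, functions and literals that look like identifiers but are not properties.
ODATA_KEYWORDS = frozenset({
    "eq", "ne", "gt", "ge", "lt", "le", "and", "or", "not", "in",
    "startswith", "endswith", "contains", "true", "false", "null", "any", "all",
})

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")          # 'Sales', 'O''Brien'
_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:/[A-Za-z_][A-Za-z0-9_]*)*")


def referenced_properties(expression: str) -> set[str]:
    """Return the top-level property names referenced in a $filter or $select string.

    String literals are blanked first so 'department' inside quotes is not mistaken
    for a property; navigation paths such as manager/displayName count as 'manager'.
    Names are lower-cased because Graph property names are matched case-insensitively here.
    """
    blanked = _STRING_LITERAL.sub("''", expression)
    props = set()
    for token in _IDENTIFIER.findall(blanked):
        if token.lower() in ODATA_KEYWORDS:
            continue
        props.add(token.split("/")[0].lower())
    return props


def properties_beyond_basic(odata_filter: str = "", select: str = "",
                            granted: frozenset = BASIC_PROPERTIES) -> list[str]:
    """List properties a query touches that User.ReadBasic.All (as assumed) does not cover.

    An empty result means the query should keep working after the change; a non-empty
    result identifies the properties that will trigger the 403 described in the notice.
    """
    used = referenced_properties(odata_filter) | referenced_properties(select)
    return sorted(p for p in used if p not in granted)


if __name__ == "__main__":
    # Constructed sample queries, as an app might issue them against /users.
    print(properties_beyond_basic("startswith(displayName,'A') and department eq 'Sales'"))
    print(properties_beyond_basic("mail eq 'a@contoso.example'", "id,displayName"))
```

Run the checker over the `$filter`/`$select` values pulled from your app's source or request logs; any query that returns a non-empty list either needs its filter narrowed or, as the notice states, the app needs User.Read.All.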

What you need to do to prepare:

You may consider updating documentation as appropriate.