Control Panel Vendors (CPVs)

Onboarded as a CPV, ask questions and learn how to keep your platform secure

Level 1 Contributor

graph.microsoft.com CPV Application Consent / Grants


Continuing the discussion from the Yammer group, referring to this topic:


What are the grants that a CPV should set to call the graph.microsoft.com API?

Thank you


Hi @Maps

I have not had the opportunity to test this just yet, but the enterprise application identifier for Microsoft Graph is 00000003-0000-0000-c000-000000000000. So, in theory you should be able to use this value when creating your application consent. Currently both the .NET and Java SDK samples are configuring the permissions for Azure AD Graph, which enables you to perform Azure AD operations using Microsoft. However, if you are looking to perform operations using other features of Microsoft Graph this will not work.

If you are in a position to test this with your integration box, it would be great to know if you encounter any issues.

Level 1 Contributor

Hi @idwilliams ,

Thanks for the reply.

My concern is more if the grants/scopes should be set in the Azure AD Graph format:

enterpriseApplicationId: 00000002-0000-0000-c000-000000000000, scope:Domain.ReadWrite.All,User.ReadWrite.All,Directory.Read.All

Or in the ARM format:

enterpriseApplicationId: 797f4846-ba00-4fd7-ba43-dac1f8f63013, scope:user_impersonation

I am more inclined to try it in the Azure AD Graph format, and personally had never before seen the "user_impersonation" scope.

If you can clarify this, it will sure help.

I will also test this, as soon as I can.

Thank you


Hi @Maps

Currently the scopes are limited to what you see in the samples today. In the coming days our engineering teams will be allowing additional scopes. You can find a complete list of scopes required for each operation that Microsoft Graph supports in the documentation. At the top of each article you will find a permissions section, which includes the required permissions (from least to most privileged). You can find a sample of this at https://docs.microsoft.com/en-us/graph/api/user-list. 

With respect to the user_impersonation scope, that actually maps to the Access Azure Service Management as organization users (preview) permission. This is the only permission available for the Windows Azure Service Management API. Please note that only delegated permissions are supported with the new CPV model. So, you want to ensure you are using the appropriate scopes.
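An added example, not part of the thread or of Microsoft's SDK samples: a pre-flight check that builds grants in the `enterpriseApplicationId` / `scope` format discussed above, rejects anything other than `user_impersonation` for the Azure Service Management resource, and lists write-capable scopes for review before consent is created. The body field names `applicationId`, `displayName` and `applicationGrants`, the application ID and the display name are assumptions used for illustration.

```python
import json
import re

# Resource (enterprise application) IDs quoted in this thread.
RESOURCES = {
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
    "00000002-0000-0000-c000-000000000000": "Azure AD Graph",
    "797f4846-ba00-4fd7-ba43-dac1f8f63013": "Azure Service Management",
}
ARM_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
# Shape check only (e.g. User.ReadWrite.All); it does not prove the scope exists.
SCOPE_RE = re.compile(r"^[A-Za-z][A-Za-z-]*(\.[A-Za-z]+){1,2}$")


def build_grant(resource_id, scopes):
    """Return one grant in the thread's format; raise ValueError if malformed."""
    rid = resource_id.strip().lower()
    if rid not in RESOURCES:
        raise ValueError(f"unknown enterpriseApplicationId: {resource_id}")
    scopes = [s.strip() for s in scopes if s.strip()]
    if not scopes or len(set(scopes)) != len(scopes):
        raise ValueError("scopes must be non-empty and unique")
    if rid == ARM_ID and scopes != ["user_impersonation"]:
        raise ValueError("ARM exposes only user_impersonation")
    if rid != ARM_ID and not all(SCOPE_RE.match(s) for s in scopes):
        raise ValueError(f"unexpected scope name in {scopes}")
    return {"enterpriseApplicationId": rid, "scope": ",".join(scopes)}


def write_capable(grants):
    """(resource, scope) pairs that permit changes, to review before consent."""
    return [(RESOURCES[g["enterpriseApplicationId"]], s)
            for g in grants for s in g["scope"].split(",")
            if "Write" in s or s == "user_impersonation"]


def build_consent(application_id, display_name, grants):
    # Assumed body field names: applicationId, displayName, applicationGrants.
    return {"applicationId": application_id, "displayName": display_name,
            "applicationGrants": grants}


if __name__ == "__main__":
    grants = [
        build_grant("00000003-0000-0000-c000-000000000000", ["User.Read.All"]),
        build_grant("797f4846-ba00-4fd7-ba43-dac1f8f63013", ["user_impersonation"]),
    ]
    # Constructed placeholder application ID and display name.
    body = build_consent("11111111-2222-3333-4444-555555555555", "cpv-app", grants)
    print(json.dumps(body, indent=2))
    print(write_capable(grants))
```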

Visitor 1


Level 1 Contributor

Hey @Maps, I just joined and wanted to see if Microsoft responded to your message. Since this app is new and MS is directing us to this for the future, I wanted to gauge the responsiveness.

For sure interested in Graph API and currently using Partner Center API. Have you completed your CPV? We are developing an app and see the CPV route making sense. We are an indirect CSP provider as well. Not sure if we should get a new tenant or keep our existing for Partner Center.

Level 1 Contributor

Hi @yfarmaz ,

@idwilliams replied to my message (see below).

Yes, we have completed our CPV, and for the Azure AD Graph and the ARM APIs, the consents work with no issues.

Would like the API to have at least one more method, to get the existent application consents, and I have already shared this feedback with Microsoft on Yammer.

Thank you