Does EntitlementManagement.Read.All require admin consent?

Yes, Application permissions always require admin consent. An administrator must grant consent in the Azure portal.

How do I add EntitlementManagement.Read.All to my app registration?

Go to Azure Portal > App registrations > Your app > API permissions > Add permission > Microsoft Graph, then search for EntitlementManagement.Read.All and select it.

EntitlementManagement.Read.All Permission - Microsoft Graph API

Permission Details

Application Permission

Read all entitlement management resources

Allows the app to read access packages and related entitlement management resources without a signed-in user.

Permission ID: c74fd47d-ed3c-45c3-9a9e-b8676de685d2

Delegated Permission

Read all entitlement management resources

Allows the app to read access packages and related entitlement management resources on behalf of the signed-in user.

Permission ID: 5449aa12-1393-4ea2-a7c7-d0e06c1a56b2

Properties

Property	Type	Description
`id`	`string`	The unique identifier for an entity. Read-only.
`accessPackageAssignmentApprovals`	`microsoft.graph.approval collection`
`accessPackageAssignmentResourceRoles`	`microsoft.graph.accessPackageAssignmentResourceRole collection`	Represents the resource-specific role which a subject has been assigned through an access package assignment.
`accessPackageCatalogs`	`microsoft.graph.accessPackageCatalog collection`	A container of access packages.
`accessPackageResourceRoleScopes`	`microsoft.graph.accessPackageResourceRoleScope collection`	A reference to both a scope within a resource, and a role in that resource for that scope.
`accessPackageAssignmentRequests`	`microsoft.graph.accessPackageAssignmentRequest collection`	Represents access package assignment requests created by or on behalf of a user. DO NOT USE. TO BE RETIRED SOON. Use the assignmentRequests relationship instead.
`accessPackageResources`	`microsoft.graph.accessPackageResource collection`	A reference to a resource associated with an access package catalog.
`accessPackageResourceEnvironments`	`microsoft.graph.accessPackageResourceEnvironment collection`	A reference to the geolocation environment in which a resource is located.
`accessPackages`	`microsoft.graph.accessPackage collection`	Represents access package objects.
`accessPackageAssignmentPolicies`	`microsoft.graph.accessPackageAssignmentPolicy collection`	Represents the policy that governs which subjects can request or be assigned an access package via an access package assignment.
`accessPackageSuggestions`	`microsoft.graph.accessPackageSuggestion collection`
`availableAccessPackages`	`microsoft.graph.availableAccessPackage collection`
`controlConfigurations`	`microsoft.graph.controlConfiguration collection`	Represents the policies that control lifecycle and access to access packages across the organization.
`settings`	`object`	Represents the settings that control the behavior of Microsoft Entra entitlement management.
`assignmentRequests`	`microsoft.graph.accessPackageAssignmentRequest collection`	Represents access package assignment requests created by or on behalf of a user.

Showing 15 of 19 properties. View all on Microsoft Learn →

JSON Representation

JSON representation

{
  "id": "String",
  "accessPackageAssignmentApprovals": "[...]",
  "accessPackageAssignmentResourceRoles": "[...]",
  "accessPackageCatalogs": "[...]",
  "accessPackageResourceRoleScopes": "[...]",
  "accessPackageAssignmentRequests": "[...]",
  "accessPackageResources": "[...]",
  "accessPackageResourceEnvironments": "[...]",
  "accessPackages": "[...]",
  "accessPackageAssignmentPolicies": "[...]",
  "accessPackageSuggestions": "[...]",
  "availableAccessPackages": "[...]",
  "controlConfigurations": "[...]",
  "settings": "{...}",
  "assignmentRequests": "[...]",
  "accessPackageResourceRequests": "[...]",
  "accessPackageAssignments": "[...]",
  "subjects": "[...]",
  "connectedOrganizations": "[...]"
}

Relationships

Relationship	Type	Description
`accessPackageAssignmentApprovals`	`approval collection`	Approval stages for decisions associated with access package assignment requests.
`accessPackages`	`accessPackage collection`	Access packages define the collection of resource roles and the policies for how one or more users can get access to those resources.
`assignmentPolicies`	`accessPackageAssignmentPolicy collection`	Access package assignment policies govern which subjects may request or be assigned an access package via an access package assignment.
`assignmentRequests`	`accessPackageAssignmentRequest collection`	Access package assignment requests created by or on behalf of a subject.
`assignments`	`accessPackageAssignment collection`	The assignment of an access package to a subject for a period of time.
`catalogs`	`accessPackageCatalog collection`	A container for access packages.
`connectedOrganizations`	`connectedOrganization collection`	References to a directory or domain of another organization whose users can request access.
`resourceEnvironments`	`accessPackageResourceEnvironment collection`	A reference to the geolocation environments in which a resource is located.
`resourceRequests`	`accessPackageResourceRequest collection`	Represents a request to add or remove a resource to or from a catalog respectively.
`resourceRoleScopes`	`accessPackageResourceRoleScope collection`	A reference to both a scope within a resource, and a role in that resource for that scope.
`resources`	`accessPackageResource collection`	The resources associated with the catalogs.
`settings`	`entitlementManagementSettings`	The settings that control the behavior of Azure AD entitlement management.
`subjects`	`accessPackageSubject collection`	The subjects within entitlement management.

Graph Methods

Delegated access App-only access

Methods
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{accessPackageAssignmentRequestId}/stages/{approvalStageId}`
GET `/identityGovernance/entitlementManagement/accessPackages`
GET `/identityGovernance/entitlementManagement/accessPackages/{accessPackageId}`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}?$expand=resourceRoleScopes($expand=role,scope)`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackagesIncompatibleWith`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups`
GET `/identityGovernance/entitlementManagement/accessPackages/filterByCurrentUser(on='allowedRequestor')`
GET `/identityGovernance/entitlementManagement/assignmentPolicies`
GET `/identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicyId}`
GET `/identityGovernance/entitlementManagement/assignmentRequests`
GET `/identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}`
GET `/identityGovernance/entitlementManagement/assignmentRequests/filterByCurrentUser(on='parameterValue')`
GET `/identityGovernance/entitlementManagement/assignments`
GET `/identityGovernance/entitlementManagement/assignments/{accessPackageAssignmentId}`
GET `/identityGovernance/entitlementManagement/assignments/additionalAccess(accessPackageId='parameterValue',incompatibleAccessPackageId='parameterValue')`
GET `/identityGovernance/entitlementManagement/assignments/filterByCurrentUser(on='parameterValue')`
GET `/identityGovernance/entitlementManagement/catalogs`
GET `/identityGovernance/entitlementManagement/catalogs/{accessPackageCatalogId}`
GET `/identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions`
GET `/identityGovernance/entitlementManagement/catalogs/{catalogId}/customWorkflowExtensions/{accessPackageCustomWorkflowExtensionId}`
GET `/identityGovernance/entitlementManagement/catalogs/{catalogId}/resourceRoles?$filter=(originSystem+eq+%27{originSystemType}%27+and+resource/id+eq+%27{resourceId}%27)&$expand=resource`
GET `/identityGovernance/entitlementManagement/catalogs/{id}/resources`
GET `/identityGovernance/entitlementManagement/connectedOrganizations`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{connectedOrganizationId}`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/externalSponsors`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/internalSponsors`
GET `/identityGovernance/entitlementManagement/resourceRequests`
GET `/identityGovernance/entitlementManagement/settings`
GET `/roleManagement/directory/roleAssignments`
GET `/roleManagement/directory/roleAssignments/{id}`
GET `/roleManagement/directory/roleDefinitions`
GET `/roleManagement/directory/roleDefinitions/{id}`
GET `identityGovernance/entitlementManagement/resourceEnvironments?$filter=originSystem eq 'SharePointOnline'`
POST `/identityGovernance/entitlementManagement/accessPackages/{accessPackageId}/getApplicablePolicyRequirements`

Methods
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}/steps`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentApprovals/{id}/steps/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentPolicies/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentRequests/filterByCurrentUser(on='parameterValue')`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentResourceRoles`
GET `/identityGovernance/entitlementManagement/accessPackageAssignmentResourceRoles/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageAssignments`
GET `/identityGovernance/entitlementManagement/accessPackageAssignments/additionalAccess(accessPackageId='parameterValue',incompatibleAccessPackageId='parameterValue')`
GET `/identityGovernance/entitlementManagement/accessPackageAssignments/filterByCurrentUser(on='parameterValue')`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/accessPackageCustomWorkflowExtensions`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/accessPackageCustomWorkflowExtensions/{accessPackageCustomWorkflowExtensionId}`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/accessPackageResourceRoles?$filter=(originSystem+eq+%27{originSystemType}%27+and+accessPackageResource/id+eq+%27{resourceId}%27)&$expand=accessPackageResource`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/customAccessPackageWorkflowExtensions`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/customAccessPackageWorkflowExtensions/{customAccessPackageWorkflowExtensionId}`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{id}`
GET `/identityGovernance/entitlementManagement/accessPackageCatalogs/{id}/accessPackageResources`
GET `/identityGovernance/entitlementManagement/accessPackageResourceEnvironments/{accessPackageResourceEnvironmentId}`
GET `/identityGovernance/entitlementManagement/accessPackageResourceRequests`
GET `/identityGovernance/entitlementManagement/accessPackages`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}?$expand=accessPackageResourceRoleScopes($expand=accessPackageResourceRole,accessPackageResourceScope)`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/accessPackagesIncompatibleWith`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleAccessPackages`
GET `/identityGovernance/entitlementManagement/accessPackages/{id}/incompatibleGroups`
GET `/identityGovernance/entitlementManagement/accessPackages/filterByCurrentUser(on='allowedRequestor')`
GET `/identityGovernance/entitlementManagement/accessPackageSuggestions/filterByCurrentUser(on={on})`
GET `/identityGovernance/entitlementManagement/assignmentRequests`
GET `/identityGovernance/entitlementManagement/assignmentRequests/{accessPackageAssignmentRequestId}`
GET `/identityGovernance/entitlementManagement/assignmentRequests/filterByCurrentUser(on='parameterValue')`
GET `/identityGovernance/entitlementManagement/availableAccessPackages/{availableAccessPackage-id}/resourceRoleScopes`
GET `/identityGovernance/entitlementManagement/connectedOrganizations`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{id}`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/externalSponsors`
GET `/identityGovernance/entitlementManagement/connectedOrganizations/{id}/internalSponsors`
GET `/identityGovernance/entitlementManagement/controlConfigurations/endUserSettings`
GET `/identityGovernance/entitlementManagement/settings`
GET `/roleManagement/cloudPC/roleDefinitions`
GET `/roleManagement/cloudPC/roleDefinitions/{id}`
GET `/roleManagement/directory/roleAssignments`
GET `/roleManagement/directory/roleAssignments/{id}`
GET `identityGovernance/entitlementManagement/accessPackageResourceEnvironments?$filter=originSystem eq 'SharePointOnline'`
POST `/identityGovernance/entitlementManagement/accessPackageCatalogs/{catalogId}/accessPackageCustomWorkflowExtensions`
POST `/identityGovernance/entitlementManagement/accessPackages/{id}/getApplicablePolicyRequirements`

Commands
`Get-MgEntitlementManagementAccessPackage`
`Get-MgEntitlementManagementAccessPackageApplicablePolicyRequirement`
`Get-MgEntitlementManagementAccessPackageAssignmentApprovalStage`
`Get-MgEntitlementManagementAccessPackageIncompatibleAccessPackage`
`Get-MgEntitlementManagementAccessPackageIncompatibleGroup`
`Get-MgEntitlementManagementAccessPackageIncompatibleWith`
`Get-MgEntitlementManagementAssignment`
`Get-MgEntitlementManagementAssignmentAdditional`
`Get-MgEntitlementManagementAssignmentPolicy`
`Get-MgEntitlementManagementAssignmentRequest`
`Get-MgEntitlementManagementCatalog`
`Get-MgEntitlementManagementCatalogCustomWorkflowExtension`
`Get-MgEntitlementManagementCatalogResource`
`Get-MgEntitlementManagementCatalogResourceRole`
`Get-MgEntitlementManagementConnectedOrganization`
`Get-MgEntitlementManagementConnectedOrganizationExternalSponsor`
`Get-MgEntitlementManagementConnectedOrganizationInternalSponsor`
`Get-MgEntitlementManagementResourceEnvironment`
`Get-MgEntitlementManagementResourceRequest`
`Get-MgEntitlementManagementSetting`
`Get-MgRoleManagementDirectoryRoleAssignment`
`Get-MgRoleManagementDirectoryRoleDefinition`
`Get-MgRoleManagementEntitlementManagementRoleAssignment`
`Get-MgRoleManagementEntitlementManagementRoleDefinition`
`Invoke-MgFilterEntitlementManagementAccessPackageByCurrentUser`
`Invoke-MgFilterEntitlementManagementAssignmentByCurrentUser`
`Invoke-MgFilterEntitlementManagementAssignmentRequestByCurrentUser`

Commands
`Get-MgBetaEntitlementManagementAccessPackage`
`Get-MgBetaEntitlementManagementAccessPackageApplicablePolicyRequirement`
`Get-MgBetaEntitlementManagementAccessPackageAssignment`
`Get-MgBetaEntitlementManagementAccessPackageAssignmentAdditional`
`Get-MgBetaEntitlementManagementAccessPackageAssignmentPolicy`
`Get-MgBetaEntitlementManagementAccessPackageAssignmentRequest`
`Get-MgBetaEntitlementManagementAccessPackageAssignmentResourceRole`
`Get-MgBetaEntitlementManagementAccessPackageCatalog`
`Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageCustomWorkflowExtension`
`Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResource`
`Get-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageResourceRole`
`Get-MgBetaEntitlementManagementAccessPackageCatalogCustomAccessPackageWorkflowExtension`
`Get-MgBetaEntitlementManagementAccessPackageIncompatibleAccessPackage`
`Get-MgBetaEntitlementManagementAccessPackageIncompatibleGroup`
`Get-MgBetaEntitlementManagementAccessPackageIncompatibleWith`
`Get-MgBetaEntitlementManagementAccessPackageResourceEnvironment`
`Get-MgBetaEntitlementManagementAccessPackageResourceRequest`
`Get-MgBetaEntitlementManagementAssignmentRequest`
`Get-MgBetaEntitlementManagementAvailableAccessPackageResourceRoleScope`
`Get-MgBetaEntitlementManagementConnectedOrganization`
`Get-MgBetaEntitlementManagementConnectedOrganizationExternalSponsor`
`Get-MgBetaEntitlementManagementConnectedOrganizationInternalSponsor`
`Get-MgBetaEntitlementManagementSetting`
`Get-MgBetaRoleManagementDirectoryRoleAssignment`
`Get-MgBetaRoleManagementDirectoryRoleDefinition`
`Get-MgBetaRoleManagementExchangeRoleAssignment`
`Get-MgBetaRoleManagementExchangeRoleDefinition`
`Invoke-MgBetaFilterEntitlementManagementAccessPackageAssignmentByCurrentUser`
`Invoke-MgBetaFilterEntitlementManagementAccessPackageAssignmentRequestByCurrentUser`
`Invoke-MgBetaFilterEntitlementManagementAccessPackageByCurrentUser`
`Invoke-MgBetaFilterEntitlementManagementAccessPackageSuggestionByCurrentUser`
`New-MgBetaEntitlementManagementAccessPackageCatalogAccessPackageCustomWorkflowExtension`

Code Examples

C# / .NET SDK

// Install: dotnet add package Microsoft.Graph
// Install: dotnet add package Azure.Identity
using Microsoft.Graph;
using Azure.Identity;

// Delegated permissions - interactive user sign-in
var scopes = new[] { "EntitlementManagement.Read.All" };
var options = new InteractiveBrowserCredentialOptions
{
    ClientId = "YOUR_CLIENT_ID",
    TenantId = "YOUR_TENANT_ID",
    RedirectUri = new Uri("http://localhost")
};
var credential = new InteractiveBrowserCredential(options);
var graphClient = new GraphServiceClient(credential, scopes);

// Example: GET /me
var result = await graphClient.Me.GetAsync();
Console.WriteLine($"User: {result?.DisplayName}");

// Application permissions - daemon/service app
var tenantId = "YOUR_TENANT_ID";
var clientId = "YOUR_CLIENT_ID";
var clientSecret = "YOUR_CLIENT_SECRET";

var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(credential);

// Example: GET /users/{user-id}
var users = await graphClient.Users.GetAsync();
foreach (var user in users?.Value ?? [])
{
    Console.WriteLine($"User: {user.DisplayName}");
}

JavaScript / TypeScript

// npm install @azure/msal-browser @microsoft/microsoft-graph-client
import { PublicClientApplication } from "@azure/msal-browser";
import { Client } from "@microsoft/microsoft-graph-client";
import { AuthCodeMSALBrowserAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/authCodeMsalBrowser";

const msalConfig = {
    auth: {
        clientId: "YOUR_CLIENT_ID",
        authority: "https://login.microsoftonline.com/YOUR_TENANT_ID"
    }
};

const pca = new PublicClientApplication(msalConfig);
await pca.initialize();

// Delegated: Login with required scope
const loginResponse = await pca.loginPopup({
    scopes: ["EntitlementManagement.Read.All"]
});

const authProvider = new AuthCodeMSALBrowserAuthenticationProvider(pca, {
    account: loginResponse.account,
    scopes: ["EntitlementManagement.Read.All"],
    interactionType: "popup"
});

const graphClient = Client.initWithMiddleware({ authProvider });

// Example: GET /me
const result = await graphClient.api("/me").get();
console.log(result);

// Application: Use client credentials (Node.js backend only)
// npm install @azure/identity @microsoft/microsoft-graph-client
import { ClientSecretCredential } from "@azure/identity";
import { TokenCredentialAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials";

const credential = new ClientSecretCredential(
    "YOUR_TENANT_ID",
    "YOUR_CLIENT_ID", 
    "YOUR_CLIENT_SECRET"
);

const authProvider = new TokenCredentialAuthenticationProvider(credential, {
    scopes: ["https://graph.microsoft.com/.default"]
});

const graphClient = Client.initWithMiddleware({ authProvider });
const result = await graphClient.api("/users").get();
console.log(result);

PowerShell

# Install Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Scope CurrentUser

# Delegated access - interactive sign-in
Connect-MgGraph -Scopes "EntitlementManagement.Read.All"

# Verify connection
Get-MgContext | Select-Object Account, TenantId, Scopes

# Example: GET /me
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"
$result | ConvertTo-Json -Depth 5

# Application access with certificate
$params = @{
    ClientId = "YOUR_CLIENT_ID"
    TenantId = "YOUR_TENANT_ID"
    CertificateThumbprint = "YOUR_CERT_THUMBPRINT"
}
Connect-MgGraph @params

# Or with client secret (not recommended for production)
# Connect-MgGraph -ClientSecretCredential $credential

# Example: GET /users
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users"
$result | ConvertTo-Json -Depth 5

# Always disconnect when done
Disconnect-MgGraph

Python

# pip install msgraph-sdk azure-identity
from azure.identity import InteractiveBrowserCredential, ClientSecretCredential
from msgraph import GraphServiceClient
import asyncio

# Delegated permissions - interactive browser sign-in
credential = InteractiveBrowserCredential(
    client_id="YOUR_CLIENT_ID",
    tenant_id="YOUR_TENANT_ID"
)
scopes = ["EntitlementManagement.Read.All"]
client = GraphServiceClient(credential, scopes)

async def get_data():
    # Example: GET /me
    result = await client.me.get()
    print(f"User: {result.display_name}")
    return result

asyncio.run(get_data())

# Application permissions - client credentials
credential = ClientSecretCredential(
    tenant_id="YOUR_TENANT_ID",
    client_id="YOUR_CLIENT_ID",
    client_secret="YOUR_CLIENT_SECRET"
)
scopes = ["https://graph.microsoft.com/.default"]
client = GraphServiceClient(credential, scopes)

async def get_users():
    # Example: GET /users
    result = await client.users.get()
    for user in result.value:
        print(f"User: {user.display_name}")
    return result

asyncio.run(get_users())

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or Delegated permissions and search for EntitlementManagement.Read.All

4

Grant Admin Consent

Application permissions always require admin consent. Click "Grant admin consent" in the Azure portal.