Can users consent to UserActivity.ReadWrite.CreatedByApp themselves?

Yes, this delegated permission allows user consent. Users can grant this permission during sign-in without admin approval.

How do I add UserActivity.ReadWrite.CreatedByApp to my app registration?

Go to Azure Portal > App registrations > Your app > API permissions > Add permission > Microsoft Graph, then search for UserActivity.ReadWrite.CreatedByApp and select it.

UserActivity.ReadWrite.CreatedByApp Permission - Microsoft Graph API

Permission Details

Delegated Permission

Read and write app activity to users' activity feed

Allows the app to read and report the signed-in user's activity in the app.

Permission ID: 47607519-5fb1-47d9-99c7-da4b48f369b1

Properties

Property	Type	Description
`id`	`string`	The unique identifier for an entity. Read-only.
`expirationDateTime`	`date-time`Nullable	Set by the server. DateTime in UTC when the object expired on the server.
`historyItems`	`microsoft.graph.activityHistoryItem collection`	Optional. NavigationProperty/Containment; navigation property to the activity's activityHistoryItems.
`userTimezone`	`string`Nullable	Optional. The timezone in which the user's device used to generate the activity was located at activity creation time; values supplied as Olson IDs in order to support cross-platform representation.
`createdDateTime`	`date-time`Nullable	Set by the server. DateTime in UTC when the object was created on the server.
`activationUrl`	`string`	Required. URL used to launch the activity in the best native experience represented by the appId. Might launch a web-based app if no native app exists.
`contentUrl`	`string`Nullable	Optional. Used in the event the content can be rendered outside of a native or web-based app experience (for example, a pointer to an item in an RSS feed).
`activitySourceHost`	`string`	Required. URL for the domain representing the cross-platform identity mapping for the app. Mapping is stored either as a JSON file hosted on the domain or configurable via Windows Dev Center. The JSON file is named cross-platform-app-identifiers and is hosted at root of your HTTPS domain, either at the top level domain or include a sub domain. For example: https://contoso.com or https://myapp.contoso.com but NOT https://myapp.contoso.com/somepath. You must have a unique file and domain (or sub domain) per cross-platform app identity. For example, a separate file and domain is needed for Word vs. PowerPoint.
`appDisplayName`	`string`Nullable	Optional. Short text description of the app used to generate the activity for use in cases when the app is not installed on the userâ€™s local device.
`contentInfo`	`object`	Optional. A custom piece of data - JSON-LD extensible description of content according to schema.org syntax.
`lastModifiedDateTime`	`date-time`Nullable	Set by the server. DateTime in UTC when the object was modified on the server.
`visualElements`	`microsoft.graph.visualInfo`
`appActivityId`	`string`	Required. The unique activity ID in the context of the app - supplied by caller and immutable thereafter.
`status`	`object`	Set by the server. A status code used to identify valid objects. Values: active, updated, deleted, ignored.
`fallbackUrl`	`string`Nullable	Optional. URL used to launch the activity in a web-based app, if available.

JSON Representation

JSON representation

{
  "id": "String",
  "expirationDateTime": "String",
  "historyItems": "[...]",
  "userTimezone": "String",
  "createdDateTime": "String",
  "activationUrl": "String",
  "contentUrl": "String",
  "activitySourceHost": "String",
  "appDisplayName": "String",
  "contentInfo": "{...}",
  "lastModifiedDateTime": "String",
  "visualElements": "microsoft.graph.visualinfo",
  "appActivityId": "String",
  "status": "{...}",
  "fallbackUrl": "String"
}

Graph Methods

Delegated access App-only access

Methods
GET `/me/activities`
GET `/me/activities/recent`
PUT `/me/activities/{appActivityId}`
PUT `/me/activities/{id}/historyItems/{id}`
DELETE `/me/activities/{id}`
DELETE `/me/activities/{id}/historyItems/{id}`

Methods
GET `/me/activities`
GET `/me/activities/recent`
PUT `/me/activities/{appActivityId}`
PUT `/me/activities/{id}/historyItems/{id}`
DELETE `/me/activities/{id}`
DELETE `/me/activities/{id}/historyItems/{id}`

Commands
`Get-MgUserActivity`
`Invoke-MgRecentUserActivity`
`Remove-MgUserActivity`
`Remove-MgUserActivityHistoryItem`

Commands
`Get-MgBetaUserActivity`
`Invoke-MgBetaRecentUserActivity`
`Remove-MgBetaUserActivity`
`Remove-MgBetaUserActivityHistoryItem`

Code Examples

C# / .NET SDK

// Install: dotnet add package Microsoft.Graph
// Install: dotnet add package Azure.Identity
using Microsoft.Graph;
using Azure.Identity;

// Delegated permissions - interactive user sign-in
var scopes = new[] { "UserActivity.ReadWrite.CreatedByApp" };
var options = new InteractiveBrowserCredentialOptions
{
    ClientId = "YOUR_CLIENT_ID",
    TenantId = "YOUR_TENANT_ID",
    RedirectUri = new Uri("http://localhost")
};
var credential = new InteractiveBrowserCredential(options);
var graphClient = new GraphServiceClient(credential, scopes);

// Example: GET /me
var result = await graphClient.Me.GetAsync();
Console.WriteLine($"User: {result?.DisplayName}");

JavaScript / TypeScript

// npm install @azure/msal-browser @microsoft/microsoft-graph-client
import { PublicClientApplication } from "@azure/msal-browser";
import { Client } from "@microsoft/microsoft-graph-client";
import { AuthCodeMSALBrowserAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/authCodeMsalBrowser";

const msalConfig = {
    auth: {
        clientId: "YOUR_CLIENT_ID",
        authority: "https://login.microsoftonline.com/YOUR_TENANT_ID"
    }
};

const pca = new PublicClientApplication(msalConfig);
await pca.initialize();

// Delegated: Login with required scope
const loginResponse = await pca.loginPopup({
    scopes: ["UserActivity.ReadWrite.CreatedByApp"]
});

const authProvider = new AuthCodeMSALBrowserAuthenticationProvider(pca, {
    account: loginResponse.account,
    scopes: ["UserActivity.ReadWrite.CreatedByApp"],
    interactionType: "popup"
});

const graphClient = Client.initWithMiddleware({ authProvider });

// Example: GET /me
const result = await graphClient.api("/me").get();
console.log(result);

PowerShell

# Install Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Scope CurrentUser

# Delegated access - interactive sign-in
Connect-MgGraph -Scopes "UserActivity.ReadWrite.CreatedByApp"

# Verify connection
Get-MgContext | Select-Object Account, TenantId, Scopes

# Example: GET /me
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"
$result | ConvertTo-Json -Depth 5


# Always disconnect when done
Disconnect-MgGraph

Python

# pip install msgraph-sdk azure-identity
from azure.identity import InteractiveBrowserCredential, ClientSecretCredential
from msgraph import GraphServiceClient
import asyncio

# Delegated permissions - interactive browser sign-in
credential = InteractiveBrowserCredential(
    client_id="YOUR_CLIENT_ID",
    tenant_id="YOUR_TENANT_ID"
)
scopes = ["UserActivity.ReadWrite.CreatedByApp"]
client = GraphServiceClient(credential, scopes)

async def get_data():
    # Example: GET /me
    result = await client.me.get()
    print(f"User: {result.display_name}")
    return result

asyncio.run(get_data())

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Delegated permissions and search for UserActivity.ReadWrite.CreatedByApp

4

Grant Admin Consent

Users can consent to this permission themselves during sign-in.