
docs: Clarify MTO tenant API permission-to-property mapping and role access#9902

Closed
srinivaspadala-msft wants to merge 3 commits into
microsoftgraph:mainfrom
srinivaspadala-msft:fix/mto-tenants-permission-clarity

Conversation

srinivaspadala-msft (Contributor) commented May 14, 2026

Summary

Clarifies which permissions and Entra roles grant access to multitenant organization tenant data, and documents the properties returned at each permission level.

Addresses IcM 31000000597799. MSRC reported Directory.Read.All granting access to /tenantRelationships/multiTenantOrganization/tenants as an authorization bypass. Investigation confirmed this is by design; the documentation simply failed to list Directory.Read.All as a valid permission.

Changes

List tenants API (multitenantorganization-list-tenants.md, v1.0 + beta):

  • Added permission-to-property mapping showing which properties are returned for ReadBasic.All, Read.All, Directory.Read.All, and ReadWrite.All

Get tenant API (multitenantorganizationmember-get.md, v1.0 + beta):

  • Same permission-to-property mapping applied for consistency

RBAC include (rbac-multitenantorganization-apis-read.md, v1.0 + beta):

  • Clarified Security Reader / Global Reader only return displayName and tenantId
  • Added guidance on roles needed for full property access

Notes

  • Auto-generated permissions tables (DO NOT MODIFY) were not modified
  • All changes are to explanatory prose and RBAC role documentation only

…access

- Add detailed permission-to-property mapping showing which properties
  are returned for each permission level
- Document that Directory.Read.All also grants full read access to
  multitenant organization tenant resources (delegated or application)
- Clarify that ReadBasic.All only returns displayName and tenantId,
  and only active tenants
- Expand RBAC role documentation to specify that Security Reader and
  Global Reader can only read basic tenant info
- Add guidance on which role is needed for full property access
- Updated for both v1.0 and beta API references

Addresses IcM 31000000597799

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
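To make the documented mapping concrete, here is an added example (not part of this PR or of the Graph docs) that models the expected authorization behaviour for the MTO tenant APIs, so a response observed from the API can be compared against what the docs say a token should see. Assumptions: the abbreviated permissions in the PR description are the MultiTenantOrganization.ReadBasic.All / Read.All / ReadWrite.All scopes, delegated scopes arrive in the token's scp claim and application permissions in roles, and "active tenants" means a state property equal to "active"; the tenant records are constructed sample data.

```python
# Added example, not Graph's own code. Models the PR's permission-to-property
# mapping: ReadBasic.All -> displayName/tenantId of active tenants only;
# Read.All, ReadWrite.All and Directory.Read.All -> every property, every tenant.
# Full permission names and the "state" == "active" check are assumptions.

BASIC_PROPS = ("tenantId", "displayName")

PERMISSION_LEVEL = {
    "MultiTenantOrganization.ReadBasic.All": "basic",
    "MultiTenantOrganization.Read.All": "full",
    "MultiTenantOrganization.ReadWrite.All": "full",
    "Directory.Read.All": "full",  # the grant the docs previously omitted
}
RANK = {"none": 0, "basic": 1, "full": 2}


def effective_read_level(claims):
    """Highest MTO tenant read level granted by a token's scp/roles claims."""
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    level = "none"
    for perm in granted:
        candidate = PERMISSION_LEVEL.get(perm, "none")
        if RANK[candidate] > RANK[level]:
            level = candidate
    return level


def visible_tenants(claims, tenants):
    """Project a tenant list down to what the caller is documented to see."""
    level = effective_read_level(claims)
    if level == "none":
        return []
    if level == "full":
        return [dict(t) for t in tenants]
    # basic: only the two identifying properties, and only active tenants
    return [{k: t[k] for k in BASIC_PROPS}
            for t in tenants if t.get("state") == "active"]


# Constructed sample data, not real tenants.
SAMPLE_TENANTS = [
    {"tenantId": "00000000-0000-0000-0000-000000000001", "displayName": "Contoso",
     "role": "owner", "state": "active"},
    {"tenantId": "00000000-0000-0000-0000-000000000002", "displayName": "Fabrikam",
     "role": "member", "state": "pending"},
]
```

If a token with only ReadBasic.All returns more than the projection above, or a pending tenant, the observed behaviour differs from the documented model and is worth a closer look.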
learn-build-service-prod (Contributor) commented:

Learn Build status updates of commit 86e66f7:

✅ Validation status: passed

File                                                                              Status
api-reference/beta/api/multitenantorganization-list-tenants.md                    Succeeded
api-reference/beta/includes/rbac-for-apis/rbac-multitenantorganization-apis-read.md   Succeeded
api-reference/v1.0/api/multitenantorganization-list-tenants.md                    Succeeded
api-reference/v1.0/includes/rbac-for-apis/rbac-multitenantorganization-apis-read.md   Succeeded

For more details, please refer to the build report.

Apply the same permission-to-property mapping to the
multitenantorganizationmember-get API (v1.0 and beta).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@srinivaspadala-msft srinivaspadala-msft added the ready for content review PR is ready for a content review - content development and tech review are complete. label May 14, 2026

The rbac-multitenantorganization-apis-read.md include is consumed by
6 different endpoints returning different resource types. Remove
member-specific property names (displayName, tenantId, role, state,
etc.) that are incorrect for the non-member endpoints (MTO object,
join request, sync policy template, partner config template).

Property-specific details remain in the individual API docs where
they are correct and scoped to the right resource type.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Danipocket (Contributor) commented:

@srinivaspadala-msft, please follow our guidelines and use the private repo. Thanks!

@Danipocket Danipocket added blocked PRs that are blocked from content review or getting merged for some reason. and removed ready for content review PR is ready for a content review - content development and tech review are complete. labels May 14, 2026
srinivaspadala-msft (Contributor, Author) commented:

Closing; moving to private repo per reviewer guidance (security-related IcM).

@srinivaspadala-msft srinivaspadala-msft deleted the fix/mto-tenants-permission-clarity branch May 15, 2026 02:23