M365 Graph Permissions Lookup

Decode Microsoft Graph permission GUIDs, scope names, and Entra role IDs into clear descriptions, permission types, and admin consent requirements.

Lookup Graph Permissions Easily

Turn cryptic Microsoft Graph permission GUIDs and scope names into clear, readable descriptions. Search for a single permission by name, GUID, or keyword, or use Bulk decode to paste multiple entries from an app manifest, consent grant, or token—including a token’s wids array. The results identify each permission or Entra role, distinguish delegated from application access, and show when admin consent is required. Everything is processed locally in your browser, so nothing you paste is uploaded or sent elsewhere.

Data from Microsoft's Graph permissions reference and Entra built-in roles. Not affiliated with or endorsed by Microsoft.

How the Graph Permissions Lookup Tool Works

App manifests, consent grants, and tokens identify Microsoft Graph permissions by GUID or by terse scope names. This tool translates them into what they actually allow, using Microsoft's published permission definitions (598 delegated scopes and 534 application permissions), and flags which ones need admin consent.

It also decodes Entra built-in role template IDs (135 roles), so you can paste the wids array from a token and see which directory roles the user holds.

Delegated permissions act on behalf of a signed-in user; application permissions let an app act on its own with no user present, which is why the application variants are the ones to scrutinize. Everything runs in your browser from data embedded in this page. Nothing you paste is sent anywhere.