ContactMonkey is significantly reducing its Microsoft Graph access from broad directory permissions (Directory.Read.All) to targeted group membership access (GroupMember.Read.All). This ensures ContactMonkey only accesses the specific data required for your distribution list expansions.
⚠️ Important: The Exchange Web Services (EWS) integration is also migrating to the Exchange Online Admin API. If your organization uses this expansion method, please follow the steps here to complete that update separately.
What is the GroupMember.Read.All Permission?
GroupMember.Read.All reduces the scope of the permissions required for our Microsoft Graph integration. By lowering this permission from Directory.Read.All to GroupMember.Read.All, you are ensuring that our presence in your Microsoft tenant is less intrusive, enhancing security for your organization while keeping ContactMonkey functionality the same.
Actions Required to Prepare Your Tenant
To enable this transition, your IT team will need to grant a specific permission for the integration. A ContactMonkey Admin or Owner can go to Settings → Integrations to see which account is being used for other Utility integrations.
1. Update API Permissions (IT Admin)
| API Resource | Permission Type | Scope |
| Microsoft Graph | Delegated | GroupMember.Read.All |
Your IT Administrator must update the ContactMonkey app registration in Microsoft Entra ID (Azure AD) with the above scopes.
To enable the GroupMember.Read.All permission, please use the following Admin Consent URL:
3. ContactMonkey "Flips the Switch" (Graph Specific)
Once administrative consent is granted, contact our Support team at support@contactmonkey.com. They will manually disable the legacy Directory.Read.All permission for your account.
- Note: This step must be completed before Step 4 can take place.
4. Account Reconnection
Once Support confirms the change from Step 3, a ContactMonkey admin must navigate back to Settings → Integrations:
- Graph Utility Tile: Click "Sign Out," then "Connect" again.
- Exchange Admin Utility Tile: Locate this new tile (beside the EWS tile) and click "Sign In" to initialize the new API connection.