Skip to main content
  1. ContactMonkey Help Center
  2. Integrations
  3. Distribution List Expansion

Migrating to the GroupMember.Read.All Permission for Microsoft Graph

ContactMonkey is significantly reducing its Microsoft Graph access from broad directory permissions (Directory.Read.All) to targeted group membership access (GroupMember.Read.All). This ensures ContactMonkey only accesses the specific data required for your distribution list expansions.

⚠️ Important: The Exchange Web Services (EWS) integration is also migrating to the Exchange Online Admin API. If your organization uses this expansion method, please follow the steps here to complete that update separately.

What is the GroupMember.Read.All Permission?

GroupMember.Read.All reduces the scope of the permissions required for our Microsoft Graph integration. By lowering this permission from Directory.Read.All to GroupMember.Read.All, you are ensuring that our presence in your Microsoft tenant is less intrusive, enhancing security for your organization while keeping ContactMonkey functionality the same.

Actions Required to Prepare Your Tenant

To enable this transition, your IT team will need to grant a specific permission for the integration. A ContactMonkey Admin or Owner can go to Settings → Integrations to see which account is being used for other Utility integrations.

1. Update API Permissions (IT Admin)

API Resource Permission Type Scope
Microsoft Graph Delegated GroupMember.Read.All

Your IT Administrator must update the ContactMonkey-Utility enterprise app registration in Microsoft Entra ID (Azure AD) with the above scopes.

To enable the GroupMember.Read.All permission, please use the following Admin Consent URL:

Screenshot 2026-04-28 at 2.41.08 PM

You will be redirected to a login screen—you are not required to enter your credentials if you do not have a ContactMonkey account.

2. ContactMonkey "Flips the Switch"

Once administrative consent is granted, contact our Technical Support team at support@contactmonkey.com. They will manually disable the legacy Directory.Read.All permission for your account. This step must be completed before Step 3 can take place.

3. Account Reconnection

Once Support confirms the change from Step 2, a ContactMonkey Administrator must reconnect the integration:

  1. Click your name at the top right of the ContactMonkey dashboard
  2. Click Settings
  3. Click Integrations
  4. Sign out of the Graph Utility Account tile
  5. Sign back in with the same credentials that were originally connected

See Also

Was this article helpful?